
Sophos researchers report that they have discovered a new
email-aware worm that feeds on public interest in the imminent war
in Iraq in an apparent attempt to lure unsuspecting users.
The W32/Ganda-A worm, which appears to have been written in Sweden,
uses a variety
of different email subject lines and message bodies to try and
encourage computer users to run its viral attachment.
The worm can use a variety of different subject lines and
message bodies, in both English and Swedish, including:
Subject line: Spy pics.
Message text: Here's the screensaver i told you about.
It contains pictures taken by one of the US spy satellites during
one of it's missions over iraq. If you want more of these pic's you
know where you can find me. Bye!
Subject line: GO USA !!!!
Message text: This screensaver animates the star
spangled banner. Please support the US administration in their
fight against terror. Thanx a lot!
Subject line: G.W Bush animation.
Message text: Here's the animation that the FBI wants to
stop. Seems like the feds are trying to put an end to peoples right
to say what they think of the US administration. Have fun!
Subject line: Is USA always number one?
Message text: Some misguided people actually believe
that an american life has a greater value than those of other
nationalities. Just have a look at this pathetic screensaver and
then you'll know what i'm talking about. All the best.
"At a time of international crisis it is understandable that
computer users will be interested in finding out the latest news
from the Middle East, and many may be tempted to share breaking
news with their friends and colleagues via email," said Graham
Cluley, senior technology consultant for Sophos Anti-Virus. "The
author of this virus is exploiting interest in current affairs by
deliberately presenting his virus in this way. The message to users
is simple: be suspicious of all unsolicited emails."
In a bizarre twist, the author of W32/Ganda-A claims to have a
grievance with the Swedish educational system. Hidden inside the
virus is the following text:
[WORM.SWEDENSUX] Coded by Uncle Roger in
Härnösand, Sweden, 03.03. I am being discriminated by the swedish
schoolsystem. This is a response to eight long years of
discrimination.
"We don't know what Uncle Roger's problem is with the school
system in Sweden," continued Cluley. "But whatever his problem is, a
worm is not an appropriate way to complain about it."
Sophos recommends companies consider blocking all Windows
programs at their email gateway. It is rarely necessary to allow
users to receive programs via email from the outside world. There
is so little to lose, and so much to gain, simply by blocking all
mailed-in programs, regardless of whether they contain viruses or
not. Sophos MailMonitor for SMTP not
only detects known viruses but also contains pro-active threat
reduction technology which can help businesses block dangerous
filetypes and executable code at the email gateway.
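
An added example, not Sophos code and not part of the original release: a minimal Python sketch of the gateway policy recommended above, which rejects mailed-in Windows programs by file extension or by the MZ executable header whether or not they match a known virus. The extension list, the function names and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs as programs (illustrative list, not exhaustive).
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
               ".vbs", ".js", ".lnk", ".cpl"}


def blocked_attachments(raw: bytes):
    """Return [(filename, reason)] for each MIME part that looks like a program."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Use the LAST extension so "pics.jpg.scr" is judged as .scr; strip
        # trailing dots and spaces, which Windows ignores when opening a file.
        ext = os.path.splitext(name.strip().rstrip(". "))[1].lower()
        if ext in BLOCKED_EXT:
            hits.append((name, "extension " + ext))
        elif payload[:2] == b"MZ":
            # Renamed executable: DOS/PE files begin with the bytes "MZ".
            hits.append((name or "(unnamed)", "PE/MZ header"))
    return hits


def build_sample(filename: str, data: bytes) -> bytes:
    """Build a constructed test message carrying one attachment."""
    m = EmailMessage()
    m["Subject"] = "Constructed test message"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("Constructed body.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, data in [("satellite.jpg.scr", b"constructed"),
                        ("report.pdf", b"MZ\x90\x00constructed"),
                        ("notes.txt", b"plain text")]:
        hits = blocked_attachments(build_sample(fname, data))
        print(fname, "->", "REJECT %s" % hits if hits else "deliver")
```
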
Sophos customers who have kept their anti-virus software
up-to-date are automatically protected against W32/Ganda-A. Users
of other anti-virus products are recommended to update their
software.