Press Releases

Browse our press release archive

12 Mar 2003

Virus writers fight in virtual playground

Sophos experts have advised customers about a new email-aware worm that continues an ongoing war of words between opposing groups of virus writers and hackers.

According to The Indian Snakes virus-writing gang, the W32/Yaha-Q worm was written in response to Pakistani hackers defacing websites based in India. The worm not only attempts to launch a denial of service attack against five Pakistani websites, but it also contains a number of messages directed to Pakistani hackers and Indian computer experts.

W32/Yaha-Q can activate a number of different payloads on infected computers if the day of the week is Wednesday, including writing the following message to the hard drive:

bACK oFF paKI hAckERs,uR dAyS aRe oVeR..
pAkIsTaN's IT fUtuRe iS iN uR hANd..
U sToP..wE sToP..

u sTarTeD.. wE fInIshED...

 

Other possible payloads include a message to TruSecure virus expert Roger Thompson claiming The Indian Snakes are not politically motivated:

to Mr Roger Thompson ::
[technical director of malicious code research for TruSecure Corp]

wE arE n0t p0litiCaLy m0tiVatEd sIr...
wE aRe jUsT rEtaLiaTinG t0 pAkI hAckErS aNd tHeiR sHiT hAcktIviSm..
hahha Yaha.K suCCessfuLL by lUck ??? eVeR heARd s0meThinG liKe thiS
a w0rM maDe anD spReaD bY luCk...hehehe lolz..
aNd fiNallY wE kn0w dAmN weLL wHaT tHe heLL wE aRe doinG...
thE w0rlD pUshEd uS to tHe dArK siDe..cAnT hElp iT.. no reTReaT no suRRenDeR

Yet another payload includes a message to female virus writer Gigabyte who disparaged one of the gang's earlier versions of Yaha and their habit of spelling in a mixture of upper and lowercase:

to gigabyte :: chEErS pAL, kEEp uP tHe g00d w0rK..buT W32.HLLP.YahaSux is.. lolz ;)

"This virus does not appear to be particularly widespread but protection is already available for Sophos customers," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Unfortunately childish squabbles like this are being fought on the computers of innocent computer users, uninterested in the disagreement."

Sophos recommends companies consider blocking all Windows programs at their email gateway. It is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP contains pro-active threat reduction technology which can help businesses block dangerous filetypes and executable code at the email gateway.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.