Sophos experts have advised customers about a new email-aware worm that continues an ongoing war of words between opposing groups of virus writers and hackers.
According to The Indian Snakes virus-writing gang, the W32/Yaha-Q worm was written in response to Pakistani hackers defacing websites based in India. The worm not only attempts to launch a denial of service attack against five Pakistani websites, but also carries a number of messages directed at Pakistani hackers, an anti-virus researcher and a rival virus writer.
When the day of the week is Wednesday, W32/Yaha-Q can activate a number of different payloads on an infected computer, including writing the following message to the hard drive:
bACK oFF paKI hAckERs,uR dAyS aRe oVeR.. pAkIsTaN's IT fUtuRe iS iN uR hANd.. U sToP..wE sToP..
u sTarTeD.. wE fInIshED...
Other possible payloads include a message to TruSecure virus expert Roger Thompson claiming The Indian Snakes are not politically motivated:
to Mr Roger Thompson :: [technical director of malicious code research for TruSecure Corp]
wE arE n0t p0litiCaLy m0tiVatEd sIr...
wE aRe jUsT rEtaLiaTinG t0 pAkI hAckErS aNd tHeiR sHiT hAcktIviSm..
hahha Yaha.K suCCessfuLL by lUck ??? eVeR heARd s0meThinG liKe thiS
a w0rM maDe anD spReaD bY luCk...hehehe lolz..
aNd fiNallY wE kn0w dAmN weLL wHaT tHe heLL wE aRe doinG...
thE w0rlD pUshEd uS to tHe dArK siDe..cAnT hElp iT.. no reTReaT no suRRenDeR
Yet another payload includes a message to female virus writer Gigabyte, who had disparaged one of the gang's earlier versions of Yaha and their habit of spelling in a mixture of upper and lower case:
to gigabyte :: chEErS pAL, kEEp uP tHe g00d w0rK..buT W32.HLLP.YahaSux is.. lolz ;)
"This virus does not appear to be particularly widespread but protection is already available for Sophos customers," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Unfortunately childish squabbles like this are being fought on the computers of innocent computer users, uninterested in the disagreement."
Sophos recommends that companies consider blocking all Windows programs at their email gateway. It is rarely necessary for users to receive programs by email from the outside world, and there is so little to lose, and so much to gain, from blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP contains pro-active threat reduction technology which can help businesses block dangerous filetypes and executable code at the email gateway.
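The following is an added example of the gateway policy described above; it is not Sophos code and not part of MailMonitor. It parses an email message and flags any attachment that is a Windows program, judged by both the filename (including double extensions such as photo.jpg.exe) and the content (a DOS/PE executable begins with the bytes "MZ", whatever the file is called or what Content-Type it declares). The deny list of extensions and the sample message are assumptions constructed for the example.

```python
"""Gateway-style check for mailed-in Windows programs (added example, not Sophos code).

Reject a message if any attachment is a Windows executable, judged by BOTH
the filename and the content, so renaming or mislabelling the file does
not get it past the check.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run when double-clicked (assumed deny list for the example).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "dll", "cpl",
}


def executable_extensions(filename):
    """Return every executable extension anywhere in the name, so that
    'holiday.jpg.exe' and 'notes.txt .scr' are both caught."""
    parts = filename.lower().replace(" ", "").split(".")[1:]
    return [p for p in parts if p in EXECUTABLE_EXTENSIONS]


def looks_like_pe(data):
    """DOS/PE executables start with 'MZ' regardless of filename or declared type."""
    return data[:2] == b"MZ"


def offending_attachments(raw):
    """Return (filename, reason) for each attachment the gateway should block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if not name and part.get_content_maintype() == "text":
            continue  # inline body text, not an attachment
        reasons = []
        exts = executable_extensions(name)
        if exts:
            reasons.append("executable extension ." + exts[-1])
        if looks_like_pe(payload):
            reasons.append("PE magic bytes (MZ) in content")
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits


def build_message(attachments):
    """Construct a test message; attachments = [(filename, mime_type, bytes)]."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: your document"
    msg.set_content("See attached.")
    for filename, mime, data in attachments:
        maintype, subtype = mime.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed sample: a harmless text file, a program named as a screensaver,
# a program hiding behind a double extension, and a PE mislabelled as an image.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60  # only a header, not a real program
SAMPLE = build_message([
    ("minutes.txt", "text/plain", b"Minutes of the meeting\n"),
    ("greeting.scr", "application/octet-stream", FAKE_PE),
    ("photo.jpg.exe", "application/octet-stream", FAKE_PE),
    ("photo.jpg", "image/jpeg", FAKE_PE),
])

if __name__ == "__main__":
    for name, why in offending_attachments(SAMPLE):
        print(f"BLOCK {name}: {why}")
```

Checking the content as well as the name is the point of the policy: a worm that arrives as "photo.jpg" with an MZ header is still a program, and a gateway that only looks at extensions would deliver it.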
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.