Sophos experts have advised customers about a new email-aware
worm that continues an ongoing war of words between opposing groups
of virus writers and hackers.

According to The Indian Snakes virus-writing gang, the W32/Yaha-Q worm was written
in response to Pakistani hackers defacing websites based in India.

The worm not only attempts to launch a denial of service attack
against five Pakistani websites, but it also contains a number of
messages directed to Pakistani hackers and Indian computer
experts.

W32/Yaha-Q can activate a number of different payloads on
infected computers if the day of the week is Wednesday, including
writing the following message to the hard drive:

bACK oFF paKI hAckERs,uR dAyS aRe oVeR..pAkIsTaN's IT fUtuRe iS iN uR hANd..U sToP..wE sToP..u sTarTeD.. wE fInIshED...

Other possible payloads include a message to TruSecure virus
expert Roger Thompson claiming The Indian Snakes are not
politically motivated:

to Mr Roger Thompson ::[technical director of malicious code research for TruSecure Corp]wE arE n0t p0litiCaLy m0tiVatEd sIr...
wE aRe jUsT rEtaLiaTinG t0 pAkI hAckErS aNd tHeiR sHiT hAcktIviSm..
hahha Yaha.K suCCessfuLL by lUck ??? eVeR heARd s0meThinG liKe thiS
a w0rM maDe anD spReaD bY luCk...hehehe lolz..
aNd fiNallY wE kn0w dAmN weLL wHaT tHe heLL wE aRe doinG...
thE w0rlD pUshEd uS to tHe dArK siDe..cAnT hElp iT.. no reTReaT no suRRenDeR

Yet another payload includes a message to female virus writer
Gigabyte, who disparaged one of the gang's earlier versions of Yaha
and their habit of spelling in a mixture of upper and lowercase:

to gigabyte :: chEErS pAL, kEEp uP tHe g00d w0rK..buT W32.HLLP.YahaSux is.. lolz ;)

"This virus does not appear to be particularly widespread but
protection is already available for Sophos customers," said Graham
Cluley, senior technology consultant for Sophos Anti-Virus.
"Unfortunately childish squabbles like this are being fought on the
computers of innocent computer users, uninterested in the
disagreement."

Sophos recommends companies consider blocking all Windows
programs at their email gateway. It is rarely necessary to allow
users to receive programs via email from the outside world. There
is so little to lose, and so much to gain, simply by blocking all
mailed-in programs, regardless of whether they contain viruses or
not. Sophos MailMonitor for SMTP contains pro-active threat
reduction technology which can help businesses block dangerous
filetypes and executable code at the email gateway.
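
The gateway policy recommended above, as an added example that is not Sophos code or part of the original release: it flags every attachment that is a Windows program, by extension or by its MZ header, whatever the file is named. The extension list, function names and sample message are assumptions constructed for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy list of Windows program extensions; tune it to local needs.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def blocked_parts(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each MIME part that looks like a Windows program."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # Windows ignores trailing dots and spaces, so "x.exe." still runs as x.exe.
        name = (part.get_filename() or "").strip().lower().rstrip(". ")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            # Content check catches programs renamed to a harmless-looking extension.
            hits.append((name or "<unnamed>", "PE/MZ header"))
        elif any(name.endswith(ext) for ext in BLOCKED_EXT):
            # Matching on the final extension catches double names like "a.txt.bat".
            hits.append((name, "blocked extension"))
    return hits


def build_sample() -> bytes:
    """Constructed message: a body, a renamed program, a script and a harmless file."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "constructed sample"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="octet-stream", filename="holiday.jpg")
    m.add_attachment(b"@echo off\r\n", maintype="application",
                     subtype="octet-stream", filename="readme.txt.bat")
    m.add_attachment(b"%PDF-1.4\n", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for filename, reason in blocked_parts(build_sample()):
        print(f"REJECT {filename}: {reason}")
```

A gateway applying the policy as stated would reject the whole message when the list is non-empty, without first asking whether a scanner recognises the attachment.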