Female virus-writer, Gigabyte, arrested in Belgium, Sophos comments

February 16, 2004 Sophos Press Release

Gigabyte, female author of such viruses as Coconut-A, Sahay-A, and Sharp-A, has been arrested by Belgium authorities.

Kim Vanvaeck, suspected of being the virus writer usually known only by the nickname "Gigabyte", has reportedly been charged with computer data sabotage and if convicted, faces up to three years in prison and fines of up to €100,000.

She was arrested a few miles outside Brussels in her hometown, Mechelen. After questioning, the Belgian authorities reportedly confiscated her five computers and closed down her website, where she posts her virus creations. She was released 24 hours later.

Gigabyte, who claimed in the Sahay worm to be part of the 'Metaphase VX Team', has also been mentioned in the code of other viruses, such as the Yaha-Q worm, which includes the text "to gigabyte :: chEErS pAL, kEEp uP tHe g00d w0rK.." and the Trilisa-A virus, which displays the words "HECHO EN ADMIRACION A GIGABYTE" as part of its payload.

"Gigabyte has presented herself almost as a Lara Croft-style figure, in the male-dominated virus writing arena, and this has made her a favourite for the media," said Graham Cluley, senior technology consultant at Sophos. "Unfortunately for her, her hunger for attention may also have been her undoing. One wonders why an obviously computer literate girl would squander her skills on criminal activity."

Some of Gigabyte's viruses explained:

W32/Qizy-A
December 2003
Posing as a Christmas screensaver, the Qizy worm asked infected users a number of questions, including what Sophos's Graham Cluley kept between his toes. Correct answers revealed map directions to a mystery package.

W32/Coconut-A
July 2003
Displays a graphical game where the recipient must throw coconuts at the heads of Belgian hacker, Frans Devaere, and Sophos's Graham Cluley. Each hit ensures that one less file on the recipient's computer will be infected.

W32/Sahay-A
January 2003
An email-aware worm that spreads via a screensaver called MathMagic.scr. If users run the attachment, it forwards the virus onto everyone in the Windows address book. The virus also attempts to disinfect any infections of W32/Yaha-K. However, due to bugs, it may fail to do this correctly.

W32/Sharp-A
March 2002
An email-aware worm pretending to be a Windows Update communication. The Sharp virus is a proof of concept virus because it is first virus to be written in C#, a Microsoft's programming language, which can run natively on .NET platforms.

W32/Parrot-A
Mid 2001
An email-aware worm with an infected attached file called parrot.scr. There is also a virus which renames files in the Windows directory, and drops an audio file that played when the virus is run. It also drops a VBS file displaying a message box which includes offensive text about anti-virus researcher Graham Cluley.