19 May 2004

Cycle worm latest in a long line of political viruses, says Sophos

The Cycle worm protests about life in Iran

Sophos virus analysts have discovered a computer worm which spreads a message from its author about life in Iran.

The W32/Cycle-A worm, which searches for computers exposed to the same Microsoft security vulnerability that the Sasser worm targets, drops a message on the hard drives of infected computers complaining about the quality of life in Iran.

The message, dropped by the worm as an ASCII text file, is signed by the author, who calls himself "Cyclone", and complains that European governments are supporting the regime in Tehran because of the war in neighbouring Iraq.

"Whether you agree or not with the message Cyclone has put inside his worm, writing and distributing a virus is not a responsible way to make your case," said Graham Cluley, senior technology consultant for Sophos. "This is just the latest in a long list of politically-motivated viruses - all of them have failed to realise that computer users want to choose what runs on their PC, rather than let a virus or worm run riot across their systems, regardless of its political intentions."

The security vulnerability exploited by the Cycle worm was first patched by Microsoft on 13 April 2004 in Microsoft Security Bulletin MS04-011.

Sophos recommends that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.

Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for critical Microsoft security vulnerabilities.

Other viruses which have spread a political message:

W32/Zafi-A
Displays a message calling for Hungarian patriotism, timed to coincide with the country joining the European Union.

W32/Quaters-A
Launches a scathing attack on British Prime Minister Tony Blair and attempts to knock the Downing Street website off the internet.

W32/Colevo-A
Redirects the web browsers of infected computers to a variety of pictures of Evo Morales, leader of the Bolivian coca leaf growers' union and runner-up in 2002's presidential elections.

W32/Vote-A
Calls for a vote on whether America should go to war against the followers of Islam.

W32/Yaha-Q
Apparently written in response to attacks on Indian websites, this worm not only attempts to launch a denial of service attack against five Pakistani websites, but also contains a number of inflammatory messages directed at Pakistani hackers.

W32/Yaha-E 
Launches a denial-of-service attack against a Pakistani government website.

Mawanella worm (also known as VBS/VBSWG-Z) 
Displays a message describing the burning down of two mosques and one hundred Muslim-owned shops in Mawanella, Sri Lanka.

Injustice worm (also known as VBS/Staple-A) 
Opens a number of pro-Palestinian websites and describes the alleged murder of a 12-year-old Palestinian child at the hands of Israeli soldiers. In addition, the worm spams itself to members of the Israeli government.

W32/Caric-A 
Poses as a cartoon screensaver of former US President Bill Clinton playing the saxophone. An item of female underwear emerges from the bottom of the instrument.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.