Virus experts at Sophos have discovered two new mass-mailing
email viruses which attempt to spread a message in support of the
"Fathers 4 Justice" campaign. The campaign has made headlines in
the UK and elsewhere around the world because of high profile media
stunts perpetrated by some of its members, such as scaling the
walls of Buckingham Palace dressed as the superhero Batman.
The W32/Mirsa-A and W32/Mirsa-B worms arrive as an attached file in an
email. Emails carrying the Mirsa-A variant pretend that the malicious
attachment is a resume or curriculum vitae, whereas the Mirsa-B
variant uses subject lines such as "How NOT to get Promotion",
"Memorandom to all staff", "Urgent Document", "Extremely
Important", and "Private and personal".
If the attached file is run, the worm will email itself out to
addresses found in the Windows Address Book and copy itself into
files on the infected user's hard drive. The worms also attempt to
drop a section of text onto the user's hard drive.
Text dropped by W32/Mirsa-A into a Word document:
Fathers 4 Justice
Coded by UK Digital Binary Division
UK Government will listen Fathers 4 Justice
respect to:
RanSid
DILENGER
NEWORDER
KJ
VosLar
Text dropped by W32/Mirsa-B into a Word document:
We are NOW supporting Fathers 4
Justice
Tony Blair: you really should LISTEN to us or we will take
further action
LeftPara
VosLar
ManTak
DILENGER
A file called Fathers4Justice.txt is created on the
user's desktop by W32/Mirsa-B containing the following text:
UK Digital Binary Division
MRSA: coded by the UK Digital Binary Division
we support Fathers-4-Justice
W32/Mirsa-B also creates an internet link on the user's desktop
to the Fathers 4 Justice website.
"Whoever wrote these viruses is clearly supportive of the
Fathers 4 Justice campaign, but rather than dressing up as Batman
and clambering up the walls of Buckingham Palace to show his
support he has turned to computer crime. However, people whose
computers are hit by this worm are likely to be less than
sympathetic," said Graham Cluley, senior
technology consultant for Sophos. "It seems unlikely that the
Fathers 4 Justice pressure group would approve of this kind of
action, but it seems doubtful that this will be the last time a
virus will be used to spread a political message."
Although there have been very few reports of the W32/Mirsa
worms, Sophos recommends computer users ensure their anti-virus
software is up-to-date, and that companies protect themselves with
a consolidated solution which can defend
them from the threats of both spam and viruses.
A clue in the code?
Intriguingly, W32/Mirsa-A contains a possible clue which
could lead to the worm's author. Hidden inside the
virus, and not normally displayed to the infected user, is a
section of text: "sheffield hallam university is corrupt".
[Image: Hidden inside the W32/Mirsa-A worm is a message about Sheffield Hallam University]
"It's impossible to say for certain - but the virus author may
be a current or past student of the university. Or maybe they're a
disgruntled member of staff?," said Cluley. "Of course, it may be a
complete red herring - but often virus writers have been unable to
resist the temptation to put a message which has helped to later
identify them inside their virus."
Other viruses which have spread a political message:
W32/Maslan-C
Launched a series of denial-of-service attacks against websites run
by Chechen rebel separatists.
W32/Zafi-C
Attacked the website of the newly appointed Hungarian Prime
Minister.
W32/Zafi-B
Calls for the introduction of the death penalty in Hungary.
W32/Cycle-A
Complained about the quality of life in Iran.
W32/Zafi-A
Displays a message calling for Hungarian patriotism, timed to
coincide with the country joining the European Union.
W32/Quaters-A
Launches a scathing attack on British Prime Minister Tony Blair and
attempts to knock the Downing Street website off the internet.
W32/Colevo-A
Redirects the web browsers of infected computers to a variety of
pictures of Evo Morales, leader of the Bolivian coca leaf growers'
union and runner-up in 2002's presidential elections.
W32/Vote-A
Calls for a vote on whether America should go to war against the
followers of Islam.
W32/Yaha-Q
Apparently written in response to attacks on Indian websites, this
worm not only attempts to launch a denial of service attack against
five Pakistani websites, but also contains a number of inflammatory
messages directed at Pakistani hackers.
W32/Yaha-E
Launches a denial-of-service attack against a Pakistani government
website.
Mawanella worm (also known as VBS/VBSWG-Z)
Displays a message describing the burning down of two mosques and
one hundred Muslim-owned shops in Mawanella, Sri Lanka.
Injustice worm (also known as VBS/Staple-A)
Opens a number of pro-Palestinian websites and describes the
alleged murder of a 12-year-old Palestinian child at the hands of
Israeli soldiers. In addition, the worm spams itself to members of
the Israeli government.
W32/Caric-A
Poses as a cartoon screensaver of former US President Bill Clinton
playing the saxophone. An item of female underwear emerges from the
bottom of the instrument.