26 Jan 2005

Email worms spread message of support for Fathers 4 Justice campaign, Sophos reports

Virus experts at Sophos have discovered two new mass-mailing email viruses which attempt to spread a message in support of the "Fathers 4 Justice" campaign. The campaign has made headlines in the UK and elsewhere around the world because of high profile media stunts perpetrated by some of its members, such as scaling the walls of Buckingham Palace dressed as the superhero Batman.

The W32/Mirsa-A and W32/Mirsa-B worms arrive as an attached file in an email. Emails carrying the Mirsa-A variant present the malicious attachment as a resume or curriculum vitae, whereas the Mirsa-B variant uses subject lines such as "How NOT to get Promotion", "Memorandom to all staff", "Urgent Document", "Extremely Important", and "Private and personal".

If the attached file is run, the worm will email itself out to addresses found in the Windows Address Book and copy itself into files on the infected user's hard drive. The worms also attempt to drop a section of text onto the user's hard drive.

Text dropped by W32/Mirsa-A into a Word document:

Fathers 4 Justice
Coded by UK Digital Binary Division
UK Government will listen Fathers 4 Justice
respect to:
RanSid
DILENGER
NEWORDER
KJ
VosLar

Text dropped by W32/Mirsa-B into a Word document:

We are NOW supporting Fathers 4 Justice
Tony Blair: you really should LISTEN to us or we will take further action
LeftPara
VosLar
ManTak
DILENGER

A file called Fathers4Justice.txt is created on the user's desktop by W32/Mirsa-B containing the following text:

UK Digital Binary Division
MRSA: coded by the UK Digital Binary Division
we support Fathers-4-Justice

W32/Mirsa-B also creates an internet link on the user's desktop to the Fathers 4 Justice website.

"Whoever wrote these viruses is clearly supportive of the Fathers 4 Justice campaign, but rather than dressing up as Batman and clambering up the walls of Buckingham palace to show his support he has turned to computer crime. However, people whose computers are hit by this worm are likely to be less than sympathetic," said Graham Cluley, senior technology consultant for Sophos. "It seems unlikely that the Fathers 4 Justice pressure group would approve of this kind of action, but it seems doubtful that this will be the last time a virus will be used to spread a political message."

Although there have been very few reports of the W32/Mirsa worms, Sophos recommends computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.

A clue in the code?

Intriguingly, W32/Mirsa-A contains a possible clue that could lead to the worm's author. Hidden inside the virus, and not normally displayed to the infected user, is a section of text: "sheffield hallam university is corrupt".

[Image: message hidden inside the W32/Mirsa-A worm about Sheffield Hallam University]

"It's impossible to say for certain - but the virus author may be a current or past student of the university. Or maybe they're a disgruntled member of staff?," said Cluley. "Of course, it may be a complete red herring - but often virus writers have been unable to resist the temptation to put a message which has helped to later identify them inside their virus."

Other viruses which have spread a political message:

W32/Maslan-C 
Launched a series of denial-of-service attacks against websites run by Chechen rebel separatists.

W32/Zafi-C 
Attacked the website of the newly appointed Hungarian Prime Minister.

W32/Zafi-B 
Calls for the introduction of the death penalty in Hungary.

W32/Cycle-A 
Complained about the quality of life in Iran.

W32/Zafi-A 
Displays a message calling for Hungarian patriotism, timed to coincide with the country joining the European Union.

W32/Quaters-A 
Launches a scathing attack on British Prime Minister Tony Blair and attempts to knock the Downing Street website off the internet.

W32/Colevo-A 
Redirects the web browsers of infected computers to a variety of pictures of Evo Morales, leader of the Bolivian coca leaf growers' union and runner-up in 2002's presidential elections.

W32/Vote-A 
Calls for a vote on whether America should go to war against the followers of Islam.

W32/Yaha-Q 
Apparently written in response to attacks on Indian websites, this worm not only attempts to launch a denial of service attack against five Pakistani websites, but also contains a number of inflammatory messages directed at Pakistani hackers.

W32/Yaha-E 
Launches a denial-of-service attack against a Pakistani government website.

Mawanella worm (also known as VBS/VBSWG-Z) 
Displays a message describing the burning down of two mosques and one hundred Muslim-owned shops in Mawanella, Sri Lanka.

Injustice worm (also known as VBS/Staple-A) 
Opens a number of pro-Palestinian websites and describes the alleged murder of a 12-year-old Palestinian child at the hands of Israeli soldiers. In addition, the worm spams itself to members of the Israeli government.

W32/Caric-A 
Poses as a cartoon screensaver of former US President Bill Clinton playing the saxophone. An item of female underwear emerges from the bottom of the instrument.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.