16 Feb 2005

Serbian virus has a political agenda, Sophos reports

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have discovered a new computer virus which displays a nationalist message habitually used by a Serbian politician.

The W32/Deadcode-A virus infects executable files on computers, displaying the following message when they are launched:

BlackHand.w32
Long Live Great SERBIA

Serbian Radical Party politician Tomislav Nicolic habitually finishes all of his speeches with the phrase.

The message displayed by the Deadcode-A virus.

Throughout the late 1990s, a group of Serbian nationalists calling themselves "Crna Ruka" (which means "Black Hand" in English) defaced a number of Croatian and Albanian websites with the message "Long Live Great Serbia". The hackers took their name from a Serbian nationalist group active at the beginning of the 20th century, one of whose members assassinated Archduke Franz Ferdinand in Sarajevo, triggering the series of events which led to the outbreak of the First World War in 1914.

"Whether the Deadcode virus is written by the same Black Hand hacking gang who attacked websites in the late 1990s is uncertain - it's quite possible this virus is written by a 'copycat' who is sympathetic with the Serbian nationalist cause," said Graham Cluley, senior technology consultant for Sophos. "However, there is a long history of innocent users being infected by viruses which have attempted to spread political messages - everyone should ensure their defences are kept updated."

It appears that the virus writer wanted his creation to be called "BlackHand", but Sophos researchers have chosen the name "Deadcode" for the virus instead.

"Generally the experts in our laboratories don't like to use the same name that the virus writer may have wanted for his malware," explained Cluley. "After all, why should we feed their egos by using the name they've embedded in their malicious code?"

Sophos recommends companies protect their email gateways with a consolidated solution to defend against viruses and spam. Businesses should also secure their desktops and servers with automatically updated protection.

Other viruses which have spread a political message:

W32/Mirsa-A
Spread a message in support of the "Fathers 4 Justice" campaign.

W32/Maslan-C
Disguised as pictures of a nude glamour model, this virus launched a series of denial-of-service attacks on websites run by Chechen rebel separatists.

W32/Zafi-C
Attacked the website of the newly appointed Hungarian Prime Minister.

W32/Zafi-B
Calls for the introduction of the death penalty in Hungary.

W32/Cycle-A
Complained about the quality of life in Iran.

W32/Zafi-A
Displays a message calling for Hungarian patriotism, timed to coincide with the country joining the European Union.

W32/Quaters-A
Launches a scathing attack on British Prime Minister Tony Blair and attempts to knock the Downing Street website off the internet.

W32/Colevo-A
Redirects the web browsers of infected computers to a variety of pictures of Evo Morales, leader of the Bolivian coca leaf growers' union and runner-up in 2002's presidential elections.

W32/Vote-A
Calls for a vote on whether America should go to war against the followers of Islam.

W32/Yaha-Q
Apparently written in response to attacks on Indian websites, this worm not only attempts to launch a denial of service attack against five Pakistani websites, but also contains a number of inflammatory messages directed at Pakistani hackers.

W32/Yaha-E
Launches a denial-of-service attack against a Pakistani government website.

Mawanella worm (also known as VBS/VBSWG-Z)
Displays a message describing the burning down of two mosques and one hundred Muslim-owned shops in Mawanella, Sri Lanka.

Injustice worm (also known as VBS/Staple-A)
Opens a number of pro-Palestinian websites and describes the alleged murder of a 12-year-old Palestinian child at the hands of Israeli soldiers. In addition, the worm spams itself to members of the Israeli government.

W32/Caric-A
Poses as a cartoon screensaver of former US President Bill Clinton playing the saxophone. An item of female underwear emerges from the bottom of the instrument.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.