Experts at SophosLabs™, Sophos's global network of virus and
spam analysis centres, have discovered a new computer virus which
displays a nationalist message habitually used by a Serbian
politician.
The W32/Deadcode-A virus
infects executable files on computers, displaying the following
message when they are launched:
BlackHand.w32
Long Live Great SERBIA
Serbian Radical Party politician Tomislav Nicolic habitually
finishes all of his speeches with the phrase.
[Image: The message displayed by the Deadcode-A virus.]
Throughout the late 1990s, a group of Serbian nationalists
calling themselves "Crna Ruka" (which means "Black Hand" in
English) defaced a number of Croatian and Albanian websites with
the message "Long Live Great Serbia". The hackers took their name
from a Serbian nationalist group active at the beginning of the
20th century, one of whose members assassinated Archduke Franz
Ferdinand in Sarajevo, triggering the series of events which led
to the outbreak of the First World War in 1914.
"Whether the Deadcode virus is written by the same Black Hand
hacking gang who attacked websites in the late 1990s is uncertain -
it's quite possible this virus is written by a 'copycat' who is
sympathetic with the Serbian nationalist cause," said Graham Cluley, senior
technology consultant for Sophos. "However, there is a long history
of innocent users being infected by viruses which have attempted to
spread political messages - everyone should ensure their defences
are kept updated."
It appears that the virus writer wanted his creation to be
called "BlackHand", but Sophos researchers have chosen the name
"Deadcode" for the virus instead.
"Generally the experts in our laboratories don't like to use the
same name that the virus writer may have wanted for his malware,"
explained Cluley. "After all, why should we feed their egos by
using the name they've embedded in their malicious code?"
Sophos recommends companies protect their email gateways with a
consolidated solution to defend against
viruses and spam. Businesses should also secure their desktops and
servers with automatically updated protection.
Other viruses which have spread a political message:
W32/Mirsa-A
Spread a message in support of the "Fathers 4 Justice"
campaign.
W32/Maslan-C
Disguised as pictures of a nude glamour model, this virus launched
a series of denial-of-service attacks on websites run by Chechen
rebel separatists.
W32/Zafi-C
Attacked the website of the newly appointed Hungarian Prime
Minister.
W32/Zafi-B
Calls for the introduction of the death penalty in Hungary.
W32/Cycle-A
Complained about the quality of life in Iran.
W32/Zafi-A
Displays a message calling for Hungarian patriotism, timed to
coincide with the country joining the European Union.
W32/Quaters-A
Launches a scathing attack on British Prime Minister Tony Blair and
attempts to knock the Downing Street website off the internet.
W32/Colevo-A
Redirects the web browsers of infected computers to a variety of
pictures of Evo Morales, leader of the Bolivian coca leaf growers'
union and runner-up in 2002's presidential elections.
W32/Vote-A
Calls for a vote on whether America should go to war against the
followers of Islam.
W32/Yaha-Q
Apparently written in response to attacks on Indian websites, this
worm not only attempts to launch a denial of service attack against
five Pakistani websites, but also contains a number of inflammatory
messages directed at Pakistani hackers.
W32/Yaha-E
Launches a denial-of-service attack against a Pakistani government
website.
Mawanella worm (also known as VBS/VBSWG-Z)
Displays a message describing the burning down of two mosques and
one hundred Muslim-owned shops in Mawanella, Sri Lanka.
Injustice worm (also known as VBS/Staple-A)
Opens a number of pro-Palestinian websites and describes the
alleged murder of a 12-year-old Palestinian child at the hands of
Israeli soldiers. In addition, the worm spams itself to members of
the Israeli government.
W32/Caric-A
Poses as a cartoon screensaver of former US President Bill Clinton
playing the saxophone. An item of female underwear emerges from the
bottom of the instrument.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.