Viruses have made a note in their diary for St Valentine's Day.
Security experts at Sophos are urging computer users to be on their guard against the threat of viruses disguised as Valentine's greetings.
As Valentine's Day approaches, Sophos has already discovered two new viruses spreading loving greetings via email attachments and peer-to-peer networks. Emails carrying the Kipis-H worm have "Happy Valentine's Day" in their subject lines, and the following message body:
With the coming Valentine's day!
I very much love you.
Attachment: Valentine.EXE
Once activated, the worm turns off all anti-virus protection, allows cybercriminals to access the computer by installing a backdoor Trojan and sends itself to all contacts in the address book forging the sender's email address.
The new VBSWG-D worm spreads via email with the subject line
"First Love Story...!!!"
and a file called
FirstLove.VBS
, but on 14 February displays a message explicitly saying
"Happy F***ing Valentine...!!!"
and then shuts down the computer, after it has sent itself to all the email addresses in the user's address book.
The message displayed by the VBSWG-D worm.
"Virus writers will exploit any excuse to dupe innocent computer users into running malicious code," said Graham Cluley, senior technology consultant at Sophos. "Hackers send viral valentines to take control of users' PCs, steal personal information, or take screenshots of confidential information, usernames, passwords and credit card numbers."
Kipis-H and VBSWG-D are the latest in a long line of viruses which have used the promise of love to entice users into activating malicious code:
- The Love Bug worm was, at the time of its release in May 2000, the biggest virus outbreak of all time. Sending an email with the subject line "ILOVEYOU" it claimed to contain a love letter. Its suspected Filipino author had charges against him dropped because local computer crime laws were not sufficient at the time of the offence.
- The Bagle-W worm said "I just need a friend" as it spread in April 2004 pretending to be from a female student seeking an "interesting and active man looking for serious relations." Included in the email was a picture of an innocent young brunette woman.
- The Lovelet-C worm spread via email systems five years ago, inviting recipients to have a date over a cup of coffee that evening.
- The Wurmark worm, which is spreading at the moment, can send itself from email addresses such as "RomeoRichard" and "Sexy_guy88" pretending to be from a secret admirer.
- The Yaha-K worm, using subject lines such as "Wanna be my sweetheart?", "You are so sweet", and "Are you looking for love", but would launch an attack from infected computers against Pakistani Government computers.
- The Numgame worm sent messages saying "Are you my valentine?" and played an onscreen game with infected users before spreading to other computers.
- The Randex network worm attempted to break into computer systems which had poorly chosen passwords, including ILOVEYOU.
"This roll call of hexadecimal hanky-panky shows that many people are looking for love in all the wrong places," continued Cluley. "Everyone should beware of unexpected email attachments arriving in their inbox - you may be risking a busted computer instead of a broken heart."
Although there have been few reports of both the Kipis-H and the VBSWG-D worms, Sophos recommends that all computer users be alert to this kind of psychological trick, ensuring that their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.