Worm plays on rumors of romance between Brad Pitt and Angelina Jolie, Sophos reports

March 31, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have discovered a worm which plays upon the public's interest in movie stars Brad Pitt and Angelina Jolie, as well as celebrities such as Britney Spears, Pamela Anderson and Paris Hilton.

The W32/Ahker-F worm spreads via email using messages such as:

Watch Angelina Jolie and Brad Pitt cought on TAPE! SEXY CLIP! WATCH IT!

Sophos believes the worm's author (who calls himself "Agent Hacker") is capitalising on media interest in Brad Pitt and Angelina Jolie's possible friendship. There has been speculation that the film stars' relationship may have contributed to the recent breakdown of Pitt's marriage with ex-Friends actress Jennifer Aniston.

If the attached file, Clip.zip, is opened and executed, the worm will attempt to spread to other email users. Other messages sent by the worm include:

Hey buddy,
Check out this new porn clip of Britney Sprers!
Very Short but HOT!!
DOWNLOAD IT and WATCH IT!

Hello!
Paris Hilton new SEX TAPE has been released!
In the attachment you will find some short quick scenes(HOT!!) that I liked the most!!
Download it! I know its SHORT but at least youve watched the HOTTEST parts of it!

Hell yeah...it's Pam!
Watch this latest clip of Pamela Anderson!
You will find the clip in the attachment! Enjoy!

"People's appetite for salacious gossip is insatiable, and some may be tempted to run what appear to be pornographic movie files distributed across the internet," said Graham Cluley, senior technology consultant for Sophos. "However, virus writers have a long history of disguising their malicious code as this kind of content. Everyone should be very careful about what they choose to run on their computer."

"If people want to read and look at this kind of stuff they may be better off picking up one of the magazines in the queue for the supermarket checkout till than using their PC," continued Cluley.

As well as spreading via email, the worm attempts to spread via file-sharing networks using a variety of salacious-sounding filenames such as PORNO.exe, XXX.exe, Naked WWE Divas.exe, Naked Britney.exe, Naked Celebrity.exe, and Celeb uncensord.exe. It also attempts to launch a distributed denial of service attack against Microsoft's security update website used by millions of computer users around the world.

Additionally, the Ahker-F worm attempts to disable security-related software on Windows computers and block access to anti-virus websites.

Curiously, the virus writer has embedded a number of secret messages inside his code, including:

Agent Hacker rules!
and
Genes don't contain any record of humain history, you'll NEVER catch me!(Agent Hacker - Bazzi

Although there have only been a small number of reports of the worm, Sophos recommends computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.