Hackers resort to gorilla tactics with Wurmark-K worm, Sophos reports

May 10, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have warned users about an in-the-wild email worm which displays a picture of a famous albino gorilla as it infects innocent computers.

The Wurmark-K worm spreads as an email attachment. Emails carrying the virus have a variety of characteristics including:

Subject: Hehehe LOL!!
Message body:
I just saw this on my computer from a while ago download it and see if you can remember it lol i was lauging like crazy when i saw it! :D email me back hehe...

Subject: Your Photo Is On A Webpage!!
Message body:
I was vieweing this website and came across a picture they look just like you! infact im sure it is haha , did you email this pic into them ? or is it someonce else :S ? pic is attached a zip so download it and check & email me back!

If recipients open the attached ZIP file and launch the files contained inside (which can have names such as Sexy_02.scr, Admirer_005.scr, Photo_01.pif, Lover_01.scr and Just_For_You.pif) then they will be infected by the worm and a graphic of an albino gorilla is displayed.

The image displayed by the Wurmark-K worm is of Snowflake (also known as Copito de Nieve), an extremely rare albino gorilla who died in Barcelona zoo in November 2003.

As the image is being displayed, the Wurmark-K worm installs the W32/Rbot-ABK network worm and backdoor Trojan horse. This malicious worm allows hackers to break into infected computers in order to steal information from the unsuspecting user or plant other malicious code.

"This worm is no laughing matter - its intent is to hand over control of your PC to remote hackers," said Graham Cluley, senior technology consultant for Sophos. "Unless computer users properly defend themselves with up-to-date anti-virus software, firewalls and security patches then they run the risk of having their PC exploited and their bank accounts emptied."

Sophos experts believe that the W32/Wurmark-K and W32/Rbot-ABK worms are evidence of a growing trend of more and more malware spying on innocent home computer owners and poorly-protected businesses.

"Organised criminals are involved in virus-writing at a greater level than ever before. They are becoming more aggressive in their attempts to find new computers to infect and control," continued Cluley. "If you attach a new, unpatched computer to the internet, unprotected by proper firewalls and up-to-date anti-virus software, then it can easily be under the control of hackers within a matter of minutes."

Sophos recommends companies protect their email gateways with a consolidated solution to defend against viruses and spam. Businesses should also secure their desktops and servers with automatically updated protection.
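
The release describes the delivery pattern as a ZIP attachment whose members are .scr or .pif files. As an added illustration (not Sophos code, and not a description of how any Sophos product works), a gateway-side check for that pattern could look like this in Python; the extensions beyond .scr and .pif, the attachment name photo.zip and the sample message are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# .scr and .pif are the types named in the release; the others are assumptions.
RISKY_EXTENSIONS = (".scr", ".pif", ".exe", ".com", ".bat", ".cmd")


def risky_names_in_zip(data):
    """Return names of executable-type members inside ZIP bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()  # reads the directory only, no extraction
    except zipfile.BadZipFile:
        return []  # unreadable archive: leave to other gateway checks
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return [n for n in names if n.lower().rstrip(". ").endswith(RISKY_EXTENSIONS)]


def scan_message(raw):
    """Return (attachment filename, risky member names) per flagged ZIP."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Trust the ZIP magic bytes, not the declared name or MIME type.
        if payload.startswith(b"PK\x03\x04"):
            hits = risky_names_in_zip(payload)
            if hits:
                findings.append((part.get_filename() or "(unnamed)", hits))
    return findings


def build_sample(member_names):
    """Constructed message: a ZIP of harmless placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder bytes, not malware")
    msg = EmailMessage()
    msg["Subject"] = "Your Photo Is On A Webpage!!"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photo.zip")  # name is assumed
    return msg.as_bytes()


print(scan_message(build_sample(["Photo_01.pif", "readme.txt"])))
```

A gateway would quarantine or strip any message for which `scan_message` returns a non-empty list, whatever the subject line or sender.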