Worm spreads false conspiracy rumors about Pope John Paul II's death, reports Sophos

June 28, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centers, have warned users to beware a new email virus which poses as breaking news stories about the supposed arrest of the author of the MyDoom worm, the capture of Osama bin Laden, or sick conspiracy theories about the death of the late Pope John Paul II.

The W32/Kedebe-F worm spreads itself via email using a wide variety of different subject lines and message bodies. Users who fall for its various tricks and launch the attached file risk disabling their security software, and passing the infection onto other computer users.

The worm can send a variety of messages, including the following:

someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.

On other occasions the text of the message can claim that Michael Jackson has died, Osama bin Laden has been captured by US soldiers, or the author of the MyDoom worm has been arrested by Microsoft.

Clicking on the attached file launches the worm, which disables security software installed on the computer and spreads the virus onto other internet users via email and peer-to-peer file-sharing networks.

"Hackers are constantly trying to dupe computer users into running malicious code with the promise of breaking news stories," said Graham Cluley, senior technology consultant for Sophos. "Using the late Pope's name is a sick trick designed to fool the unwary. Everyone should exercise extreme caution, run up-to-date anti-virus software, and ensure they never run unsolicited email attachments."

Sophos reported in April that spammers were exploiting interest in the late Pope for a "make money fast" scheme.

"Internet criminals have no respect for taste and decency. All they're interested in is making money, and other computer users' lives a misery," continued Cluley. "We wouldn't be surprised to see other public figures having their names abused by virus writers and spammers in the future."

Reassuringly, the W32/Kedebe-F worm is not reported to be spreading widely. However Sophos continues to recommend computer users practise safe computing as well as running up-to-date anti-virus software.