USB flash drive worm spreads information about AIDS

June 20, 2007 Sophos Press Release

Sophos, a world leader in IT security and control, has discovered a worm which spreads by copying itself onto removable drives such as USB flash drives, in an attempt to spread information about AIDS and HIV.

The W32/LiarVB-A worm hunts for removable drives such as floppy disks and USB memory sticks (as well as spreading via network shares), and then creates a hidden file called autorun.inf to ensure a copy of the worm is run the next time it is connected to a Windows PC. Once it has infected a system it drops an HTML file containing a message about AIDS and HIV to the user's drive.

The worm drops an HTML file containing a message about AIDS.
The worm drops an HTML file containing a message about AIDS.

"Much of the malware we see in SophosLabs is designed to generate income for the hackers. The LiarVB-A worm is different in that respect - it appears that the motive was to spread information about AIDS instead," said Graham Cluley, senior technology consultant for Sophos. "Even though the hacker responsible for this worm wasn't set on filling his pockets with cash, and may have felt that he was spreading an important message, they are still breaking the law. In the future we might see more graffiti-style malware being written on behalf of political, religious and other groups looking for a soapbox to broadcast their opinions."

At the bottom of the HTML file there is a marquee message in white writing on a pink background. The message which scrolls from right to left reads as follows:

This file Doesn't make harmful change to your computer. This File is NOT DANGEROUS for your Computer and FlashDisk (USB). This File Doesn't Disturb any Data or Files on your computer and FlashDisk (USB). So Dont be affraid, and Be Happy !

A scrolling message displayed at the bottom claims that the worm causes no harm
A scrolling message displayed at the bottom of the HTM file claims that the worm causes no harm.

"It's nonsense to say that this worm doesn't harm computers - it makes changes to a PC's settings and overwrites files with itself," continued Cluley. "There is no such thing as a useful virus, and companies should be allowed to decide for themselves what code runs on their computers rather than virus writers thinking it's okay to inject whatever code they like into corporate networks."

Last month Sophos warned about another family of worms which targeted flash drives, changing installations of Internet Explorer to say that they were "Hacked by 1BYTE".

Sophos experts advise that users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC. Any storage device which is attached to a computer should be checked for virus and other malware before use. Floppy disks, CD ROMs, USB keys, external hard drives and other devices are all capable of carrying malicious code which could infect the computers of innocent users.

Interestingly, the LiarVB-A worm is not the first piece of malware to be associated with information about AIDS. In 1989, Dr Joseph Popp distributed an AIDS information floppy disk to more than 20,000 people. The Trojan horse program on the floppy disk would trash users' disks if they did not send money to a rented post office box in Panama. Popp's creation is considered one of the very first examples of ransomware.

Sophos recommends companies automatically update their corporate virus protection, and defend their users with a consolidated solution to defend against the threats of viruses, spyware, hackers and spam.