Sophos, a world leader in IT security and control, has
discovered a worm which spreads by copying itself onto removable
drives such as USB flash drives, in an attempt to spread
information about AIDS and HIV.
The W32/LiarVB-A worm hunts
for removable drives such as floppy disks and USB memory sticks (as
well as spreading via network shares), and then creates a hidden
file called autorun.inf to ensure a copy of the worm is run the
next time the drive is connected to a Windows PC. Once it has infected a
system it drops an HTML file containing a message about AIDS and
HIV to the user's drive.
The worm drops an HTML file containing a
message about AIDS.
"Much of the malware we see in SophosLabs is designed to
generate income for the hackers. The LiarVB-A worm is different in
that respect - it appears that the motive was to spread information
about AIDS instead," said Graham Cluley, senior
technology consultant for Sophos. "Even though the hacker
responsible for this worm wasn't set on filling his pockets with
cash, and may have felt that he was spreading an important message,
they are still breaking the law. In the future we might see more
graffiti-style malware being written on behalf of political,
religious and other groups looking for a soapbox to broadcast their
opinions."
At the bottom of the HTML file there is a marquee message in
white writing on a pink background. The message which scrolls from
right to left reads as follows:
This file Doesn't make harmful change to your computer. This
File is NOT DANGEROUS for your Computer and FlashDisk (USB). This
File Doesn't Disturb any Data or Files on your computer and
FlashDisk (USB). So Dont be affraid, and Be Happy !
A scrolling message displayed at the bottom of
the HTM file claims that the worm causes no harm.
"It's nonsense to say that this worm doesn't harm computers - it
makes changes to a PC's settings and overwrites files with itself,"
continued Cluley. "There is no such thing as a useful virus, and
companies should be allowed to decide for themselves what code runs
on their computers rather than virus writers thinking it's okay to
inject whatever code they like into corporate networks."
Last month Sophos warned about
another family of worms which targeted flash drives, changing
installations of Internet Explorer to say that they were "Hacked by
1BYTE".
Sophos experts advise that users disable the autorun facility of
Windows so removable devices such as USB keys and CD ROMs do not
automatically launch when they are attached to a PC. Any storage
device which is attached to a computer should be checked for viruses
and other malware before use. Floppy disks, CD ROMs, USB keys,
external hard drives and other devices are all capable of carrying
malicious code which could infect the computers of innocent
users.
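
As an added illustration of the device check advised above (example code written for this page, not Sophos code), the following Python script reads autorun.inf from a drive root and lists the programs it would launch, without executing anything. The sample content and file names are constructed.

```python
import re
import sys
from pathlib import Path

# [autorun] keys that name a program Windows would start from the drive.
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\=]+\\command)", re.I)

def launch_entries(text):
    """Return (key, command) pairs found in the [autorun] section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if in_section and sep and LAUNCH_KEY.fullmatch(key.strip()):
            entries.append((key.strip().lower(), value.strip()))
    return entries

def check_drive(root):
    """Read autorun.inf from a mounted drive root; nothing is executed."""
    # iterdir() lists hidden files too, and the name match ignores case.
    for path in Path(root).iterdir():
        if path.is_file() and path.name.lower() == "autorun.inf":
            data = path.read_bytes()
            bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = data.decode("utf-16" if bom else "latin-1", errors="replace")
            return launch_entries(text)
    return []

# Constructed sample content, not taken from the worm described above.
SAMPLE = """; constructed example
[AutoRun]
open = example.exe
icon=folder.ico
shell\\explore\\command=example.exe /x
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    found = check_drive(sys.argv[1]) if len(sys.argv) > 1 else launch_entries(SAMPLE)
    for key, command in found:
        print(f"launches via {key}: {command}")
```

Any launch entry on a drive that is supposed to hold only data is a reason to scan the referenced file before the drive is opened on a Windows PC.
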
Interestingly, the LiarVB-A worm is not the first piece of
malware to be associated with information about AIDS. In 1989, Dr
Joseph Popp distributed an AIDS information floppy disk to more
than 20,000 people. The Trojan horse program on the floppy disk
would trash users' disks if they did not send money to a rented
post office box in Panama. Popp's creation is considered one of the
very first examples of ransomware.
Sophos recommends companies automatically update their corporate
virus protection, and protect their users with a consolidated solution that defends against the
threats of viruses, spyware, hackers and spam.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.