Sophos, a leading developer of corporate anti-virus protection,
believes the author of the new Winevar worm
(W32/Winevar-A), was inspired by the Association of Anti-Virus Asia
Researchers (AVAR) 2002 conference, held last week in Seoul,
The Winevar worm drops the W32/Flcss worm (also known
as FunLove) onto infected machines and spreads via an email with a
subject line of "Re: AVAR(Association of Anti-Virus Asia
Researchers)". Furthermore, Sophos has found that, in an apparent
deliberate attempt to directly harm the anti-virus community, the
Winevar worm attempts to launch a denial of service attack on the
website of US security firm, Symantec.
"Ironically, the Winevar worm author seems to have got his
inspiration from a conference intended to reduce the impact of
computer viruses," said Graham Cluley, senior technology consultant
for Sophos Anti-Virus. "Fortunately for computer users - and for
Symantec - Winevar has not had a major impact, but we advise
everyone to update their anti-virus software in order to protect
against this worm."
The Winevar worm shares code characteristics with the Braid worm (W32/Braid-A,
first seen in early November) which has infected many computer
users across the world. It is likely that both Winevar and Braid
were written by the same virus writer, who it now seems may be
based in Korea.
An interesting side effect of this worm is that it changes file
associations so that all files ending .CEO are treated as if they
are executable. This means a future virus could transmit itself
amongst Winevar victims in the form of a .CEO file.
"Winevar creates the ultimate in dishonest CEOs - infected users
should double check their file associations to make sure they do
not leave this vulnerability open," said Cluley.
Sophos has had protection available against W32/Winevar-A since
25 November. Users of Sophos MailMonitor
for SMTP have been able to prevent the virus from entering
their organisation using pro-active threat reduction technology
before this date.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.