Virus disguised as Saddam Hussein death photographs, Sophos reports

February 03, 2005 Sophos Press Release
Saddam Hussein
Be wary of emails that say Saddam Hussein has died escaping from custody.

Anti-virus experts at Sophos have warned computer users that a worm is spreading posing as photographic evidence that Saddam Hussein has been killed following an attempted escape bid from custody.

The W32/Bobax-H worm is designed to create zombie networks of innocent third-party PCs for spammers to spread junk email from. The worm spreads both via email and using a Microsoft security vulnerability previously exploited by the infamous Sasser worm.

Emails generated by the Bobax-H worm can use a variety of different message bodies and attached filenames. Different message bodies used by the worm include the following:

Message body:
Saddam Hussein - Attempted Escape, Shot dead
Attached some pics that i found
Message body:
Osama Bin Laden Captured.
Attached some pics that i found

Attached files, which contain the viral code, can have PIF, SCR, EXE or ZIP extensions.

Users will run the attached file on a Windows computer risk infecting their PC. The worm will then attempt to forward itself onto other email addresses and vulnerable computers, attempt to disable anti-virus and security software, and install an email relay module which can be used by external hackers for sending spam.

"Many people these days use the internet to keep abreast of the latest breaking news stories - it is these individuals that worms like Bobax-H are trying to infect," said Graham Cluley, senior technology consultant at Sophos. "People who launch unsolicited attachments without thinking are walking straight into the hands of malicious virus writers and spamming gangs."

The Bobax-H worm exploits the same LSASS vulnerability first reported by Microsoft on 13 April 2004 in Microsoft Security Bulletin MS04-011, and later exploited by the widespread Sasser worm.

"There's really no excuse for computers still to be suffering from this Microsoft security vulnerability 10 months after a fix was first made available, as so many major viruses have tried to take advantage of it," continued Cluley. "Everyone responsible for the security of Windows computers should ensure they are defended against this threat and check that they are routinely installing security patches."

Saddam Hussein is the latest in a long line of public figures to be used as bait by malware authors and hackers. Politicians such as Margaret Thatcher, Ronald Reagan, Arnold Schwarzenegger, Bill Clinton, George W Bush and PW Botha have been have been used in the past. Furthermore, the promise of glimpses of glamorous pin-ups like Halle Berry, Anna Kournikova, Julia Roberts, Jennifer Lopez, Britney Spears or the stars of 'Sex and the City' have previously been used to help viruses spread.

Even Bill Gates, David Beckham, and Michael Jackson have been used as a psychological trick to dupe users into opening infected files.

Sophos recommends companies protect their email gateways with a consolidated solution to defend against viruses and spam. Businesses should also secure their desktop and servers with automatically updated protection.