Harry Potter worm claims teenage wizard is dead

Sophos Press Release

Hackers exploit Potter-mania as Hairy worm attempts to infect USB memory drives

With just weeks remaining until the release of the last ever Harry Potter novel, and the imminent premiere of the fifth movie in the franchise, Sophos has warned of a new computer worm exploiting Potter-mania around the world.

The W32/Hairy-A worm can automatically infect a PC when users plug-in USB drives, which carry a file posing as a copy of the eagerly anticipated novel, "Harry Potter and the Deathly Hallows". If the users have allowed USB drives to 'auto-run' they will see a file called


Inside this Word document file is the simple phrase "Harry Potter is dead." The worm then looks for other removable drives to infect.

The Word document declares that Harry Potter is dead

After infecting Windows computers, the worm creates a number of new users - namely the main characters from JK Rowling's celebrated series of books about student wizards: Harry Potter, Hermione Granger and Ron Weasley.

 Hairy Login

After logging in, users are shown the following message via a batch file:

read and repent

the end is near
repent from your evil ways O Ye folks
lest you burn in hell...JK Rowling especially


In addition, every time infected users open Internet Explorer they will find their start page has been redirected to an Amazon.com web page selling a spoof book entitled "Harry Putter and the Chamber of Cheesecakes".

"Much of the world is waiting with bated breath for the final Harry Potter novel, and the premiere of the new movie is looming too. There is a real danger that muggles will blindly allow their USB flash drives to auto-run and become infected by this worm," said Graham Cluley, senior technology consultant for Sophos. "Using such social engineering at this time is a trick dastardly enough for Lord Voldemort himself."

 Harry Putter
The worm redirects Internet Explorer to an Amazon.com webpage offering a parody of the Harry Potter books.

"The fact that this worm has been inspired by the tales of a fictional schoolboy wizard doesn't make it a harmless prank," continued Cluley. "A worm like this which infects and tampers with users' computers without their permission is committing a criminal act. Someone needs to get a little more sunshine in their diet and put their energies into a more positive pursuit than writing malicious code like this."

Unlike most malware written today, the Hairy worm does not appear to have been written with financial reward in mind.

"This is an 'old school' virus, written to give the author a platform to show off rather than to steal identities or cash," said Cluley. "This person isn't being driven by the desire to inflate his or her bank account, but by a loathing for JK Rowling and her incredibly popular books."

Sophos notes that this is not the first time that the residents of Hogwarts School have been exploited by cybercriminals. In 2005 spammers tried to make money fast by claiming that recipients could win an advance copy of the then latest book in the series, "Harry Potter and the Half-Blood Prince". The year before, a virus pretended to be a downloadable version of the movie "Harry Potter and the Prisoner of Azkaban" on peer-to-peer file-sharing networks.

Sophos has been automatically protecting customers against the W32/Hairy-A worm since 19:42 GMT on 27 June 2007.

Recently experts at SophosLabs™, Sophos's global network of malware and spam analysis centers, have reported an increasing trend for malware authors to spread via USB devices.

Sophos experts advise that users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC. Any storage device which is attached to a computer should be checked for virus and other malware before use. Floppy disks, CD ROMs, USB keys, external hard drives and other devices are all capable of carrying malicious code which could infect the computers of innocent users.

Sophos recommends companies protect themselves with a consolidated solution which can defend against the threats of viruses, spyware, spam and hackers.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.