Software vendors Computer Associates (CA) and Symantec today issued warnings about a destructive new virus that disguises itself as a year 2000 computer problem and, besides reformatting users' hard drives, changes Internet Explorer home pages to an adult-content site.
The e-mail worm, known as Worm.Mypic or W32/Mypics.worm, arrives as a message without a subject line. The message body contains what appears to be an attachment called "Pics4You.exe" that is 34,304 bytes. If the executable file is opened, the worm loads into the computer's memory and attaches to the first 50 listings in Microsoft Outlook users' address books. After 20 minutes, the virus tries to e-mail itself again and repeats that after another 10 minutes, with that cycle continuing when "Mypic" is run. Users have to manually delete registry-key files in their computers to get rid of MyPic after an infection, or the virus will stick around and monitor the system clock.
When Jan. 1, 2000, arrives, the virus will create a file called C:\CBIOS.COM, which will write over checksum data in BIOS setup information (CMOS), causing the error message "CMOS checksum is invalid" the next time the user tries to boot up the system. Checksum data is used to verify the integrity of computer data. That message is designed to make users think the problem is related to the year 2000 - a software problem that could occur because most older code was written with a two-digit date field that might read the "00" in 2000 as "1900" and fail to work properly. To reboot, the BIOS setup has to be invoked to fix the CMOS checksum. The next time a user successfully boots the machine, the worm will try to format the C: and the D: drives by creating a new file, which also has to then be deleted manually by the user in order to get the computer running properly again, the vendors say.
CA became aware of the virus when a Fortune 500 customer discovered that a few computers had been infected, says Narender Mangalam, CA director of security. He says other software vendors also had become aware of the virus and were sending out warnings, so "we're tending to feel that it is out there."
Symantec and CA have been among the vendors to begin warning that viruses are likely to spring up around the date change and that some will disguise themselves as year 2000 problems by activating on that date.
"This is something that we've been talking about for some time now," Mangalam says. "We're seeing the number of viruses speeding up now as it gets closer to Y2K."
CA is advising customers to frequently check antivirus vendors' Web sites to stay up to date with the viruses that are being detected, and also to make certain that security precautions - firewalls and the like - are in place and working properly to keep out intruders. Antivirus maker Symantec said in a written statement today that it now has a new definition-set file on its Web site that ensures protection against the newly discovered worm, which it rates as a medium to high risk.
