An e-mail worm with a Sept. 11 theme has been discovered on computer systems in Europe, according to F-Secure and other security companies.
The worm, called W32/Chet-A or "Chet," accompanies an e-mail with the subject "All People!" sent from the address main@world.com. The Chet worm is stored within an attached file named 11september.exe and is only activated when an e-mail recipient opens the attachment.
Like other e-mail worms, most notably the NIMDA worm that appeared last year and infected computers worldwide, the Chet worm attempts to use a computer's e-mail program and address book to spread copies of itself to other computer systems. Worms can damage the computers on which they are run, or disable computer networks through massive copying and e-mailing.
Advertisement: |
Unlike the NIMDA worm, not to mention the attacks to which it refers, the Chet worm does not appear to pose a serious threat to the systems it infects.
"This worm is not going to be a major problem," said Mikko Hyppönen, Manager of Anti-Virus Research at Helsinki-based F-Secure, which discovered the worm Tuesday on systems belonging to British ISP MessageLabs Ltd.
"There is a real bug in the (worm's) code that crashes the worm after it runs for a while."
The bug prevents the Chet worm from e-mailing copies of itself and generally leaves host systems unaffected, said Hyppönen.
"Some users may receive a Dr. Watson report, but (Windows) and e-mail will continue to function," he said.
A lengthy text message that claims to offer "documentary materials" proving a link between the Bush administration and the al Qaeda terrorist organization is included in the e-mail containing the virus.
"As you know America and England have begun bombardment of Iraq, cause of its threat for all the world," the e-mail reads in part.
"It isn't the truth. The real reason is in money laundering and also to cover up traces after acts of terrorism September, 11, 2001."
Recipients are then urged to open the attachment in order to have the documents and pictures installed on their computer. Opening the attachment launches the Chet worm.
That sketchy wording, coupled with the fatal bug in the worm's code should keep Chet from spreading too widely, experts agree.
"We didn't think (the message) translated very well," said Chris Wraight, technology consultant at the Lynnfield, Massachusetts office of U.K.-based antivirus software maker Sophos PLC. Viruses frequently originate in countries where English is not the first language, he noted.
F-Secure's Hyppönen agreed, and said that all indications are that the worm originated in Russia and is likely the work of a novice virus writer.
"The person who wrote this (worm) is not too clever, not too skillful, and not too bright," said Hyppönen.
Despite its flawed code, however, the Chet worm is capable of infecting computers and replicating itself, he warned.
"We found that under certain conditions, the virus was able to recover from its code error and continue running," said Hyppönen, adding that systems running the Windows 98 operating system and containing very long names in the Windows address book are particularly vulnerable to infection by the Chet worm.
Makers of leading antivirus software rushed to post new virus definitions protecting against the Chet worm, despite the low risk posed by the worm. New virus definitions were available for most leading antivirus programs including those from McAfee.com, Symantec and Sophos, and experts warn computer users to be vigilant.
"We encourage people to follow safe computing practice and delete any unsolicited executable attachments," Wraight said.
The IDG News Service is a Network World affiliate.
RELATED LINKS
Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.
Request a reprint or permission to use this article.
