News

‘Tis the Season … for Viruses?

• By Scott Bekker
• 12/07/2000

“Virus writers seem to be getting more cunning regarding the psychology for getting people to open e-mails that have viruses on them,” says Graham Cluley, senior technology consultant at Sophos, an anti-virus software vendor. “We’re now seeing a lot of Christmas-related viruses. It’s the holiday season and people want to have fun, so they’re sending screen shots and other things. The virus writers are taking advantage of this by disguising the viruses with things like Santa Claus images.”

The most damaging Christmas virus to date has been W32/Navidad, an e-mail worm that masquerades as a Christmas card, arriving in an e-mail message with an attachment called NAVIDAD.EXE. Once the attached program is launched, it displays a dialog box containing the text “UI.” It then attempts to read new email messages and to send itself to the senders’ addresses. The worm copies itself into the windows system directory with the filename WINSVRC.VXD and changes the registry so that it runs on Windows startup and before any file is run.

According to Sophos, the Navidad virus started to spread at the beginning of November, but has already caused problems, evidenced by the fact that Sophos ranked it as the second most reported virus in November and the seventh most reported virus of 2000 overall.

While not causing as much damage as Navidad, W32/Music has also found its ways inside a number of companies’ email systems. This virus is attached as a file called music.com, music.exe, or music.zip and comes with some sort of a message text saying it is a Christmas tune program. Once opened, the virus waits a few minutes before attempting to connect to several Web sites. It attempts to download an updated version of itself from the Web sites and then the worm tries to send itself to email addresses found on the infected PC.

For IT administrators, the Christmas email viruses can pose a big problem, as employees can suffer from a seasonal lack of caution. “The problem for administrators is that they may be perceived as the Grinch for not letting employees open or send executable files or screen savers,” says Cluley. “But in terms of data protection, it’s a must because data is the lifeblood of a company.”

The alternative, continued Cluley, is for the IT department to put out a list of games or screen savers that the employees can open and send to each other during the holiday season.

Sophos has compiled its list of the top 10 viruses of the year. Leading the way was VBS/Kakworm, which accounted for 17 percent of the calls made to Sophos’s help desk. Although Microsoft issued a security patch against the exploit used by Kakworm in 1999, many users have not downloaded it. The Love Bug virus, which made front page news across the world in May 2000, was second on the list. The third through ten spots were, in order: W32/Apology-B, WM97/Marker, W32/Pretty. VBS/Stages-A, W32Navidad, W32/Ska-Happy99, WM97/Thus, and XM97/Jini.

Looking ahead, Cluley has two suggestions for companies looking to protect against email viruses. Because most viruses contain double extensions such as .exe, Cluley says “companies should put in a gateway that does not allow double extensions because this would prevent a lot of the viruses going around.”

The other recommendation is to adopt a company rule that forbids employees to send or check emails that use Word documents. “You can write in Word, but then you can save it in a rich text format (RTF),” Cluley says. “It looks the same, but RTF’s can't contain macro viruses. It’s a very simple trick that doesn’t require any software.” – James Martin