New "Spammer.A" Worm More Deadly Than "I Love You"
- By Scott Bekker
Computer Associates International Inc. (CA) warned all computer users of a new worm known as Spammer.A that is more destructive than the recent "I Love You" worm, and has already infected thousands of computers, proliferating via e-mail. CA says that the new worm is unrelated to "I Love You."
A polymorphic worm, Spammer.A, also known as VBS.NewLove.A and VBS.Spammer.A, has a destructive payload that renames the files on an infected user's computer and sets their file size to zero. Because of its morphing capabilities, Spammer.A is considered more dangerous than recent worms such as "I Love You."
Spammer.A arrives attached to an e-mail message with the subject line implying a forward, with "FW:" and followed by a file name with the extension "name.Vbs", where the name could be Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, or Htm.
The worm installs itself by copying its code to Windows and System directories and modifying two registry keys. As a polymorphic worm, Spammer.A modifies its code when changing from generation to generation. Before infecting a system, the worm inserts a random number of comment lines throughout the entire programming code. These comment lines start with an apostrophe and contain up to 300 randomly selected characters, capital letters from A to Z. Additionally, each line of the code could be indented by a random number of spaces.
CA (www.ca.com) has developed a solution for polymorphic worms such as Spammer.A. It is available at their Web site. - Isaac Slepner
Scott Bekker is editor in chief of Redmond Channel Partner magazine.