‘Tis the Season … for Viruses?
- By Scott Bekker
- December 07, 2000
As the number of email-related viruses continues to grow,
one thing is becoming apparent: virus writers will go to any lengths to get a
recipient to open the infected email. Playing on the theme of the holiday
season, two Christmas-related viruses in particular have recently caused some
“Virus writers seem to be getting more cunning regarding the
psychology for getting people to open e-mails that have viruses on them,” says
Graham Cluley, senior technology consultant at Sophos,
an anti-virus software vendor. “We’re now seeing a lot of Christmas-related
viruses. It’s the holiday season and people want to have fun, so they’re
sending screen shots and other things. The virus writers are taking advantage
of this by disguising the viruses with things like Santa Claus images.”
The most damaging Christmas virus to date has been
W32/Navidad, an e-mail worm that masquerades as a Christmas card, arriving in
an e-mail message with an attachment called NAVIDAD.EXE. Once the attached
program is launched, it displays a dialog box containing the text “UI.” It then
attempts to read new email messages and to send itself to the senders’
addresses. The worm copies itself into the Windows system directory with the
filename WINSVRC.VXD and changes the registry so that it runs on Windows
startup and before any file is run.
According to Sophos, the Navidad virus started to spread at
the beginning of November, but has already caused problems, evidenced by the
fact that Sophos ranked it as the second most reported virus in November and
the seventh most reported virus of 2000 overall.
While not causing as much damage as Navidad, W32/Music has
also found its way inside a number of companies’ email systems. This virus is
attached as a file called music.com, music.exe, or music.zip and comes with
some sort of a message text saying it is a Christmas tune program. Once opened,
the virus waits a few minutes before attempting to connect to several Web
sites. It attempts to download an updated version of itself from the Web sites
and then the worm tries to send itself to email addresses found on the infected
For IT administrators, the Christmas email viruses can pose
a big problem, as employees can suffer from a seasonal lack of caution. “The
problem for administrators is that they may be perceived as the Grinch for not
letting employees open or send executable files or screen savers,” says Cluley.
“But in terms of data protection, it’s a must because data is the lifeblood of
The alternative, continued Cluley, is for the IT department
to put out a list of games or screen savers that the employees can open and
send to each other during the holiday season.
Sophos has compiled its list of the top 10 viruses of the
year. Leading the way was VBS/Kakworm, which accounted for 17 percent of the
calls made to Sophos’s help desk. Although Microsoft issued a security patch
against the exploit used by Kakworm in 1999, many users have not downloaded it.
The Love Bug virus, which made front page news across the world in May 2000,
was second on the list. The third through tenth spots were, in order:
W32/Apology-B, WM97/Marker, W32/Pretty, VBS/Stages-A, W32/Navidad,
W32/Ska-Happy99, WM97/Thus, and XM97/Jini.
Looking ahead, Cluley has two suggestions for companies
looking to protect against email viruses. Because most viruses contain double
extensions such as .exe, Cluley says “companies should put in a gateway that
does not allow double extensions because this would prevent a lot of the
viruses going around.”
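
A gateway check of the kind Cluley describes, as an added example that is not from the article or from Sophos: it parses a message with Python's standard `email` module and flags attachments whose names end in an executable extension, marking those that hide it behind a harmless-looking one. The extension lists, the function names and the `santa.jpg.exe` and `carol.txt` samples are assumptions; the other sample names are the ones the article mentions.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy (not from the article): extensions Windows runs
# directly, and harmless-looking extensions used as a decoy in front of them.
EXECUTABLE = {"exe", "com", "scr", "pif", "bat", "vbs", "vxd"}
DECOY = {"txt", "jpg", "gif", "doc", "bmp", "mp3", "zip"}

def classify(filename):
    """Return 'double-extension', 'executable' or None for an attachment name."""
    # Windows ignores trailing dots and spaces, and padding before the last
    # extension is a common disguise, so normalise both before comparing.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return None  # name-only check: archives such as music.zip pass through
    if len(parts) >= 3 and parts[-2] in DECOY:
        return "double-extension"
    return "executable"

def scan(raw_message):
    """Return [(filename, verdict)] for each attachment the gateway should stop."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 / RFC 2047 encoded names
        verdict = classify(name) if name else None
        if verdict:
            hits.append((name, verdict))
    return hits

def sample_message():
    """Constructed test message; the attachment bodies are placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Season's greetings"
    msg.set_content("Card attached.")
    for name in ("NAVIDAD.EXE", "music.com", "santa.jpg.exe", "carol.txt", "music.zip"):
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan(sample_message()):
        print(f"BLOCK {name}: {verdict}")
```

A name-based rule like this does not look inside archives, so the `music.zip` variant needs content inspection at the gateway as well.
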
The other recommendation is to adopt a company rule that
forbids employees to send or check emails that use Word documents. “You can
write in Word, but then you can save it in a rich text format (RTF),” Cluley
says. “It looks the same, but RTFs can’t contain macro viruses. It’s a very
simple trick that doesn’t require any software.” – James Martin
Scott Bekker is editor in chief of Redmond Channel Partner magazine.