Three new viruses made their appearance yesterday, at least one of which appeared in SA shortly after detection.
The Mawanella Visual Basic Script (VBS) worm is written, according to security company Kaspersky Labs, with the VBS Worm Generator. The same kit was used to create the widely distributed Kournikova virus earlier this year.
Mawanella makes no attempt to disguise itself, but arrives as an attachment named "mawanella.vbs". If activated, the script displays an assci- drawing of a house and the following text:
"Mawanella is on of the Sri Lanka's Muslim Village. This brutal incident happened here 2 Muslim Mosques & 100 Shops are burnt. I hat this incident, What about you? I can destroy your computer I didn't do that because I am a peace-loving citizen."
Meanwhile, the VBS file is copied into the Windows system directory and e-mailed to all addresses in the Microsoft Outlook address book.
At least one South African company was infected with Mawanella by yesterday.
The Trojan pickpocket
The more sophisticated Eurosol Trojan is apparently aimed at stealing money from users of a Russian Internet money exchange system.
According to Kaspersky Labs, Eurosol steals passwords for the WebMoney system, which allows online transactions without the use of a credit card. The virus is disguised as an offer to view advertising banners in return for money.
Once started, Eurosol scans the computer for WebMoney key files keys.kwm and purses.kwm. If these files are found, they are encrypted and transferred to a remote server via file transfer protocol (FTP).
Eurosol also neutralises the ATGuard personal firewall, if installed, so that the connection to the remote server is not blocked.
Money can be transferred from the stolen accounts via postal transfer.
"Kaspersky Labs already has taken the necessary steps in order to stave off this defrauding, and has closed all exploitable Eurosol servers," the company said in a statement. It estimates that more than 300 users were affected before detection.
An anti-Echlon virus?
Newsbytes reports that a variant of the LoveLetter virus, VBS/LoveLet-CL, has been detected in the wild, although it is not widely spread. According to comments in the code of the virus, it is aimed at crippling the Echelon spy system believed to be operated by the US and its allies.
According to anti-virus company Sophos, the worm also contains several hundred keywords such as "CIA", "toxin" and "satellite", apparently to trigger detection by Echlon e-mail monitoring.
The worm propagates through e-mail to addresses listed in Microsoft Outlook with the attachment echelon.vbs.
Related stories:
Love Bug variant targets Echelon spy system
Share