
Sophos clients protected against the Ganda virus since 17 March 2003

Swedish computer worm lures with Iraq spy satellite photos
By Netxactics
Johannesburg, 27 Mar 2003

Sophos researchers reported on 17 March 2003 that they had discovered a new e-mail worm that feeds on public interest in the war in Iraq in an apparent attempt to lure unsuspecting users.

The W32/Ganda-A worm (http://www.sophos.com/virusinfo/analyses/w32gandaa.html), which appears to have been written in Sweden, uses a variety of e-mail subject lines and message bodies to try to encourage computer users to run its viral attachment.

The subject lines and message bodies appear in both English and Swedish, and include:

Subject line: Spy pics.

Message text: "Here`s the screensaver i told you about. It contains pictures taken by one of the US spy satellites during one of it`s missions over iraq. If you want more of these pic`s you know where you can find me. Bye!"

Subject line: GO USA !!!!

Message text: "This screensaver animates the star spangled banner. Please support the US administration in their fight against terror. Thanx a lot!"

Subject line: G.W Bush animation.

Message text: "Here`s the animation that the FBI wants to stop. Seems like the feds are trying to put an end to peoples right to say what they think of the US administration. Have fun!"

Subject line: Is USA always number one?

Message text: "Some misguided people actually believe that an american life has a greater value than those of other nationalities. Just have a look at this pathetic screensaver and then you`ll know what i`m talking about. All the best."

"At a time of international crisis it is understandable that computer users will be interested in finding out the latest news from the Middle East, and many may be tempted to share breaking news with their friends and colleagues via e-mail," said Brett Myroff, CEO of NetXactics, the Southern African distributor for Sophos.

"The author of this virus is exploiting interest in current affairs by deliberately presenting his virus in this way. The message to users is simple: be suspicious of all unsolicited e-mails."

In a bizarre twist, the author of W32/Ganda-A claims to have a grievance with the Swedish educational system. Hidden inside the virus is the following text:

[WORM.SWEDENSUX] Coded by Uncle Roger in Härnösand, Sweden, 03.03. I am being discriminated by the swedish schoolsystem. This is a response to eight long years of discrimination.

"We don't know what Uncle Roger's problem is with the school system in Sweden," continued Myroff. "But whatever his problem is, a worm is not an appropriate way to complain about it."

Sophos recommends that companies consider blocking all Windows programs at their e-mail gateway. It is rarely necessary to allow users to receive programs via e-mail from the outside world. There is so little to lose, and so much to gain, simply by blocking all mailed-in programs, regardless of whether they contain viruses or not. Sophos MailMonitor for SMTP (http://www.sophos.com/products//mailmonitor/mmsmtp.html) not only detects known viruses but also contains proactive threat reduction technology which can help businesses block dangerous filetypes and executable code at the e-mail gateway.
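A sketch of the gateway policy recommended above, added here as an illustration and not taken from Sophos or any of its products: it refuses any attachment that is a Windows program, judged by final file extension or by the `MZ` executable header, without consulting virus signatures. The extension list, function names, addresses and sample attachments are assumptions constructed for the example.

```python
import email
from email.message import EmailMessage

# Assumed block list: extensions Windows runs directly. A .scr "screensaver"
# is an ordinary executable, which is why the lure works.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def blocked_attachments(raw_message: bytes):
    """Return (filename, reason) for every MIME part a gateway should refuse."""
    findings = []
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Windows ignores trailing dots and spaces, so strip them before testing.
        name = (part.get_filename() or "").rstrip(". ")
        payload = part.get_payload(decode=True) or b""
        # Only the final extension counts, so "photo.jpg.scr" is still caught.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension " + ext))
        elif payload[:2] == b"MZ":
            # DOS/PE header: a program whatever its name or declared MIME type.
            findings.append((name or "(unnamed)", "MZ executable header"))
    return findings


def build_sample(filename, content, maintype="application", subtype="octet-stream"):
    """Build a constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Spy pics."
    m.set_content("Here is the screensaver I told you about.")
    m.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_program = b"MZ" + b"\x00" * 32  # constructed: header bytes only, not a real program
    for fname, data in [("sample.scr", fake_program),
                        ("photo.jpg", fake_program),
                        ("report.pdf", b"%PDF-1.4 constructed")]:
        print(fname, "->", blocked_attachments(build_sample(fname, data)) or "deliver")
```

Because the decision rests on file type alone, a message like the ones quoted above is stopped before any signature for the worm exists.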

Sophos customers who have kept their anti-virus software up-to-date are automatically protected against W32/Ganda-A. Users of other anti-virus products are advised to update their software.