
New voyeuristic virus and Sasser returns

By Damian Clarkson, ITWeb junior journalist
Johannesburg, 24 Aug 2004

Two new viruses - a worm that potentially allows a virus author remote access to Webcams, and the latest Sasser variant that delivers a version of the Netsky virus - have surfaced on the .

While neither is particularly prevalent at the moment, users are urged to ensure their anti-virus (AV) is up to date, as both worms carry a relatively low trace of infection, industry experts warn.

The Webcam worm - labelled Rbot-GR by AV vendor Sophos - could infect a PC without the user even knowing, says Brett Myroff, CEO of local Sophos distributor Netxactics. "Unless you are technically proficient, or are using your AV to seek it out, it could be very difficult to know."

Similarly, the Sasser variant is also fairly hidden, says Ivor Rankin, Symantec technical and SE manager for Middle East and Africa. "It infects machines almost invisibly. Like other Sasser variants, the user doesn't have to do anything to get infected."

Remote control

Myroff says the Rbot worm works much like a normal Trojan. "Basically, it comes as an e-mail with an attachment and, once opened, it infects the PC. What is different about this worm is that it contains a piece of code that allows the virus author to activate the Webcam, provided it is plugged in."

Myroff says this could have numerous implications, though invasion of privacy remains the key aspect. "In the workplace, this worm opens up the possibilities of industrial espionage. At home, it is equivalent to a Peeping Tom who invades your privacy by peering through your curtains."

While it is not the first such worm to allow remote control of users' computers - a program called Back Orifice allowed similar access to computers in the late 1990s - it is the first of its kind with the ability to spread itself.

Although Rbot has not been widespread, there remains a that hackers could build a more destructive variant, says Myroff. "Yes, there is potentially a risk. That seems to be the aim of virus writers: to do the most damage. But I think this is more of a voyeur type of Trojan."

Rankin agrees that a degree of voyeurism is the most likely aim of such a worm. "I can't accurately speculate on what the author's intentions are, but there does not seem to be any real information that can be gained from this. So one can only imagine that the author is a voyeur to some degree."

Sasser attack

Rankin says the Sasser variant exploits a Microsoft vulnerability and spreads randomly by actively seeking out vulnerable computers. What is significant is that the variant also carries a version of another worm within its coding, says Rankin. "It also delivers the W32.Netsky.AC mass mailing worm."

Although the current distribution of the worm is low, Rankin warns that the potential impact could be high. "Windows 2000 and XP users will be most affected."

If a user is running a firewall, Rankin suggests they not allow any unauthorised connection to TCP port 445.

Patches for both viruses are already available.
