NYT worm story
- This was in the NY Times.
I thought this was a good occasion for your SACC computer guru to remind you
to check your PC and software for Y2K compliance and to be sure that your
anti-virus files are up to date.
New Disguise for Infection of Computers
By JOHN MARKOFF
The first of what experts fear could be many malicious
software programs masquerading as the Year 2000 computer problem began
spreading on Thursday. The new program hides on hard drives, poised to begin
destroying data on Jan. 1.
The program, which is technically known as a computer worm,
has been named W32.Mypics.Worm by anti-virus researchers. The researchers
said Friday that the worm had already made its way into the networks of some
corporate clients, though they would not identify them.
Several anti-virus companies reported that they had already
released code that identifies and eliminates the program.
Like two recent worms, Melissa and Explore, and their
variants, the new worm spreads by pretending to be e-mail from an
acquaintance. Unlike the Explore worm, however, it cannot attack a computer
or data unless the recipient opens a file sent as an attachment.
But the most crucial difference with this worm is that it is
designed to attack its host computer on New Year's Day, when many people
will be expecting a variety of computer-related disruptions as a result of
the so-called Y2K problem.
"There is so much media attention about Y2K problems that
this is a great way to disguise a malicious program," said Marian Merritt,
group product manager for anti-virus products at the Symantec Corporation.
This kind of malicious program has been long anticipated. In
background meetings with reporters and analysts earlier this year,
anti-virus software developers began describing a range of possible events
in which virus authors were likely to use the timing of the Year 2000
problem to propagate their handiwork.
The Year 2000 problem is caused by the fact that programmers
for many years set aside only two digits to denote years in software. As a
result, programs that have not been repaired by Jan. 1 will act as if the
year is 1900, possibly causing serious problems throughout the increasingly
digital world. Viruses and worms that mimic the Year 2000 problem actually
have nothing to do with flawed year designations.
A number of anti-virus companies said yesterday that they
had received reports about the program and that it had probably first been
released in the United States.
Intended for users of Windows-based computers, the worm is
transmitted as an attachment to e-mail that lands in Microsoft's Outlook and
Outlook Express e-mail software. Once it invades a computer, the worm will
resend itself to up to 50 people in the Outlook address book. There is no
subject line, and the body of the e-mail contains the phrase "Here's some
pictures for you!"
But the attachment, a file called "pics4you.exe," is
actually a small program that runs when an unsuspecting computer user tries
to view the pictures.
"These types of programs really harm the new user," Ms.
Merritt said. "Although an expert user will usually not fall for these
tricks, people who are new to computers are generally unsuspecting."
If the message and the attached file are simply deleted, the
program will not harm a computer, she said.
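As an added example (not from the article, and not anyone's product code), here is a small Python mail filter that flags messages showing the traits the article attributes to this worm: no subject line, the body phrase "Here's some pictures for you!", and an attachment named pics4you.exe. The two sample messages are constructed inline so it runs offline.

```python
# Added example: flag mail matching the W32.Mypics.Worm traits described in
# the article (empty subject, the body phrase, a pics4you.exe attachment).
# The sample messages and sender/recipient addresses below are constructed.
import email
from email import policy
from email.message import EmailMessage

BODY_PHRASE = "here's some pictures for you!"
ATTACHMENT_NAME = "pics4you.exe"


def mypics_indicators(raw: str) -> list[str]:
    """Return the indicators found in one raw RFC 822 message, in a fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if BODY_PHRASE in text.lower():
        hits.append("body-phrase")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("pics4you-attachment")
        elif name.endswith(".exe"):
            hits.append("exe-attachment")  # any executable attachment is worth a look
    return hits


def build_sample(subject: str, body: str, attach_name: str) -> str:
    """Construct a test message; the attachment bytes are a dummy stub, not real code."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "you@example.com"
    if subject:
        m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()


WORM_SAMPLE = build_sample("", "Here's some pictures for you!", "pics4you.exe")
BENIGN_SAMPLE = build_sample("Holiday photos", "Attached as promised.", "trip.jpg")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, mypics_indicators(raw))
```

Only the pics4you.exe name is specific to this worm; the other two indicators are weak on their own and are reported so a mail administrator can weigh them together.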
If the program is run, however, it will mail itself to 50
people in the Outlook address book, then hide itself in a component of the
Windows operating system known as the registry. The program also resets the
home page of users of Microsoft's Internet Explorer browser to a personal
page on the Yahoo Geocities Web site that until yesterday afternoon
contained sexually explicit pictures.
The page was titled "Daves Web Page: Brought to You From the
Cave!" Computer researchers said yesterday that they were not certain why
that particular page had been chosen, though one said it was possible that
the virus author simply wanted to make use of a counter on that page that
recorded the number of visitors.
As of noon yesterday, the site had recorded almost 5,000 new
visits. Shortly thereafter, a Yahoo spokesman said, the site had been taken
down, but he would not say whether it had been taken down by the page's
owner or by the company.
After infection, each time the computer is turned on, the
worm program checks the date. When it detects Jan. 1 or a later date, it
executes two separate tasks known as payloads. The first tries to overwrite
the computer's BIOS, or basic input output statement, memory, a small
permanent storage area that contains the instructions the computer follows
when it boots. These are necessary for everything from running a modem or
printer to finding the operating system on a hard drive.
Once that happens, the computer when next turned on will
refuse to start. Instead, it will display a message like "CMOS Checksum
Many of today's computers protect the BIOS from this type of
vandalism, but the worm's second form of attack is more malicious: it
overwrites a Windows start-up file named autoexec.bat with a file of the
same name that causes the operating system to reformat the hard drive, or C
drive, and any second hard drive or other storage device designated as the D
drive. This destroys all programs and data on the computer.
"We are very concerned about the time delay built into this
program," said Narender Mangalan, director of security for Computer
Associates in Islandia, N.Y., the maker of McAfee anti-virus products.
He said that because both the date trigger and the use of
e-mail address books by viruses and worms were increasingly popular trends,
the company had released a program known as a variant analyzer that tries to
find programs that are similar to existing viruses and worms.
And the variations are likely to grow quickly between
Christmas and New Year's Day. Traditionally, Ms. Merritt said, the number of
viruses and worms tends to increase during and after school holidays, when
students, who are the most frequent authors of malicious programs, have more
free time to devote to their illicit hobbies.