Information Security News mailing list archives

Warnings issued about new 'WTC' virus


From: InfoSec News <isn () c4i org>
Date: Wed, 26 Sep 2001 03:45:07 -0500 (CDT)

http://www.computerworld.com/storyba/0,4125,NAV47_STO64195,00.html

By DAN VERTON 
September 24, 2001

Security experts today issued a warning about a dangerous new virus
that is spread via e-mail and takes advantage of people's curiosity
and interest in the recent terrorist attack against the U.S. and the
political fallout between Muslims and non-Muslims.

Officials at antivirus vendor Trend Micro Inc. in Cupertino, Calif.,
said companies should be on the lookout for the "WTC.exe" virus, which
arrives via an e-mail attachment and carries malicious code that
reformats the recipient PC's hard drive, deletes files and attempts to
eliminate the system's antivirus protection software.

The virus comes almost two weeks after the Sept. 11 terrorist attacks
against the World Trade Center (WTC) and the Pentagon and uses social
engineering to prey on individuals' natural curiosity about the
attacks. The subject line of the e-mail carrying the virus is known to
read "FW: Peace between America and Islam," according to Susan Orbuch,
a spokeswoman for Trend Micro. Likewise, the body of the message
reads, "Hi, Is it a war against America or Islam. Lets Vote to live in
peace."

The attacks against the Trade Center and Pentagon have been linked to
international terrorist Osama bin Laden, who has declared a jihad, or
Islamic holy war, against the U.S. Since then, Muslim-American
religious leaders and other political leaders, including President
Bush, have gone out of their way to inform people that bin Laden and
his extremist terrorist organization don't represent the beliefs of
Islam or of the Muslim world in general.

So far, Trend Micro has received only spot reports of infections, said
Orbuch.

However, "the timely social engineering of this virus leads us to
believe that it has a high likelihood of spreading," she said.
"Corporations should be using content filters ... to block executables
at the gateway so folks don't even have a chance to open these
things."

The name of the virus is TROJ_VOTE.A. Preliminary analysis by Trend
Micro indicates that it was created using Visual Basic 5 and uses the
Microsoft Outlook address book to propagate. In addition to
reformatting the user's hard drive, the virus deletes certain AV
files, installs a file called Zacker.vbs, modifies the Internet
Explorer start-up page and modifies the user's autoexec.bat file to
include a command to reformat drive C.

Jack Danahy, senior vice president of server security at WatchGuard
Technologies Inc. in Seattle, said the new virus is similar to the "I
Love You" virus because it first sends a copy of itself to everybody
in the recipient's e-mail address book.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

