Technology Stocks : Symantec (SYMC) - What does it look like?

To: Elmer Flugum who wrote (1684)
From: Elmer Flugum
Date: 12/4/1999 7:20:00 PM
 
New Disguise for Infection of Computers

nytimes.com

The first of what experts fear could be many malicious software programs
masquerading as the Year 2000 computer problem began spreading on
Thursday. The new program hides on hard drives, poised to begin
destroying data on Jan. 1.

The program, which is technically known as a computer worm, has been named
W32.Mypics.Worm by anti-virus researchers. The researchers said Friday that the
worm had already made its way into the networks of some corporate clients,
though they would not identify them.

Several anti-virus companies reported that they had already released code that
identifies and eliminates the program.

Like two recent worms, Melissa and Explore, and their variants, the new worm
spreads by pretending to be e-mail from an acquaintance. Unlike the Explore worm,
however, it cannot attack a computer or data unless the recipient opens a file sent
as an attachment.

But the most crucial difference with this worm is that it is designed to attack its
host computer on New Year's Day, when many people will be expecting a variety
of computer-related disruptions as a result of the so-called Y2K problem.

"There is so much media attention about Y2K problems that this is a great way to
disguise a malicious program," said Marian Merritt, group product manager for
anti-virus products at the Symantec Corporation.

This kind of malicious program has been long anticipated. In background meetings
with reporters and analysts earlier this year, anti-virus software developers began
describing a range of possible events in which virus authors were likely to use the
timing of the Year 2000 problem to propagate their handiwork.

The Year 2000 problem is caused by the fact that programmers for many years set
aside only two digits to denote years in software. As a result, programs that have
not been repaired by Jan. 1 will act as if the year is 1900, possibly causing serious
problems throughout the increasingly digital world. Viruses and worms that mimic
the Year 2000 problem actually have nothing to do with flawed year designations.

A number of anti-virus companies said yesterday that they had received reports
about the program and that it had probably first been released in the United States.

Intended for users of Windows-based computers, the worm is transmitted as an
attachment to e-mail that lands in Microsoft's Outlook and Outlook Express e-mail
software. Once it invades a computer, the worm will resend itself to up to 50 people
in the Outlook address book. There is no subject line, and the body of the e-mail
contains the phrase "Here's some pictures for you!"

But the attachment, a file called "pics4you.exe," is actually a small program that
runs when an unsuspecting computer user tries to view the pictures.

"These types of programs really harm the new user," Ms. Merritt said. "Although
an expert user will usually not fall for these tricks, people who are new to
computers are generally unsuspecting."

If the message and the attached file are simply deleted, the program will not harm a
computer, she said.

If the program is run, however, it will mail itself to 50 people in the Outlook address
book, then hide itself in a component of the Windows operating system known as
the registry. The program also resets the home page of users of Microsoft's
Internet Explorer browser to a personal page on the Yahoo Geocities Web site that
until yesterday afternoon contained sexually explicit pictures.

The page was titled "Daves Web Page: Brought to You From the Cave!" Computer
researchers said yesterday that they were not certain why that particular page had
been chosen, though one said it was possible that the virus author simply wanted
to make use of a counter on that page that recorded the number of visitors.

As of noon yesterday, the site had recorded almost 5,000 new visits. Shortly
thereafter, a Yahoo spokesman said, the site had been taken down, but he would
not say whether it had been taken down by the page's owner or by the company.

After infection, each time the computer is turned on, the worm program checks the
date. When it detects Jan. 1 or a later date, it executes two separate tasks known as
payloads. The first tries to overwrite the computer's BIOS, or basic input output
statement, memory, a small permanent storage area that contains the instructions
the computer follows when it boots. These are necessary for everything from
running a modem or printer to finding the operating system on a hard drive.

Once that happens, the computer when next turned on will refuse to start. Instead,
it will display a message like "CMOS Checksum Invalid."

Many of today's computers protect the BIOS from this type of vandalism, but the
worm's second form of attack is more malicious: it overwrites a Windows start-up
file named autoexec.bat with a file of the same name that causes the operating
system to reformat the hard drive, or C drive, and any second hard drive or other
storage device designated as the D drive. This destroys all programs and data on
the computer.

"We are very concerned about the time delay built in to this program," said
Narender Mangalan, director of security for Computer Associates in Islandia, N.Y.,
the maker of McAfee anti-virus products.

He said that because both the date trigger and the use of e-mail address books by
viruses and worms were increasingly popular trends, the company had released a
program known as a variant analyzer that tries to find programs that are similar to
existing viruses and worms.

And the variations are likely to grow quickly between Christmas and New Year's
Day. Traditionally, Ms. Merritt said, the number of viruses and worms tends to
increase during and after school holidays, when students, who are the most
frequent authors of malicious programs, have more free time to devote to their
illicit hobbies.
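An added example, not part of the original post or the quoted article: a mail-gateway style check for the message traits the article describes (no subject line, the quoted body phrase, an attachment named pics4you.exe), extended to flag any attachment whose bytes begin with the DOS/PE executable signature "MZ" regardless of its file name. The function names, verdict labels, scoring policy and sample messages are assumptions constructed for illustration.

```python
from email.message import EmailMessage

# Indicators quoted in the article above.
BODY_PHRASE = "here's some pictures for you!"
ATTACHMENT_NAME = "pics4you.exe"

def build_sample(subject, body, filename=None, payload=b""):
    """Build a constructed test message (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

def indicators(msg):
    """Return the list of traits from the article that this message shows."""
    found = []
    if not (msg.get("Subject") or "").strip():
        found.append("empty-subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if BODY_PHRASE in body.lower():
        found.append("body-phrase")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        data = part.get_payload(decode=True) or b""
        if name == ATTACHMENT_NAME:
            found.append("attachment-name")
        # Generalization: trust the bytes, not the name. DOS/PE files start "MZ".
        if data[:2] == b"MZ":
            found.append("executable-content")
    return found

def verdict(msg):
    """Hypothetical policy: block executables, hold look-alike messages."""
    found = indicators(msg)
    if "executable-content" in found or "attachment-name" in found:
        return "quarantine"
    return "review" if len(found) >= 2 else "deliver"

if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x00" * 62  # constructed header stub, not real code
    print(verdict(build_sample("", "Here's some pictures for you!", "pics4you.exe", fake_exe)))
    print(verdict(build_sample("Holiday", "See attached", "photos.jpg", fake_exe)))
    print(verdict(build_sample("Lunch", "Noon works for me")))
```
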