Homepage worm dies out

Summary:The worldwide flood of emails caused by the virus is starting to dry up, say antivirus experts, less than 24 hours after the malicious attachment first went out

The worldwide flood of emails caused by the virus is starting to dry up, say antivirus experts, less than 24 hours after the malicious attachment first went out

Less than 24 hours after the Homepage worm started spreading, the surge of email created by the infectious computer code has started to subside, antivirus experts said Wednesday.

"It has gone through the Asia-Pacific [region], then Europe and now America," said Alex Shipp, chief antivirus technologist for email service provider MessageLabs. "But now it is essentially over."

By late Wednesday morning Pacific time, Shipp said, the Gloucester, UK-based company was seeing 1,500 infected email messages every hour -- about half the volume at the peak eight hours earlier.

Though the worm wasn't waning as fast as previous self-spreading programs, such as the AnnaKournikova virus and the LoveLetter worm, Homepage seems to be on its way out, he said.

In total, MessageLabs deleted more than 23,000 copies of the virus from incoming email, Shipp said.

Created by a newer version of the worm-generating toolkit that spawned the AnnaKournikova worm, Homepage arrives in a person's in-box, apparently from a known friend or colleague, with the subject line "Homepage" and the message: "Hi! You've got to see this page! It's really cool ;O)".

The worm is attached as the file "HOMEPAGE.HTML.VBS." In some email programs, it may appear without the VBS extension designating it as a program written in Microsoft's Visual Basic language, leading people to believe that the attached file is a Web page.

The attached file is not an HTML document but a malicious Visual Basic script. Once executed, the script will forward the same email to all the people in a victim's address book and automatically open one of four pornographic Web pages on the person's computer.

Virus watchers said the malicious email attachment uses code similar to that of the Kournikova worm, which spread quickly around the world in February by encouraging victims to click on a supposed picture of Russian tennis star Anna Kournikova.

At its peak, the Anna virus accounted for one out of every 200 emails processed by MessageLabs. The Homepage worm accounted for one out of every 55 emails but fell short of the one out of every 28 emails for which the LoveLetter virus was responsible.

Graham Cluley, head of research at British antivirus company Sophos, said the new worm illustrates that people need to be alert to the danger of email attachments. "It's not even a particularly clever bit of social engineering," he says. "It just says, 'this is cool.'"

The new email worm, known to virus experts as VBS.VBSWG2, infected hundreds of companies Tuesday and Wednesday, according to antivirus firms.

According to experts, the worm will not cause damage to the computer system that receives the initial email but could bring down corporate mail servers by sending out thousands of copies of itself.

Antivirus software maker Symantec said Tuesday night that more than 30 companies reported receiving the worm. Sophos reported that 40 of its corporate customers were hit, and F-Secure said it received more than 30 reports. Wednesday morning, security services company Network Associates said 50 corporate clients had seen the virus worldwide, and antivirus firm Trend Micro pegged its affected business customers at 22.

What is most disturbing about the success of the Homepage worm, according to antivirus experts, is that many companies are still not blocking Visual Basic attachments from entering their systems -- a step they could easily take using basic filtering technology.

Despite that, the rate at which the worm infects new victims seems to be slowing, said Vincent Gullotto, director of Network Associates' antivirus emergency response team.

"We haven't seen many more copies this morning," he said.

ZDNet UK's Will Knight contributed to this report.

Take me to the Virus Workshop

Is your PC safe? Find out at the Hackers News Special.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Topics: Tech Industry

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.