NakedWife virus spreads from US military

A virus advertising itself as an e-mailed photo of someone's wife has started infecting computers in Europe and the United States and may have started spreading from the US military, according to antivirus experts.

Four different antivirus software companies have reported that at least 68 organisations have computers infected by the virus.

"At the onset, (those infected were) strictly military," said Patrick Nolan, an antivirus researcher with McAfee's Antivirus Emergency Research Team, adding that three of the 18 organisations so far infected with the virus were part of the US military.

Rival software maker Trend Micro said that of its first three customers reporting the virus, one had been military. As of Tuesday morning, Trend had a total of ten corporate and military customers -- all in the US -- reporting the virus. Antivirus company Symantec said it had 30 organizations report infections.

The virus, known as a Trojan horse because it poses as a seemingly harmless e-mail attachment, appears as an attachment called "NakedWife.exe" in an e-mail from a known person with the subject line "FW: Naked Wife" and the following in the body of the message:

My wife never looked like that :) Best Regards, (sender's Outlook username).

If the attachment is opened, NakedWife displays what is apparently a Shockwave Flash window with the logo for online media company JibJab and the word "loading" beneath. While the window is open, the virus deletes any files in the Windows and system directories with DLL, INI, EXE, BMP and COM extensions, removing numerous critical system files.

Because of the text in the window, some antivirus companies refer to the Trojan horse as JibJab. But John Nugent, vice president of production for the company, said, "We have nothing to do with the virus."

The virus also uses Microsoft Outlook to spread, sending itself to everyone listed in the address book including groups. Because it uses mass-mailing techniques, NakedWife is considered a worm as well.

After sending the e-mail, the virus displays a dialog box titled "Flash" and the contents, "You're now F***ED! ©2001 by BGK (Bill Gates Killer)."

While initial reports of infections came from military organisations, Nolan said there could be other explanations.

"It is not known at this time if it originated with the military," he said. "It may be that the first person to be infected knew someone in the military."

The spread of Trojan horses seems to indicate that despite warnings and high-profile outbreaks such as the AnnaKournikova virus, a small number of people are still more than willing to open attachments, said Susan Orbuch, spokeswoman for Trend Micro.

"Maybe for viruses, social engineering is more effective than new technology," she said.

Trend Micro, Symantec and McAfee planned to post updated virus definitions to detect the virus on their sites later in the day.

Computer services company Computer Associates said 10 of its corporate customers had also reported infections but would not discuss whether any customers were military.

Take me to Hackers

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read what others have said.