Worm tracks down child porn
The worm dubbed "Noped", encrypted as Visual Basic Script (VBS) code, arrives as an attachment to an email entitled "FWD: Help us all to end illegal child porn now." Once executed, the virus searches all hard drives for JPEG files possessing names that indicate they may contain child pornography.
"Noped" comes bundled with a list of government and police e-mail addresses that it will send a random alert to if it discovers a match for one or more of the JPEG file names listed in the script. The attached file is named "END ILLEGAL child porn NOW.TXT...vbs", with a string of a dozen dots helping to obscure the fact that it ends with the executable ".vbs" extension and not ".TXT". The worm also displays a lengthy document detailing what it claims are international laws concerning child pornography.
But police inspector Terry Jones, of Manchester Police's Obscene Publications Unit, has confirmed that British police departments will not be responding to the worm alerts, as the reports would fail to meet evidence standards. "This is not an approach that we would advocate, as child pornography is a delicate area to investigate, and we must have reasonable cause to suspect our evidence has been gathered ethically."
Antivirus company Symantec is reporting that the virus only offers a level two threat, and that it expects to see less than a hundred infections reported. "The virus is currently not that wild--companies should have updated their virus definitions by now, so that if it spreads, they will be safe," said Andre Post, researcher at Symantec.
Noped appears less malicious than the prolific Homepage worm that infected scores of companies earlier this month. Like Noped, Homepage was written in Visual Basic script. When launched, the Homepage attachment automatically forwarded the same email to all the people in a victim's address book, and simultaneously opened one of four pornographic Web pages on the person's computer.