Baba worm pretends to clean up PCs

The latest version of the Baba worm claims to clean porn off PCs, but it's just a 'dirty trick', say antivirus experts

Written by Dan Ilett, Contributor

Antivirus companies have found a mass-mailing worm that tries to spread by fooling users into believing that they have pornographic content on their PCs.

The Baba-C worm travels by email and includes the message "Windows Evidence Checker has found XXX material on your computer", but does not actually look for porn. The email claims that a user can clear their PC of this material by running a program called "Evidence Cleaner", attached to the mail. When activated, this program runs malicious code that gives hackers access to the user's data.

"Many people are worried about the adult material that inhabits areas of the Internet, and don't want it to reach their PC," said Graham Cluley, senior technology consultant for Sophos. "It's also clear that the Internet is widely used for accessing hardcore sexual material. Either way, many people want to ensure that their PC contains no evidence of pornographic content, and may be tempted to follow this email's instructions if they receive this worm. The Baba-C worm uses a dirty trick."

Sophos said that the email carrying the worm has the following characteristics:

"Subject: Important! XXX sites found on your computer!

Message body:

Windows Evidence Checker has found XXX content on your computer.
You can hide your activities with Evidence Cleaner service. To run Evidence Cleaner click to quick shortcut attached.
Warning! Your copy of Evidence Cleaner will be expired after 7 days. Today you can register for FREE. Please check attached instructions for more details."

By Thursday morning, Sophos had seen only a small number of copies of Baba-C.
