Home & Office
'Goner' worm spreading fast
Business security measures slow the spread of the worm attack, but it is expected to make a comeback over the next two days
The "Pentagone" worm spread quickly on Tuesday, but slowed near the end of the day, as companies took measures to prevent infections.
Antivirus experts expected infections of the Visual Basic Script program--also known as "Goner" and "Gone" -- to surge again on Wednesday when employees and home PC users open email that may be infected, thus allowing the spread of the virus to continue.
"With a consumer attack, (the infection rate) goes higher for a couple of days and then goes down," said Vincent Weafer, senior director of Symantec Security Response. The BadTrans.B worm followed just such a trend, peaking during the day, with each peak rising higher for the next three days.
The worm affects only computers running Microsoft Windows and spreads through Outlook email clients. Macs and computers running Linux or other Unix-like operating systems are unaffected.
By late Tuesday afternoon, Symantec had received more than 1,000 reports of Pentagone worm infections -- each report representing anywhere from a single user to an entire company.
Email service provider MessageLabs intercepted more than 39,000 Pentagone-infected emails Tuesday, a much larger haul than the first four days of December's worst-hitter, BadTrans.B.
"We are kind of seeing it follow the sun at the moment," said Mark Sunner, chief technology officer for MessageLabs. "It has been waiting in in-trays of people coming into work."
The worm arrives in a message with the subject "Hi" and the following text in the body of the email:
How are you?
When I saw this screensaver, I immediately thought about you.
I am in a harry, I promise you will love it! Attached to the message is what appears to be a screensaver file, Gone.scr, a compressed copy of the worm. When the file is opened, Pentagone will infect the victim's PC, attempt to stop a variety of antivirus and security applications and then, if successful, delete all the files in the folders containing those applications. AtGuard's Personal Firewall, ConSeal's PC Firewall, Kaspersky Lab's AVP, Network Associates' McAfee VirusScan, Symantec's Norton Antivirus and Zone Labs' ZoneAlarm are among the programs that the worm attempts to deactivate. The technique fails to eliminate the security in many instances. Zone Labs claims that, while the user interface component of ZoneAlarm may be deleted, the main program will continue to run. "It is really hard to shut us down," said Gregor Freund, president and chief executive for Zone Labs. "These guys are bloody amateurs. At best, they might delete the help system." Next, the worm opens up a dialog box containing its name, Pentagone, and the handles of its creators. The dialog box also includes acknowledgements to other people on the Net, in a style similar to that of online vandals who deface Web sites. The worm then installs a backdoor program linked to mIRC, a popular Internet Relay Chat program. The backdoor can be used to execute denial-of-service attacks against IRC servers. In addition, the virus attempts to spread using email and ICQ. Antivirus software maker Trend Micro has had about 22 corporate customers complain about the virus and has given it a high threat rating. Because Pentagone cons people into opening the infected file just like dozens of previous viruses, David Perry, global director of education for Trend Micro, has concluded that computer users may never be security-conscious enough to avoid getting infected. "Every time enough time goes by that people forget to be wary of these things, it pops up again," he said. "Apparently, we have to resign ourselves to the fact that education doesn't work." Such PC users are a weak link, through which company networks can be attacked, said Mitch Bartlett, a technical analyst for computing services at business-information provider SPSS. "It hit, and our exchange server actually blocked it because we have antivirus software," he said. "The people who got it were those who were getting their personal mail and their Web mail." Telecommuters and employees checking their personal email infected their work PCs with the worm, which then inundated the internal network with more mail. By the end of the day, Bartlett said, the company had Pentagone under control. "It is no longer troubling us; we have cleaned out everybody," he said. "But I am sure someone will get it tomorrow." Pentagone isn't the only virus spreading significantly. Variants of the Nimda virus and a variant of the BadTrans virus are topping virus charts this month. For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section. For everything Internet-related, from the latest legal and policy-related news, to domain name updates, see ZDNet UK's Internet News Section. Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum. Let the editors know what you think in the Mailroom. And read other letters.
When I saw this screensaver, I immediately thought about you.
I am in a harry, I promise you will love it! Attached to the message is what appears to be a screensaver file, Gone.scr, a compressed copy of the worm. When the file is opened, Pentagone will infect the victim's PC, attempt to stop a variety of antivirus and security applications and then, if successful, delete all the files in the folders containing those applications. AtGuard's Personal Firewall, ConSeal's PC Firewall, Kaspersky Lab's AVP, Network Associates' McAfee VirusScan, Symantec's Norton Antivirus and Zone Labs' ZoneAlarm are among the programs that the worm attempts to deactivate. The technique fails to eliminate the security in many instances. Zone Labs claims that, while the user interface component of ZoneAlarm may be deleted, the main program will continue to run. "It is really hard to shut us down," said Gregor Freund, president and chief executive for Zone Labs. "These guys are bloody amateurs. At best, they might delete the help system." Next, the worm opens up a dialog box containing its name, Pentagone, and the handles of its creators. The dialog box also includes acknowledgements to other people on the Net, in a style similar to that of online vandals who deface Web sites. The worm then installs a backdoor program linked to mIRC, a popular Internet Relay Chat program. The backdoor can be used to execute denial-of-service attacks against IRC servers. In addition, the virus attempts to spread using email and ICQ. Antivirus software maker Trend Micro has had about 22 corporate customers complain about the virus and has given it a high threat rating. Because Pentagone cons people into opening the infected file just like dozens of previous viruses, David Perry, global director of education for Trend Micro, has concluded that computer users may never be security-conscious enough to avoid getting infected. "Every time enough time goes by that people forget to be wary of these things, it pops up again," he said. "Apparently, we have to resign ourselves to the fact that education doesn't work." Such PC users are a weak link, through which company networks can be attacked, said Mitch Bartlett, a technical analyst for computing services at business-information provider SPSS. "It hit, and our exchange server actually blocked it because we have antivirus software," he said. "The people who got it were those who were getting their personal mail and their Web mail." Telecommuters and employees checking their personal email infected their work PCs with the worm, which then inundated the internal network with more mail. By the end of the day, Bartlett said, the company had Pentagone under control. "It is no longer troubling us; we have cleaned out everybody," he said. "But I am sure someone will get it tomorrow." Pentagone isn't the only virus spreading significantly. Variants of the Nimda virus and a variant of the BadTrans virus are topping virus charts this month. For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section. For everything Internet-related, from the latest legal and policy-related news, to domain name updates, see ZDNet UK's Internet News Section. Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum. Let the editors know what you think in the Mailroom. And read other letters.