Sophos downplays 'panda' virus

Security vendor claims "very few" incidents of the malware infecting systems have been reported.

Security vendor Sophos has clarified that a new virus, which supposedly originated in the Chinese state of Shanghai and is reportedly making its rounds worldwide, is not as widespread as Chinese officials initially thought.

According to the earlier this week, the malware mainly attacked Chinese-language Windows PCs.

The Shanghai Information Technology Service Center assigned a five-star rating to the malware--dubbed worm.whboy--due to the threat to local area networks in government bureaus and companies. Kingsoft Corp, a Beijing-based antivirus company, reported that the virus had infected computers in over 1,000 companies, mostly multinational ones.

However, Sophos said in a media statement Friday that there were "very few reports of the malware being seen in the wild". The vendor has named the malware variants W32/Fujacks-I and W32/Fujacks-J.

Paul Ducklin, head of technology of the Asia-Pacific region at Sophos, told ZDNet Asia in an e-mail that while the virus has been reported to affect Chinese language systems, Windows PCs with English language capabilities are also vulnerable.

Ducklin explained that the virus has the ability to spread rapidly in a PC by latching onto .exe files, and can also infect other PCs through network-sharing and removable devices such as USB keys, music players and network cameras. The malware "creates a hidden AUTORUN file on removable devices" in an attempt to spread the virus automatically when an infected device is inserted into another PC, he added.

"By default, Windows does not enable AUTORUN for regular USB keys," Ducklin noted. "However, so-called 'U3' USB keys, commonly used as portable software repositories, pretend to be CD drives when they are inserted so that AUTORUN does work for these devices."
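To check a removable device for the AUTORUN mechanism described above, the following Python code (an added example, not from the article or from Sophos) parses an `autorun.inf` for entries that launch a program and reports whether the file carries the Windows hidden attribute. The sample file contents and the name `example.exe` are constructed and are not taken from the Fujacks malware.

```python
import os

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit for "hidden"
# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEYS = ("open", "shellexecute")

def launch_directives(inf_text):
    """Return (key, command) pairs from [autorun] that start a program."""
    found, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # shell\<verb>\command adds a context-menu action that runs a program.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value.strip()))
    return found

def audit_drive_root(root):
    """Look for autorun.inf in root; return None if absent, else a report."""
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        path = os.path.join(root, name)
        # st_file_attributes exists only on Windows; elsewhere treat as 0.
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
        return {"path": path,
                "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                "launches": launch_directives(text)}
    return None

# Constructed sample, not taken from the malware described in the article.
SAMPLE = """; constructed example
[AutoRun]
open=example.exe
shell\\Auto\\command=example.exe
icon=drive.ico
"""

if __name__ == "__main__":
    print(launch_directives(SAMPLE))
```

A hidden `autorun.inf` with launch entries on a device that is not a software installer is worth investigating before the device is used on another PC.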

In spite of the nature of infection, the Fujacks malware is unlikely to lead to a "pandemic" because it is easy to spot systems that have been infected with the virus, said Graham Cluley, senior technology consultant at Sophos.

He explained that the virus changes the icons of .exe files to images of pandas burning joss-sticks and that some infected files are unable to work, so PCs need to be disinfected before the programs can be used. "That makes infection rather obvious," Cluley said.

"We have had one or two reports of infected PCs from Asia, but there is no evidence of any sort of 'devastating' outbreak--at least amongst business users--as suggested elsewhere," he noted.