X-rated 'Homepage' worm dying out

"It has gone through the Asia-Pacific (region), then Europe and now America," said Alex Shipp, chief antivirus technologist for e-mail service provider MessageLabs. "But now it is essentially over."

By late Wednesday morning PDT, Shipp said, the Gloucester, U.K.-based company was seeing 1,500 infected e-mail messages every hour--about half the volume at the peak eight hours earlier.

Though the worm wasn't waning as fast as previous self-spreading programs, such as the AnnaKournikova virus and the LoveLetter worm, Homepage seems to be on its way out, he said.

In total, MessageLabs deleted more than 23,000 copies of the virus from incoming e-mail, Shipp said.

Created by a newer version of the worm-generating toolkit that spawned the AnnaKournikova worm, Homepage arrives in a person's in-box, apparently from a known friend or colleague, with the subject line "Homepage" and the message:
Hi! You've got to see this page! It's really cool ;O)

The worm is attached as the file "HOMEPAGE.HTML.VBS." In some e-mail programs, it may appear without the VBS extension designating it as a program written in Microsoft's Visual Basic language, leading people to believe that the attached file is a Web page.

The attached file is not an HTML document but a malicious Visual Basic script. Once executed, the script will forward the same e-mail to all the people in a victim's address book and automatically open one of four pornographic Web pages on the person's computer.

Virus watchers said the malicious e-mail attachment uses code similar to that of the Kournikova worm, which spread quickly around the world in February by encouraging victims to click on a supposed picture of Russian tennis star Anna Kournikova.

At its peak, the Anna virus accounted for one out of every 200 e-mails processed by MessageLabs. The Homepage worm accounted for one out of every 55 e-mails but fell short of the one out of every 28 e-mails for which the LoveLetter virus was responsible.

Graham Cluley, head of research at British antivirus company Sophos, said the new worm illustrates that people need to be alert to the danger of e-mail attachments. "It's not even a particularly clever bit of social engineering," he says. "It just says, 'this is cool.'"

The new e-mail worm, known to virus experts as VBS.VBSWG2, infected hundreds of companies Tuesday and Wednesday, according to antivirus firms.

According to experts, the worm will not cause damage to the computer system that receives the initial e-mail but could bring down corporate mail servers by sending out thousands of copies of itself.

Antivirus software maker Symantec said Tuesday night that more than 30 companies reported receiving the worm. Sophos reported that 40 of its corporate customers were hit, and F-Secure said it received more than 30 reports. Wednesday morning, security services company Network Associates said 50 corporate clients had seen the virus worldwide, and antivirus firm Trend Micro pegged its affected business customers at 22.

What is most disturbing about the success of the Homepage worm, according to antivirus experts, is that many companies are still not blocking Visual Basic attachments from entering their systems--a step they could easily take using basic filtering technology.

Despite that, the rate at which the worm infects new victims seems to be slowing, said Vincent Gullotto, director of Network Associates' antivirus emergency response team.

"We haven't seen many more copies this morning," he said.

ZDNet UK's Will Knight contributed from London.