| Chris Fowler on Fri, 1 Dec 2000 12:43:29 +0200 |
| Pro-Linux Virus |
Anybody seen this one yet?
http://www.msnbc.com/news/496999.asp?cp1=1
Pro-Linux virus infecting companies
'Polite' bug includes repair instructions; has hit four
firms
By Bob Sullivan
MSNBC
Nov. 30 - A computer virus that poses as a
Shockwave movie and urges victims to
install the Linux operating system has
infected at least four Fortune 500
companies according to antivirus firms.
Known as "Prolin," or pro-Linux, the bug
politely places instructions on how to
recover from infections on the victim's
computer. Experts are concerned that it
might spread quickly around the Internet.
IT'S UNCLEAR HOW risky Prolin is:
Trend Micro ranks it a high risk, Symantec a
medium, and Network Associates a low.
Still, all three are closely watching the bug,
which appears to have been written within
the past 24 hours and has already claimed
victims.
It arrives via e-mail with the subject
line: "A great Shockwave flash movie."
The message reads: "Check out this
new flash movie that I downloaded just now
... It's Great
Bye" and the attachment is called
CREATIVE.EXE.
But clicking on that attachment triggers
a series of events in the victim's computer
that amount to an advertisement for the
Linux operating system.
It renames all JPG and ZIP files on the
victim's computer with the appendage
"change atleast now to LINUX." It then
drops a text file called
MESSAGEFORU.TXT, which offers the
following advice:
"Hi, guess you have got the message. I
have kept a list of files that I have infected
under this. If you are smart enough just
reverse back the process. i could have done
far better damage, i could have even
completely wiped your harddisk. Remember
this is a warning & get it sound and clear... -
The Penguin."
The Linux mascot is a penguin.
According to Trend Micro public education
director David Perry, the bug hit three large
clients Thursday afternoon. At one, 5,000
copies of the message clogged the firm's mail
server. He said one of the victims was
"a sizeable Internet hosting company," and
added the bug first hit in Paris. He urged
users not to click on any attachment "until
this dies down."
"There is no movie, there is nothing to
be seen," Perry said.
Network Associates and its McAfee
division are rating the bug a low risk, said
researcher Patrick Nolan, because the firm
has so far received only one confirmed
report of a corporate infection.
"But we are watching it," he said.
Symantec has seen four "very large"
clients get the bug, but some of those
reports may overlap with Trend Micro's
reports, since large companies often have
multiple antivirus vendors. Given that the
bug is brand new and already spreading,
Symantec director of antivirus research
Vincent Weafer said it could likely become
a problem.
"It's probably going to spread, but it's
too early to tell," Weafer said.
The bug spreads in Melissa-like
fashion, sending itself to everyone in the
victim's address book. When that's finished,
it apparently calls home and reports in,
sending a note to an e-mail address
presumably owned by the author. The
subject line of that note is "Job complete,"
and the message body says "Got yet
another idiot."
The virus is also known as Creative.exe
and Troj_Shockwave.
--
--------------------------------------------------------------------------
Chris Fowler Work: +27 (12) 307 8242 Fax: +27 (12) 307 7575
Cell: +27 (83) 304 0956
email: chris.fowler@xxxxxxxxx
--------------------------------------------------------------------------
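
Added example, not part of the original post or the MSNBC article: a dry-run planner for undoing the renames the article describes, using only the strings it quotes (the appended text, the JPG/ZIP targets and MESSAGEFORU.TXT). It assumes the appended text sits at the very end of the new file name; the function names are hypothetical.

```python
import os

MARKER = "change atleast now to LINUX"   # appended string, as quoted in the article
TARGET_EXTS = (".jpg", ".zip")           # file types the article says are renamed
NOTE_NAME = "messageforu.txt"            # dropped note, compared case-insensitively


def original_name(name):
    """Return the pre-rename file name, or None if `name` was not renamed.

    Assumption: the marker sits at the very end of the new name, optionally
    separated from the original name by spaces or dots.
    """
    if not name.lower().endswith(MARKER.lower()):
        return None
    candidate = name[: -len(MARKER)].rstrip(" .")
    # Only accept results that look like one of the targeted file types.
    if os.path.splitext(candidate)[1].lower() not in TARGET_EXTS:
        return None
    return candidate


def plan_recovery(root):
    """Walk `root`; return (renames, conflicts, notes) without touching anything."""
    renames, conflicts, notes = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in sorted(files):
            if name.lower() == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
                continue
            restored = original_name(name)
            if restored is None:
                continue
            pair = (os.path.join(dirpath, name), os.path.join(dirpath, restored))
            # Never overwrite a file that already has the original name.
            if restored.lower() in present:
                conflicts.append(pair)
            else:
                renames.append(pair)
                present.add(restored.lower())
    return renames, conflicts, notes


def apply_recovery(renames):
    """Perform the planned renames; return how many were done."""
    for src, dst in renames:
        os.rename(src, dst)
    return len(renames)
```

Review the output of plan_recovery() first; conflicts are reported but never renamed, so an existing file is not overwritten.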