Viruses prey on 9/11 memory

PUBLISHED : Friday, 13 September, 2002, 12:00am
UPDATED : Friday, 13 September, 2002, 12:00am

The September 11 day of remembrance has been used as bait to trick Internet users into spreading new mass-mailing viruses.

Internet security software vendors yesterday warned of two Windows-based e-mail worms, Chet and Nedal, which exploit interest on the anniversary of the attacks.

Leung Siu-cheong, senior consultant at the Hong Kong Computer Emergency Response Team co-ordination centre, said there were no local reports of these worms being circulated.

'We consider these new worms as low-risk threats,' he said, at the same time urging Internet users in Hong Kong to remain vigilant, update anti-virus programs, and treat all e-mails, even from known sources, with caution.

Worms move quickly around the Internet through e-mail, carried inside other files and documents sent as attachments with the initial message.

Previous malicious codes that used the September 11 attacks included W32/Vote and its variants, Septer, Anthrax and a number of hoax worms.

Graham Cluley, senior technology consultant at Sophos Anti-Virus, said the Chet worm 'is probably the sickest and lamest trick to date'.

First discovered on Tuesday, the Chet worm appears to have been written in Russia, according to Helsinki-based anti-virus specialist F-Secure.

Symantec measured the worm as reaching 26.628 kilobytes and found it affects computers that run Microsoft operating systems Windows 95, 98, NT, 2000, XP and Me.

The worm arrives in the form of an e-mail attachment called 11september.exe. The e-mail message claims the attachment contains documentary evidence of money laundering and collusion between the al-Qaeda network and the United States government.

The message says it contains photographic evidence that the Federal Bureau of Investigation and Central Intelligence Agency discussed with al-Qaeda the best way to kill as many people as possible in New York and that there was 'a friendly dialogue between bin Laden and the secretary of a state security of USA'.

When the file is executed, the worm attempts to send an e-mail to each address in the infected computer's Windows address book. The e-mail has 'mail@' as the sender and 'All people!!' as the subject. 'The implausibility of the allegations contained in the worm's e-mail will hopefully mean most people will instantly recognise this as suspicious,' Mr Cluley said.

Abby Tang, Network Associates' Asia-Pacific product manager for McAfee Anti-Virus, said the author 'did not do a good job with Chet because it has programming bugs that made it crash with some regularity'.

However, the other September 11-themed worm, Nedal, appears to be capable of causing serious damage to computers because it can destroy large amounts of information.

Spain-based Panda Software said Nedal, which is 'Laden' spelled backwards, arrives as e-mail with the subject 'Osama bin Laden Comes Back!'. Its message calls on the destruction of Israel and the US 'to prevent wars'.

This program creates three files in the Windows directory of the computer. The first, 'Osama.

EXE', is a virus that infects files with an 'EXE' extension, destroying their original content. The second file is named 'Laden.EXE' and the third, 'Alta.

EXE'. The last file has been designed to delete the contents of the Windows System folder found in the infected computer.

Nedal also overwrites files with the following extensions: VBS, VBE, GIF, JPG, BMP, AVI, MP3, MPG, ZIP, CAB, MDB, XLS, LNK, DOC, TXT, RTF. The worm also modifies the Windows Registry and displays various random messages on the infected computer's screen.


Send to a friend

To forward this article using your default email client (e.g. Outlook), click here.

Viruses prey on 9/11 memory

Enter multiple addresses separated by commas(,)

For unlimited access to: SCMP Tablet Edition SCMP Mobile Edition 10-year news archive