The latest virus attack infected more e-mails than any other virus
except Love Bug. Yet, as Bill Goodwin finds out, it was not
technically innovative.
Businesses have been warned to expect a wave of e-mail viruses in
the wake of the Goner virus which struck organisations around the
world last week.
Goner, described by some experts as the most virulent virus since
Love Bug, spread worldwide in a matter of hours on 4 December,
causing e-mail systems to become congested and damaging unprotected
systems.
"This one has really hit businesses hard," said Alex Shipp, virus
technologist at Message Labs. "When the Love Bug struck, one in 20
e-mails were infected. With Goner it was one in 30. We have only
had one other virus that infected more than one in 100
e-mails."
Experts warned employers to expect a wave of copycat viruses over
the coming weeks as virus writers take advantage of the Christmas
season to hide malicious code in Christmas cards, jokes and
screensavers.
"Now is a good time to reinforce to your office that sending things
like that has dangerous consequences," said Graham Cluley, virus
technologist at Sophos.
"A lot of people are getting into the habit of sending joke e-mails
and screensavers. These present a danger because jokes can be
accidentally infected with a virus and if you have an attitude that
exchanging jokes is acceptable, virus writers will exploit that,"
he said.
The fact that the Goner virus, also known as Pentagone, was able to
spread so rapidly has raised questions about the adequacy of the
anti-virus defences that companies have put in place.
The virus could easily have been prevented, for instance, by
blocking incoming e-mail attachments with a screensaver or .scr
extension, a file type that has few, if any, legitimate business
uses.
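An added example, not part of the original article: a gateway-style check that parses a message and reports attachments whose filename ends in a screensaver extension. The blocked-extension set, the function names and the sample messages are assumptions constructed for illustration.

```python
from __future__ import annotations

import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the policy list for this example. Windows screensavers are
# executables that carry the .scr extension.
BLOCKED_EXTENSIONS = {".scr"}


def blocked_attachments(raw: bytes) -> list[str]:
    """Return the filenames of all parts whose final extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        name = part.get_filename()
        if not name:
            continue
        # Compare case-insensitively and drop trailing dots and spaces,
        # which Windows ignores when it opens the file.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last extension decides, so "photo.jpg.scr" is caught.
        if os.path.splitext(cleaned)[1] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed message carrying a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in ("xmas_card.SCR", "photo.jpg.scr", "report.pdf"):
        verdict = "BLOCK" if blocked_attachments(build_sample(sample)) else "pass"
        print(f"{sample}: {verdict}")
```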
More significantly, it shows that companies still have some way to
go in educating their staff to react cautiously to unsolicited
e-mail attachments, said Sal Viveros, marketing director at
anti-virus firm McAfee.
The lesson to be learnt is the same for all of these e-mail
viruses, he said: "If an e-mail you are not expecting is sent to
you and it has an attachment, don't open it."
Goner had an unpleasant payload for the companies that were
infected. The virus is designed to identify and remove anti-virus
software from the PCs it infects. It also attacks personal firewall
software, leaving PCs open to hacking or denial of service attacks.
"If you are running an old version of your anti-virus [software]
when you receive Goner, that's rather nasty because not only do you
catch this virus but you are vulnerable to other viruses as well.
You might think you were immune to Kakworm and Sircam, but you're
not," said Cluley.
Repairing the virus damage could prove expensive for organisations
that find their systems infected. The clean-up and damage costs
could exceed the $8.75bn attributed to the more virulent Love Bug
virus which struck in 2000, experts believe. In some cases,
companies will be forced to re-install anti-virus software on
infected machines manually.
"You need to reinstall your anti-virus software and patch on the
new virus software. That can be quite tricky. If you install your
anti-virus software while the virus is still running, it is going
to remove the software as you install it. The only recommendation
is to visit your anti-virus supplier's Web site and follow its
instructions," said Shipp.
Despite its ranking as one of the most prolific e-mail viruses, the
technology behind Goner is not particularly innovative:
- The program was written in compiled Visual Basic and did not
call for much programming skill
- It made no attempt to disguise itself by using random file
names or e-mail subject headers
- It was able to spread rapidly, because, unlike the Love Bug
virus, which struck once, Goner continually e-mailed copies of
itself to every contact in the Outlook address books of infected
machines. Further copies were sent through the IRC and ICQ Internet
discussion channels.
"It had a really big lucky break in timing. It managed to reach a
critical mass before the anti-virus companies released new
anti-virus signatures," said Shipp.
In future, the anti-virus software suppliers may have to rethink
their strategy and publish new signatures earlier, Shipp suggested.
"My guess is that a lot of [the suppliers] could have released a
signature much earlier just to stop the virus and release another
one later to do the clean-up," said Shipp. "They don't do that
because it is not acceptable to their customers. In the light of
Goner, [suppliers] may rethink that."
Goner is just the latest example of a problem that is growing at an
incredible rate. With virus attacks threatening to reach a peak
over the Christmas holidays, now is a good time for companies to
re-evaluate their anti-virus policies.