Homepage, so-called because of its subject heading, was first spotted in Asia. Its first high-profile target was the Australian network, and now UK organisations are coming under attack.
The e-mail contains the body text, "Hi! You've got to see this page! It's really cool ;O)". When activated, the worm changes the browser's default page to one of four adult-orientated websites and sends itself out to e-mail addresses stored in Outlook.
McAfee has reported 18,000 infected e-mails so far today, which compares to a final total of 21,000 for the first variant of Lovebug. This gave a good indication of its impact, said McAfee products manager Jack Clark.
"The e-mail is not destructive, just obscene, so a lot of companies may not report it," he said.
Anti-virus vendor Sophos has found evidence that may make it possible to track down the author of the Homepage worm. The four sites linked to by the worm were designed by the same person in the style of those set up to use the services of Adultcheck, a company that handles e-commerce for pornographic sites, said Cluley.
"This suggests the sites weren't selected at random. Maybe the worm was a way to get a few hits on the sites, in which case the author was very stupid. The authorities can contact Adultcheck to find out who runs the sites to see if there is a connection," he said.
McAfee's Clark advised organisations to invest in generic anti-virus software that blocked attachments such as those written in Visual Basic Script (VBS), the language used to write these worms.
George Cluley, senior technology consultant at Sophos Anti-Virus, agreed that Homepage was not as damaging as its infamous predecessors. So far, his company had received 100 reports of hits. "At this stage we weren't even keeping statistics because it was so chaotic," he said.
But the success of Homepage demonstrated that some firms have yet to learn the lessons of Lovebug and Kournikova, added Cluley.
"PC users should not open attachments in unsolicited e-mails and companies should block VBS files that come in over the network. There's no legitimate reason to send them," he said.
IT staff should block any attachments with double extensions, such as the file name Homepage.html.vbs, explained Cluley. Staff believed "html.vbs" was a link to a website, without realising it could launch a program.
"There is no need for people to receive double extensions. People should reject them and ask the sender to explain their true nature," he said.
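The two attachment rules described above (refuse VBS files, refuse double extensions) can be applied at a mail gateway by inspecting every attachment name. The Python below is an added example, not code from Sophos or McAfee; the function names, the sample message and the example.com addresses are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: only the script type named in the article is refused outright.
BLOCKED_EXTENSIONS = {".vbs"}
EXT = re.compile(r"[a-z0-9]{1,5}")  # what counts as an extension here

def extensions(filename):
    """Return the trailing extensions of an attachment name, lower-cased."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores case and trailing dots/spaces, so normalise first.
    name = name.strip().rstrip(". ").lower()
    exts = []
    for part in reversed(name.split(".")[1:]):
        if not EXT.fullmatch(part):
            break  # e.g. "v1.2 notes.txt" has one extension, not two
        exts.insert(0, "." + part)
    return exts

def classify(filename):
    """Return the list of reasons to reject a name; empty means allow."""
    exts = extensions(filename)
    reasons = []
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append("blocked script type")
    if len(exts) >= 2:
        reasons.append("double extension")
    return reasons

def scan(raw_message):
    """Map each rejected attachment name in a raw message to its reasons."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = {}
    for part in msg.walk():  # walk() also reaches nested MIME parts
        name = part.get_filename()
        if name and classify(name):
            verdicts[name] = classify(name)
    return verdicts

def build_sample():
    """Constructed test message; the attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Homepage"
    msg.set_content("Hi! You've got to see this page! It's really cool ;O)")
    for name in ("Homepage.html.vbs", "report.pdf", "update.VBS"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

The double-extension rule is deliberately blunt, as the advice in the article is: a benign name such as `notes.tar.gz` is also rejected and would need the sender to explain it.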
Meanwhile, Sophos has yet to receive any reports about another new worm that attacks Solaris. The sadmind/IIS worm targets Solaris servers, then uses those machines to launch assaults on systems running Microsoft's Internet Information Server (IIS), according to the Computer Emergency Response Team (Cert) at Pittsburgh's Carnegie Mellon University.
The worm, which defaces websites, has attacked 50 Solaris machines and hundreds of IIS systems, said Cert. Sophos expected no attacks in the UK because the worm used vulnerabilities in the servers that were discovered two years ago, said Cluley.
"We anticipate most people would have patched the faults or find that it's easy to patch them online," he said.