Two new worms crawling through networks

Security experts yesterday reported two new worms in the wild, both based on Visual Basic Script (VBS).

Security experts yesterday reported two new worms in the wild, both based on Visual Basic Script (VBS).

One is named after Mawanella, a small town in Sri Lanka, and contains a message protesting violence there. The worm first appeared early Thursday morning, according to Vincent Gullotto, senior director of Avert Labs, the anti-virus response division of anti-virus firm McAfee, a sub-division of Network Associates. The worm is related to the Homepage and Anna Kournikova worms that hit computers worldwide early in May and February, respectively, and was probably created using the same worm-writing kit.

Mawanella is a VBS worm, written in Microsoft's Visual Basic Script and using Microsoft's Outlook Express e-mail client to spread itself. The worm appears as an e-mail with the subject line "Mawanella" and an attachment called Mawanella.vbs. When the attachment is double-clicked, the e-mail is sent to all recipients listed in Outlook's address book. Also, a window pops up on the screen that depicts, using parentheses and slashes, a burning house. Beneath the picture, text reads:

"Mawanella is one of the Sri Lanka's Muslim village. This brutal incident happened here 2 Muslim Mosques and 100 shops are burnt. I hat this incident, What about you? I can destroy your computer I didn't do that because I am a peace-loving citizen."

If the worm is unable to resend itself using Outlook, another message pops up asking the user to "Please Forward this to everyone," according to an alert sent out by anti-virus company Central Command.

The worm is only medium risk, according to Gullotto, because it is not destructive but could spread quickly. Such mass e-mailers have the potential to overwhelm and crash corporate e-mail servers.

This worm functions in the same way and appears similar to other recent worms and thus "most people should realise what it is and that they shouldn't open it," Gullotto said. The worm, however, does get opened and spread within companies despite filters that block .VBS attachments because many people have Yahoo or Hotmail e-mail accounts that they check at work, he said. Opening attachments from these accounts can also infect systems, Gullotto said.

McAfee anti-virus definitions have been released to cover Mawanella, he said.

UK-based security software vendor Sophos, has meanwhile warned of a new variant on the Love Bug worm which, as well as infecting users' machines, seems designed to attract the attention of the Echelon surveillance system.

Sophos added that it has found just one example of the worm in the wild. Dubbed VBS/LoveLet-CL, the worm creates two copies of itself on the user's hard drive using the file names command.vbs and WinVXD.vbs, and these files are executed every time the computer boots up, according to Sophos.

The worm is VBS-based and tries to send itself to every address in an infected Outlook user's address book in e-mails with the subject line "!!!" the company said.

Written within the worm's code are numerous comments and code words that Sophos said may be designed to trigger monitoring by the international Echelon system - possibly in an effort to overwhelm it if the virus becomes widespread. These include "sabotage," "assassination," "booby traps," and "terrorism."

Among the virus' other effects, it searches for files with a range of extensions and overwrites them with itself. It can also propagate itself using mIRC (Internet Relay Chat).

Read more on Antivirus, firewall and IDS products