Worm may hit at noon

By PETER GRIFFIN

Code Red, the virus worm responsible for infecting 250,000 computers in less than nine hours this month, could re-awaken today to continue its rampage.

In an unprecedented show of concern, representatives of the United States Government, the FBI, Microsoft and online security organisations will meet in Washington today urging computer users worldwide to "take immediate action to respond to the threat", billed by security experts as the fastest-spreading internet infection yet.

With the next Code Red worm attack expected to begin at noon NZ time, Microsoft is likely to use the forum to remind its millions of software users worldwide to download a security "patch" for Microsoft Internet Servers Software (IIS) versions 4 and 5, closing the hole in the software that the worm was able to exploit.

While the White House thwarted an earlier Code Red attack on its website (www.whitehouse.gov) by changing the IP (internet protocol) address, a stronger version of the worm is displaying new traits, including the ability to delete files from hard drives.

Arjon de Landgraaf, who runs the E-Secure-IT Online Alert Service from Auckland, said that as the first country in the world to greet the dawn, New Zealand was likely to suffer the first Code Red attacks.

"What will be interesting to see is if Code Red has changed from targeting IP 91, which the White House changed from to avoid the last attack."

Another e-mail-based worm, SirCam, continues to wreak havoc.

SirCam picks up a file from a user's hard drive and sends itself as an attachment to e-mail addresses in the victim's address book.

Thousands of computer users receiving e-mail have been greeted recently with a seemingly innocent message: "I send you this file in order to have your advice" or "I hope you can help me with this file that I send".

Opening the attached file allows the worm to spread to the hard drive.

SirCam's arrival was particularly embarrassing for anti-virus software giant Symantec - the worm slipped through its products' defences despite users having downloaded the latest updates and employing the correct patches.

Symantec NZ manager Richard Batchelar described SirCam as "a case of where the bad guys are one step in front".

Both Symantec commercial products and the popular Norton anti-virus software could not detect infected e-mails that carried a malformed "MIME-header".

"Our scanning ability is looking for one thing but with SirCam they've hidden certain components of the MIME that we are looking for.

"It is sneaking through as the common cold with HIV attached to it."

Mr Batchelar said Symantec had quickly produced patches for two of the vulnerable platforms, and a patch for the third would be available by Friday.

Local victims of Code Red and SirCam worms range from home users and small businesses to one of the country's two major brewers.

John Mycroft, of facilities management software company Mycroft, found anti-virus software useless in detecting SirCam.

"I have received what appears to be the SirCam worm, which came undetected through our virus scans even though they are up to date," he wrote in an e-mail.

"It deletes files at random and has created literally thousands - over 62,000 at the last count - of new files on my Machine, too."

Herald IT staff received about 60 SirCam infected e-mails daily out of a total of 6000 inbound messages.

Public relations company Communication by Design was particularly embarrassed to discover that a confidential file had been sent to a Herald e-mail address.

Mr Batchelar urged users of Symantec software to visit the company's website and download the necessary patch.

Links


Digital Island

Microsoft Downloads

Symantec

Co-logic