
'NakedWife' Trojan Worm Strikes

Mass e-mail worm deletes files needed for basic PC operations.

James Evans, IDG News Service


A new mass-mailing Trojan worm called "NakedWife" is circulating and, if executed, can delete files that are necessary for everyday computer operation, several computer security companies confirmed Tuesday.

Trend Micro began getting reports of the Trojan worm that spreads through e-mail at 8 a.m. PST Tuesday, as nine U.S. organizations, including a telecommunications company and a government agency, reported the worm, says Susan Orbuch, a company spokesperson. The worm is currently in the wild and is rated a "medium" security risk by Trend Micro, she says.

"It would go to a red alert if we went to other regions of the world," Orbuch says. "Right now, we are only getting reports from the U.S."

McAfee, a division of Network Associates, also reported that 25 corporate clients, including Fortune 500 companies, have identified the Trojan worm, and the company rates it a "high risk." Computer Associates International and Central Command also reported the worm.

The Trojan worm is spread through Microsoft Outlook, sending an e-mail to every e-mail address in the infected user's address book, security firms say. The worm is known as "NakedWife," "W32/Naked@MM," or "W32.HLLW.JibJab@mm."

When the Trojan is executed, it displays a Flash window that states "JibJab loading." While the file loads, the Trojan deletes DLL (Dynamic Link Library), INI (initialization files), EXE (execution files), BMP (picture files), and COM (resource) files in the Windows and system directories, according to Trend Micro. In other words, the worm deletes files used for everyday computer operation, Orbuch says.

The Trojan, which was written in VBS (Visual Basic Script), sends out the same mail as an e-mail attachment. The mail has a subject line that reads "FW: Naked Wife." It has a message body that reads "My Wife never look like that :), Best Regards." The attachment is named NakedWife.exe.

After the e-mail is sent out, the Trojan then displays another message.

"You're now (F-----!) (c) 2001 By BGK (Bill Gates Killer)," the message reads, according to Trend Micro.

A bit of "social engineering" is going on with worms like the NakedWife worm, Orbuch says. Some users are intrigued by the title and open it.

"I step back and say, 'Why are people opening files that say "NakedWife" at work?'" Orbuch asks.

According to Orbuch, companies should consider security measures that keep EXE and VBS files from gaining access to a corporate network. Users also should know not to open such attachments, she says.
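
The attachment blocking Orbuch recommends can be sketched as a mail-gateway check. The Python below is an added example, not part of the original article or any vendor's product; the function names, the example.com addresses and the placeholder attachment bytes are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# File types the article says should be kept out of the corporate network.
BLOCKED_EXTENSIONS = (".exe", ".vbs")

def blocked_attachments(raw_bytes):
    """Return the filenames of MIME parts whose final extension is blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so drop them before
        # comparing; only the last extension decides how the file is opened.
        cleaned = name.strip().rstrip(". ").lower()
        if cleaned.endswith(BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits

def gateway_verdict(raw_bytes):
    """Quarantine any message carrying a blocked attachment, else deliver."""
    hits = blocked_attachments(raw_bytes)
    return ("quarantine", hits) if hits else ("deliver", [])

def build_sample(filename, payload=b"constructed placeholder bytes"):
    """Build a constructed test message shaped like the one described above."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "FW: Naked Wife"
    msg.set_content("My Wife never look like that :), Best Regards.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for fname in ("NakedWife.exe", "photo.jpg.vbs", "report.pdf"):
        print(fname, gateway_verdict(build_sample(fname)))
```

The check keys on the attachment's file type rather than on the subject line or body text, so it still applies when the wording of a mass-mailed message changes.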

For further information on viruses, worms, and Trojans, see "How It Works: Viruses."
