Reports are coming in of a new e-mail-based worm variant that cleverly poses as a tool for removing evidence of pornography from the hard disk of recipients.
The mass-mailer, dubbed W32/Baba-C by antivirus vendor Sophos, falsely claims in its subject line that it has detected adult-related material on a PC and suggests the user run the attached "evidence cleaner" to remove traces of it having been there.
This follows on the heels of news today that another worm disguised itself as a plea for tsunami aid.
Clicking on the W32/Baba-C mailer installs the worm, which then mails itself to people in the user's various e-mail address books and opens a back door for hackers to gain access to the compromised PC. If an infection has taken place, the worm communicates back to the point of origin to let it know a new PC has been hacked. The worm sender could then initiate data theft from this PC.
The worm is in its early stages, only affects Windows, and is believed to be small-scale at present, but the potential for it to spread further is clear. As ever, virus and Trojan writers are looking to play on anxieties. "Many people are worried about the adult material that inhabits areas of the Internet, and don't want it to reach their PC. It's also clear that the Internet is widely used for accessing hardcore sexual material," says Graham Cluley, Sophos's senior technology consultant and resident virus expert.
"There is one type of person who doesn't want this type of stuff (porn) on their computer. And there is the type of person who does." The clever part is that the worm can catch people from both groups unawares, he said. "We've seen viruses in the past that have scanned a hard disk for porn." This is the first example that has used anxieties about pornography to attempt infection, however.
The original Baba-A worm came to light last October and was believed to have originated at a South Korean university. It is not clear whether the Baba-C variant has come from the same source, though the style of English used in the message body does not appear to be that that of a native speaker of the language.
Meanwhile, the virus "top 20" for December, published on Kaspersky Labs' viruslist.com, rated W32/Zafi-d as the most commonly found virus with 17.8 percent of outbreaks, followed by Zafi-b at 13.4 percent, and Netsky-G at almost 11 percent.