9/11 e-mail worm discovered, but threat appears to be low

An e-mail worm with a Sept. 11 theme has been discovered on computer systems in Europe, according to a statement from F-Secure Corp. and other security companies.

The worm, called W32/Chet-A or "Chet," accompanies an e-mail with the subject "All People!" sent from the address main@world.com. The Chet worm is stored within an attached file named 11september.exe and is only activated when an e-mail recipient opens the attachment.

Like other e-mail worms, most notably the Nimda worm that appeared last year and infected computers worldwide, the Chet worm attempts to use a computer's e-mail program and address book to spread copies of itself to other computer systems. Worms can damage the computers on which they are run or disable computer networks through massive copying and e-mailing.

Unlike the Nimda worm, the Chet worm doesn't appear to pose a serious threat to the systems it infects.

"This worm is not going to be a major problem," said Mikko Hyppönen, manager of anti-virus research at Helsinki-based F-Secure, which learned of the worm Tuesday after it was intercepted by e-mail monitoring systems belonging to British Internet service provider (ISP) MessageLabs Ltd. The worm was contained in e-mail and did not infect or damage MessageLabs systems.

A bug in the worm's code prevents Chet from e-mailing copies of itself and generally leaves host systems unaffected, said Hyppönen.

"Some users may receive a Dr. Watson [Windows debugger] report, but [Windows] and e-mail will continue to function," he said.

A lengthy text message that claims to offer "documentary materials" proving a link between the Bush administration and the al Qaeda terrorist organization is included in the e-mail containing the virus.

"As you know America and England have begun bombardment of Iraq, cause of its threat for all the world," the e-mail reads in part. "It isn't the truth. The real reason is in money laundering and also to cover up traces after acts of terrorism September, 11, 2001."

Recipients are then urged to open the attachment in order to have the documents and pictures installed on their computers. Opening the attachment launches the Chet worm.

That sketchy wording, coupled with the fatal bug in the worm's code, should keep Chet from spreading too widely, experts agreed.

"We didn't think [the message] translated very well," said Chris Wraight, a technology consultant at the Lynnfield, Mass., office of antivirus software maker Sophos PLC. Viruses frequently originate in countries where English isn't the native language, he said.

Hyppönen said that all indications are that the worm originated in Russia and is likely the work of a novice virus-writer. "The person who wrote this [worm] is not too clever, not too skillful and not too bright," said Hyppönen.

Despite its flawed code, however, the Chet worm is capable of infecting computers and replicating itself, he warned.

"We found that under certain conditions, the virus was able to recover from its code error and continue running," said Hyppönen, adding that systems running the Windows 98 operating system and containing very long names in the Windows address book are particularly vulnerable to infection by the Chet worm.

Makers of leading antivirus software rushed to post new virus definitions protecting systems against the Chet worm, despite the low risk it apparently poses. New virus definitions were available for most leading antivirus programs, including those from McAfee.com Corp., Symantec Corp. and Sophos, and experts are warning computer users to be vigilant.

"We encourage people to follow safe computing practices and delete any unsolicited executable attachments," said Wraight.


Copyright © 2002 IDG Communications, Inc.
