Warnings issued about new 'WTC' virus

Security experts today issued a warning about a dangerous new virus that is spread via e-mail and takes advantage of people's curiosity and interest in the recent terrorist attack against the U.S. and the political fallout between Muslims and non-Muslims.

Officials at antivirus vendor Trend Micro Inc. in Cupertino, Calif., said companies should be on the lookout for the "WTC.exe" virus, which arrives via an e-mail attachment and carries malicious code that reformats the recipient PC's hard drive, deletes files and attempts to eliminate the system's antivirus protection software.

The virus comes almost two weeks after the Sept. 11 terrorist attacks against the World Trade Center (WTC) and the Pentagon and uses social engineering to prey on individuals' natural curiosity about the attacks. The subject line of the e-mail carrying the virus is known to read "FW: Peace between America and Islam," according to Susan Orbuch, a spokeswoman for Trend Micro. Likewise, the body of the message reads, "Hi, Is it a war against America or Islam. Lets Vote to live in peace."

The attacks against the Trade Center and Pentagon have been linked to international terrorist Osama bin Laden, who has declared a jihad, or Islamic holy war, against the U.S. Since then, Muslim-American religious leaders and other political leaders, including President Bush, have gone out of their way to inform people that bin Laden and his extremist terrorist organization don't represent the beliefs of Islam or of the Muslim world in general.

So far, Trend Micro has received only spot reports of infections, said Orbuch.

However, "the timely social engineering of this virus leads us to believe that it has a high likelihood of spreading," she said. "Corporations should be using content filters ... to block executables at the gateway so folks don't even have a chance to open these things."

The name of the virus is TROJ_VOTE.A. Preliminary analysis by Trend Micro indicates that it was created using Visual Basic 5 and uses Microsoft Outlook address book to propagate. In addition to reformatting the user's hard drive, the virus also deletes certain AV files, installs a file called Zacker.vbs, modifies the Internet Explorer start-up page and modifies the user's autoexec.bat file to include a command to reformat drive C.

Jack Danahy, senior vice president of server security at WatchGuard Technologies Inc. in Seattle, said the new virus is similar to the "I Love You" virus because it first sends a copy of itself to everybody in the recipient's e-mail address book.

Related stories:

Related:
How to handle Windows 10 updates
Shop Tech Products at Amazon