'Tis the Season … for Viruses?

As the number of e-mail-related viruses continues to grow, one thing is becoming apparent: Virus writers will go to any lengths to get a recipient to open the infected e-mail. Playing on the theme of the holiday season, two Christmas-related viruses in particular have recently caused some problems.

"Virus writers seem to be getting more cunning regarding the psychology for getting people to open e-mails that have viruses on them," says Graham Cluley, Senior Technology Consultant at Sophos, an anti-virus software vendor. "We’re now seeing a lot of Christmas-related viruses. It’s the holiday season and people want to have fun, so they’re sending screen shots and other things. The virus writers are taking advantage of this by disguising the viruses with things like Santa Claus images."

The most damaging Christmas virus to date has been W32/Navidad, an e-mail worm that masquerades as a Christmas card, arriving in an e-mail message with an attachment called NAVIDAD.EXE. Once the attached program is launched, it displays a dialog box containing the text "UI." It then attempts to read new e-mail messages and to send itself to the senders’ addresses. The worm copies itself into the Windows system directory with the filename WINSVRC.VXD and changes the registry so that it runs on Windows startup and before any file is run.

According to Sophos, the Navidad virus started to spread at the beginning of November, but has already caused problems, evidenced by the fact that Sophos ranked it as the second most reported virus in November and the seventh most reported virus of 2000 overall.

While not causing as much damage as Navidad, W32/Music has also found its way inside a number of companies’ e-mail systems. This virus is attached as a file called music.com, music.exe, or music.zip and comes with message text saying it is a Christmas tune program. Once opened, the virus waits a few minutes before attempting to connect to several Web sites. It attempts to download an updated version of itself from the Web sites, and then the worm tries to send itself to e-mail addresses found on the infected PC.

For IT administrators, the Christmas e-mail viruses can pose a big problem, as employees can suffer from a seasonal lack of caution. "The problem for administrators is that they may be perceived as the Grinch for not letting employees open or send executable files or screen savers," says Cluley. "But in terms of data protection, it’s a must because data is the lifeblood of a company."

The alternative, continued Cluley, is for the IT department to put out a list of games or screen savers that the employees can open and send to each other during the holiday season.
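The two policies Cluley describes, blocking executable and screen-saver attachments and publishing an IT-approved list, can be combined in one mail-gateway check. The following is an added example, not code from the article or from Sophos; the extension set, the SHA-256 allowlist and all sample attachment bytes are assumptions constructed for illustration.

```python
import hashlib, io, zipfile
from email.message import EmailMessage

# Assumed policy: extensions treated as executable (.scr covers screen savers).
BLOCKED_EXT = {".exe", ".com", ".scr", ".vxd", ".bat", ".pif"}

def _ext(name):
    name = name.strip().lower()
    return name[name.rfind("."):] if "." in name else ""

def _zip_has_executable(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(_ext(n) in BLOCKED_EXT for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: fail closed

def check_attachments(msg, approved_sha256):
    """Return {filename: 'allow' | 'approved' | 'block'} per attachment."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        risky = ext in BLOCKED_EXT or (ext == ".zip" and _zip_has_executable(data))
        if not risky:
            verdicts[name] = "allow"
        elif hashlib.sha256(data).hexdigest() in approved_sha256:
            verdicts[name] = "approved"  # on the IT-published list
        else:
            verdicts[name] = "block"
    return verdicts

def make_zip(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()

def build_message(attachments):
    """Build a constructed sample message from (filename, bytes) pairs."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    sample = build_message([("NAVIDAD.EXE", b"constructed"),
                            ("music.zip", make_zip("music.exe", b"constructed"))])
    print(check_attachments(sample, approved_sha256=set()))
```

Approval is keyed on the content hash rather than the filename, so renaming an unapproved program to match an approved screen saver does not get it through.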