A destructive new worm that purports to rid computers of malicious viruses actually leaves the viruses intact and chews up files instead, security experts said Friday. The worm, dubbed Win32.All3gro.A, poses as a "good worm," experts said, highlighting the dangers of a new fad for creating self-propagating applications to delete malicious programs that resurfaced after the Code Red II worm scare early this month. Code Red II installs a "back door," leaving computers vulnerable to attacks.

While it sounds like an attractive concept, the "good worm" notion is actually a bad idea, experts concurred.

"Even if it's with good intent, it's not a good idea," said Vincent Weafer, director of Symantec antivirus research center. "It could have unexpected results. And there's no centralized control to update it."

"It's not a responsible approach," said Russ Cooper, surgeon general of TruSecure.

"How do you know it's only going to do good things?" Cooper said. "How do you prevent it from clogging the network and affecting uninfected computers? How do you prevent people from modifying it into a malicious worm?"

Worms, programs that spread themselves from one computer to another, were initially created to perform helpful tasks before they became a way for malicious hackers to spread viruses, with the first reported worm in 1971 designed to aid air traffic controllers.

Xerox's Palo Alto Research Center experimented further in the 1980s, designing worms to do things like clean up printer queues, Weafer said. After one of the worms malfunctioned and "went out of control," researchers developed a "vaccine," the first antivirus software, he said.

Weafer is convinced that Win32.All3gro.A is a malicious worm merely posing as an antivirus program.

The worm doesn't completely remove the viruses it claims to eradicate--the highly infectious and malicious SirCam, Badtrans and PrettyPark--and depending on the day of the week it tries to delete documents or system files, while e-mailing itself to recipients on a computer's address book, he said.

"It is a malicious attempt with social engineering to try to fool people into downloading it," Weafer said.

It's fairly common for virus writers to take advantage of security holes left by other viruses or malicious applications, he said.

For example, the Leaves worm in June looked for computers infected with the System SubSeven Trojan, a "back door program." It closed the hole but then created a new one for itself, according to Weafer.

In May researchers detected a relatively nondestructive worm that masqueraded as an antivirus warning from Symantec.

Researchers don't know the origin of Win32.All3gro.A, but Weafer said it was first discussed in a magazine article in Korea. "We've seen very little of this (worm) out in the wild," so it is a low threat, he added.

The worm arrives with a subject line that says "New antivirus tool" and an attachment labeled "Antivirus.exe." Symantec's antivirus software will protect computers from the worm, Weafer said.