NEWS: World Cup virus kicks off

***s0nIc*** · June 11th, 2002, 07:23 AM

As network managers prepare to tackle the onslaught of World Cup-related emails in between catching a few games, users are warned to be on the lookout for viral emails.
A Visual Basic Script worm that uses the World Cup as bait has kicked off against unsuspecting fans.

Masquerading as an application for viewing match results, WorldCup spreads via email and the popular Internet Relay Chat application.

The virus appears to be a simple rewrite of the Chick virus, which claimed to be a collection of Britney Spears pictures. The virus cannot do any damage automatically, as a user has first to open the infected file.

WorldCup typically arrives in an email with the subject line: "RE: Korea Japan Results", while the text inside reads: "Takes a look at these results... Regards". The attached file that puts the boot in is called Koreajapan.chm.

When run, the user also has to fall for another security no-no and enable Active X controls at the prompt. The worm then launches its payload.

The virus only sends itself to the first entry in the address book, once per infected machine.

To cover its tracks, WorldCup displays a screen that claims to be an application for viewing match results, but does not in fact work.

Source: http://www.xatrix.org/article1599.html

***Noia*** · June 11th, 2002, 12:52 PM

A Snake in the Grass........VERY short grass......must be tiny snake........lol
- Noia

**nutta** · June 11th, 2002, 04:25 PM

If it only sends itself to the first address in your book why dont you put in a new entry like the one I have : 0000 ( as the address) virus stopper ( as the name) or what ever you want as a name for the entry. By putting 0000 you insure that this is the first entry!!!! And its an dummy address. ( I got this idea from a newsletter from Panda Software awhile ago.)

This should help curb the virus that go by the first entry.....Some virus will not compleate their MISSION if they are stopped on the first address!

**WiteWoLF** · June 11th, 2002, 06:47 PM

Or you could just update your Virii detection gear.

***KorpDeath*** · June 11th, 2002, 08:53 PM

Or just don't be an idiot and execute something you aren't sure of. Duh.

**NetSyn** · June 11th, 2002, 09:35 PM

or dont use Outlook Express like a idiot!

**thesecretfire** · June 11th, 2002, 11:58 PM

I haven't heard of .chm before...how many different extensions are there for activeX/VB executables?

str34m3r · June 12th, 2002, 12:07 AM

And what have we learned from this thread? Defense in depth is the way to go:
A. Don't use Outlook Express.
B. Regardless of your e-mail client, don't open unknown attachments.
C. Make sure your virus definitions are up to date.
D. Go ahead and throw that 0000 entry in your adress book just in case.

**emrys** · June 12th, 2002, 12:20 AM

hmm well first of ppl must learn not to open attachments by adresses that they dont recognize...sencond dont enable an option cuz the email asks ya...but it is truly pathetic for ppl to make viruses and use events that are supposed to be fun and entertaining as a way to lure ppl into getting infected...it kinda sickens me

Thread: NEWS: World Cup virus kicks off

Thread Tools

Display

NEWS: World Cup virus kicks off

Posting Permissions