The first worm that took advantage of the Dec. 26 earthquake and tsunami disasters has appeared, several anti-virus firms warned users Tuesday. Dubbed "Zar.a," the worm uses the subject "Tsunami Donation! Please help" and message copy "Please help us with your donation and view the attachment below! We need you!" to dupe recipients into opening the attachment and launching the worm.
Although Zar.a -- which has been labeled Sun.a by a few security companies -- spreads by hijacking addresses it finds in the Microsoft Outlook address book, it doesn't seem to do any damage or open any backdoors in the infected machine. Instead, it's goal appears to be to launch a denial-of-service (DoS) attack against a hacker Web site. As of mid-day Tuesday, that site was offline.
Scams leveraging the publicity generated by the disasters in Southeast Asia, and the outpouring of donations to relief groups, have been circulating almost since the tsunami struck, but this is the first worm with a tsunami angle.
It's not unusual for hackers to use current events to entice users into reading the e-mail carriers and opening the attachments that are actually worm payloads.
Another first, said U.K.-based security firm Sophos on Tuesday, is the appearance of a worm that falsely tells them that their computer contains pornographic material, and offers a free cleaner tool to wipe traces of the smut, but not the smut itself, off the drive.
"The Baba.c worm is using a dirty trick," said Graham Cluley, Sophos' senior technology consultant, in an e-mailed statement.
Baba.c claims that the attached "Evidence Cleaner" can hide any traces of pornography, but in actuality, the file runs the worm which opens a backdoor to give the hacker access to the PC.
"Many people are worried about the adult material that inhabits the Internet, and don't want it to reach their PC. It's also clear that the Internet is widely used for accessing hardcore sexual material," added Cluley. "Either way, people want to ensure that their PC contains no evidence of XXX content, and may be tempted to follow this e-mail's instructions."
The last Baba worm, Baba.b, appeared in late October 2004, and was linked to a South Korean university by virtue of text embedded in the malicious code. Baba.b, however, used a common tactic of posing as a mail delivery error message. Baba was also involved in a minor controversy last fall, when some anti-virus firms dubbed it a member of the Netsky family, while others, such as Sophos, maintained that it was different enough to deserve its own designation.
Another first for 2005 was the appearance this weekend of the first new variant of the long-running MyDoom worm family. MyDoom, which is almost one-year old, , has been one of the most pernicious worms ever by measure of the number of variations, now up to at least 35.
The newest MyDoom, labeled "MyDoom.ai" by Symantec (but MyDoom.ap by McAfee, one indication of the confusing MyDoom situation) is a more-or-less standard MyDoom in that it spreads via e-mail and popular file-sharing software like KaZaA and Morpheus, tries to disable a wide range of security software, and blocks access to a long list of anti-virus update sites to prevent infected machines from being purged.
What's unusual about this variant is the sophistication and variety of the messages the attacker uses to entice recipients into opening the attached file.
While some are relatively tame -- and standard -- such as those that claim the message is a warning of an e-mail problem or that requested documents are included, others range from a bogus offer of a porno Web sites password to a claim that the FBI is investigating the recipient's IP address because of a report of online fraud.
"Thank you for registering at WORLDXXXPASS.COM," reads one variation of the new MyDoom. "All your payment info, login and password you can find in the attachment file."
Another MyDoom message read: "There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover [sic] attemption [sic] you will be busted. This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center."
MyDoom.ai is currently a low-level threat, according to the alerts generated by most anti-virus firms. Symantec, for instance, tagged the worm with a "2" in its 1 through 5 system, while Sophos labeled it as "low."