New e-mail worm said to be spreading rapidly

By CRAIG STEDMAN (May 09, 2001) Antivirus software vendors are reporting that a new worm written to take advantage of Microsoft Corp.'s Outlook e-mail software is quickly spreading itself by luring unsuspecting users to open an attachment that supposedly contains a "really cool" Web page.

The new worm, which has been dubbed Homepage because that word is used in the message's subject line, doesn't carry destructive payloads that could damage infected computers, according to alerts released late yesterday and early today by antivirus vendors. But, they warned, it could choke corporate e-mail systems by sending itself to all users listed in Outlook address books.

"Early propagation reports indicate that this virus is spreading faster than many of the biggest viruses we saw last year," said Mikko Hypponen, manager of antivirus research at F-Secure Corp. in Espoo, Finland, in a statement issued today. He added that Homepage also appears to be moving more quickly than the AnnaKournikova.jpg.vbs worm that replicated itself through e-mail systems in February (see story) .

Symantec Corp.'s antivirus research center said in an advisory posted on its Web site last night that more than 10 companies had reported being hit by the worm at that point. Cupertino, Calif.-based Symantec rated Homepage's ability to damage systems as a low threat but said the worm is capable of quickly distributing itself to more users.

Marius van Oers, an Amsterdam-based virus researcher at Network Associates Inc.'s McAfee.com Corp. subsidiary in Sunnyvale, Calif., said today that some companies in Europe and Asia have already turned off their e-mail servers because of the worm. McAfee.com has received "thousands" of reports of infections in those two regions, plus dozens from users in the U.S., he added.

"These are almost Loveletter proportions," van Oers said, referring to the "I Love You" worm that wreaked havoc worldwide a year ago. However, that worm deleted files from infected computers and included a sniffer program that stole user passwords -- destructive capabilities that apparently aren't included in the Homepage worm.

Homepage, known formally by names such as VBS.VBSWG2.D@mm, is another in a long line of Visual Basic Script (VBS) worms that target Outlook users. The body of the e-mail message carrying the worm says, "Hi. You've got to see this page! It's really cool ;O)" and invites recipients to open an attachment labelled "Homepage.HTML.vbs."

The worm attempts to open purported Web pages with pornographic content when the attachment is executed by a user, the antivirus vendors said. In addition to F-Secure and Symantec, other companies that have released warnings about Homepage include Trend Micro Inc. in Cupertino and Sophos Anti-Virus in the U.K.

Joris Evers of the IDG News Service contributed to this report.

http://www.computerworld.com/cwi/news/headlines/latest/date/0,1041,NAV47-68-84-88,00.html

-- Martin Thompson (mthom1927@aol.com), May 09, 2001