"Pentagone" virus falls flat in Asia

By Robert Lemos, CNET News.com
Wednesday, December 05, 2001 10:01 AM

The Pentagone worm seems to have lost some steam in Asia.

Although infections were reported in Australia, Brazil, France, Germany, the UK and the US, damage appears to be fairly minimal in Asia. "Most of the reports are now coming from the US," said Trend Micro Singapore country manager Isaac Lim.

The virus--a Visual Basic Script program, known also as Goner and Gone--first hit Europe late last night. Antivirus experts had expected infections to surge again Wednesday when employees and home PC users opened email that may be infected.

However, it appears that the virus only managed to creep up on Australia, which reported the highest number of calls, according to Network Associates managing director for South East Asia & India, Boon K Lee. "Other countries had more time to implement the updated virus definitions and protect their end users," he added.

Goner affects only computers running Microsoft Windows and spreads through Outlook email clients. Macs and computers running Linux or other Unix-like operating systems are unaffected.

It arrives in a message with the subject "Hi" and the following text in the body of the email:

How are you?
When I saw this screensaver, I immediately thought about you.
I am in a harry, I promise you will love it!

Attached to the message is what appears to be a screensaver file, Gone.scr, a compressed copy of the worm.
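
A mail-gateway check for the message described above, as an added example that is not part of the original article: it parses a raw message and flags the subject, body phrase and attachment name the article gives. The extension blocklist, the verdict names and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_string

# Indicators as given in the article; compared case-insensitively.
SUBJECT, BODY_PHRASE, ATTACHMENT = "hi", "when i saw this screensaver", "gone.scr"
# Assumption: a gateway policy list of Windows-executable extensions (not from the article).
BLOCKED_EXT = {".scr", ".exe", ".pif", ".bat", ".com", ".vbs"}

def inspect_message(raw):
    """Return which indicators a raw RFC 822 message matches and a verdict."""
    msg = message_from_string(raw)
    subject_hit = (msg.get("Subject") or "").strip().lower() == SUBJECT
    body_hit, risky = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # also decodes RFC 2231 encoded names
        if filename:
            # Drop any path and trailing dots/spaces before reading the extension.
            name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
            if os.path.splitext(name)[1] in BLOCKED_EXT:
                risky.append(name)
        elif part.get_content_type() == "text/plain":
            # latin-1 never fails to decode and keeps the ASCII phrase searchable.
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            body_hit = body_hit or BODY_PHRASE in text.lower()
    goner = ATTACHMENT in risky and (subject_hit or body_hit)
    verdict = "quarantine-goner" if goner else "block-attachment" if risky else "deliver"
    return {"subject": subject_hit, "body": body_hit, "risky": risky, "verdict": verdict}

# Constructed sample message; the attachment bytes are a harmless placeholder.
SAMPLE = """\
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

How are you?
When I saw this screensaver, I immediately thought about you.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Gone.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```

Calling inspect_message(SAMPLE) returns the matched indicators and the verdict; a renamed attachment with a blocked extension is still stopped by the extension policy even though the Goner-specific match no longer fires.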

When the file is opened, Pentagone will infect the victim's PC, attempt to stop a variety of antivirus and security applications and then, if successful, delete all the files in the folders containing those applications. AtGuard's Personal Firewall, ConSeal's PC Firewall, Kaspersky Lab's AVP, Network Associates' McAfee VirusScan, Symantec's Norton Antivirus and Zone Labs' ZoneAlarm are among the programs that the worm attempts to deactivate.

The technique fails to disable the security software in many instances. Zone Labs claims that, while the user interface component of ZoneAlarm may be deleted, the main program will continue to run.

"It is really hard to shut us down," said Gregor Freund, president and CEO for Zone Labs. "These guys are bloody amateurs. At best, they might delete the help system."

Next, the worm opens up a dialog box containing its name, Pentagone, and the handles of its creators. The dialog box also includes acknowledgements to other people on the Net, in a style similar to that of online vandals who deface Web sites.

The worm then installs a backdoor program linked to mIRC, a popular Internet Relay Chat program. The backdoor can be used to execute denial-of-service attacks against IRC servers.

In addition, the virus attempts to spread using email and ICQ.

Antivirus software maker Trend Micro has had about 22 corporate customers complain about the virus and has given it a high threat rating.

Because Pentagone cons people into opening the infected file just like dozens of previous viruses, David Perry, global director of education for Trend Micro, has concluded that computer users may never be security-conscious enough to avoid getting infected.

"Every time enough time goes by that people forget to be wary of these things, it pops up again," he said. "Apparently, we have to resign ourselves to the fact that education doesn't work."

Such PC users are a weak link, through which company networks can be attacked, said Mitch Bartlett, a technical analyst for computing services at business-information provider SPSS.

"It hit, and our exchange server actually blocked it because we have antivirus software," he said. "The people who got it were those who were getting their personal mail and their Web mail."

Telecommuters and employees checking their personal email infected their work PCs with the worm, which then inundated the internal network with more mail. By the end of the day, Bartlett said, the company had Pentagone under control.

"It is no longer troubling us; we have cleaned out everybody," he said. "But I am sure someone will get it tomorrow."

Pentagone isn't the only virus spreading significantly. Variants of the Nimda virus and a variant of the BadTrans virus are topping virus charts this month.

Staff writer Michelle Tan reported from Singapore.

