February 3, 2005 11:31 AM PST
Saddam Hussein 'death' photos used as worm bait
The Bobax.H worm purports to offer photos that show that the former Iraqi leader was killed while attempting to escape from custody, the antivirus company said.
"It's a brand new virus that converts users' PCs into spam factories," said Graham Cluley, a Sophos senior security consultant. "Although it hasn't reached epidemic proportions yet, it is spreading."
The worm can spread via e-mail and by using the Microsoft LSASS vulnerability, the same flaw used by the Sasser worm to spread in record time. The vulnerability was reported 10 months ago, and a patch is available.
Bobax.H, which affects PCs running Microsoft Windows, propagates when people open an e-mail attachment containing the virus, Sophos said in its advisory. It then attempts to forward itself to other e-mail addresses and vulnerable computers. Bobax-H will also try to disable antivirus and security software, as well as install an e-mail relay module to transform the PC into a spam factory.
The attachments in the Bobax.H e-mails carry a number of different file names, and the body of the message varies too, Sophos said. Examples of message bodies include: "Saddam Hussein - Attempted Escape, Shot dead. Attached some pics that i found" and "Osama Bin Laden Captured. Attached some pics that i found."
Cluely noted that virus writers rely on celebrities to entice people to open malicious e-mail attachments. One example was the Anna Kournikova virus, a mass-mailing worm that posed as a photo of the popular Russian tennis player.
News junkies who receive e-mails purporting to include news should take measures to get information or photos without putting their computers at risk, Cluley said.
"A lot of people are using the Internet for the latest breaking news. But rather than open an attachment, they can go to a reputable news site like CNN or the BBC. They can look there for the information or photos," he said.