Virus alerts: Malware in waiting for post-xmas chaos

Careful you don't return to a nasty surprise...

Antivirus experts are warning of a destructive, Christmas-themed email worm and another virus which spreads via MSN Messenger, the popular instant-messaging application.

The Jitux.A worm has already begun to spread via MSN Messenger, according to Panda Software. Though it is not destructive, it could prove a great annoyance to users. When executed, the file becomes resident in memory and sends messages to other MSN Messenger users every five minutes, prompting them to download the worm's code, contained in a file called jituxramon.exe.

The worm started to spread more rapidly on Friday, affecting mainly Portugal, Spain and Mexico, said Panda Software. It affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Users can remove the worm simply by scanning their PCs with antivirus software that has up-to-date virus definitions, from Panda, Symantec, McAfee or others.

A more dangerous worm is PE_QUIS.A, according to antivirus company Trend Micro; it is also called W32.HLLP.Belzy@mm by Symantec and has been detected in the past few days by several other firms. Quis spreads itself via Outlook as an email containing a destructive payload. The worm affects Windows 95, 98, and ME.

The worm infects all .exe files in the My Documents and C:\progra~1\mirc folders. Among its less disruptive effects, it overwrites ringtone files (using the extension .rtx) with the tune "Jingle Bells" and subjects the user to a quiz.

The worm arrives in an email with the subject line, "Merry Christmas!" The body reads: "You've probably received enough e-cards. Here's a nice Christmas screensaver instead :)," and the message carries an attachment called xmas.scr.

Removal involves identifying infected files with an antivirus program, deleting them and then undertaking the tricky process of removing autostart entries from the registry.

When an infected system is restarted, Windows automatically runs an application called "startup.exe", which begins by informing the user that the PC is infected. The pop-up message reads, in part: "Your computer is infected with Win32.HLLP.Quizy. However, if you complete the quiz, you may be able to disinfect it."

The quiz contains such seasonal questions as "which animal would Santa have if he actually existed?" (reindeer) and "Which season do I hate the most?" (winter). The virus writer's nationality is signposted in some questions, such as, "In which country do I live?" (Belgium) and "Which keyboard layout is used in Belgium?" (azerty).

Other questions are technical, such as, "which chipset does a U.S. Robotics 22Mbps Wireless PC Card have?" (acx100), or insulting, such as, "what does antivirus person Graham Cluley have between his toes?" (cheese).

This is not the first time Cluley has been singled out for personal treatment by virus writers and hackers, and it is likely that this latest virus is once again the work of a female virus writer with a particular dislike of the Sophos man. Earlier this year Cluley was the subject of a game-bearing virus written by a Belgian hacker calling herself Gigabyte. This latest virus also purports to be the work of Gigabyte.

Upon completion of the quiz, the program executes the infection code again, and directs the user to a website which promises information on how to remove the worm.
