An Internet worm that disguises itself as a Shockwave Flash movie is gaining traction among corporations around the world, and at least one antivirus software vendor upgraded the virus to "high risk" Friday afternoon.
Antivirus company McAfee said it has received as many as 50 reports of the virus in the past 24 hours, most of which are from corporations, including several Fortune 500 companies. The unusually high number of reports prompted the Network Associates subsidiary to upgrade the virus from medium risk to high risk late Friday afternoon.
Trend Micro also is seeing increased incidents of the virus, which arrives in an e-mail bearing the subject line "A great shockwave flash movie." Trend Micro received reports of the worm Friday from nine Fortune 500 companies in the U.S., Europe and Asia, as well as numerous smaller companies, officials said.
The worm, which first appeared Thursday, is delivered to users in the form of an e-mail attachment that appears to be a Shockwave Media Player. When a user tries to view the fake movie attachment, the worm sends a copy of itself to all people in the address book who use Microsoft Outlook e-mail program, potentially clogging e-mail networks.
The worm doesn't destroy files on a user's computer but renames all files of the ".jpeg" and ".zip" type and moves them to the PC's root directory, said Patrick Nolan, a virus researcher with McAfee's Anti-Virus Emergency Response Team - AVERT.
There doesn't appear to be a pattern to the industries that have been affected by the virus, which include companies in the manufacturing, banking, healthcare and retail sectors, officials at Trend and McAfee said.
While the worm doesn't delete files, it can clog networks and take e-mail servers offline. Cleaning up files that have been relocated and renamed could also waste considerable time for IS staff, Nolan said.
Antivirus vendors have long been warning users not to open attached files of the ".exe" type. One reason the Creative.exe virus may be spreading so quickly is that uses the Shockwave Flash movie icon. Users tend to trust familiar icons they see on their computers, and virus writers are starting to play off that trust, a spokeswoman for McAfee said.
"This could be setting a new trend in virus writing," she said.
The virus hasn't caused as much damage as the notorious "I Love You" virus, which reached millions of computers in May and wreaked havoc at corporations around the globe. The ability of "I Love You" to delete files, and the fact that it spread so rapidly, earned it McAfee's highest risk assessment - "high risk - outbreak." The Shockwave virus is currently rated at high risk, one step below.
Antivirus vendors said users should upgrade their antivirus software immediately. Most vendors provide free updates to the latest antivirus files on their Web sites. Trend Micro said its users should visit www.antivirus.com/vinfo/, while McAfee pointed its users to www.avertlabs.com/.
McAfee, in Santa Clara, is at www.nai.com/. Trend Micro can be reached at its North American headquarters in Cupertino, Calif., at www.antivirus.com/.
RELATED LINKS
Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.
Request a reprint or permission to use this article.
