Software vendors Computer Associates International (CA) and Symantec last week issued warnings about a destructive new virus that disguises itself as a year 2000 computer problem and, besides reformatting user hard drives, changes Internet Explorer home pages to an adult-content site.
The e-mail worm, known as Worm.Mypic or W32/Mypics.worm, arrives as a message without a subject line. The message body contains what appears to be an attachment called "Pics4You.exe" that is 34,304 bytes. If the executable file is opened, the worm loads into the computer's memory and attaches to the first 50 listings in address books of Microsoft Outlook users.
After 20 minutes, the virus tries to e-mail itself again and repeats that after another 10 minutes, with that cycle continuing when "Mypic" is run.
Users have to manually delete registry-key files in their computers to get rid of MyPic after an infection or the virus will stick around and monitor the system clock. When January 1, 2000 arrives, the virus will create a file called C:\CBIOS.COM, which will write over checksum data in BIOS setup information (CMOS), causing the error message "CMOS checksum is invalid" the next time the user tries to boot up the system. Checksum data is used to verify the integrity of computer data.
That message is designed to make users think the problem is related to the year 2000 -- a software problem that could occur because most older code was written with a two-digit date field that might read the "00" in 2000 as "1900" and fail to work properly.
To reboot, the BIOS setup has to be invoked to fix the CMOS checksum. The next time a user successfully boots the machine, the worm will try to format both the C: and the D: drives by creating a new file, which also has to then be deleted manually by the user in order to get the computer running properly again, the vendors said.
CA became aware of the virus when a Fortune 500 customer discovered that a few computers had been infected, said Narender Mangalam, CA director of security, adding that other software vendors also had become aware of the virus and were sending out warnings, so "we're tending to feel that it is out there".
Symantec and CA have been among the vendors to begin warning that viruses are likely to spring up around the date change and that some will disguise themselves as year 2000 problems by activating on that date.
"This is something that we've been talking about for some time now," Mangalam said. "We're seeing the number of viruses speeding up now as it gets closer to Y2K."
CA is advising customers to frequently check the Web sites of antivirus vendors to stay up to date with the viruses that are being detected, and also to make certain that security precautions -- firewalls and the like -- are in place and working properly to keep out intruders.
Antivirus maker Symantec said in a written statement last week that it now has a new definition-set file on its Web site that ensures protection against the newly discovered work, which it rates as a medium to high risk. The definition set can be downloaded at http://www.symantec.com/avcenter/download.html.
CA also has an updated version of its antivirus protection available at http://support.cai.com/Download/virussig.html. A list of newly detected viruses can be found at http://support.cai.com/techbases/ilnt/31033.html. Detailed virus information and removal instructions are available at http://www.cai.com/virusinfo/virusalert.htm.