A bogus Microsoft security alert is apparently being used by crafty hackers to spread the latest version of a computer worm on the Internet.
In an announcement on its Symantec Antivirus Research Center (SARC) Web site, Symantec said that the W32.Leave.B.Worm is a variant of the W32-Leave.worm identified several weeks ago by the FBI's National Infrastructure Protection Center.
What's new, said Patrick Martin, SARC's development manager, is that this is apparently the first time that a virus or worm has been distributed using a faked Microsoft security bulletin. "It's a sneaky way to get on your system," Martin said. "We've just never seen them use the tactic of a security bulletin as a guise."
The worm downloads components from Web sites and contains code to accept commands from Internet Relay Chat programs, according to Symantec.
But the threat to corporate IT departments by the worm is listed by Symantec as "low" because it can be easily avoided by using up-to-date antivirus software and firewall protection, Martin said. "This targets consumer users, not IT departments."
The worm could, however, eventually be used to prepare target machines for involvement in distributed denial-of-service attacks that can bring Web sites to their knees, he said.
The worm is being sent out as part of an e-mail that purports to be "Microsoft Security Bulletin MS01-037."
The fake bulletin says that a "serious virus" is aimed at Windows machines and should be protected by the download and installation of an attached "security patch." The bogus bulletin attempts to scare recipients by saying that the virus has the "complexity to destroy data like none seen before."
According to the NIPC, the worm only affects computers that have been infected previously with another virus, the SubSeven Trojan, which can permit a remote computer to gain complete control of an infected machine. The worm and trojan work together to use the target machine.
A spokeswoman at the NIPC refused to comment beyond the agency's posted warnings.
Alan Paller, research director at the SANS Institute, a nonprofit security and antivirus research group, said the worm appears not to damage computers, nor allow the theft of data. The goal of the invaders, he said, appears to be to use target computers to click ad banners and other sites as part of a money-making scheme.
"This is a new kind of crime," Paller said. "We believe this is a financial crime."
Analysis of the worm began in mid-June, when sensor reports started flooding into the incident reporting site and a new Internet Storm reporting center set up by the SANS Institute.
More information on detection, removal and protection from the worm has been made available by SANS and by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
(Computerworld reporter Deborah Radcliff contributed to this report.)