‘Tis the Season … for Viruses?

As the number of email-related viruses continues to grow, one thing is becoming apparent: virus writers will go to any lengths to get a recipient to open the infected email. Playing on the theme of the holiday season, two Christmas-related viruses in particular have recently caused some problems.

“Virus writers seem to be getting more cunning regarding the psychology for getting people to open e-mails that have viruses on them,” says Graham Cluley, senior technology consultant at Sophos, an anti-virus software vendor. “We’re now seeing a lot of Christmas-related viruses. It’s the holiday season and people want to have fun, so they’re sending screen shots and other things. The virus writers are taking advantage of this by disguising the viruses with things like Santa Claus images.”

The most damaging Christmas virus to date has been W32/Navidad, an e-mail worm that masquerades as a Christmas card, arriving in an e-mail message with an attachment called NAVIDAD.EXE. Once the attached program is launched, it displays a dialog box containing the text “UI.” It then attempts to read new email messages and to send itself to the senders’ addresses. The worm copies itself into the Windows system directory with the filename WINSVRC.VXD and changes the registry so that it runs on Windows startup and before any file is run.

According to Sophos, the Navidad virus started to spread at the beginning of November, but has already caused problems, evidenced by the fact that Sophos ranked it as the second most reported virus in November and the seventh most reported virus of 2000 overall.

While not causing as much damage as Navidad, W32/Music has also found its way inside a number of companies’ email systems. This virus is attached as a file called music.exe, or and comes with some sort of a message text saying it is a Christmas tune program. Once opened, the virus waits a few minutes before attempting to connect to several Web sites. It attempts to download an updated version of itself from the Web sites and then the worm tries to send itself to email addresses found on the infected PC.

For IT administrators, the Christmas email viruses can pose a big problem, as employees can suffer from a seasonal lack of caution. “The problem for administrators is that they may be perceived as the Grinch for not letting employees open or send executable files or screen savers,” says Cluley. “But in terms of data protection, it’s a must because data is the lifeblood of a company.”

The alternative, continued Cluley, is for the IT department to put out a list of games or screen savers that the employees can open and send to each other during the holiday season.

Sophos has compiled its list of the top 10 viruses of the year. Leading the way was VBS/Kakworm, which accounted for 17 percent of the calls made to Sophos’s help desk. Although Microsoft issued a security patch against the exploit used by Kakworm in 1999, many users have not downloaded it. The Love Bug virus, which made front page news across the world in May 2000, was second on the list. The third through tenth spots were, in order: W32/Apology-B, WM97/Marker, W32/Pretty, VBS/Stages-A, W32/Navidad, W32/Ska-Happy99, WM97/Thus, and XM97/Jini.

Looking ahead, Cluley has two suggestions for companies looking to protect against email viruses. Because most viruses contain double extensions such as .exe, Cluley says “companies should put in a gateway that does not allow double extensions because this would prevent a lot of the viruses going around.”
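
A gateway check of the kind Cluley describes can be sketched as follows. This is an added example, not code from Sophos or from the article; the `BLOCKED_EXTS` list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: extensions that run code on Windows when opened.
BLOCKED_EXTS = {"exe", "scr", "com", "pif", "bat", "vbs"}

def check_filename(name):
    """Return the reason an attachment name is rejected, or None to allow it."""
    # Keep only the last path component; Windows ignores trailing dots and
    # spaces, so "music.exe." still launches as music.exe.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] not in BLOCKED_EXTS:
        return None
    if len(parts) > 2:
        return "double extension ending in an executable type"
    return "executable attachment"

def scan_message(raw):
    """Return [(filename, reason)] for every rejected attachment in a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rejected = []
    for part in msg.walk():  # walk() also reaches attachments in nested parts
        name = part.get_filename()
        reason = check_filename(name) if name else None
        if reason:
            rejected.append((name, reason))
    return rejected

def build_sample():
    """Constructed test message; the attachment bytes are inert placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Season's greetings"
    msg.set_content("Card attached.")
    for name in ("NAVIDAD.EXE", "santa.jpg.exe", "music.exe.", "carol.rtf"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"REJECT {name}: {reason}")
```

The check looks only at the declared filename, so it complements rather than replaces content scanning at the gateway.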

The other recommendation is to adopt a company rule that forbids employees to send or check emails that use Word documents. “You can write in Word, but then you can save it in a rich text format (RTF),” Cluley says. “It looks the same, but RTFs can’t contain macro viruses. It’s a very simple trick that doesn’t require any software.” – James Martin

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

