RealTime IT News

Latest Internet Worm Has Fatal Error

[London, ENGLAND] Anti-virus software company Kaspersky Lab reported Tuesday that the latest Internet worm, named "Dilber" (no "t"), is unable to proliferate owing to an error in its code.

I-Worm.Dilber carries a payload of no fewer than five different viruses, some of which Kaspersky describes as "deplorably destructive." They include Chernobyl, Freelink and SK, all of them well known to the anti-virus community.

Eugene Kaspersky, head of anti-virus research at Kaspersky Lab, said that it was very lucky that there was an error in the worm because it would be hard to imagine the consequences if it had the ability to spread. He warned, however, that the mistake could be rectified and a fully functional version of the worm could appear on the Internet.

"This worm is very dangerous, because it is compressed by ASPack packing utility. Only a few anti-viruses are able to search for viruses in files of this format," said Kaspersky.

Related to the so-called "I-Worm.Silver" and presumably written by the same person, Dilber is a Windows executable written in Delphi. It uses a VBS file helper to access the Internet, then tries to spread to the local network.

On the LAN, Dilber attempts to copy itself to the Windows directory under the name SETUP_.EXE. If that fails, it uses the name DILBERTDANCE.JPG.EXE instead. It then remains resident, either as a background application (under Windows 95/98) or as a service (under WinNT), running two spreading routines at regular intervals.

Like several previous worms, Dilber sends itself to the first 20 addresses in MS Outlook, saying "Hi (sendername)... Received your mail, and will send you a reply ASAP. Until then, check out this funny Dilbert Dance (attached)."

The attached file is named dilbertdance.jpg.exe.
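A mail-gateway style check for the naming trick described above, added here as an illustration and not taken from Kaspersky Lab or AVP: it flags attachments whose executable extension hides behind a harmless-looking one, plus the two file names the article reports. The extension lists, function names and sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists: extensions Windows runs directly vs. ones read as harmless.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".vbs"}
DECOY = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".pdf"}
# File names the article attributes to Dilber (compared case-insensitively).
DILBER_NAMES = {"setup_.exe", "dilbertdance.jpg.exe"}

def classify(filename):
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    # Windows drops trailing dots and spaces, so "x.jpg.exe. " still runs as .exe.
    name = filename.strip().lower().rstrip(". ")
    reasons = []
    if name in DILBER_NAMES:
        reasons.append("name reported for I-Worm.Dilber")
    parts = name.split(".")
    if len(parts) >= 3:
        last, prev = "." + parts[-1], "." + parts[-2]
        if last in EXECUTABLE and prev in DECOY:
            reasons.append(f"executable {last} hidden behind decoy {prev}")
    return reasons

def scan_message(raw):
    """Parse a raw RFC 5322 message; map each flagged attachment name to reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and classify(name):
            findings[name] = classify(name)
    return findings

def build_sample():
    """Constructed test message: one benign image and one double-extension file."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("Constructed body text for the example.")
    m.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg",
                     filename="holiday.jpg")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="dilbertdance.jpg.exe")
    return m.as_string()

SAMPLE = build_sample()

if __name__ == "__main__":
    for name, why in scan_message(SAMPLE).items():
        print(name, "->", "; ".join(why))
```

A name check like this only catches the disguise; it does not inspect the ASPack-compressed file itself.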

Internet users familiar with both the Dilbert cartoon and the highly popular Web entertainment Hamster Dance will probably feel an irresistible compulsion to open the file -- just as thousands of people responded to the ILOVEYOU message which brought networks grinding to a halt a few weeks ago.

One remedy is Kaspersky Lab's AntiViral Toolkit Pro (AVP), to which protection against Dilber has been added in the daily update.