RealTime IT News

Internet Worm Found in Europe Updates Itself

[London, ENGLAND] A new Internet worm discovered in France and Germany this week can update itself with new functionality, warns anti-virus software company Kaspersky Lab.

The worm, named Sonic, consists of two parts -- a loader and a main module. Arriving via e-mail, the loader penetrates the PC's operating system and automatically connects to a hacker's site on Geocities, from which it downloads the main module.

Gaining what is known as "backdoor functionality" -- remote control of the user's computer -- the main module can not only track all the user's activities but also has the potential to be extremely destructive. This, says Kaspersky, is because the loader can return to the hacker's site for more code.

Denis Zenkin, head of corporate communications for Russia-based Kaspersky Lab, said it was not the first time malicious code with a self-updating ability had appeared on the Internet. Prior to Sonic were the so-called "Babylonia virus" and the "Resumé worm", which had similar capabilities.

"However this is not something that catches our attention at the moment. What is more disturbing is that this feature appears to have become a new standard for malicious programs, since more and more of them can update themselves via the Internet," said Zenkin.

Zenkin added that this is a very dangerous trend as it allows hackers to extend their "malware's abilities" in real time through a direct connection to the infected computers.

Malware? Before stopping to admire the sheer poetry of computer jargon, users may wish to find out more about the new worm by checking Kaspersky's Virus Encyclopedia at viruslist.com.

In the version of the worm found in Europe on Monday, the main module gains access to the Windows address book, extracts e-mail addresses, and sends an infected message containing a copy of the loader to each address.

The message in the first versions of the worm bears the subject line "Choose your poison" -- and comes with an attachment named GIRLS.EXE.

Clearly, users must be alert for other messages, given the self-updating capabilities of the worm.