Worm Adds Insult to Injury

Internet users infected with a virus may not feel particularly brilliant, but a new worm reported by PandaLabs will actually tell them they're not.

The W32/Cisum.A worm displays the message "YOU ARE AN IDIOT" while repeating an MP3 with the same phrase every five seconds. Beyond audibly berating its victims, the Cisum worm also targets security programs, including firewalls and anti-virus programs, and shuts them down.

The worm also looks for and shuts down instances of the Netsky and Bagle worms that may be present on a user's PC.

Cisum spreads automatically across a user's network by copying a file to the root directory of local and mapped network drives. PandaLabs considers this distribution mechanism one of the reasons the worm hasn't spread far.

"As this worm is designed primarily to spread on a network environment, we won't see a big distribution on consumer machines," Patrick Hinojosa, CTO of Panda Software U.S., told internetnews.com. "If this is sent as a component of an e-mail-borne threat we will start to see wider distribution."

The Cisum.A worm creates a number of files in the Windows system directory and writes multiple registry entries. It also creates a copy of itself under a random 8-character file name with an EXE extension. Whenever Windows starts, a Windows service called ProjectX runs, which triggers the visual and audio "idiot" notification.
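For administrators who want to check a host for the traits described above, here is a triage sketch added as an example; it is not PandaLabs' tooling or a published signature. It assumes an exported inventory of service names and file paths per host, that the 8-character copy sits in the system directory, and a baseline list of legitimate 8-character executables; the sample data is constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SERVICE_NAME = "projectx"  # service name reported in the article
# Assumption: the random name is 8 letters or digits; the article gives no character set.
EIGHT_CHAR_EXE = re.compile(r"^[a-z0-9]{8}\.exe$")
# Assumption: per-build baseline of legitimate 8-character executables.
BASELINE = {"explorer.exe", "services.exe", "winlogon.exe", "rundll32.exe"}
SYSTEM_DIRS = {"system", "system32"}

def triage(inventory):
    """Return (indicator, detail) findings for one host's exported inventory."""
    findings = []
    for svc in inventory.get("services", []):
        if svc["name"].lower() == SERVICE_NAME:
            findings.append(("service", svc["name"]))
    roots = defaultdict(set)  # executable name -> drives holding it in their root
    for raw in inventory.get("files", []):
        path = PureWindowsPath(raw)
        name = path.name.lower()
        if len(path.parts) == 2 and name.endswith(".exe"):
            roots[name].add(path.drive.upper())
        elif (path.parent.name.lower() in SYSTEM_DIRS
              and EIGHT_CHAR_EXE.match(name) and name not in BASELINE):
            findings.append(("unbaselined_exe", raw))
    for name, drives in sorted(roots.items()):
        if len(drives) >= 2:  # same executable in the root of several drives
            findings.append(("root_copy", f"{name} on {', '.join(sorted(drives))}"))
    return findings

# Constructed sample inventory (not real telemetry; file names are made up).
SAMPLE = {
    "services": [{"name": "Spooler"}, {"name": "ProjectX"}],
    "files": [
        r"C:\WINDOWS\system32\services.exe",
        r"C:\WINDOWS\system32\qhtzmwkp.exe",
        r"C:\copyfile.exe",
        r"D:\copyfile.exe",
        r"Z:\copyfile.exe",
        r"C:\boot.ini",
    ],
}

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE):
        print(f"{indicator:16} {detail}")
```

Any single finding is only a lead; the baseline has to match the Windows build being checked, since many legitimate system executables also have 8-character names.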

It affects Windows 2003, XP, 2000, NT, ME, 98 and 95.

Cisum isn't the first worm to play a sound file when activated. That dubious honor belongs to NetSky.C, according to Wallace, which played a sound, though not an insulting voice like Cisum.

The Cisum MP3 file can be heard on PandaLabs' site.

Users should (as always) update their anti-virus software in order to avoid being called an idiot.