Latest Internet Worm Has Fatal Error

[London, ENGLAND] Anti-virus software company
Kaspersky Lab reported
Tuesday that the latest Internet worm, named “Dilber” (no “t”), is
unable to proliferate owing to an error in its code.

I-Worm.Dilber carries a payload of no less than five different
viruses, some of which Kaspersky describes as “deplorably destructive.”
They include Chernobyl, Freelink and SK, all of them well-known
to the anti-virus community.

Eugene Kaspersky, head of anti-virus research at Kaspersky Lab, said
that it was very lucky that there was an error in the worm because it
would be hard to imagine the consequences if it had the ability to spread.
He warned, however, that the mistake could be rectified and a fully
functional version of the worm could appear on the Internet.

“This worm is very dangerous, because it is compressed by ASPack
packing utility. Only a few anti-viruses are able to search for
viruses in files of this format,” said Kaspersky.

Related to the so-called “I-Worm.Silver” and presumably
written by the same person, Dilber is a Windows executable
written in Delphi. It uses a VBS file helper to access the
Internet, then tries to spread to the local network.

On the LAN, Dilber attempts to copy itself to the Windows
directory with the name SETUP_.EXE. However, if it fails it
uses the name DILBERTDANCE.JPG.EXE and remains as either
a background application (under Windows 95/98) or as a service
(under WinNT), running two spreading routines at regular

Like several previous worms, Dilber sends itself to the first 20
addresses in MS Outlook, saying “Hi (sendername)… Received
your mail, and will send you a reply ASAP. Until then, check
out this funny Dilbert Dance (attached).”

The attached file name is called: dilbertdance.jpg.exe.

Internet users familiar with both the Dilbert cartoon and
the highly popular Web entertainment Hamster Dance will probably
feel an irresistible compulsion to open the file — just as
thousands of people responded to the ILOVEYOU message which
brought networks grinding to a halt a few weeks ago.

One remedy is Kaspersky Lab’s AntiViral Toolkit Pro (AVP),
to which protection against Dilber has been added in the
daily update.

News Around the Web