Worm Adds Insult to Injury

Internet users infected with a virus may not feel particularly brilliant, but
a new worm reported by PandaLabs will actually tell them they’re not.

The W32/Cisum.A worm displays the message “YOU ARE AN IDIOT” while repeating an MP3 with the same phrase
every five seconds. Beyond audibly berating its victims,
the Cisum worm also targets security programs, including firewalls and anti-virus
programs, and shuts them down.

The worm also looks for and shuts
down instances of the Netsky and Bagle worms that may be present on a user’s

Cisum is spread automatically across a user’s network by copying a
file to the root directory of local and mapped network drives. PandaLabs considers
the distribution mechanism of the worm as one of the reasons why it hasn’t spread far.

“As this worm is designed primarily to spread on a network environment,
we won’t see a big distribution on consumer machines,” Patrick Hinojosa, CTO of
Panda Software U.S., told internetnews.com. “If this is sent as a component of an e-mail-borne
threat we will start to see wider distribution.”

The Cisum.A worm creates a number of files in the Windows
system directory and writes multiple registry entries. It also creates a copy of the worm,
an 8-character random file name that has an EXE extension.
Whenever Windows starts, a Windows service called ProjectX runs, which
triggers the visual and audio “idiot” notification.

It affects Windows 2003, XP, 2000, NT, ME, 98 and 95.

Cisum isn’t the first worm to play a sound file when activated. That dubious
honor belongs to NetSky.C, according to Wallace, which played a sound, though not
an insulting voice like Cisum.

The Cisum MP3 file can be heard
on PandaLab’s site.

Users should (as always) update their anti-virus software in order to
avoid being called an idiot.

News Around the Web