Posted by vincent on 04 December 2001 - 23:26 · 13 comments & 207 views
A mass-mailing e-mail worm started to spread quickly Tuesday, prompting antivirus software makers to advise their customers to upgrade their virus definitions.

Dubbed Pentagone, Goner or Gone, the Visual Basic Script program spreads via e-mail and the messaging system ICQ. On infected computers, it stops most antivirus and security programs.

"We are kind of seeing it follow the sun at the moment," said Mark Sunner, chief technology officer for e-mail service provider MessageLabs. "It has been waiting in in-trays of people coming into work."

MessageLabs has captured more than 23,000 e-mails containing copies of the worm, said Sunner, adding that the rate, now at about 100 messages per minute, is increasing.

The worm only affects computers running Microsoft Windows and spreads through Outlook e-mail clients. Macs and computers running Linux or other Unix-like operating systems are unaffected.

The worm arrives in a message with the subject "Hi" and the following text in the body of the e-mail:

How are you ?
When I saw this screensaver, I immediately thought about you
I am in a harry, I promise you will love it!


Attached to the message is what appears to be a screensaver file, Gone.scr, a compressed copy of the worm.
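The indicators described above (subject "Hi", the screensaver sentence, a .scr attachment) can be checked at a mail gateway. The following is an added example, not code from the article or from any antivirus vendor; the function names, addresses and sample messages are constructed for illustration, and the attachment bytes are a harmless placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article's description of the message.
SUBJECT = "hi"
BODY_PHRASE = "when i saw this screensaver"
BLOCKED_EXTENSIONS = (".scr",)  # the article names Gone.scr


def indicators(raw: bytes) -> dict:
    """Return which of the three described indicators a raw message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    # Normalise names so "x.jpg.SCR" or "x.scr. " cannot slip past the check.
    names = [(a.get_filename() or "").strip().rstrip(".").lower()
             for a in msg.iter_attachments()]
    return {
        "subject": subject == SUBJECT,
        "body": BODY_PHRASE in body,
        "attachment": any(n.endswith(BLOCKED_EXTENSIONS) for n in names),
    }


def classify(raw: bytes) -> str:
    hits = indicators(raw)
    if all(hits.values()):
        return "goner-like"        # all three indicators present
    if hits["attachment"]:
        return "block-attachment"  # executable screensaver, whatever the text
    return "pass"                  # a bare "Hi" subject is far too common to act on


def build_sample(subject: str, body: str, filename: str = "") -> bytes:
    """Build a constructed test message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Blocking on the attachment type alone is the durable rule here, since the subject and body text are trivial for a variant to change.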

News source: CNET


When the file is opened, Pentagone will infect the victim's PC, attempt to stop a variety of antivirus and security applications and then, if successful, delete all the files in the folders containing those applications. AtGuard's Personal Firewall, ConSeal's PC Firewall, Kaspersky Lab's AVP, Network Associates' McAfee VirusScan, Symantec's Norton Antivirus and Zone Labs' ZoneAlarm are among the programs that the worm attempts to deactivate.

After eliminating the security on the computer, the worm opens up a dialog box containing its name, Pentagone, and the handles of its creators. The dialog box also includes acknowledgements to other people on the Net, in a style similar to that of online vandals who deface Web sites.

The worm then installs a backdoor program linked to mIRC, a popular Internet Relay Chat program. The backdoor can be used to execute denial-of-service attacks against IRC servers.

In addition, the virus attempts to spread using e-mail and ICQ.

To spread by e-mail, Pentagone uses script commands to send a copy of itself to every entry in the victim's Outlook address book. In ICQ, the worm uses specific commands to send a copy of itself to other people using the messaging application.

Antivirus software makers have been inundated with calls from customers who have been infected or seen copies of the worm.

"It is extremely widespread," said April Goostree, virus research manager for McAfee.com. "We are seeing both corporate and home users being hit. We consider it an outbreak because of how fast it's spreading in so short a period."

Rival Trend Micro has had about 22 corporate customers complain about the virus and has given it a high threat rating.

David Perry, global director of education for Trend Micro, has decided that computer users may never be security-conscious enough to avoid getting infected.

"Every time enough time goes by that people forget to be wary of these things, it pops up again," he said. "Apparently, we have to resign ourselves to the fact that education doesn't work."

Pentagone isn't the only virus spreading significantly. Variants of the Nimda virus and a variant of the BadTrans virus are topping virus charts this month.


