New worm may be first written in C#
- — 04 March, 2002 09:28
Researchers this week discovered a virus written using Microsoft's C# programming language, a find that one antivirus expert said is a first.
The W32/Sharpei@MM virus is a mass-mailing worm that also can damage certain files on a system that uses Microsoft's .Net framework, according to Vincent Gullotto, vice president of research for McAfee, a division of Network Associates Inc. However, it apparently has not yet appeared in the wild and McAfee characterized it as a low-risk threat.
The .Net framework, unveiled last year, is the set of APIs and class libraries that developers use to develop applications for Microsoft's .Net Web services platform. C# is a component-based programming language, sometimes compared to Java, that Microsoft introduced with .Net.
The Sharpei virus comes as an e-mail attachment and is disguised as a Microsoft Corp. update file to make a system more secure. If activated, it can forward itself to contacts in a user's address book. In a system that uses the .Net framework, it can affect some executables, Gullotto said. One interesting feature of the virus is that after it creates e-mail messages to propagate itself, it deletes those sent messages -- evidence of its actions -- from the list of sent messages on the user's computer.
The worm was written by a female virus writer, probably in the Netherlands, who is known to McAfee because of earlier worms, he said.
Also this week, virus experts became aware of a slowly spreading, low-risk worm that disguises itself as a set of pictures of pop singer Britney Spears. This virus, recently renamed VBS/Chick@M, can spread itself via both a Microsoft Outlook address book and the mIRC Internet Relay Chat program, according to McAfee. However, it appears to forward itself only to the first contact in an Outlook address list, which means its spread would be fairly slow. Users of mIRC would see the worm as an attachment to an mIRC chat message.
The e-mail message typically carries the subject line "RE: Britney Pics" and carries an attachment called Britney.chm.
The attachment that appears in either an e-mail or a chat message is actually a Windows Help file. Clicking on it will bring up a Windows Help window along with a warning about possibly unsafe ActiveX files. If users click "Yes" to the ActiveX warning, the virus will begin running and try to propagate itself.
VBS/Chick@M was discovered on Tuesday but apparently had not hit any users by Friday afternoon, according to Gullotto. The worm is unlikely to have much impact, partly because the attachment it sends appears with the .chm extension of a Windows Help file.
The deluge of e-mail viruses over the past two years has made even consumers a bit more sophisticated about potential threats, he said.
"They are getting a little bit smarter to realize that .jpg or .mpg is the type of file you use to get a picture or a movie," Gullotto said.
McAfee said it made patches available that protect against both of the new viruses.