Warnings: Cholera worm/virus threat
- — 09 September, 1999 21:49
A new combined worm and virus threat, called Cholera, has been posted to a hacker's Web site and has antivirus vendors scrambling to provide protection before an epidemic spreads akin to Melissa and Worm.ExploreZip.
Computer Associates has found Cholera posted to a hacker site in Germany, and due to the potential danger inherent in the worm/virus, is warning users not to accept suspicious e-mail attachments. The worm/virus is currently listed as a medium threat, as it has not been found "in the wild" and infecting user systems, but will automatically be upgraded to a high threat as soon as it is, according to the company.
"We're calling it a moderate alert. But once it gets in the wild we will call it a high alert, because of its ability to spread," said Narender Mangalam, product manager for antivirus at Computer Associates.
Cholera is similar to Worm.ExploreZip as it unleashes a worm-style attack that will automatically send itself to any e-mail address it finds on an e-mail system, and therefore carries the potential to clog and shut down e-mail servers. Cholera is also not platform-dependent, and can operate off of any e-mail system, according to Mangalam.
Cholera also includes a virus aspect, as it will drop a virus file, W32/CTX, when it infects a new machine. At this time, Computer Associates is still investigating what payload, if any, the virus will deliver.
"We're not sure what virus does as of now," said Mangalam.
Currently Cholera will send itself to a recipient with a "smiley" face in the text and an attachment named Setup.exe that looks like a self-extracting setup program. The icon of this attachment looks like a standard Windows install program, but the colour is off. The worm goes resident when the infected system is rebooted. Once activated, the worm installs itself by adding keys to WIN.INI on Win9x and registry on WinNT. The worm will also try to copy itself to any shared drives to which the user is currently connected. Then it proceeds to infect executables in the directory from where it is launched with a virus named W32/CTX.
When users open the attachment it displays a message that reads, "Cannot open file: it does not appear to be a valid archive. If you downloaded this file, try downloading the file again".
Invisible to the user, the worm will turn into an auto-start application by writing a RUN entry to the Win.ini file (Windows 9x) or to the registry (Windows NT). After sending itself out the worm deletes itself from the system, CA officials said.
Although no reports of users being infected have been received by antivirus vendors, the potential for infection and the possibility that other virus writers will copy and alter the core capabilities of Cholera for "copy-cat" viruses, has companies on alert.
"It's sort of a duel thing because of the virus and worm aspect, so it's sort of screaming, 'Build a variant of me,' " said Mangalam.
Computer Associates intends to provide an update to its antivirus systems and recommends users contact whatever antivirus vendors they utilise.