E-mail Worm Digs For Suspected Porn
May 29, 2001
Another computer worm has been released by hackers bent on cleaning up the Internet.
Just a week after the so-called "Cheese worm" was spotted attempting to repair well-known security holes on servers running the open-source Linux operating system, virus experts say they are receiving reports of an e-mail-borne worm that seeks out images of child pornography on systems running Microsoft Windows.
Dubbed "Noped" (or VBS.Noped.A@mm, in some virus database nomenclature), the encrypted Visual Basic Script (VBS) code arrives as an attachment to e-mail. When launched, Noped searches all accessible hard drives for JPEG files matching a list of filenames that the script's author seems to believe indicate child pornography.
A description of the worm from Symantec's Anti-virus Research Center (SARC), says that Noped comes bundled with a list of e-mail addresses for government agencies and that it will send an alert to an agency selected from the list at random if it finds a match for one or more of the JPEG file names.
That behavior could cause extreme embarrassment for innocent individuals with the misfortune of having innocuous JPEG files named identically to any those on Noped's hit list.
However, SARC was reporting today that Noped is not particularly widespread, despite its other abilities, which included duplicating itself by mailing copies of the VBS code to every contact found in a recipient's Outlook e-mail address book.
SARC said Noped arrives in an e-mail with the subject line "FWD: Help us ALL to END ILLEGAL child porn NOW" and the message content "Hi, just a quick e-mail. Please read the attached document as soon as you can. Thanks."
The infected e-mail will have an attached file named "END ILLEGAL child porn NOW.TXT............vbs" - with a string of a dozen dots helping to obscure the fact that the file name ends with the executable ".vbs" extension and not ".TXT".
SARC said clicking on the VBS file causes it to begin its mass-mailing activities and the scans for JPEG files. In addition, the worm displays a rather lengthy document (which will generally launched in the Windows Notepad) detailing what it says are international laws concerning child pornography.
If Noped finds JPEG files matching its list of suspected child pornography images, the message it sends to authorities contains the text: "Hi, this is Antipedo2001. I have found a PC with known Child Pornography files on the hard drive. I have included a file listing below and included a sample for your convenience."
When run, the Noped worm modifies several entries in the Windows registry that need to be restored to remove the worm manually.
SARC is at http://www.symantec.com/avcenter