E-Mail Virus Slams Muslim Group
November 15, 2001
Executives at the American Muslim Council are mad as hell.
Last Friday, on the Muslim Sabbath and on the cusp of the holy month of Ramadan, the council's e-mail list was infected with the malicious "Snow White" virus.
The council, in a press release, described the infection as a "criminal invasion" by "hackers" in "a deliberate attempt to discredit and to disable e-mail communications to our members."
Virus experts, on the other hand, are pretty sure the whole thing's a big mistake.
Snow White, known to virus fighters as "W32/Hybris.gen@MM," has been infuriating the online world since October 2000. At its peak in January 2001, hybrid strains accounted for more than 20 percent of the complaints reported to anti-virus company Sophos.
The virus, according to researchers with Network Associates, usually comes as an e-mail message from firstname.lastname@example.org, with the subject "Snowhite and the Seven Dwarfs - The REAL story!" There's an attachment -- usually sexy virgin.scr, joke.exe, midgets.scr or dwarf4you.exe -- that, when opened, infects the WSOCK32.DLL file, a key component of Windows that's used whenever a computer connects to the Internet.
The modified file keeps tabs on all of the e-mail addresses communicating with the infected computer, and then sends a copy of the worm to those addresses.
As it operates, the worm accesses a newsgroup like alt.comp.virus to update itself. The most common of these virus plug-ins is a spiral graphic that can't be closed or stopped once it appears on the victim's desktop.
At this point, most anti-virus programs have long found vaccines for the infection.
But these "old viruses can still carry on in dark and dingy corners of the Internet," said Sophos technical consultant Graham Cluley. "Like missiles without guidance systems," the worms can continue, reaching random target after random target for years on end.
The virus' wandering nature -- and its age -- makes Cluley and other experts seriously skeptical about an intentional infection of the Muslim group.
"If I wanted to attack Muslims in America, I wouldn't use a virus that's a year old. And I wouldn't use a (subject line) that's known to contain a virus," Cluley said. "This leads me to think it's not a deliberate attack."
Added Tom Liston, of Hackbusters.net, "I believe it's far more likely to have been a dumb mistake than a deliberate act."
Staffers at the American Muslim Council argue otherwise. They've contacted the FBI about the infection of the approximately 10,000-member list. One unlucky recipient got more than 3,000 copies of the Snow White message.
"We call this criminal activity," said council spokesman Raymond Busch. That the infection happened on a Friday, the Muslim holy day, makes it no coincidence, Busch added.
"We're not trying to be over-reactionary," Busch continued. "But other possibilities are equally as possible."
These are jumpy times for the Muslim group.
"There's a lot of pressure on American Muslims because of developments in the news," Busch said. "There are questions about whether Islam stands for peace or something else. We're seeing more negativity."
So even the most innocuous queries can be viewed as a threat.
When asked for a contact at U.S. Net, the company hosting the Council mailing list, Busch replied, "You think I would make this up? That's interesting."
By Noah Shachtman. Copyright © 2001, Lycos, Inc.