Reports are coming in of a new email-based worm variant that cleverly poses as a tool for removing evidence of pornography from the hard disk of recipients.

The mass-mailer, dubbed W32/Baba-C by anti-virus vendor Sophos, falsely claims in its subject line that it has detected adult-related material on a PC and suggests the user run the attached "evidence cleaner" to remove traces of it having been there.

Opening the attachment installs the worm, which then mails itself to the contacts in the user's e-mail address books and opens a back door that gives attackers access to the compromised PC. Once an infection has taken place, the worm reports back to its point of origin to notify the worm's operator that a new PC has been compromised. The operator could then use the back door to steal data from that PC.
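The infection chain above starts with a lure subject line and an executable attachment, which is exactly what a mail gateway can screen for before the message ever reaches a user. The following added example (not code from the article, Sophos, or any vendor) parses a raw RFC 822 message, flags attachments that are executable by extension or by the "MZ" header magic (so a renamed binary is still caught), and escalates the verdict when the subject also carries lure wording of the kind the article describes. The lure-phrase list, the verdict names and the sample messages are all constructed assumptions for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types a gateway should never deliver unchallenged (assumed policy).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Subject-line words matching the lure the article describes (assumed list).
LURE_PHRASES = ("adult", "porn", "evidence", "cleaner")


def build_sample_message(subject: str, attachment_name: str, payload: bytes) -> bytes:
    """Construct a raw message for testing (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please run the attached tool.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def is_executable_attachment(part) -> bool:
    """True if the part looks like a Windows executable by name or by content."""
    name = (part.get_filename() or "").lower()
    # splitext keeps only the last suffix, so "cleaner.jpg.exe" still yields ".exe"
    _, ext = os.path.splitext(name)
    data = part.get_payload(decode=True) or b""
    # "MZ" is the DOS/PE header magic; this catches executables renamed to .jpg etc.
    return ext in EXECUTABLE_EXTENSIONS or data[:2] == b"MZ"


def assess_message(raw: bytes):
    """Return (verdict, findings) for one raw message.

    quarantine: executable attachment plus lure wording in the subject
    hold:       executable attachment without lure wording
    deliver:    nothing executable attached
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    lure_hits = [p for p in LURE_PHRASES if p in subject]
    findings = []
    for part in msg.iter_attachments():
        if is_executable_attachment(part):
            findings.append(f"executable attachment: {part.get_filename()}")
    if findings and lure_hits:
        verdict = "quarantine"
    elif findings:
        verdict = "hold"
    else:
        verdict = "deliver"
    return verdict, findings


if __name__ == "__main__":
    # Constructed lure message: subject claims adult material was found, binary attached.
    lure = build_sample_message("Adult material detected on your PC",
                                "evidence_cleaner.exe", b"MZ\x90\x00" + b"\x00" * 16)
    print(assess_message(lure))
    # Constructed benign message for comparison.
    benign = build_sample_message("Quarterly report", "report.pdf", b"%PDF-1.4 sample")
    print(assess_message(benign))
```

The content check matters more than the extension check: a user-facing filter that only looks at ".exe" is trivially bypassed by renaming, whereas the decoded payload's header is what Windows actually acts on when the file is launched.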

The worm is in its early stages, only affects Windows, and is believed to be small-scale at present, but the potential for it to spread further is clear. As ever, virus and Trojan writers are looking to play on anxieties. "Many people are worried about the adult material that inhabits areas of the internet, and don't want it to reach their PC. It's also clear that the Internet is widely used for accessing hardcore sexual material," commented Sophos's senior technology consultant and resident virus expert Graham Cluley.

"There is one type of person who doesn’t want this type of stuff [porn] on their computer. And there is the type of person who does." The clever part was that the worm could catch people from both groups unawares, he said. "We’ve seen viruses in the past that have scanned a hard disk for porn." This was the first example that had used anxieties about pornography to attempt infection, however.

The original Baba-A worm came to light last October and was believed to have originated at a South Korean university. It is not clear whether the Baba-C variant has come from the same source though the style of English used in the message body is not that of a native speaker.

Meanwhile, the virus "top 20" for December, published on Kaspersky Labs' viruslist.com, put the W32/Zafi-d mass-mailer as the most commonly found virus with 17.8 percent of outbreaks, followed by Zafi-b on 13.4 percent and Netsky-G on almost 11 percent.
