Bird Flu Inspires PC Virus

Security vendor warns of attachments disguised as information about avian flu.

John Blau, IDG News Service

Virus writers, forever in search of opportunities to distribute their malicious code, are exploiting interest in the avian flu by circulating an e-mail with an attachment that contains information about the bird flu epidemic–and a Trojan horse tucked inside.

The Naiva.A Trojan horse masquerades as a Word document with subject lines such as “Outbreak in North America” and “What is avian influenza (bird flu)?”

“Using the bird flu is a very clever way of drawing attention and enticing those PC users less knowledgeable or concerned about security to open the attachment,” said Jeanine Rother, a virus researcher at the German subsidiary of Panda Software, which is based in Spain. “Although users are constantly being told not to open attachments from unknown sources, some are likely to ignore these warnings because of their interest in the epidemic and potential threat to their own lives.”

Rother was unable to say how many computers have been so far infected with the Trojan horse, which the company detected in its virus lab.

Panda Software has given the malware a low-risk rating in its posted security update.
How it Works

The Trojan horse uses two Word macros to run and install a second threat on the computer. The first macro enables the Trojan horse to modify, create, and delete files. The second macro installs Ranky.FY on computers. Ranky.FY allows hackers to gain remote control of infected computers.

Panda Software urges users to set their macro security level at medium to receive a warning when a macro is run, or on high to stop macros from running altogether.

The Naiva-A Trojan comes on the heels of numerous spam e-mail distributions that promote the sale of Tamiflu, the drug believed to be most effective at protecting humans for the H5N1 strain of the bird flu virus.

How to avoid it:

When the Macro Security setting in Microsoft Word is set to Medium and this document is loaded the user will receive a warning that there are macros in it. When the setting is at high the macros will not run (only signed macros from trusted sources are allowed to run in that case). Different versions of Microsoft Word have different defaults, with the current 2003 version defaulting to High. Earlier versions defaulted to Medium. Anti-virus software can also detect and block this threat.

How to remove it:

Delete the document. Delete %WINDOWS%\UPDATE.EXE (the Ranky.FY Trojan).


One Response

  1. This is a great blog you got here but i can’t seem to find the RSS button.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: