Happy New Worm

By Matthew Broersma
Posted on ZDNet News: Jan 2, 2004 8:15:00 PM

Antivirus experts are warning of a troublesome, Christmas-themed e-mail worm and a virus that spreads via MSN Messenger, the popular instant-messaging application.

The Jitux.A virus is not destructive but has already begun to spread via MSN Messenger, according to Panda Software. When executed, the file becomes resident

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

in memory and sends messages to other MSN Messenger users every five minutes, prompting them to download the virus' code, contained in a file called jituxramon.exe.

The virus started to spread more rapidly Friday, affecting mainly Portugal, Spain and Mexico, said Panda Software. It affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Users can remove the virus simply by scanning their PCs with antivirus software that has up-to-date virus definitions, from Panda, Symantec, McAfee or others.

More troublesome is the PE_QUIS.A worm, according to antivirus company Trend Micro; it is also called W32.HLLP.Belzy@mm by Symantec and has been detected in the past few days by several other companies. Quis spreads itself via Outlook as an e-mail containing a destructive payload. The worm affects Windows 95, 98 and ME.

The worm infects all .exe files in the My Documents and C:\progra˜1\mirc folders. Among its less disruptive effects, it overwrites ring-tone files (using the extension .rtx) with the tune "Jingle Bells" and subjects the user to a quiz.

The worm arrives in an e-mail with the subject line, "Merry Christmas!" The body reads: "You've probably received enough e-cards. Here's a nice Christmas screensaver instead :)," and the message carries an attachment called xmas.scr.

Removal involves identifying infected files with an antivirus program, deleting them and then undertaking the tricky process of removing autostart entries from the registry. Detailed instructions can be found on Trend Micro's Web site. Updated virus definitions can be obtained from Trend Micro, Symantec and others.

When an infected system is restarted, Windows automatically runs an application called "startup.exe", which begins by informing the user that the PC is infected. The pop-up message reads, in part: "Your computer is infected with Win32.HLLP.Quizy. However, if you complete the quiz, you may be able to disinfect it."

The quiz contains such seasonal questions such as "Which animal would Santa have if he actually existed?" (reindeer) and "Which season do I hate the most?" (winter). The virus writer's nationality is signposted in some questions, such as, "In which country do I live?" (Belgium) and "Which keyboard layout is used in Belgium?" (azerty).

Other questions are technical, such as "Which chipset does a U.S. Robotics 22Mbps Wireless PC Card have?" (acx100), or whimsical, such as "What does antivirus person Graham Cluley have between his toes?" (cheese).

Upon completion of the quiz, the program executes the infection code again, and directs the user to a Web site which promises information on how to remove the worm.

Matthew Broersma of ZDNet UK reported from London.