The virus, dubbed "Creative," carries no destructive payload, but automatically emails itself to a victim's entire email address book. It was first identified in Europe on Thursday, where it had been spreading slowly. But the worm began picking up steam in the United States by late Friday, according to McAfee's Anti-Virus Emergency Response Team (AVERT).
"Within the past two to three hours we've received 50 samples of the virus," said Vincent Gullotto, AVERT's senior director, who said the uptick in reports prompted the company to raise its risk assessment. He said he had rated the worm as a medium risk on Thursday after one company's desktop antivirus product manager called in to report an "outbreak" that had crippled its email system.
Even though the virus does not carry a destructive payload, it can crash email servers if it gathers enough steam, Gullotto warned, noting that much of the damage caused by the infamous "I Love You" virus was caused this way. He added, however, that the spread of the virus could be blunted over the weekend, when fewer employees have access to their work computers.
"Creative" comes in an email with the header "A great Shockwave flash movie," referring to a popular Internet animation format. It has several aliases, including Prolin, Shockwave, W32/Prolin@mm, TROJ_SHOCKWAVE and TROJ_PROLIN.
Prolin is short for "Pro-LINUX," so-called because the virus inserts harmless messages on victim computers plugging the open-source operating system.
Like numerous other recent viruses, Creative targets Microsoft's Outlook and Outlook Express email clients and spreads by sending itself to everyone in a victim's email address book. It also adds itself to the Windows operating system start-up menu.
Infected messages come with an attached file, "creative.exe," which is triggered only if a victim opens the file. It does not destroy files in the victim's computer but merely moves all ".zip" and ".jpg" files to the root directory. The virus appends the following text to the regular file extensions: "change atleast now to LINUX."
It also appends a message, "c:messageforu.txt", that contains the following text:
"Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin"
The worm also sends a message to a Yahoo mail account, email@example.com, reading "Got another idiot."
Security experts were divided on their assessment of the risk of the virus, which seemed primarily aimed at educating computer users about the dangers of opening executable files attached to email messages.
F-Secure, a security company based in Finland, rated the virus "low risk," saying that security awareness has jumped this year among average computer users in the wake of several high-profile attacks, including the "I Love You" virus that brought down corporate systems worldwide in February.
Security experts have long warned email users not to open attached ".exe" files because of the risk of virus exposure. That message appears to be getting through, according to Pirkka Palomaki, director of product marketing at F-Secure.
"It's not going to spread that much," he predicted. "People are pretty cautious about opening '.exe' files these days, especially following the I Love You outbreak earlier this year."
Experts at security company Trend Micro disagreed, saying that many people may succumb to the temptation to click potentially dangerous files, and rated the risk of propagation "high." In a release, the company said it had been notified of infections in the United States.
"Many people will want to see the movie so they will click on the attachment, which is just what the virus writer is counting on," David Perry, Public Education Director for Trend Micro, said in a statement.
In raising its rating on the Shockwave virus late Friday, McAfee also warned of other potential viruses targeting Microsoft Windows-based machines, including a handful employing Christmas messages as a way to entice victims to activate infected files.
AVERT's Gullotto said a new variant of the recently discovered BleBla virus, also dubbed "Romeo and Juliet," uses a Christmas greeting.
"We've found four or five viruses buried in Christmas-type messages," he said.