X

Clinton worm eats files

A destructive new worm continues to spread in the guise of an e-mail message containing a caricature of former President Bill Clinton.

David Becker Staff Writer, CNET News.com
David Becker
covers games and gadgets.
See full bio
David Becker
3 min read
A destructive new worm continued to spread Monday in the guise of an e-mail message containing a caricature of former President Bill Clinton.

The MyLifeB worm's bait The worm, known as MyLifeB or Caric, was discovered last week and appears to be spreading at a modest pace; antivirus software leader Symantec recently raised its assessment of the worm's threat to a 3, on a scale of 1 to 5.

And e-mail screening company MessageLabs listed MyLifeB at No. 3 on its rundown of the most-active viruses as of Monday morning, with more than 600 infected messages intercepted in the past 24 hours.

The worm arrives in an e-mail message with the subject line "bill caricature." The body of the message reads: "Hiiiii How are youuuuuuuu? look to bill caricature it's vvvery verrrry ffffunny :-) :-) i promise you will love it? ok buy." The message ends with "No viruse found: MCAFFE.COM," an apparent attempt to dupe people into believing that the message was screened by McAfee antivirus software.

If the recipient clicks on the attachment, named "cari.scr," a Clinton caricature does indeed appear. In the background, however, the worm mass-mails itself to all e-mail addresses in the PC's Microsoft Outlook address book. If the infected PC is rebooted between 8 a.m. and 9 a.m., according to the time set on the PC, the worm also deletes all files in the root directory of the PC's hard drive, plus certain types of system files.

The worm is somewhat unusual in that it actually delivers what it promises. April Goostree, virus research manager for McAfee, said the appearance of the promised Clinton cartoon could make owners of infected PCs slow to pick up on the threat.

"You do get what you expect to get, which may not tip people off that something's wrong," Goostree said. "If you open an attachment and get nothing, that raises some red flags."

Goostree said it's common for worms to use the names of companies such as Microsoft or Intel to legitimize themselves, but this is the first time the McAfee name has been hijacked by a virus.

"That whole piggybacking on an antivirus company's name to further propagate a virus is pretty old," Goostree said. "But it is new for McAfee, which is why we went all out with the effort to alert people about this."

Moderately computer-savvy people should pick up on the hoax quickly, however, as corporate antivirus software only alerts e-mail recipients when a virus has been intercepted.

"Anybody who uses antivirus software realizes that's not the way we deliver our services," Goostree said.

And spelling counts, said Steve Trilling, director of research at Symantec Security Response, noting that MyLife's fractured English is typical of many viral communiques.

"It's written in a way that ought to be recognizable to recipients as not typical of the way people in the company write to them," Trilling said. "There's certainly a lot there to make someone suspicious enough to just delete it."

Which leads to the usual advice for dealing with MyLife or any other worm: Never open unsolicited e-mail attachments, and make sure your PC is running up-to-date antivirus software.