'Obama worm' probably a student prank, experts say

Worm that spreads via USB drives and network shares and only displays picture of president on Mondays appears to be more of a nuisance than a real threat, security watchers say.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills

A new Internet worm that displays an image of President Obama is likely a prank by a student, several security experts speculated on Thursday.

Walling Data, a distributor of AVG security software, said the worm it discovered on computers at an Illinois grade school spreads via external devices like USB drives and network shares. Once a week, on Mondays, it displays a photo of President Obama's face in the lower right corner of screens on infected computers, but otherwise appears to be more of a nuisance than a threat.

The worm looks like a variant of MAL_OTORUN code that spreads using thumb drives and network shares, said Jamz Yaneza, a senior threat analyst and researcher at Trend Micro.

"Someone played around with one of the many number of DIY malware kits and just added this small social engineering bait of Obama's picture," he wrote in an e-mail. Given that it lacks a malicious payload, "it is probably some prank by a student since today's 'serious' malware, as you may have noticed, would have at least installed a keylogger to steal some information."

Roger Thompson, owner of Thompson Security Labs who said he was informed about the worm from AVG, wrote on his Thompson Cyber Security Labs blog a note to administrators at the school where the worm was found: "There's some chance one of your students wrote it. Find your smartest, geekiest, dweebiest kid, and look hard at him. Remember, the geek shall inherit the earth."

Once a week, the Obama worm displays a picture of the president's face on infected PCs. Walling Data/Roger Thompson