Worm masks itself as an alert from Symantec

Symantec has confirmed the existence of the worm, known as VBS.Hard.A@mm, VBS/Hard-A or VBS/Hard@mm, and created software to detect it. So far, the virus has not spread far geographically and has infected only a small number of sites, according to a Symantec report published earlier this week.

The worm--like the earlier LoveLetter and Homepage worms--distributes itself as an attachment to an e-mail message.

Worms, unlike viruses, don't infect files, but entire disks or computer systems. Because worms can't rely on file-to-file transfers to spread their code, they need to have a way of sending themselves to other computer systems. The most common way today is via e-mail.

The e-mail message that VBS.Hard.A@mm sends is called "FW: Symantec Anti-Virus Warning" and claims to contain a description of a (nonexistent) worm in an attached file.

When the attached file, "www.symantec.com.vbs," is activated, it changes the Microsoft Internet Explorer home page to a fake Web page, warning against a (nonexistent) worm called VBS.AmericanHistoryX_II@mm. It also causes Outlook to send copies of the fake virus warning to all users in the address book.

Every Nov. 24, the computer will display the enigmatic message, "Don't look surprised! It is only a warning about your stupidity. Take care!"

The worm is relatively nondestructive. To undo its effects, Symantec recommends deleting several files, making changes to the Windows registry, and resetting the Explorer home page.

Microsoft has come under repeated criticism for allowing worms, such as VBS.Hard.A@mm and LoveLetter, to proliferate by leaving the Visual Basic scripting tool active in the operating system, even though it is rarely used. Even when they cause relatively little damage, such worms can bring down entire corporate networks by sending thousands of e-mails.

Staff writer Matthew Broersma reported from London.