NakedWife virus hits U.S. military, companies

A virus advertising itself as an e-mailed photo of someone's wife is infecting computers, and may have started spreading from the military, experts say.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
A virus advertising itself as an e-mailed photo of someone's wife has started infecting computers in Europe and the United States and may have started spreading from the U.S. military, antivirus experts said Tuesday.

Four different antivirus software companies have reported that at least 68 organizations have computers infected by the virus.

"At the onset, (those infected were) strictly military," said Patrick Nolan, an antivirus researcher with McAfee's Antivirus Emergency Research Team, adding that three of the 18 organizations so far infected with the virus were part of the U.S. military.

Rival software maker Trend Micro said that of its first three customers reporting the virus, one had been military. As of Tuesday morning, Trend had a total of 10 corporate and military customers--all in the United States--reporting the virus. Antivirus company Symantec said it had 30 organizations report infections.

The virus, known as a Trojan horse because it poses as a seemingly harmless e-mail attachment, appears as an attachment called "NakedWife.exe" in an e-mail from a known person with the subject line "FW: Naked Wife" and the following in the body of the message:

My wife never looked like that :)
Best Regards,
(sender's Outlook username)

If the attachment is opened, NakedWife displays what is apparently a Shockwave Flash window with the logo for online media company JibJab and the word "loading" beneath. While the window is open, the virus deletes any files in the Windows and system directories with DLL, INI, EXE, BMP and COM extensions, removing numerous critical system files.

Because of the text in the window, some antivirus companies refer to the Trojan horse as JibJab. But John Nugent, vice president of production for the company, said, "We have nothing to do with the virus."

The author of the virus may have inadvertently left a clue to his identity, however, said Richard Smith, chief technology officer for the Privacy Foundation. In the e-mail's attachment, he found several text strings, including a person's name and that of a company in Brazil.

Is it the author's name? "There are a whole lot of possibilities," he said. "It could be fake. It could be the author and he works at the company. It's too early to tell, but one thing's for certain: It's a hell of a clue."

The virus also uses Microsoft Outlook to spread, sending itself to everyone listed in the address book including groups. Because it uses mass-mailing techniques, NakedWife is considered a worm as well.

After sending the e-mail, the virus displays a dialog box titled "Flash" and the contents, "You're now F***ED! ?2001 by BGK (Bill Gates Killer)."

While initial reports of infections came from military organizations, Nolan said there could be other explanations.

"It is not known at this time if it originated with the military," he said. "It may be that the first person to be infected knew someone in the military."

The spread of Trojan horses seems to indicate that despite warnings and high-profile outbreaks such as the AnnaKournikova virus, a small number of people are still more than willing to open attachments, said Susan Orbuch, spokeswoman for Trend Micro.

"Maybe for viruses, social engineering is more effective than new technology," she said.

Trend Micro, Symantec and McAfee planned to post updated virus definitions to detect the virus on their sites later in the day.

Computer services company Computer Associates said 10 of its corporate customers had also reported infections but would not discuss whether any customers were military.