"Pentagone" virus tours Europe

The mass-mailing e-mail worm that broke out Tuesday but slowed as companies took antivirus measures is still roaming the computers of Europe.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
The Pentagone worm, which appeared and spread quickly on Tuesday, slowing near the end of the day as companies took measures to prevent infections, was still finding its way into systems in Europe on Wednesday morning.

"Goner is one of the most incredibly fast moving and potentially dangerous e-mail viruses we've seen," said Mark Sunner, chief technology officer of U.K.-based MessageLabs. Relatively few infections had been reported in Asia as of Wednesday, but security experts said the worm was still active in Europe.

"It's still in the wild and it's still spreading," said Raimund Genes, European vice president of sales marketing for antivirus software maker Trend Micro.

Genes said one Trend Micro customer had to purge 50 infestations from its e-mail network per hour Wednesday morning. Trend Micro reported that 38,000 computer workstations and 80,000 e-mail networks around the world had been affected as of Wednesday morning.

Antivirus experts had expected infections of the Visual Basic Script program--also known as Goner and Gone--to surge again Wednesday when employees and home PC users opened infected e-mail, thus allowing the spread of the virus to continue.

"With a consumer attack, (the infection rate) goes higher for a couple of days and then goes down," said Vincent Weafer, senior director of Symantec Security Response. The BadTrans.B worm followed just such a trend, peaking during the day, with each peak rising higher for the next three days.

Experts said there were signs that the Pentagone infestation was slowing from its breakout Tuesday, but that it was likely to persist into next week. An antivirus consultant for Sophos Anti-Virus in the United Kingdom said it was likely the number of victims would be in the hundreds of thousands before the worm disappeared from view.

The worst hit regions have been the United States, France, Germany and the United Kingdom.

The worm affects only computers running Microsoft Windows and spreads through Outlook e-mail clients. Macs and computers running Linux or other Unix-like operating systems are unaffected.

By late Tuesday afternoon, Symantec had received more than 1,000 reports of Pentagone worm infections--each report representing anywhere from a single user to an entire company.

MessageLabs intercepted more than 39,000 Pentagone-infected e-mails Tuesday, a much larger haul than the first four days of December's worst-hitter, BadTrans.B.

"We are kind of seeing it follow the sun at the moment," Sunner said Tuesday. "It has been waiting in in-trays of people coming into work."

See related story: Goner worm facts The worm arrives in a message with the subject "Hi" and the following text in the body of the e-mail:

How are you?
When I saw this screensaver, I immediately thought about you.
I am in a harry, I promise you will love it!

Attached to the message is what appears to be a screensaver file, Gone.scr, a compressed copy of the worm.

When the file is opened, Pentagone will infect the victim's PC, attempt to stop a variety of antivirus and security applications and then, if successful, delete all the files in the folders containing those applications. AtGuard's Personal Firewall, ConSeal's PC Firewall, Kaspersky Lab's AVP, Network Associates' McAfee VirusScan, Symantec's Norton Antivirus and Zone Labs' ZoneAlarm are among the programs that the worm attempts to deactivate.

The technique fails to eliminate the security in many instances. Zone Labs claims that, while the user interface component of ZoneAlarm may be deleted, the main program will continue to run.

"It is really hard to shut us down," said Gregor Freund, president and CEO for Zone Labs. "These guys are bloody amateurs. At best, they might delete the help system."

Next, the worm opens up a dialog box containing its name, Pentagone, and the handles of its creators. The dialog box also includes acknowledgements to other people on the Net, in a style similar to that of online vandals who deface Web sites.

The worm then installs a backdoor program linked to mIRC, a popular Internet Relay Chat program. The backdoor can be used to execute denial-of-service attacks against IRC servers.

In addition, the virus attempts to spread using e-mail and ICQ.

How a denial of service attack works

Because Pentagone cons people into opening the infected file just like dozens of previous viruses, David Perry, global director of education for Trend Micro, has concluded that computer users may never be security-conscious enough to avoid getting infected.

"Every time enough time goes by that people forget to be wary of these things, it pops up again," he said. "Apparently, we have to resign ourselves to the fact that education doesn't work."

Such PC users are a weak link, through which company networks can be attacked, said Mitch Bartlett, a technical analyst for computing services at business-information provider SPSS.

"It hit, and our exchange server actually blocked it because we have antivirus software," he said. "The people who got it were those who were getting their personal mail and their Web mail."

Telecommuters and employees checking their personal e-mail infected their work PCs with the worm, which then inundated the internal network with more mail. By the end of the day Tuesday, Bartlett said, the company had Pentagone under control.

"It is no longer troubling us; we have cleaned out everybody," he said.

Pentagone isn't the only virus spreading significantly. Variants of the Nimda virus and a variant of the BadTrans virus are topping virus charts this month.

Reuters contributed to this report.