Establishing Digital Trust: Don't Sacrifice Security for Convenience
"This seems to be a poor attempt from a wannabe virus writer to exploit the commemoration of September 11", said Mikko Hypponen, manager of anti-virus research at Finland-based F-Secure. "However, as the worm seems to crash regularly, it won't go far".
The worm, which is called "Chet" and was discovered on September 10th, tries to spread via an attachment file called 11september.exe. When this file is executed, the worm will attempt to send an e-mail to each address found from the Windows address book. The e-mail would always have "email@example.com" as the sender and "All people!!" as the subject.
The e-mail tries to explain that the attached "11september.exe" file contains proof of a conspiracy between US government and Al-Qaeda, while repeatedly declaring that attachments are not viruses.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i The e-mail states: "There is a friendly dialogue between Bin Laden and the secretary of a state security of USA in the given photos. In the following photo you'll see, how FBI discusses how to strike over New York to lose people as much as possible. And the document representing the super confidential agreement between CIA and Al-Qaeda is submitted to your attention."
If a user executes the file, nothing visible happens while the worm tries to send itself to every e-mail address listed in the computers address book.
If the infected computer has a modem, the worm tries to call a predefined phone number. The number is believed to most likely be a local number in some country, though neither the owner of the number or the purpose of the call is known.
F-secure said that due to serious bugs contained in Chet, the worm will fail to function on most systems and can not be considered to be a major threat at this time. In fact since the worm crashes relatively early, attempts to dial out are never actually activated.
The security firm noted that many things inside the worm's code suggest that the worm originates from Russia.