USB Flash Drive worm from the “good guys”

Sophos has discovered a worm which copies itself onto removable drives, such as USB flash drives, in an attempt to spread information about AIDS and HIV.

The LiarVB-A worm hunts for removable drives such as floppy disks and USB memory sticks, as well as spreading via network shares, and then creates a hidden file called autorun.inf to ensure a copy of the worm is run the next time it is connected to a Windows PC. Once it has infected a system, it drops an HTML file containing a message about AIDS and HIV to the user’s drive.

“Much of the malware we see is designed to generate income for the hackers, but this worm is different in that respect – it appears that the motive was to spread information about AIDS instead,” said Graham Cluley, senior technology consultant at Sophos. “Even though the persons responsible for this worm aren’t set on filling their pockets with cash, and may feel that they are spreading an important message, they are still breaking the law. In the future we might see more graffiti-style malware being written on behalf of political, religious and other groups looking for a soapbox to broadcast their opinions.”

At the bottom of the HTML file there is a message which claims the worm causes no harm. It reads as follows:

‘This file Doesn’t make harmful change to your computer. This File is NOT DANGEROUS for your Computer and FlashDisk (USB). This File Doesn’t Disturb any Data or Files on your computer and FlashDisk (USB). So Dont be affraid, and Be Happy !’

“It’s nonsense to say that this worm doesn’t harm computers – it makes changes to a PC’s settings and overwrites files,” continued Cluley. “There is no such thing as a useful virus. Companies should be allowed to decide for themselves what code runs on their computers rather than virus writers thinking it’s okay to inject whatever code they like into corporate networks.”

This is not the first piece of malware to be associated with information about AIDS. In 1989, Dr Joseph Popp distributed an AIDS information floppy disk to more than 20,000 people. The Trojan horse program on the floppy disk would trash users’ disks if they did not send money to a rented post office box in Panama. Popp’s creation is considered one of the very first examples of ransomware.




Share this