Worm Poses as Porn-hiding Tool

Worm Poses as Porn-hiding Tool
Matt O'Conner
LYNNFIELD, Mass. – A new worm is making the rounds by tricking users into believing it will help them mask evidence of adult content from their computers.

Lynnfield-based antivirus vendor Sophos this week issued an advisory warning users about the worm, which it calls W32.Baba-C.

Sophos said the Baba-C worm sends an email message falsely allerting users that “Windows Evidence Checker” has detected adult material on their computers and that an attached program called “Evidence Cleaner” will help them conceal the material.

The approach is a novel twist on the widely used practice of masking malware as adult material. But the end result is much the same. Clicking on the Baba-C mailer installs the worm, which then mails itself to people in the user's various email address books while also opening up backdoor access to their Windows system.

If an infection is successful, the worm communicates back to the point of origin to let it know the computer has been hacked.

The worm, apparently still in its early stages, is believed to only affect computers running Windows.

“The Internet is widely used for accessing hardcore sexual material,” said Graham Cluley, senior technology consultant at Sophos. “There is one type of person who doesn't want this type of stuff on their computer; and there is the type of person who does.”

What makes this worm unique, he said, is its ability to catch the attention of users from both groups.

While Sophos in the past has seen exploits that scan a hard disk for adult material, Cluley said Baba-C is the first worm he has encountered that uses the anxieties of people who aren’t interested in such material to attempt infection.