ESET says Slovakian internet prank turns into global infection

According to David Harley, ESET's director of malware intelligence, there is a widely held suspicion that the worm was intended to infect the PCs of fans of a motorcycle club in the central Slovakian Liptov region.

However, once the worm started infiltrating company networks it spread beyond this target group. At the beginning of the malware outbreak, only users in Slovakia were affected, accounting for over 90% of all infections.

At present, the greatest number of infected computers is in the United States, followed by Slovakia, Thailand and Spain, then Italy, the Czech Republic and other European countries.

"In some ways it's a throwback to an earlier age, since it overwrites the Master Boot Record on drives attached to an infected system with its own data, so that data on the system becomes inaccessible without the use of specialised software", ESET's Harley said.

"Hopefully this won't spread too much further. But it's a useful reminder that while most current threats are more interested in stealing your data than trashing it, it's never a bad time to make sure your backup mechanisms are working properly", Harley added.

ESET reports that the worm spreads in one of two ways: either via embedding in legitimate websites, in the form of a self-extracting ZIP file or an IQ test programme, or via removable media, such as USB devices.

The fact that the worm relies on USB devices to propagate is probably the reason for its rapid dissemination, says ESET. The worm overwrites the first 50Kb of all available drives with repeated 0x00 bytes. Since this includes the Master Boot Record of the system's hard disk, the data stored on the user's computer is rendered inaccessible.
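The damage described above (the first 50Kb of a drive zeroed, MBR included) is something a responder can recognise before deciding on recovery. The following Python triage check is an added example, not ESET's tooling or anything from the article; it assumes the "50Kb" means 50 KiB and runs against constructed sample disk heads rather than a real device.

```python
import hashlib

SECTOR = 512
WIPE_LEN = 50 * 1024            # the "first 50Kb" in the article, assumed to mean 50 KiB
MBR_SIGNATURE = b"\x55\xAA"     # boot signature at offset 510 of an intact MBR


def mbr_fingerprint(head: bytes) -> str:
    """SHA-256 of the first sector. Record it from a known-good machine and
    compare on later checks to detect MBR tampering early."""
    return hashlib.sha256(head[:SECTOR]).hexdigest()


def triage_disk_head(head: bytes) -> dict:
    """Classify the region the worm overwrites.

    'wiped'   : the entire 50 KiB region is 0x00, matching the described damage
    'healthy' : boot signature present and at least one partition table entry
    'damaged' : anything else (partial corruption or unknown layout)
    """
    region = head[:WIPE_LEN]
    mbr = region[:SECTOR]
    sig_ok = len(mbr) == SECTOR and mbr[510:512] == MBR_SIGNATURE
    table = mbr[446:510]                       # four 16-byte partition entries
    entries = sum(1 for i in range(0, 64, 16) if any(table[i:i + 16]))
    zero_fraction = region.count(b"\x00") / max(len(region), 1)
    if zero_fraction == 1.0:
        verdict = "wiped"
    elif sig_ok and entries > 0:
        verdict = "healthy"
    else:
        verdict = "damaged"
    return {"signature_ok": sig_ok, "partition_entries": entries,
            "zero_fraction": zero_fraction, "verdict": verdict}


def make_sample_head(wiped: bool) -> bytes:
    """Constructed sample data (not from a real infection): a 50 KiB disk head."""
    if wiped:
        return b"\x00" * WIPE_LEN
    head = bytearray(WIPE_LEN)
    head[0:3] = b"\xEB\x3C\x90"                # typical boot-code entry jump
    # one bootable entry: status 0x80, CHS fields, type 0x07, LBA start 2048, 204800 sectors
    head[446:462] = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
                     + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    head[510:512] = MBR_SIGNATURE
    return bytes(head)


if __name__ == "__main__":
    for wiped in (False, True):
        print(triage_disk_head(make_sample_head(wiped))["verdict"])
```

On a real system, pass the first 50 KiB read from the disk device or a forensic image instead of the constructed sample.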

Restoration of corrupted data is complicated, says ESET, requiring specialised security software.

To complicate matters, if the correct removal method is not used, the worm shifts to its destructive mode. This is similar to choosing which wire to cut, and in what order, when defusing a bomb.