It's hard not to see the "Noped" worm as a sort of illegal social
service, said Andrew Antipass, of the British security firm
TechServ.
But Antipass is not necessarily convinced that the worm is able
to reliably identify porn, and worries that the government may be
inundated with false alerts.
"Noped is programmed to look for a list of files that contain
offensive images which are available at certain websites and Usenet
newsgroups," he said. "But if your image files happen to have been
named with the same names as the porn files, the worm will identify
you as possessing child pornography.
"It's not a sophisticated worm, although it's a bit brighter than
most. But it's simply looking for specific names of files, not
analyzing the files' contents," Antipass said.
Vigilinx, a security assessment firm, said in a statement that
the specific criteria Noped uses to identify the .jpg and .jpeg
files as child pornography are not yet known.
But if the criteria used are similar to those employed by most
search mechanisms, Noped identifies files based on specific keywords
or phrases. This could result in the identification of many files on
individual and organization systems that do not relate to child
pornography in any way, according to Vigilinx's statement.
Vigilinx's statement also noted that, regardless of the worm
developers' motivations, Noped is not really a good thing.
It illegally penetrates a computer system, violates a user's
privacy by creating a list of files on the system, and is "likely to
cause mass mailing system problems" if the worm begins to circulate
widely and clogs servers with increased traffic.
Noped is a Visual Basic Script (VBS) worm that arrives as an
e-mail attachment.
The worm is coded to encrypt itself, a method of hiding its code
in an effort to allow it to slip through antiviral software.
The e-mail containing the worm arrives with a subject header
"Help us ALL to END ILLEGAL child porn NOW." The message text reads
"Hi, just a quick e-mail. Please read the attached document as soon
as you can. Thanks."
The name of the attachment, which contains the worm, is "END
ILLEGAL child porn NOW.TXT." The .VBS file suffix may not appear,
depending on a user's preference settings in Outlook, but the
standard VBS file icon, a small scroll, is displayed on the
attachment.
When a PC user running the e-mail program Outlook clicks on the
attachment, the worm opens Notepad and displays a text file.
The text file displayed by Notepad contains information about the
legal definition of child pornography, warns that any sexually
explicit photograph of anyone 17 years of age or younger is child
pornography and advises the users of the infected machines of the
penalties for possessing or transmitting such images.
The worm also changes the user's specified home page in Internet
Explorer to the virus creator's home page, makes some changes to
the Windows registry, and then proceeds to search all connected
drives for specific .jpg or .jpeg file names.
If the worm finds any of the files it is looking for, it sends a
message to one random recipient from a pre-programmed list of
government agencies.
The worm, as is typical with VBS worms, also sends itself to all
e-mail addresses in an infected user's Outlook address book. Noped
also disables event and alert sounds.
To remove Noped from an infected system, delete files detected as
"VBS.Noped.A@mm" and then undo the changes that it made to the
registry, suggest the engineers at Symantec, an antiviral software
company. Specific information on how to do this is available on
Symantec's website.
Users can then restore their sound alerts through the system
control panel and reinstate their preferred home page in Internet
Explorer preferences.
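The attachment naming described above, a name ending in .TXT whose real .VBS suffix Outlook may hide, is something a mail gateway can check before delivery. The following Python code is an added example, not part of the original article or of any vendor's tooling; the extension lists, function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute when double-clicked (assumed, non-exhaustive list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".scr", ".pif", ".bat", ".cmd", ".exe", ".com"}
# Extensions a recipient reads as harmless data (assumed list).
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".gif", ".xls"}


def last_two_exts(filename):
    """Return (previous, final) extension, lowercased, ignoring padding whitespace."""
    parts = filename.strip().rstrip(". ").lower().split(".")
    final = "." + parts[-1].strip() if len(parts) > 1 else ""
    previous = "." + parts[-2].strip() if len(parts) > 2 else ""
    return previous, final


def classify(filename):
    """'disguised-script' when a script suffix hides behind a data-looking one."""
    previous, final = last_two_exts(filename)
    if final in SCRIPT_EXTS and previous in DECOY_EXTS:
        return "disguised-script"
    return "script" if final in SCRIPT_EXTS else "ok"


def scan_message(raw):
    """Return [(filename, verdict)] for every named part of a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = [part.get_filename() for part in msg.walk()]
    return [(name, classify(name)) for name in names if name]


def build_sample():
    """Constructed message using the subject and attachment name quoted in the article."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Help us ALL to END ILLEGAL child porn NOW"
    m.set_content("Hi, just a quick e-mail.")
    m.add_attachment(b"' placeholder bytes, not worm code\r\n",
                     maintype="application", subtype="octet-stream",
                     filename="END ILLEGAL child porn NOW.TXT.vbs")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

The check keys on the full filename carried in the MIME headers, which is unaffected by the recipient's display settings.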
Copyright ©
2001 Wired Digital Inc., a Lycos Network site. All rights reserved.