Worm disguises itself as Tetris PC game

24.01.2005
By Nicolas Callegari

If you unexpectedly start playing the classic Russian arcade game "Tetris" upon start-up of your Windows PC, it may be infected with a new worm that is doing the rounds.

The worm, nicknamed "Cellery" (from a message it displays saying "Chancellery"), is said to make changes to the Windows start-up settings of the infected PC to ensure that the game starts as soon as the machine is booted.

According to Brett Myroff, CEO of South Africa Sophos distributor NetXactics Communication SA (Pty) Ltd., the worm puts up a smokescreen while it attempts to infect network drives. He says that users are distracted by what looks like a copy of Tetris running on the PC with a very convincing MIDI soundtrack, while the worm continues to infect insecure connections.
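The two behaviours described above, an autostart entry that launches the decoy and spread through reachable network drives, are what a practitioner would check for first. The following PowerShell script is an added example written for this page; it is not from the original article, from Sophos or from NetXactics, and the article does not say which start-up setting Cellery changes, so the script assumes nothing about a particular registry value or file name. It lists every Run/RunOnce value, every Startup-folder item (resolving shortcut targets) and every mapped network drive, and flags autostart commands whose executable lies outside the usual program directories:

```powershell
# Added triage example (not the article's or the vendor's code).
# Assumption: the specific autostart entry the worm creates is unknown, so all
# standard logon autostart locations are enumerated rather than one name.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Roots from which an autostart executable is usually legitimate. Anything
# launched from a profile, temp or share path is worth a closer look.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-TrustedPath {
    param([string]$Command)
    # Reduce a command line to its executable: quoted path or first token.
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root)) { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run/RunOnce values (machine-wide and current user).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        $cmd = [string]$p.Value
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Command    = $cmd
            Suspicious = -not (Test-TrustedPath $cmd)
        }
    }
}

# 2. Startup folders: items here run at logon regardless of the registry.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                   [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($item.FullName).TargetPath
        }
        $findings += [pscustomobject]@{
            Location   = $dir
            Name       = $item.Name
            Command    = $target
            Suspicious = -not (Test-TrustedPath $target)
        }
    }
}

# 3. Network drives the current user can reach: the paths a worm of this kind
#    would try to copy itself to. Listed for review, not flagged.
$shares = Get-CimInstance -ClassName Win32_NetworkConnection |
    Select-Object LocalName, RemoteName

"Autostart entries (suspicious first):"
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
"Mapped network drives:"
$shares | Format-Table -AutoSize
```

A flagged entry is a lead, not a verdict; compare the executable against a known-good inventory or submit it to the anti-virus vendor before removing it. Run the script from an elevated prompt so the HKLM keys and the common Startup folder are readable.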

"If your company has a culture of allowing employees to play games, staff may not be concerned by the game that starts up automatically on their PCs," Myroff says. This should be treated as a major concern.

According to Sophos PLC, Cellery is not the first virus that puts up an arcade game as a smokescreen while it infects insecure PCs and networks.

"The 'Bibrog' worm posed as a shooting game, and the 'Coconut' worm (written by the famous female hacker Gigabyte) posed as a game where users would lob coconuts at pictures of members of the security community," Myroff says.

New tactics

Embedding malicious code in a game or software program is unusual but not extraordinary. However, virus writers are using cleverer techniques to fool unsuspecting victims into unleashing a virus or worm on their PCs, whether this is a chain letter promising a free cell phone, a plea for tsunami aid, or a warning of unwanted material on the infected PC.

Last week another mass-mailing worm (Baba-C) sent an e-mail which warned users that their PCs had pornographic material stored in the system files, and which offered them an "evidence removal tool".

The Web link in the message does not lead to a removal tool but to a malicious executable file, which infects the PC and opens various back doors, allowing hackers remote access to infected PCs, anti-virus vendors report.

While warnings have been issued on both the Cellery and Baba worms, they do not feature on either Symantec Corp.'s or McAfee Inc.'s virus warning lists. Sophos lists both worms as low risk, labelling them more as curious irritations than the pandemics that Nimda or Blaster were.

Patches and virus definitions are available from the anti-virus vendors, which are appealing to users to update their security measures if they have not already done so. Vendors also recommend that users not open unsolicited mail and only surf trusted Web sites.