Users login

Create an account »


Users login

Home » Hacking News » Virus attacks Echelon

Virus attacks Echelon

by phiber on May 19th, 2001 UK-based anti-virus outfit Sophos is reporting a new variant of the LoveBug Outlook worm which contains a large amount of hidden text, apparently designed to attract the US National Security Agency's Echelon spy satellite network and overload it.

Comments within the executable file include large swaths of text such as:

"NSA national security agency code PGP GPG satellite cia yemen toxin botulinum mi5 mi6 mit kgb .mil mil base64 us defence intelligence agency admiral diplomat alert! BATF," and so on.

As for social engineering, this worm looks like a total non-starter. The subject line reads, !!!; the body reads, :-) MuCuX...; and then there's an attached file: echelon.vbs. We don't expect it to get very far.

Which is sort of a pity, really; the author has a few pertinent observations to make and questions to ask, such as "Stop Violence Pentagon. Why are you testing your new weapons on iraq? You are trying to protect children from porn but you are also killing them and other innocent people in iraq... ...and another thing... why are you using echelon type stupid things to listen around...?"

Why indeed, many reasonable people will wonder.

The virus was "written By Extirpater and beyin. (i am NOT from iraq, and not protecting iraq/islamic anyway)."

After introducing themselves, the authors then suggest, "hey others, lets fl00d the echelon..." and from there the whole slew of keywords commences.

These are believed to initiate an Echelon snoop session; but it's likely that Echelon relies on pattern-recognition rather than dictionaries, so loading millions of e-mails with tantalizing keywords really won't attract the machinery and bring the system down.

The new Outlook worm is also mildly destructive, and will over-write MP2 and MP3 files and .jpeg files by modifying their extensions; and, like the LoveBug which it resembles, mail itself to everyone on a victim's address list.

Also, "if the worm determines that mIRC (Internet Relay Chat) is installed on the system it will drop a mIRC script that will send the worm on via mIRC," Sophos says.

The company says they've had only one report of the worm in the wild, which is hardly a surprise considering its weak inducements to open the attachment.

Still, it's an amusing piece of work, if not much of a threat. And anyone who fears they might just be stupid enough to activate the attachment of an e-mail bearing the message, :-) MuCuX... is welcome to download Sophos' latest definitions.

By By Thomas C. Greene, The Register for SecurityFocus.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »