http://www.reuters.co.uk/newsArticle.jhtml?type=internetNews&storyID=2372247 13 Mar 2003 SAN FRANCISCO (Reuters) - Hackers claiming to be from India have launched their latest strike in a cyber-spat with Pakistan by unleashing a new variant of the "Yaha" Internet e-mail worm, anti-virus firm Sophos says. The worm, written by a group calling itself the Indian Snakes, does not appear to be spreading or causing any damage, said Chris Wraight, a technical consultant at U.K.-based Sophos. The Yaha-Q worm, the latest in a string of Yaha worms released by hackers from both countries since December, leaves a back-door on an infected machine and sends itself to people listed in the e-mail address book, Wraight said. It also tries to disable anti-virus software and commands the computer to launch a denial-of-service attack on five Pakistani Web sites, he said. Such an attack is designed to shut down a Web site by sending so many repeat requests to the Web server that it becomes overloaded. The Pakistan Web sites it tries to attack are those of the main government Web site, the government's Computer Bureau, a community "portal" site, Internet service provider Comsats and the Karachi Stock Exchange, according to Sophos. Yaha-Q arrives in an e-mail attachment but also can spread via shared network drives, such as at corporations. It tries to sneak past firewalls and other security software to get onto Web servers directly, Wraight said. In addition to storing taunting messages against Pakistan on the computer, it sends messages to Roger Thompson, technical director of malicious code research at TruSecure in Herndon, Virginia, and to a female virus writer known as "Gigabyte," Sophos said. Gigabyte wrote a virus in January to counter an earlier version of Yaha that was designed to attack her Web site. "I do not plan on writing a new 'counter attack' or getting further involved with these people in any way," she wrote in an e-mail. Thompson said he has commented in the past that previous versions of Yaha were politically motivated. The worm is not spreading because it is being blocked by anti-virus and other security software, and people are becoming more suspicious of e-mail and not clicking on mysterious attachments, Wraight said. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 03:19:09 PST