Sophos


20 January 2003

Sophos counters Welsh virus writer's "caused no damage" claims

Simon Vallor

Sophos experts have countered Welsh virus writer Simon Vallor's claims that the viruses he spread were not damaging.

Vallor, 22, is to be sentenced at Southwark Crown Court in London on Tuesday 21 January for spreading the computer viruses W32/Redesi, W32/Gokar and Admirer. The prosecution claims that over 27,000 computers in 42 countries were infected by his viruses.

But in a newspaper interview published last week Vallor, a web designer from Llandudno, was reported to have said: "The one upside I suppose is it didn't have a damaging payload. It wasn't going out to delete data or overwrite files. It was a nuisance, there's no denying that but it wasn't damaging. It could have been worse."

However, an analysis by Sophos experts of the viruses created by Vallor has found this to be incorrect.

For instance, W32/Redesi-B deliberately attempts to wipe the user's hard drive of all data on 11 November 2001, displaying the text "Bide ye the Wiccan laws ye must, In perfect love and perfect trust."

Users were infected by W32/Redesi-B after receiving an email which claimed to come from Microsoft technical support and being lured into running the attachment. The emails could come with a variety of subject lines including:

"FW: Important news from Microsoft."
"FW: Stop terrorists computer viruses reign."
"FW: Terrorists release computer virus."
"FW: Terrorist Emergency. Latest virus can wipe disk in minutes."

Contained inside the virus is a message from Simon Vallor to his intended victims, taunting them that they don't know his phone number and bragging that his virus was made in Wales:

"When misfortune is enow, wear the blue star on thy brow. True in love ye must ever be, lest thy love be false to thee. These words the Wiccan Rede fulfill: An ye harm none, do what ye will. Rede(c)Si 2001 ... heh, want my phone number too ?!? Sick of all thes 3rd world gits spreading worms. Time for a bit of Welsh stuff :)"

"It's clear from the subject lines that Vallor used and the destructive payload contained within the virus that Vallor was exploiting people's fear of terrorist cybercrime in the wake of 11 September 2001", said Graham Cluley, senior technology consultant at Sophos Anti-Virus. "For him to claim that his virus was not damaging is ridiculous. It was intentionally designed to cause as much harm to a user's data as possible."

Another virus written by Simon Vallor, W32/Gokar-A, deliberately attempts to overwrite the main page on the websites of infected companies. Innocent users visiting the changed web page may find a copy of the virus is downloaded onto their PC.
