New Worm Takes On Kiddie Porn
A new e-mail worm that's just beginning to wiggle its way across the Internet scours infected computers for
image files containing child pornography, and alerts government agencies if any suspicious files are
discovered.
The alert e-mail contains an attached copy of one of the files that allegedly contain child pornography
discovered during the worm's search of infected hard drives, and also identifies the porn possessor's e-mail
address.
It's hard not to see the "Noped" worm as a sort of illegal social service, said Andrew
Antipass, of the British security firm TechServ.
But Antipass is not necessarily convinced that the worm is able to reliably identify porn, and
worries that the government may be inundated with false alerts.
"Noped is programmed to look for a list of files that contain offensive images which are
available at certain websites and Usenet newsgroups," he said. "But if your image files
happen to have been named with the same names as the porn files, the worm will identify
you as possessing child pornography.
"It's not a sophisticated worm, although it's a bit brighter than most. But it's simply looking
for specific names of files, not analyzing the files contents," Antipass said.
Vigilinx, a security assessment firm, said in a statement that the specific criteria Noped uses
to identify the .jpg and .jpeg files as child pornography is not yet known.
But if the criteria used are similar to those employed by most search mechanisms, Noped
identifies files based on specific keywords or phrases. This could result in the identification of
many files on individual and organization systems that do not relate to child pornography in
any way, according to Vigilinx's statement.
Vigilinx's statement also noted that, regardless of the worm developers' motivations, Noped is
not really a good thing.
It illegally penetrates a computer system, violates a users privacy by creating a list of files
on the system, and is "likely to cause mass mailing system problems" if the worm begins to
circulate widely and clogs servers with increased traffic.
Noped is a Visual Basic Script (VBS) worm that arrives as an e-mail attachment.
The worm is coded to encrypt itself, a method of hiding its code in an effort to allow it to
slip through antiviral software.
The e-mail containing the worm arrives with a subject header "Help us ALL to END ILLEGAL
child porn NOW." The message text reads "Hi, just a quick e-mail. Please read the attached
document as soon as you can. Thanks."
The name of the attachment, which contains the worm, is "END ILLEGAL child porn
NOW.TXT." The .VBS file suffix may not appear, depending on a user's preference settings in
Outlook, but the standard VBS file icon, a small scroll, is displayed on the attachment.
When a PC user running the e-mail program Outlook clicks on the attachment, the worm
opens Notepad and displays a text file.
The text file displayed by Notepad contains information about the legal definition of child
pornography, warns that any sexually explicit photographs of anyone 17 years of age or
younger is child pornography and advises the users of the infected machines of the penalties
for possessing or transmitting such images.
The worm also changes the user's specified home page in Internet Explorer to the virus
creator's home page, makes some changes to Windows registry, and then proceeds to
search all connected drives for specific .jpg or .jpeg file names.
If the worm finds any of the files it is looking for, it sends a message to one random recipient
from a pre-programmed list of government agencies.
The worm, as is typical with VBS worms, also sends itself to all e-mail addresses in an
infected user's Outlook address book. Noped also disables event and alert sounds.
To remove Noped from an infected system, delete files detected as "VBS.Noped.A@mm" and
then undo the changes that it made to the registry, suggest the engineers at Symantec, an
antiviral software company. Specific information on how to do this is available on Symantec's
website.
Users can then restore their sound alerts through the system control panel and reinstate
their preferred home page in Internet Explorer preferences.
