Shockwave virus hits European businesses

Several major European businesses have been infected by an internet worm believed to have been spread by pro-Linux virus writers.

The worm - dubbed ProLin (after the message it executes) or Shockwave (it arrives in the guise of a Shockwave file named creative.exe) - has been branded a high risk by antivirus vendor Network Associates and medium risk by other vendors including Symantec, Kaspersky Labs, Trend Micro and Sophos.

Developed by an unknown hacker calling him or herself The Penguin, it arrives attached to an email with the subject line: 'A great Shockwave Flash movie.' Once the program is run, the virus emails itself to everyone in the user's Outlook address book.

The program copies itself to the disk C: root directory and to the Windows start-up folder. It then sends the message 'Got yet another idiot' to a yahoo.com email address.

As a coup de grace, it searches a local hard drive for files with .Zip and .JPG extensions, and moves them to the C: directory, adding 'change at least now to Linux' to the file names.

"We upgraded it to high risk late on Friday after it infected a number of global companies based in the US," Jack Clark, European product manager at Network Associates, told vnunet.com.

"In the past, when these companies have become infected the virus soon reaches Europe, and sure enough our labs have reported six European corporates have been infected. At the moment we're seeing a steady rate of infection, but it could turn into an outbreak," he added.

"Managers should scan content to stop these executable files at the gateway."

Vendors have warned there is likely to be an increase in the number of virus infections in the run-up to Christmas as authors try to capitalise on festive staff dropping their guard. Worms based on Christmas cards and Christmas carols have already been seen.