31 Oct 2000
Security experts have warned of a virus that can give intruders access to a user's computer, in a similar way to the method believed to have been used in the attack on Microsoft's corporate network.
W32/Sonic-B or 'Sonic' is a multi-part virus with back door Trojan characteristics, and comes in two parts, according to UK antivirus software firm Sophos.
The first part of the virus is received via email in the form of a file attachment called Lovers.exe, said Sophos. If this file is run, the virus copies itself to the Windows system directory with the name GDI32.exe. It then adds a registry entry so that it runs automatically on start-up.
After some delay, the virus connects to a website and tries to download its second part, which is then executed. This opens a back door on the computer, allowing access by remote users.
The virus also forwards its first part to contacts in the user's Outlook address book as an email with the subject header: 'Choose your poison'.
Graham Cluley, senior technology consultant at Sophos, said he had seen a few reports of the virus. "It shows that the weakest link is not the technology but the people as they are still opening up suspect emails," he said.
"This virus doesn't even try to disguise the fact that it is executable code. Users still need to be educated as they are playing Russian roulette with their data," he added.
Denis Zenkin, head of corporate communications at antivirus company Kaspersky Lab, said: "This is not the first case when we have discovered a malicious code with self-updating ability via the internet. Before Sonic, the Babylonia virus and the Resume worm had the same capabilities.
"However, this is not something that captures our attention at the moment. What is more disturbing is that this feature appears to have become a new standard for malicious programs since more and more of them can update themselves via the internet. This is a very dangerous trend as it allows hackers to extend their malware's [malicious code] abilities in real time with direct connection to the infected computers."
Sophos said it has also received reports of companies being hit by an internet worm called VBS/777-B, yet another Love Bug variant.
The worm, which arrives as an email with the subject line 'I hate you', has a similar payload to the Love Bug, deleting graphics and music files.
Updates for both viruses are available on the internet.
Separately, the QAZ worm, which the hackers who attacked Microsoft's network are believed to have used, was the fourth most reported virus in October, according to Sophos.