Fortnight F worm has porn payload

Reports are coming in of a new variant on the Fortnight worm spreading via Outlook email.

An alert for Fortnight F has been released by Sophos and firms are starting to come across infections, even though Microsoft released a security patch three years ago to fix the hole that the worm uses.

"It's silly that this is still out there, three years on," said Neil Barratt, technical director of International Risk Management.

"It illustrates the change in mind-set needed over patching. Some administrators are still treating their servers like cars and only budgeting the time and money needed for a major patching session once in a blue moon."

The new variant uses JavaScript and Java applets to spread via Outlook emails that are set to carry and read HTML.

A hidden web page link is built into the signature file of the email. Once the mail is opened the link is opened as well, and the computer downloads the worm code using a flaw in Microsoft VM ActiveX.

The worm attempts to change registry keys and adds three new favourites to its victim's browser: Nude Nurses.url, Search You Trust.url and Your Favorite Porn Links.url.

Virus companies are releasing virus identity files for download from the web. The Microsoft patch is available here.