End users may have finally learned about the dangers of blindly opening e-mail attachments, and systems administrators may have heeded calls to better protect their e-mail servers. Whatever the reason, security analysts said the Homepage e-mail worm that struck this week appears to have done minimal damage in North America.
Some antivirus software vendors have been reporting that the self-propagating worm has been responsible for sending out tens of thousands of e-mail messages. But analysts in the U.S. said they haven’t seen a big impact from Homepage, which is the latest in a long line of Visual Basic Script (VBS) worms that target users of Microsoft Corp.’s Outlook software.
For example, the CERT Coordination Center at Carnegie Mellon University in Pittsburgh said it has received only three direct reports of users being hit by the worm. And there were only a handful of postings about Homepage this morning in the online security discussion forums run by SecurityFocus.com Inc. in San Mateo, Calif.
Network administrators who haven’t put some basic security measures in place may have left their systems open to Homepage, said Eric Hemmindinger, an analyst at Aberdeen Group Inc. in Boston. But companies that are screening and blocking .vbs files at their e-mail gateways should “in effect [be] immune to this,” he added.
Security measures in other countries may not be as stringent, Hemmindinger said, noting that most of the reports of problems being caused by the worm came from Europe, Asia and Australia. That fact “might mean that companies are better prepared here,” he said.
Homepage began spreading itself late Tuesday by luring unsuspecting users to open an attachment that supposedly contains a “really cool” Web page. Instead, the attachment launches one of four pornographic Web sites and then attempts to send itself to all of the users listed in a victim’s Outlook address book.
“This thing really is very unoriginal,” said Ryan Russell, an analyst at SecurityFocus.com. One reason the risk of spreading and causing damage is relatively minimal, he added, is that the worm’s code was encrypted, which should enable most antivirus software tools to block Homepage from infiltrating e-mail systems.
In fact, one systems administrator said in a posting to the SecurityFocus.com forum that he was more concerned about the reaction of end users at his company than he was about the worm itself. The biggest fear, he wrote, was that the publicity surrounding Homepage would result in “users running around like Chicken Little.”
Homepage appears to have been written with the same virus tool kit that was used to create the AnnaKournikova.jpg.vbs worm earlier this year. Similar to its predecessor, which promised recipients a picture of tennis player Anna Kournikova, the Homepage worm is said to not carry destructive payloads that could damage infected computers.
The greatest threat to users, aside from the embarrassment of opening a pornographic Web site at work, is that the worm could clog corporate e-mail servers. London-based Baltimore Technologies PLC said Homepage had infected one out of every 55 e-mail messages it tracked, nearly four times more than the Kournikova worm’s hit rate but well below the one-in-four level produced by last year’s “I Love You” worm.
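The gateway screening of .vbs attachments that Hemmindinger describes can be sketched as follows. This is an added example, not code from the article or from any vendor it names: the function names, the inclusion of `.vbe` in the blocklist and the sample message are assumptions made for illustration. It judges each attachment by its final extension, so a name such as AnnaKournikova.jpg.vbs is caught even though it looks like an image.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the article names only .vbs; .vbe (encoded VBScript, run by the
# same Windows script host) is added here as an illustrative second entry.
BLOCKED_EXTENSIONS = {".vbs", ".vbe"}


def final_extension(filename):
    """Return the extension Windows would act on, lower-cased."""
    # Windows ignores trailing dots and spaces in file names, so "x.vbs. "
    # still runs as a script; strip them before looking at the extension.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def screen_message(raw_bytes):
    """Return the attachment names in a raw message that should be blocked."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.walk():
        # get_filename() decodes RFC 2231 / RFC 2047 encoded names and falls
        # back to the Content-Type "name" parameter if needed.
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            blocked.append(filename)
    return blocked


def build_sample():
    """Constructed test message; attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed body text.")
    names = ("AnnaKournikova.jpg.vbs", "report.pdf",
             "PAGE.HTML.VBS", "photo.vbs.jpg")
    for name in names:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in screen_message(build_sample()):
        print("blocked attachment:", name)
```

The check is case-insensitive and ignores any earlier "decoy" extension, so photo.vbs.jpg passes while PAGE.HTML.VBS does not.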