Known as W32/Coronex-A, the mass-mailer worm forwards itself to all contacts in Outlook address books and attempts to dupe innocent computer users into opening an attachment offering details on the current SARS epidemic. The Coronex worm uses a variety of subject lines, message bodies and attachment names to entice users into double-clicking including: "Severe Acute Respiratory Syndrome", "SARS Virus" and Hongkong.exe.
"The worm has been deliberately coded to exploit the public's genuine concern about SARS, and is just a further demonstration of the ways that virus writers attempt to use psychological trickery to spread their creations," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "It is important that people call this virus by its proper name, Coronex, rather than 'the SARS virus'. If they don't it will only add to the confusion and panic. In particular, anti-virus firms should act responsibly in the way they communicate news of this virus to the public by ensuring their products, alerts and press releases do not refer to this computer virus as 'SARS'".
"As ever the advice to users is simple: practice safe computing, keep anti-virus software up to date and patch against operating system vulnerabilities. This will dramatically reduce the risk of becoming infected by a new virus," continued Cluley.
Sophos recommends companies consider blocking all Windows programs at their email gateway. It is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain, simply by blocking all emailed programs, regardless of whether they contain viruses or not.
More details of the Coronex worm are available at