Data Fellows Discovers New Internet-Enabled Virus

WM/PolyPoster Virus Steals User Documents And Posts Them on Usenet Newsgroup Boards

SAN JOSE, CA/ESPOO, FINLAND, June 18, 1998--Data Fellows, one of the world's leading data security development companies, has discovered an important new macro virus known as WM/PolyPoster.

The new virus uses advanced replication methods to spread within Microsoft Word documents. Once a machine is infected, every Word document handled on it becomes infected as well, and the virus travels inside those documents to new machines.

However, the most disturbing part of the virus is its activation routine. The virus activates at random times and tries to send the user's Word documents to Usenet newsgroups. As a result, the virus could post, for example, company confidential data or highly personal material in an open cyber-forum.

Data Fellows has updated its Anti-Virus product, F-Secure Anti-Virus, to handle the WM/PolyPoster virus. Additional information on the new virus and its prevalence is available. The virus does not seem to be widespread at this time.

The messages posted by the virus look like they are coming from the real user of the machine, complete with the user name and signature. The virus contains a list of newsgroups where it will attempt to post the messages. These include popular discussion groups which attract thousands of readers, including alt.hacker, alt.binaries.pictures.erotica, alt.fan.hanson, alt.windows95 and alt.skinheads.

To top it all, the posted documents are always infected by the virus, and users who view them in Word will thus get infected, allowing the virus to spread from their machines.

"This is something we've been expecting for quite some time", comments Data Fellows' Manager of Anti-Virus Research, Mr. Mikko Hyppönen. "Viruses which activate by simply deleting data are easy to recover from--by using backups. However, there is no way to recover from an incident where a virus posts confidential documents publicly to the Internet."

"We have to understand that traditional security methods like firewalls or Windows NT security settings will not prevent attacks like this from happening", Mr. Hyppönen continues. "Viruses like WM/PolyPoster will arrive to users through normal e-mail document attachments, and will further spread from the company's network with e-mail or standard Usenet newsgroup postings. Most firewalls won't prevent this from happening."

The virus has been analyzed in detail by Data Fellows Virus Researcher, Ms. Katrin Tocheva. "This is just the beginning", she says. "We will see viruses with similar but more advanced features in the future. WM/PolyPoster still has many limitations which will restrict its spread. For example, it is only able to post the messages to newsgroups if the user has a particular newsreader application installed."

About Data Fellows

Data Fellows is one of the world’s leading developers of data security products with offices in San Jose, California and Espoo, Finland. Its groundbreaking F-Secure product family is a unique combination of revolutionary anti-virus and globally available strong encryption software. The fully integrated F-Secure product range provides complete security solutions for enterprises of all sizes. It includes file encryption and IPSec communication encryption products, VPN gateways, SSH based secure remote management software, and a full range of anti-virus products for workstations, servers and gateways. Data Fellows is also the developer of the award winning F-PROT Professional anti-virus, which has become an integral part of the multi-engine structure of F-Secure Anti-Virus.

Data Fellows is privately owned. Since its foundation in 1988, the company’s annual growth in net sales has been over 80%. Data Fellows offers a worldwide network of technical support, training and distribution in over 80 countries. Data Fellows belongs to an elite group of companies with a triple-A rating from Dun&Bradstreet.