Helping people with computers... one answer at a time.

A recent worm is using breaking news to peak your interest. Don't fall for it.

QAn # 'MUq|걟HAU{PzH0l)͑F<[aUӚv{H0; VwQuE TTeծC0 *Vu0)0 PFc7L#B\v/*d8&=L2:7< ~I(卅3^P~'O76V Lr8{'k2_r9\XUg.:Dr5_zꠚkNŪ7wցR1.<


This is Leo Notenboom for

This week millions of email users began receiving email with subject lines relating to current and breaking news, such as "230 dead as storm batters Europe" accompanied by an attachment with a promising name like "Full Clip.exe".

Regardless of the subject of the email or the name of the attached executable, it's a worm. Apparently it's become one of the larger outbreaks in recent years.

What's new about this particular worm is its use of social engineering and current events to entice you to open its attachment. More commonly in the past email borne malware has been fairly generic, with standard and often easily recognizable come-ons or fractured English. This new breed of malware takes some news event - often while it's happening, as in the case of the European storm - and relies on people's intense interest in the story to get them to forget about their normal caution regarding attachments.

Other versions I've seen this week have been even more provocative by building on, or even fabricating, news based on current events. "Sadam Hussein safe and sound!" with an attachment "Full Text.exe". This example simply makes up news that is so sensationalistic based on the recent execution of the former Iraqi leader that it almost begs to be opened. Or "Russian missile shot down USA aircraft." with an attachment "Read More.exe". This is based on China's recent successful test, shooting down one of their own satellites with a ground based missile. I've now seen several versions of that headline with more and more changes: who shot the missile varied; who's satellite was shot down changed; even wether it was a satellite, a plane or something else entirely was different in different versions of this worm.

The only thing they had in common was that they were primarily a headline with an executable attachment whose name promised more.

And if you open the attachment, you'll get more alright - just not the more you were expecting.

All this should serve as a reminder to us all that email based malware is out there, and sometimes they can look pretty darned enticing.


Breaking news isn't going to get distributed by random email from people you've never heard of. And even if it is from a familiar name, it's still best to avoid it. There are plenty of places on the web where you can go and ask for the latest headlines. Not only will they be accurate, but they won't infect your computer with who knows what.

I'd love to hear what you think. Visit and enter 11087 in the go to article number box and leave me a comment. While you're there, search over 1,000 technical questions and answers on the site.

Till next time, I'm Leo Notenboom, for

Article C2905 - January 21, 2007 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

January 24, 2007 8:39 AM

Useful warning and quite a good idea to add the transcript: for non English mother tongue it makes understanding sure without re-listening while improving the capability of listening. Just a minor shortcoming, I had to open two windows to keep the transcrip on the screen.

January 26, 2007 7:39 PM

Leo, why and how (not too detailed) do people make these viruses and worms? How do get distributed so widely? Are people forwarding them? Is there some database of emails that malicious people have. What do they gain by sending worms and viruses? Thanks.

E. Kroon
January 27, 2007 3:31 AM

A piece of advice for many people: Make sure that in Windows Explorer the option hide extensions for known filetypes is not checked (tools/folder options/view). Then at least you will see that an attachement has an .exe extension and be warned not to open it.

Leo Notenboom
January 27, 2007 2:03 PM

Ashrey: even a short answer to that one is long. I'll try and post a full article on that some time.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.