11 May 2006

The worm tries to send pictures of an owl to attached network printers.

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have discovered a worm that attempts to send a photograph of an owl to attached network printers.

The W32/Hoots-A worm is written in Visual Basic and spreads via network shares. Once it has infected a computer it attempts to send a graphical image of an owl with the legend "O RLY?" to a number of predefined print queues.

"This isn't the work of a professional virus writer. Most malware authors these days encrypt their executables with packers in an attempt to make them harder to detect, this one does not. It is also written in Visual Basic, which is unusual for a virus today. But the smoking gun is that the worm has hardcoded within it the specific network paths to almost 40 different printers," said Graham Cluley, senior technology consultant for Sophos. "It appears this malware was written for a specific organization, by someone who had inside knowledge of their IT infrastructure."

The phrase "O RLY?" is internet slang for "Oh really?", and is often accompanied by a picture of a snowy white owl.

"Why the author should want to print out pictures of an owl is, of course, anybody's guess," continued Cluley.

Sophos has only received reports of the malware from one customer, and is working with the organization to provide more information which may help identify the creator of the worm.

Sophos recommends companies put in place a consolidated solution to defend against viruses, spyware and spam, and ensure that it is automatically updated as new threats emerge.