Hackers have launched a new worm, called W32.Hairy-A, which downloads a message of Potter's untimely death. The malware can automatically infect a PC when users plug in a malicious USB drive.
The malware follows a hacker’s claim that he breached the network of the series’ UK publisher, Bloomsbury Publishing, and uncovered the end of the seventh and last book in author J.K. Rowling’s series.
The claim, posted on a hacker website and mailing list, was quickly denounced as a likely fake by information security experts.
The malicious removable drives claim to have a copy of the last book in the blockbuster series, Harry Potter and the Deathly Hallows, in a Word document. The malware automatically downloads if users have USB drives set to auto-run.
The document itself contains only the simple phrase, "Harry Potter is dead."
After the worm infects PCs, it creates a number of new users — whose icons are visible at the XP operating system’s start screen — named for Potter, Hermione Granger and Ron Weasley, all main characters in the series.
Affected users are shown a message after start-up, reading, "The end is near; repent from your evil ways, o ye folks. Lest you burn in hell … J.K. Rowling especially. Press any key to continue…"
Infected PCs also have their Internet Explorer homepages reset to the Amazon.com page for a spoof book, Harry Putter and the Chamber of Cheesecakes.
Ron O’Brien, senior security analyst at Sophos, told SCMagazine.com that the worm’s complexity suggests that it is likely a side project of a hacker using his or her skills to make malware for financial gain.
"What was peculiar, when the labs got it, they didn’t necessarily see what the malware is before they grab it. In this case, they got the malware and they cracked it open and it says, "Harry Potter is dead." And then they did a little more looking, and it turned out to be a worm infecting the USB drive," he said.
"There are a number of things being done here that is interesting, and the intent is to make it appear like you’ve stumbled upon a real application."
Graham Cluley, senior technology consultant for Sophos, said Thursday that the malware takes advantage of public appetite for the series' conclusion.
"Much of the world is waiting with bated breach for the final Harry Potter novel, and the premiere of the new movie is looming too. There is a real danger that muggles will blindly allow their USB flash drives to auto-run and become infected by this worm," he said. "Using social engineering at this time is a trick dastardly enough for Lord Voldemort himself."
"Someone needs to get a little more sunshine in their diet and put their energies into a more positive pursuit than writing malicious code like this," he said.
Is Harry Potter dead? A flash drive worm says so
By Frank Washkuch on Jul 2, 2007 10:08AM