9 May 2006
In the past, malware files carried ‘interesting’ names such as “Anna Kournikova” or “Britney Spears Naked”. When such a file was opened, many things happened, but seeing a picture of the two aforementioned idols was not one of them. The VBS/VBSWG.J@mm virus (popularly called the Anna Kournikova virus) arrived as an attachment pretending to be a picture. When the user clicked on the attachment, the virus copied itself to the Windows directory and then sent itself out to all contacts in the address book. Besides attacking a Dutch computer shop website on 26 January, this virus does not do anything else.
Similar tricks are used with other celebrities, where the file name usually hints at an attractive feature. Besides ending up with harmful applications installed or suffering destruction, the user is disappointed by the lack of an image.
On Friday 10 March 2006, a new phenomenon was introduced by malware: the use of child porn in a piece of malware named W32/Agent.ULL.
The Norman Sandbox Information Center (NSIC) received a file with the special filename childpornf*******movie.mpeg.exe. As most people run Windows Explorer with its default settings, the extension “.exe” is hidden as a feature of Windows and the file shows as a movie, of course with a Windows Media File icon.
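As an added example (not part of the original article and not Norman's tooling), here is a mail-gateway style check for the hidden-extension trick described above. The extension lists, function names and sample file names are assumptions constructed for illustration, and the check also covers trailing dots and whitespace padding before the real extension, which goes beyond the case in the text.

```python
import unicodedata

# Extensions Windows runs when double-clicked (assumed list; extend per environment).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Extensions a user reads as passive content (assumed list).
DECOY_EXTS = {"mpeg", "mpg", "avi", "wmv", "mp3", "jpg", "jpeg", "gif", "png",
              "pdf", "doc", "txt"}


def _parts(filename):
    # Windows ignores trailing dots and spaces in a file name, so drop them.
    # NFKC folds look-alike characters such as the full-width full stop.
    name = unicodedata.normalize("NFKC", filename).rstrip(". ")
    return [p.strip().lower() for p in name.split(".")]


def displayed_name(filename):
    """Approximate what Explorer shows with 'hide known extensions' enabled."""
    parts = _parts(filename)
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS | DECOY_EXTS:
        parts = parts[:-1]  # the final, real extension is the hidden one
    return ".".join(parts)


def classify(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    parts = _parts(filename)
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"  # looks like media, runs as a program
    return "executable"


def quarantine_list(filenames):
    """Names to hold back, paired with what the recipient would have seen."""
    return [(f, displayed_name(f)) for f in filenames
            if classify(f) == "double-extension"]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real sample.
    samples = ["holiday_movie.mpeg.exe", "clip.avi      .scr. ",
               "setup.exe", "report.v2.pdf", "README"]
    for real, shown in quarantine_list(samples):
        print(f"hold: {real!r} is displayed as {shown!r}")
```
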
While this would disgust most people, there are a number (and a growing number at that) who would view this as desirable content. Couple this with curiosity on the part of some who would by default find this sick, and with the fact that the file name isn’t static and so can be changed to something more generally acceptable, and the file is opened. When executed, the Trojan actually does show a child-porn movie, hiding its true activity: downloading and installing a range of other malware such as the fake antispyware programs SpySheriff and BraveSentry, as well as adware like Tibs, an adware downloader for pornographic websites. While the movie is playing, human curiosity takes over from logic and people lose attention to other activity. And of course what this curiosity meets is a shock, which masks the background activity even further.
On 18 March 2006, NSIC received another Trojan, again using the same technique to hide the same purpose. Although the movie shown is identical, a different variety of other malware is downloaded and installed. This shows the lengths to which spyware and adware vendors are willing to go to get their creatures distributed and installed: a clear sign that it is all about profitability.
Possessing and distributing child pornography is illegal everywhere in the world. Within the antivirus industry, it is common to share malware with bona fide competing vendors, all in the name of the cause. But suddenly this industry is facing a legal situation: are we breaking any law by sharing this Trojan with our competitors so that they can add detection, thus limiting the spread of the Trojan, while fully knowing and realizing that this Trojan contains actual child pornographic footage?
By the letter of the law, we would be breaking it, even by having it on our malware collection server. The latter is ‘easily’ solved by keeping the file in encrypted form and giving access only to people with a serious need for it. For the former, common sense must apply: it is better to share it with competing vendors, guaranteeing widespread detection to minimize the potential spread of the child porn movie, than not to do so.
Needless to say, this area needs to be examined by legal forces to come up with new laws and rules, especially since more and more crime is moving to the Internet. Preferably this should be a law honored everywhere in the world, but this may be a utopia: let’s settle for Europe first.