
The Beginning of the Arabic Virus Era

Updated: 29 Jun 2009
Masaki Suenaga

If a virus uses a language other than English, it is most often Chinese, German, Spanish, Portuguese or Russian, and sometimes Indonesian/Malay, Japanese or Thai. It is rare to find an Arabic-aware virus. At least we've thought so until now.

The current trend is that a worm that spreads through removable media is easy to create, and many types of Trojan horses such as Infostealer and Downloader are armored with worm capability. As a result, this kind of beginner's worm is now being developed in every corner of the world. Such a worm just spreads and does not get much attention from virus analysts, so we often give it a trivial name such as W32.SillyFDC.

W32.Alnuh, discovered on June 1, is a kind of W32.SillyFDC, as all it does is spread and then terminate some programs to protect itself. What is new is that it checks for some Arabic window titles to close as well as English ones. W32.Alnuh shows an English message "Please try to open - TaskManager - now" at the beginning. If you run Task Manager on English or Arabic Windows, Task Manager will be promptly terminated. W32.Alnuh closes Windows Task Manager, Registry Editor, Command Prompt and the Folder Options of Windows Explorer. The window-title strings it checks for are in both English and Arabic. The existence of English text made it easier to guess what was intended.

W32.Alnuh looks like just an experiment by the author. After they have done their "homework", they might move on to the next stage and make a more complicated virus. There might be more Arabic-aware viruses in the wild than we think, simply because many of us do not notice Arabic words. But we are seeing more Arabic-aware viruses than a year ago. Before it becomes a surge, like the case of Chinese viruses, both security vendors and computer users in Arabic-speaking countries should prepare themselves.
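Because Arabic strings are easy to overlook during string triage, the following added example (not code from this post or from Symantec) surfaces Arabic-script runs in a binary blob. It assumes the strings are stored as UTF-16LE or Windows-1256; the sample phrase and blob are constructed for illustration and are not taken from W32.Alnuh.

```python
import re

# UTF-16LE: code units U+0600-U+06FF are <any byte> 0x06; allow spaces (20 00).
UTF16_RUN = re.compile(rb"(?:[\x00-\xff]\x06|\x20\x00){4,}")
# Windows-1256 (assumed ANSI code page): Arabic letters sit in 0xC0-0xFF.
CP1256_RUN = re.compile(rb"[\xc0-\xff\x20]{4,}")


def _distinct_arabic(text):
    """Distinct characters of `text` that fall in the Arabic Unicode block."""
    return {c for c in text if "\u0600" <= c <= "\u06ff"}


def arabic_strings(data, min_distinct=3):
    """Return sorted (offset, encoding, text) for Arabic-script runs in `data`.

    Heuristic triage only: runs with fewer than `min_distinct` different
    Arabic letters are dropped, which filters 0xFF padding and space runs.
    """
    hits = []
    for pattern, encoding in ((UTF16_RUN, "utf-16-le"), (CP1256_RUN, "cp1256")):
        for match in pattern.finditer(data):
            text = match.group().decode(encoding, errors="replace").strip()
            if len(_distinct_arabic(text)) >= min_distinct:
                hits.append((match.start(), encoding, text))
    return sorted(hits)


# Constructed sample: an Arabic phrase meaning "task manager", written with
# escapes so the source stays ASCII. Not a string recovered from the worm.
PHRASE = "\u0645\u062f\u064a\u0631 \u0627\u0644\u0645\u0647\u0627\u0645"
SAMPLE = (
    b"MZ\x90\x00"
    + b"Windows Task Manager\x00"
    + PHRASE.encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 16                      # padding that must not be reported
    + b"Registry Editor\x00"
    + PHRASE.encode("cp1256") + b"\x00"
)

if __name__ == "__main__":
    for offset, encoding, text in arabic_strings(SAMPLE):
        print(f"0x{offset:04x} {encoding:10} {text}")
```

The English titles in the sample are what an ASCII-only `strings` pass would already show; the two reported hits are what it would miss.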