Walling Data, North America’s top distributor of AVG Internet Security Products, discovered a new computer threat this week that exhibits interesting symptoms, including a pop up of President Barack Obama’s face in the bottom right hand corner of infected computers, according to a statement that the Claremont-based firm released on Thursday.

Ironically, the worm was discovered on the network of a K-12 school in the president’s home state of Illinois.

Obama is the first president with a Facebook page and a YouTube channel. The president has 1 million “MySpace” friends and 3.7 million Facebook supporters, and his campaign database boasts the e-mail addresses of 13 million supporters.

So is it any surprise that hackers have taken advantage of the new president’s online popularity?

“From what we can tell so far, the good news is that this worm is nothing more than a major nuisance. This threat spreads via external devices, such as flash drives, attacking where a network is typically most vulnerable – from the inside,” said Luke Walling, president of Walling Data.

“We first discovered the worm in the course of some support work we were providing to the school,” added Walling. “It seems this threat was developed in an off-the-shelf development environment often used for the production of simple games. The version we have seems to have last been modified in December 2008.”

Walling also noted that the threat is unlikely to be an isolated incident, as it can be easily spread through the use of external devices, like USB flash drives. Schools are especially susceptible because they often allow the use of such devices to move class work back and forth between home and school.

As of today, the worm is not detected by any security product worldwide based on data obtained from virustotal.com and internal testing.

Are you infected?

  1. The threat appears to have been introduced to the school’s network via the use of a USB flash drive or possibly from e-mail.
  2. The Obama worm replicates via USB storage devices and network shares.
  3. The worm’s behavior indicates that it is more of a nuisance than a threat to sensitive data, as there are changes to exe/bat/vbs shell extensions (i.e. breaking exe files) and it replicates to a large number of folders on the local computer.
  4. On Mondays only, it will depict Obama’s face in the lower right corner.

Lessons learned

Walling suggests two things that could prevent this threat and others like it from wreaking havoc on a network:

  1. Make sure all machines are “patched up.”
  2. Prohibit the use of external devices. Define and enforce usage policies diligently.