Storm Worm is back

A few days ago, I noticed a sudden flurry of viral email, featuring messages with subjects that either hinted at romance ("The Time for Love", "I Would Dream"), or war ("USA Just Have Started World War III", "Iran Just Have Started World War III") or malware mayhem ("Spyware Detected!", "Worm Detected!"). Then the new virus definitions kicked in and I didn't see them any more.

I should have paid more attention. The virus generating these, known by the usual variety of names including Trojan.Peacomm, Trojan.Small, and CME-711, is more generally known as Storm Worm. In January of this year, a Storm Worm-created botnet was used to launch a distributed denial of service attack on a number of sites including spamnation.info. The attack shut us down for a little over a week and forced a move to a new host with better DDoS mitigation.

Now our old friend is back in a newer and reportedly deadlier form. Postini claims that virus traffic is currently running 60 times higher than the average. This is bad news for all kinds of reasons. High traffic suggests a high rate of infection, which may mean that the developers of the worm are successfully building themselves a very large botnet. This botnet can be used for a variety of purposes, of which the most obvious is sending spam in huge quantities. The Storm Worm authors are linked to high volume spam campaigns focusing particularly on pharmacy and embedded image stock spam. As already mentioned, they have also used Storm Worm-infected machines to launch DDoS attacks on anti-spam sites and hosts operated by rival spam gangs.

As always, the question I want to ask is: who are the suckers? Who is clicking on these messages with their promises of love or threats of global destruction, and inviting Storm Worm to take over their computers? I would have expected that computer users in the English-speaking world had been so exposed to warnings about viruses that by now most people would know enough not to open attachments. Out of curiosity, I grabbed some samples out of the quarantine directory and ran the numbers.

The sample size is too small — 49 items — to really draw any conclusions, but the fact that almost 50% of the infected machines are in the US pretty much gives the lie to any idea that English speakers know better. Clearly, we're still clicking those attachments.

There may be another reason for the high volume of infected machines in the US. The current worm crop is targeted at English speakers. Users in non-English-speaking countries may assume that any message with an English (or Engrish) subject is spam or a virus. They probably delete the message without opening, just as we do with Japanese or Russian spam. It's hard to draw any conclusions about relative levels of gullibility from these numbers, but it's clear that the virus problem (and all the problems associated with it, such as spam) isn't going to go away until people stop opening email attachments. And there's no sign that they're ready to do that.

In the course of my investigation, I came across one interesting thing that gave me a new insight into the problem. One item that the virus-scanner had trapped was not generated directly by Storm Worm, although it contained a Storm Worm attachment. The message was actually a forward from one user to another. The first user had received a Storm Worm viral message with a subject line claiming it to be an anti-virus patch. She forwarded the whole thing to her colleague with a note that read:

Got this! Please apply.

It so happens that I know the person who did this. She is highly intelligent, an acknowledged leader in her field, with tremendous practical experience earned over many years of living in different cultures. She is unquestionably nobody's fool. Yet all it took was one little email marked "ATTN!" and she was ready to not only compromise her own machine but to do the virus-writer's work for him by forwarding the message on to her co-worker, advising them to do the same. You couldn't scam this woman in the real world, but on the Internet she's the easiest of marks. Something about technology seems to just switch off people's defences.

The virus problem isn't going away any time soon.
