A computer virus that destroys documents and spreads to other networks recently infected computers at the Pentagon, the Defense Information Systems Agency (DISA) said on Thursday.
One of the Pentagon’s hundreds of networks “recently identified an infection after having issues opening Word and Excel documents,” DISA said in a statement.
The agency urged all network administrators to initiate software countermeasures to ensure that networks “are protected from [this] new threat.”
The Pentagon said the software security firm McAfee provided details on the virus, which was most likely spread from spam email messages.
Dmitri Alperovitch, a computer security specialist, told the Free Beacon, that the sophisticated attack software most likely originated from a foreign government, possibly China.
“This definitely looks like a nation-state actor but I can’t tell if it’s China without doing deeper analysis,” Alperovitch said.
China is known to be the source of major computer attacks on Pentagon, U.S. government, and private computer networks.
Secretary of State Hillary Clinton, who visited China this week, said she discussed the topic of computer security during meetings with Chinese officials.
After meeting Chinese Foreign Minister Yang Jiechi, Clinton said she “raised the growing threat of cyber attacks that are occurring on an increasing basis.”
“Both the United States and China are victims of cyber attacks. Intellectual property, commercial data, national security information is being targeted,” she said. “This is an issue of increasing concern to the business community and the government of the United States, as well as many other countries, and it is vital that we work together to curb this behavior.”
According to an Aug. 31 McAfee threat alert, the virus has two names: W32/XDocCrypt.a, and W32/XDocCrypt.b, that “parasitically infects” Microsoft Office Word, Excel, and related executable files.
The virus appears to be designed to destroy or disable documents by first encoding its contents using an encryption program, and then replacing the document with a malicious software file that the encrypted data attached to it. The original data is eventually deleted if the infection is not detected and steps are not taken to recover the documents.
The virus also replicates itself and spreads to other computers.
“The infection routine searches for files with ‘.doc’, ‘.xls’ or ‘.exe’ in the file name, and tries to infect them,” the report said.
To prevent digital infections, the security firm recommended blocking five Internet addresses: 18.104.22.168, 22.214.171.124, attow.com.br, www.zugo-bikes.com, forum.perfect-privacy.com.