McAfee Issues Controversial Bug Advisory

A leading maker of anti-virus software Thursday reported a resurgence of a password-stealing computer virus affecting users of America Online--a claim disputed not only by AOL but also by some independent Internet security experts.

McAfee.com, which sells computer security and anti-virus software, issued a news alert and reported on its Web site that more than 72 million computer files and as many as several million personal computers have been hit with the virus--known as APStrojan.qa--in the last 30 days.

The company said the computer bug was among the 10 most widespread reported by users of the company’s anti-virus software products, which can automatically notify McAfee via the Internet when a virus has been discovered on a PC. “PC users can protect themselves from the APStrojan and other viruses by visiting the McAfee.com anti-virus clinic” Web site, McAfee said.

America Online’s 22 million subscribers have long been an enticing target for malicious computer virus writers. But the McAfee alert drew skepticism and raised questions among independent observers about the reliability of virus reports by software makers that stand to gain financially from increased public concern about computer viruses.

SecurityPortal.com, a Web site that does not sell anti-virus software but tracks computer virus infections, did not list the APStrojan virus, which is more than a year old, in its top 20 virus list. There also appeared to be little recent discussion of the bug in online news groups or in independent Web sites checked by the Los Angeles Times.

Vincent Weafer, director of Symantec’s anti-virus research center in Santa Monica, said his company had declined to issue a general alert about APStrojan because it had seen “no noticeable increase” in the virus’ spread.

“We have pretty strict rules we use internally for publicizing a virus,” Weafer said. “If it’s something that’s very malicious and is destroying hard disks . . . then we issue an alert.” Otherwise, he said, the company contacts affected users and other anti-virus software makers.

Srivats Sampath, president of McAfee, said his company “went through a lot of due diligence” before issuing a “medium-risk advisory” after noticing that the number of AOL users infected by the APStrojan computer virus had doubled in the last three weeks.

“Most [computer] users are very naive,” Sampath said. “AOL did not have news about this on their home page--it was buried in the anti-virus section” of the online service.

“But we were seeing a 100% increase” in APStrojan activity, Sampath added. “For us, that is a red flag. We sent out an alert. . . . If you are a security company, you have to flag these threats.”