
Protect your Address Book: help ensure you don't send out a virus through your emails
When a worm virus gets into your computer it heads straight for your e-mail address book and sends itself to everyone in there, thus infecting all your friends and business colleagues. The following won't keep the virus from getting into your computer, but it will stop it from using your address book to spread further, and it will alert you to the fact that the worm has gotten into your system.
What to do: open your address book and click on "new contact", just as you would if you were adding a new friend to your list of e-mail addresses. In the window where you would type your friend's first name, type in !000 (that's an exclamation mark followed by 3 zeros). In the window below, where it prompts you to enter the new e-mail address, type in WormAlert. Then complete everything by clicking add, enter, ok, etc.
Here's why it works: the "name" !000 will be placed at the top of your address book as entry #1. This is where the worm will start in its effort to send itself to all your friends. But when it tries to send itself to !000, the message will be undeliverable because of the phony e-mail address you entered (WormAlert). If the first attempt fails (which it will because of the phony address), the worm goes no further and your friends will not be infected. Here's the second great advantage of this method: if an e-mail cannot be delivered, you will be notified of this in your Inbox almost immediately. Hence, if you ever get an e-mail telling you that an e-mail addressed to WormAlert could not be delivered, you know right away that you have the worm virus in your system. You can then take steps to get rid of it.
November 25, 2001: A new variant of Badtrans has been discovered. While the virus is being seen and stopped at corporate gateways and mail servers, the home user segment has become infected. This is because home users tend to update their DAT files less frequently. This new variant of Badtrans drops a password-stealing trojan. Your risk of infection is higher if you do not have the 4168 DAT files or above.
Badtrans.a details: This mass-mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan.
When run, the worm displays a message box titled "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE, an entry is added to the WIN.INI file to run INETD.EXE at startup, KERN32.EXE (a backdoor trojan) and HKSDLL.DLL are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup.
Once running, the trojan attempts to mail the victim's IP address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of a variety of filenames.
The message body may contain the text:
Take a look to the attachment.
Badtrans.b details: This mass-mailing worm attempts to send itself using Microsoft Outlook by replying to unread and read email messages. It also mails itself to email addresses found within files that exist on your system. This trojan logs keystrokes for the purpose of stealing personal information (such as credit card and bank account numbers and passwords). This information is later emailed to the virus author(s).
When run, this variant copies itself to the WINDOWS SYSTEM directory as KERNEL32.EXE and creates a registry run key to load itself at startup. Additionally, the virus prepends an "_" (underscore) to the return address it uses, so replying to an infected message will fail to reach the intended recipient.
Another message subject is typically: "Re:"
The message attachment name will be one of a variety of names. This new variant uses the iframe exploit and an incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin MS01-020 for more information and a patch.
Method Of Infection of Badtrans.a variant:
This worm utilizes MAPI messaging to mail itself to regular email correspondence. It will arrive as an attachment that is 13,312 bytes in length and uses one of a number of names.
Badtrans.b variant:
This worm utilizes MAPI messaging to mail itself to regular email correspondence. It will arrive embedded in an email message which often has the subject "Re:". Exploiting a MIME header vulnerability, the virus can execute upon viewing the email message. The message body is empty. It will arrive as an attachment that is 29,020 bytes in length and uses one of a number of filenames.
Removal Instructions
All Windows Users:
Use current engine and DAT files for detection and removal.
Install the Microsoft Security Bulletin (MS01-020) patch.
EXTRA.DAT files:
The following Extra.DAT and Super Extra.DAT files are also available:
EXTRA.DAT
SUPER EXTRA.DAT
Manual Removal Instructions
(Disclaimer: This is for information purposes only. If you aren't confident that you know how to do this, you should ask your systems administrator.)
WINDOWS 95/98/ME
Restart Windows in Safe Mode (reboot your computer and, just before the large WINDOWS startup screen comes up, hit the F5 key). You can recognize that you're in Safe Mode by the text "Safe Mode" in the 4 corners of the desktop.
Click START | RUN, type %WINDIR% and hit ENTER
Delete the INETD.EXE file (if present)
Click START | RUN, type %WINDIR%\SYSTEM and hit ENTER
Delete the following files (if they exist):
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_LOCAL_MACHINE
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS
Click the (+) next to CURRENTVERSION
Click RUNONCE
Click on KERNEL32 on the right and hit DELETE on the keyboard
Restart the computer
WINDOWS NT/2000/XP
Press CTRL-ALT-DEL at the same time
Choose TASK MANAGER and then choose the PROCESSES tab
Locate the KERNEL32.EXE process, click it, and choose END PROCESS
Click START | RUN, type %WINDIR% and hit ENTER
Delete the INETD.EXE file (if present)
Click START | RUN, type %WINDIR%\SYSTEM32 and hit ENTER
Delete the following files (if they exist):
KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL
Click START | RUN, type REGEDIT and hit ENTER
Click the (+) next to HKEY_CURRENT_USER
Click the (+) next to SOFTWARE
Click the (+) next to MICROSOFT
Click the (+) next to WINDOWS NT
Click the (+) next to WINDOWS
If INETD.EXE is found in the right panel, double-click on RUN on the right and delete the INETD.EXE value
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.
W32/Nimda@MM High Risk Virus
Discovered: 9/18/01
Virus Characteristics:
This threat can infect all unprotected users of Win9x/NT/2000/ME. Its main goal is simply to spread over the Internet and intranets, infecting as many users as possible and creating so much traffic that networks are virtually unusable.
All end users and administrators running Microsoft Internet Explorer (ver 5.01 or greater) are advised to install the patch for the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. All IIS administrators should also install the August 15, 2001 Cumulative Patch for IIS.
This is a mass-mailing worm, which also spreads via open shares, the Microsoft Web Folder Traversal vulnerability (also used by W32/CodeBlue), and a Microsoft content-type spoofing vulnerability. It also attempts to create a share (c:), and checks for the presence of the trojan dropped by the W32/CodeRed.c worm. The email attachment name varies and may use the icon for an Internet Explorer HTML document.
The most significant methods of propagation are as follows: The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus when a message is accessed, the attachment can be executed without the user's knowledge. When infecting, it appends HTML documents with JavaScript code which opens a new browser window containing the infectious email message itself (taken from the dropped file README.EML). Thus when this infected HTML is accessed (locally or remotely), the machine viewing the page is then infected.
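A mail-gateway check for the two tricks described above (an audio/x-wav content-type wrapping an executable, and the underscore-prefixed sender Badtrans.b uses), as an added example that is not part of the original bulletins and not AVERT code. It needs only the Python standard library; the sample messages, addresses and the attachment names readme.exe and card.scr are constructed, not real worm samples.

```python
"""Gateway checks for spoofed MIME attachments (added example, not AVERT code)."""
import email
from email.message import Message
from email.utils import parseaddr
from typing import List

# Extensions Windows will execute when the attachment is opened.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def part_findings(part: Message) -> List[str]:
    """Flag one MIME part if it carries a Windows executable."""
    ctype = part.get_content_type()
    filename = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    # An executable is recognised by its extension or by the "MZ" header.
    looks_exe = filename.endswith(EXECUTABLE_EXTS) or payload[:2] == b"MZ"
    if not looks_exe:
        return []
    label = filename or "<unnamed>"
    # The MS01-020 trick: a harmless-looking type (Nimda used audio/x-wav)
    # wrapping an executable, which unpatched IE/Outlook runs on preview.
    if not ctype.startswith("application/"):
        return [f"spoofed content-type {ctype} on executable part {label}"]
    return [f"executable attachment {label}"]


def scan_message(raw: str) -> List[str]:
    """Return all findings for one RFC 822 message."""
    msg = email.message_from_string(raw)
    findings: List[str] = []
    # Badtrans.b indicator: the return address is prefixed with "_".
    _, addr = parseaddr(msg.get("From", ""))
    if addr.startswith("_"):
        findings.append(f"underscore-prefixed sender {addr} (Badtrans.b pattern)")
    for part in msg.walk():
        if not part.is_multipart():
            findings.extend(part_findings(part))
    return findings


# Constructed samples (not real worm messages); the base64 is an "MZ" stub.
NIMDA_STYLE = """From: someone@example.com
To: victim@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

constructed body text
--bnd
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA
--bnd--
"""

BADTRANS_STYLE = """From: _friend@example.com
To: victim@example.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: application/octet-stream; name="card.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="card.scr"

TVqQAAMAAAAEAAAA
--bnd--
"""

CLEAN = """From: friend@example.com
To: victim@example.com
Subject: lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("nimda-style", NIMDA_STYLE),
                         ("badtrans-style", BADTRANS_STYLE),
                         ("clean", CLEAN)):
        print(name, scan_message(sample))
```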
Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, it can cause a network traffic jam. It copies itself to the WINDOWS SYSTEM directory as LOAD.EXE and creates a SYSTEM.INI entry to load itself at startup:
Shell=explorer.exe load.exe -dontrunold
Additional events are:
- A MIME encoded version of the worm is created in each folder on the drive (often as README.EML, can also be .NWS files)
- Certain executable files are selected by the worm and altered.
The virus contains the string: Concept Virus (CV) V.5, Copyright (C) 2001 R.P.China
Removal Instructions:
This threat can infect all unprotected users of Win9x/NT/2000/ME. Infected systems must apply these patches prior to cleaning or reinfection may take place.
All end users and administrators running Microsoft Internet Explorer (ver 5.01 or greater) are advised to install the patch for the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.
Customizing the program file extension list using VirusScan 4.5 (and higher) may result in a lack of protection against this trojan. As always, AVERT recommends that users configure VirusScan to scan all files. If this is not an option in your environment, the default extension list should be used.
The provided Extra.DAT should be used for detection and removal:
Extra.Dat (Ver 3)
Nimda3.Exe (Ver 3)
This includes detection and removal for infected .ASP, .DLL, .EML, .EXE, .HTM, .HTML, and .NWS files (with ALL files being scanned). Note that when repairing infected .ASP, .HTM, and .HTML files, they are properly truncated to remove the infectious JavaScript call. The dropped copies of the worm are deleted, and infected .EXE files are also repaired.
Aliases: W32/Minda@MM
W32/Hybris.gen@MM
Virus Information
This worm will be received in an email message which may contain the following information:
From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe
When first executed, this worm tries to infect the WSOCK32.DLL file in the WINDOWS\SYSTEM directory. First it tries to infect the WSOCK32.DLL file directly. If it fails because the file is already in use, it creates an infected copy of WSOCK32.DLL in a new file. This new file goes by an extensionless filename made up of 8 random characters. A line is then created in the WININIT.INI file to rename this newly created file to WSOCK32.DLL, thus overwriting the original WSOCK32.DLL file. This change takes place the next time the system is booted. A registry value under Software\Microsoft\Windows\CurrentVersion\RunOnce\(default) is also created to run the worm at the next bootup, in case the previous attempts to infect WSOCK32.DLL fail.
The modified WSOCK32.DLL file watches all Internet activity and attempts to mail a copy of the worm, in the form of a .EXE or .SCR file, to any valid e-mail address sent over the Internet connection, whether part of an e-mail message, web page, or newsgroup posting. AVERT cautions all users to delete unexpected attachments. W32/Hybris.gen@M is sent unknowingly by the infected user.
This Internet worm originally downloaded encrypted update components from an Internet web site, similar to the method first used by W95/Babylonia, but the site hosting the virus was taken down. The original plugins were:
HTTP.DAT
NEWS.DAT
ENCR.DAT
PR0N.DAT
SPIRALE.DAT
SUB7.DAT
DOSEXE.DAT
AVINET.DAT
Currently this virus downloads plugins from alt.comp.virus. The virus contains an internal list of several news servers it can access. It searches the newsgroup for any plugins that it doesn't have, or has older versions of. Since the worm searches all Internet activity for e-mail addresses, people who post to alt.comp.virus using their real e-mail address may get many copies of the worm when Hybris searches alt.comp.virus for new plugins.
When a full moon occurs according to the computer's internal clock, the virus will randomly post its plugins to the alt.comp.virus newsgroup. It uses a mail-to-news gateway at anon.lcs.mit.edu to send plugins with a fake return address of root@microsoft.com.
This Internet worm contains the text:
HYBRIS
(c) Vecna
Indications Of Infection:
Mail recipients claiming they received an attachment from you when
one was never sent. Depending on plugins installed, spiral graphic
on the screen, inability to access antivirus sites.
Method Of Infection:
The format of the newsgroup-posted message is as follows:
anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: 20001113080521.28781.qmail@nym.alias.net
From: [USE-AUTHOR-ADDRESS-HEADER@[127.1]]
Author-Address: anonymous [AT]anon [DOT]lcs [DOT]mit [DOT] edu
Subject: http [code containing upper- and lower-case letters]
Mail-To-News-Contact: postmaster@nym.alias.net
Organization: mail2news@nym.alias.net
Newsgroups: alt.comp.virus
Lines: 46
KUWJGJWCVICGIWIWCZIWHCFXCHB [continues]....
[more coded lines]
[terminated by four asterisks]
****
The plugins are saved to the WINDOWS\SYSTEM directory with a name consisting of eight random letters and an extension consisting of three random letters. The plugins are signed using public-key cryptography: every copy of the worm carries a public key and will only accept plugins digitally signed with the matching private key. Only the virus author has the private key, so only plugins that he approves will be accepted by the virus. Some of the current plugins are:
@@@@ or SPIRALE - This creates a file which displays a graphic of a "spiral" that cannot be closed or stopped. The file has a name consisting of eight random letters, and is loaded using the run= line of the [windows] section of win.ini. This spiral graphic is launched by this Internet worm on September 24th, or when the number of minutes is equal to 59 in the year 2001.
I_RZ - Adds a copy of the worm to ZIP and RAR archives containing EXE files. The original EXE file is renamed to an EX$ extension, and a copy of the virus takes the place of the original EXE file.
AVIP or AVINET.DAT - Blocks the infected computer from visiting certain antivirus websites by IP address, similar to the W95/MTX virus.
SUB7 - Searches for computers infected with the BackDoor-G trojan, and copies and executes itself on infected machines.
ENCR or POLY - Encrypts the virus with a polymorphic routine. Note that in spite of the polymorphic routine, VirusScan detects all of the permutations of the virus when using updated engine and DAT files.
TEXT or PR0N - This creates the message that the virus is sent with, depending on the language installed on the infected system:
English:
From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and polite with Snowhite. When they go out work at mornign, they promissed a *huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe
French:
From: Hahaha [hahaha@sexyfun.net]
Subject: Les 7 coquir nains *or* Blanche neige et ...les sexe nains
Body: C'etait un jour avant son dix huitieme anniversaire. Les 7 nains, qui avaient aidé 'blanche neige' toutes ces années après qu'elle se soit enfuit de chez sa belle mère, lui avaient promis une *grosse* surprise. A 5 heures comme toujours, ils sont rentrés du travail. Mais cette fois ils avaient un air coquin...
Attachment: blancheneige.exe or sexynain.scr or blanche.scr or nains.exe
Spanish:
From: Hahaha [hahaha@sexyfun.net]
Subject: Enanito si, pero con que pedazo!
Body: Faltaba apenas un dia para su aniversario de de 18 años. Blanca de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande* sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo incomun en los ojos...
Attachment: enano.exe or enano porno.exe or blanca de nieve.scr or enanito fisgon.exe
Portuguese:
From: Hahaha [hahaha@sexyfun.net]
Subject: Branca de Neve pornô!
Body: Faltava apenas um dia para o seu aniversario de 18 anos. Branca de Neve estava muito feliz e ansiosa, porque os 7 anões prometeram uma *grande* surpresa. As cinco horas, os anõezinhos voltaram do trabalho. Mas algo nao estava bem... Os sete anõezinhos tinham um estranho brilho no olhar...
Attachment: branca de neve.scr or atchim.exe or dunga.scr or anão pornô.scr
A later version of the plugin creates e-mails by choosing random words from "Anna", "Raquel Darian", "Xena", "Xuxa", "Suzete", "famous", "celebrity rape", "leather" and "sex", "sexy", "hot", "hottest", "cum", "cumshot", "horny", "anal", "gay", "oral", etc.
Note that the infected e-mails do not actually come from the sexyfun.net domain; they are sent unknowingly, with a fake return address, by infected users.
If Hybris does not have a plugin capable of generating message text,
it will send a message with no subject or sender and a copy of itself
with a name consisting of eight random letters.
DOSEXE.DAT or EXEI - Infects DOS EXE files to contain a virus dropper. These files can be repaired by VirusScan as W32/Hybris.exe.
I_PE - Infects PE files without increasing their size. It also adds data so that some checksumming algorithms will generate the same checksum before and after infection. These files cannot be repaired.
HTTP - This downloaded plugins from a website before it was shut down.
NEWS - This plugin posts plugins and downloads new ones from alt.comp.virus as described above.
Because plugins can change the virus behaviour so quickly, infected
users are urged to use the latest engine and DAT files, and to set
their antivirus software to scan all files. VirusScan will repair
the infected wsock32.dll as W32/Hybris.gen.dll@M, but we recommend
users restore it from the original disks to be certain.
Removal Instructions:
Use specified engine and DAT files for detection and removal.
Windows 95/98 systems require rebooting to MS-DOS mode and scanning with the command line scanner SCANPM in order to clean such files as EXPLORER.EXE and TASKMON.EXE. Use the command line scanner like so:
"SCANPM.EXE C: /CLEAN /ALL"
The WSOCK32.DLL file can be restored from backup. This can be done as follows:
Windows ME:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.
Use SFC to recover WSOCK32.DLL using the instructions below for Windows 98/2000.
Windows 98/2000
- Click START MENU | RUN, type SFC and click OK.
- Choose "Extract one file from the installation disk"
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the "Restore from" box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 directory on your Windows 98 CD-ROM
- Click OK and follow the remaining prompts
The Wsock32.dll file exists within the Precopy1.cab cabinet file on the Windows 98 CD-ROM.
Windows 95
WSOCK32.DLL can be found in the following CAB files:
Win95_11.cab on the Windows 95 CD-ROM
Win95_18.cab on the Windows 95 OSR2 CD-ROM
Win95_12.cab on the Windows 95 DMF disks
Win95_19.cab on the Windows 95 non-DMF disks
Below is an example for standard Windows 95:
- Click START MENU | SHUT DOWN and choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows 95 CD-ROM and type:
EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
where D: is your CD-ROM drive
Windows NT 4.0
Rename the Wsock32.dll file in the Windows\System32 folder to Wsock32.old. For information about how to rename a file, click Start, click Help, click the Index tab, type "renaming", and then double-click the "Renaming files" topic.
Click Start, point to Programs, and then click Command Prompt.
Type cd\, and then press ENTER.
Insert the Windows NT CD-ROM into the CD-ROM drive, and then close the Windows NT screen if it appears.
Type the following line at the command prompt, and then press ENTER:
expand <drive>:\i386\wsock32.dl_ c:\<windows>\system32\wsock32.dll
where <drive> is the drive letter assigned to your CD-ROM drive, and <windows> is the name of the folder in which Windows NT is installed.
Type exit, and then press ENTER to return to Windows.
Aliases: dwarf4you.exe, Hybris, I-Worm.Hybris, I-Worm.Hybris.b, Snowhite and the Seven Dwarfs, TROJ_HYBRIS.A, W32/Hybris.dll@M, W32/Hybris.plugin@M, W95.Hybris.Gen.dr, W95/Hybris.worm, Win98.Vecna.23040
Disclaimer: again, if you are not confident that you know what you're doing, have your IT person do this. DON'T OPEN attachments from people you don't know, or attachments in emails with no message or in messages you find strange. Make sure you have an anti-virus program on the hard drive of all your machines, AND keep it updated. Scan your machine often. Enjoy all of the many benefits e-mail brings to all of us, but exercise caution.
Code Blue
Virus Information
The infamous "Code Red" worm, which, together with its variants, caused millions of dollars in damage during July and August, has apparently spawned a cousin dubbed "Code Blue" which could spread across the globe.
Similar to the Code Red worms, the Code Blue variant is already striking computers in China, said a worker at the police-run Computer Virus Treatment Center in Tianjin, about an hour's drive outside of Beijing.
Code Red worms caused about US$2.4 billion in estimated cleanup costs, according to Computer Economics. Michael Erbschloe, a vice president at Computer Economics, reported that it's too early to tell if the alleged Code Blue is really nothing more than a variant of the Code Red viruses. "We continue to get reports of new worms, but most of them are directly related to the first Code Red," Erbschloe said.
The first Code Red worm infected more than 250,000 systems in the United States in only nine hours on July 19th, shortly after it was first reported, according to the FBI-affiliated National Infrastructure Protection Center. In August, a second version of the worm was discovered, preying on computers and servers linked to the Internet and running Microsoft (Nasdaq: MSFT) Internet Information Server (IIS) software. Code Red II faded quickly as people downloaded free patches from Microsoft's Web site that plugged the hole the worm used to enter computers. The origin is still unknown, but the U.S. General Accounting Office -- a nonpartisan arm of Congress -- said in written testimony that the worms were created at a university in Guangdong, China. Chinese government officials have vehemently denied having anything to do with the virus outbreak.
Besides the cost, which is calculated to be the highest ever caused by a computer virus, some U.S.-based firms have suffered poor public relations and a loss of customers. Subscribers to Qwest's (NYSE: Q) DSL service have been knocked out repeatedly by the worms, but the company has stood pat on refusing to offer refunds. The earlier worm self-propagated in a manner quite similar to the more famous Code Red. It also targeted the White House Web site.
W32/magistr.b@mm
Virus Information
A growing number of systems have become infected with the W32/magistr.b@mm worm in Europe and South America. Currently, there is a low incidence of this worm in North America. This is a medium risk virus that is spread via email. The messages sent by the worm contain varying subject headings, body text, and attachments. The body of the message is derived from the contents of other files on the victim's computer. It may send more than one attachment and may include non-EXE or non-viral files along with an infectious .EXE file.
Five minutes after the virus is activated, it attempts to send copies of itself to email addresses found in the Windows Address Book, and in the Outlook Express, Netscape and Eudora mailboxes on the hard drive.
The virus payload may also cause the following:
* Erasure of CMOS/BIOS info
* Destruction of sectors on the hard disk
* Deletion of all .NTZ files on the machine
* Termination of the Zone Alarm firewall program
* Creation of a SYSTEM.INI [boot] shell value to run itself at startup
* Overwriting of WIN.COM/NTLDR
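The SYSTEM.INI shell value above, Nimda's Shell=explorer.exe load.exe line, the WIN.INI entry Badtrans adds and the WININIT.INI rename Hybris relies on are all entries in plain-text startup files. The following audit of those three files is an added example, not code from the bulletins or from VirusScan; the sample file contents and the random name QWERTYUI are constructed.

```python
"""Startup-file audit for the persistence entries named in these bulletins
(added example, not AVERT or VirusScan code)."""
from typing import Dict, List, Tuple

IniSections = Dict[str, List[Tuple[str, str]]]


def parse_ini(text: str) -> IniSections:
    """Minimal INI reader that keeps duplicate keys and their order."""
    sections: IniSections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def audit_system_ini(text: str) -> List[str]:
    """Nimda and Magistr hook SYSTEM.INI [boot] shell=; only explorer.exe belongs there."""
    findings = []
    for key, value in parse_ini(text).get("boot", []):
        if key.lower() == "shell" and value.lower().split() != ["explorer.exe"]:
            findings.append(f"SYSTEM.INI [boot] shell={value}")
    return findings


def audit_win_ini(text: str) -> List[str]:
    """Badtrans (INETD.EXE) and the Hybris spiral plugin use WIN.INI run=/load=."""
    findings = []
    for key, value in parse_ini(text).get("windows", []):
        if key.lower() in ("run", "load") and value:
            findings.append(f"WIN.INI [windows] {key.lower()}={value}")
    return findings


def audit_wininit_ini(text: str, protected=("wsock32.dll",)) -> List[str]:
    """WININIT.INI [rename] lines (destination=source) are applied at the next
    boot; Hybris uses one to drop its infected copy over WSOCK32.DLL."""
    findings = []
    for dest, src in parse_ini(text).get("rename", []):
        if dest.lower().rsplit("\\", 1)[-1] in protected:
            findings.append(f"WININIT.INI renames {src} over {dest}")
    return findings


# Constructed sample contents (the random file name QWERTYUI is a placeholder).
SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[fonts]\n"
WININIT_INI = "[rename]\nC:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\QWERTYUI\n"

if __name__ == "__main__":
    for line in (audit_system_ini(SYSTEM_INI) + audit_win_ini(WIN_INI)
                 + audit_wininit_ini(WININIT_INI)):
        print(line)
```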
The infected email can come from addresses that you recognize.
The virus proceeds by infecting 32-bit PE (Portable Executable) type .EXE files found in the WINDOWS SYSTEM directory and subdirectories. The viral code is encrypted, polymorphic, and uses anti-debugging techniques to make it difficult to detect.
Five minutes after the virus is activated, it attempts to send copies of itself to email addresses gathered from the Windows Address Book, Outlook Express mailboxes, Netscape mailboxes, and Eudora mailboxes. These addresses are saved to a hidden .DAT file somewhere on the hard disk (location varies). It may also attach .GIF files found on the hard drive to the emails it sends out.
Update your anti-virus software, and perform a scan on your hard drive. If W32/Magistr.b@MM is found, use the delete option to remove it.
CodeRed.a
Virus Information
Discovery Date: 07/17/2001
Origin: Unknown
Type: Internet Worm
Risk Assessment: High
Virus Characteristics
UPDATE July 30, 2001:
Users may see reissued alerts by other security organizations as well as additional media coverage of this threat over the next 24-48 hours. This threat does not generally affect an end-user's PC; rather, it attacks unpatched Microsoft IIS web servers. However, all Internet users can feel the effects of this worm, such as requested web pages being defaced or unavailable, due to the actions of this worm.
Your environment is at High Risk if:
1) You have Microsoft Index Server 2.0, or Indexing Service installed with Windows 2000 or IIS.
2) You have not updated these components with the latest patch from Microsoft.
The exploit, a buffer overflow, is used to spread this worm (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise). It exists in memory only and no written file ever exists on the hard disk.
It spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP stream directly to its victims, which in turn scan the web for other systems to infect. Once infected, this viral code checks for the existence of C:\notworm. If the file C:\notworm is present the worm stops seeking other machines to infect.
Affected English language web servers have their web pages defaced with the message:
Welcome to http://www.worm.com !
Hacked By Chinese!
Method Of Infection
This worm makes use of a Microsoft Index Server buffer overflow exploit to execute itself in memory.
Removal Instructions
Install the patch from Microsoft. For more information and to obtain a patch for this vulnerability, visit Microsoft's website.
Note that on top of applying the patch, rebooting the server is also required to remove the worm from memory. Without the patch, the machine will simply become reinfected using the same vulnerability.
The worm does NOT affect desktop or NT file servers.
As always, make sure you have the latest anti-virus software running on your machine.
Aliases
Name - Code Red
W32/Bady.worm
W32/CodeRed.c
Virus Characteristics:
This threat only affects Microsoft Windows 2000 running web servers. Although WinNT is vulnerable to this exploit, the worm crashes on WinNT.
Your environment is at HIGH RISK if:
1) You have Microsoft IIS server installed with Windows 2000.
2) You have NOT updated this server with the latest patch from Microsoft.
The exploit, a buffer overflow, is used to spread this worm.
This virus exists in memory only (however, the .C variant does write a trojan program to the hard disk). As such, the trojan can be detected with the latest DATs and engine, but the virus cannot.
The virus spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP stream directly to its victims, which in turn scan the web for other systems to infect.
This is a rewrite of the W32/CodeRed.a worm. This variant does not deface web pages or contain a DDoS payload. It uses the atom "CodeRedII" for self-recognition and thus does not reinfect already infected systems.
It checks whether Chinese is the language installed on the system. If it is Chinese, it creates 600 threads and spreads for 48 hours. On a non-Chinese system it creates 300 threads and spreads for 24 hours. After that, it reboots the system. At 12am Oct 1, 2001 GMT, it reboots the computer, thus clearing the worm portion from memory. However, since not all clocks are set correctly, the computer will almost immediately get reinfected and reboot again and again.
It tries to copy %windir%\CMD.EXE
to the following files:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
It also tries to create a backdoor
trojan (detected as W32/CodeRed.c trojan with the 4152 DATs) which
it saves to c:\explorer.exe and d:\explorer.exe. This exploits the
"Relative Shell Path" Vulnerability, which states that Windows
will run c:\explorer.exe before %windir%\explorer.exe. So, the trojan
can be run where EXPLORER.EXE is called. The trojan does nothing more
than write certain values to the registry every 10 minutes. It is
these registry values that open a security hole in your system.
On the next reboot, the trojan
carries out its payload and then calls the original explorer.exe.
The trojan adds a value to the following registry key, to disable
local file system security:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
Two values are added to the
following key to enable a remote attacker to have access to the C:
and D: drives, via a web browser:
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
Also under this key, the /SCRIPT
and /MSADC values are configured to allow read/write access to the
paths associated with these values.
These changes allow a remote attacker to run shell commands on the local
system by sending them to it via a URL.
Indications Of Infection:
Presence of the files:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
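To check a server for the artefacts just listed, here is an added Python example (not from the original page or from any vendor tool). It takes the host's files and registry as plain data so it runs offline; the "path,username,accessflags" form of the Virtual Roots data, the snapshot contents and the non-zero SFCDisable value are constructed assumptions.

```python
"""Host-side check for the W32/CodeRed.c artefacts listed above (added example).
The host's files and registry arrive as plain data so the check runs offline;
on a live Windows 2000 server they would come from os.path.exists and winreg."""
from dataclasses import dataclass

# File artefacts from the description: CMD.EXE copied as root.exe under the
# web roots, and the explorer.exe trojan dropped in the drive roots.
ROOT_EXE_PATHS = (
    r"c:\inetpub\scripts\root.exe",
    r"c:\progra~1\common~1\system\MSADC\root.exe",
    r"d:\inetpub\scripts\root.exe",
    r"d:\progra~1\common~1\system\MSADC\root.exe",
)
TROJAN_PATHS = (r"c:\explorer.exe", r"d:\explorer.exe")

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VROOTS_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters"
              r"\Virtual Roots")


@dataclass
class HostSnapshot:
    """files: paths that exist on the host; registry: key -> {value: data}."""
    files: set
    registry: dict


def file_findings(snap):
    """Report dropped files; Windows paths compare case-insensitively."""
    present = {p.lower() for p in snap.files}
    hits = []
    for path in ROOT_EXE_PATHS:
        if path.lower() in present:
            hits.append(("root.exe shell copy", path))
    for path in TROJAN_PATHS:
        if path.lower() in present:
            hits.append(("explorer.exe trojan (Relative Shell Path)", path))
    return hits


def registry_findings(snap):
    """Report the registry changes the trojan rewrites every 10 minutes."""
    hits = []
    # SFCDisable: 0 is the default; any other value means Windows File
    # Protection has been switched off.
    sfc = snap.registry.get(WINLOGON_KEY, {}).get("SFCDisable", 0)
    if sfc != 0:
        hits.append(("Windows File Protection disabled", f"SFCDisable={sfc}"))
    vroots = snap.registry.get(VROOTS_KEY, {})
    # /C and /D virtual roots expose the whole drives through the web server.
    for name in ("/C", "/D"):
        if name in vroots:
            hits.append(("drive mapped as IIS virtual root", f"{name}={vroots[name]}"))
    # /SCRIPTS and /MSADC are legitimate roots whose access is widened; report
    # their current data for comparison with a known-good server instead of
    # interpreting the flag bits here.
    for name in ("/SCRIPTS", "/MSADC"):
        if name in vroots:
            hits.append(("review access flags", f"{name}={vroots[name]}"))
    return hits


def assess(snap):
    """Verdict plus evidence: review items alone do not mean infection."""
    findings = file_findings(snap) + registry_findings(snap)
    hard = [f for f in findings if f[0] != "review access flags"]
    return {"infected": bool(hard), "findings": findings}


# Constructed snapshots, not real captures. Virtual Roots data is written in
# the "path,username,accessflags" form (assumed format; flag numbers made up).
CLEAN_HOST = HostSnapshot(
    files={r"C:\WINNT\explorer.exe"},
    registry={WINLOGON_KEY: {"SFCDisable": 0},
              VROOTS_KEY: {"/SCRIPTS": r"C:\Inetpub\scripts,,205"}},
)
INFECTED_HOST = HostSnapshot(
    files={r"C:\WINNT\explorer.exe", r"C:\explorer.exe",
           r"C:\Inetpub\scripts\root.exe"},
    registry={WINLOGON_KEY: {"SFCDisable": 1},
              VROOTS_KEY: {"/SCRIPTS": r"C:\Inetpub\scripts,,217",
                           "/C": r"C:\,,217", "/D": r"D:\,,217"}},
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, assess(snap))
```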
Method Of Infection:
This worm makes use of a Microsoft Index Server buffer overflow exploit
to execute itself in memory.
Removal Instructions:
Microsoft has released a tool to "eliminate the obvious effects
of the Code Red II worm"
-- Trojan Removal --
To detect and remove the trojan, update to the 4152 DATs. If the trojan
is detected it will be deleted, and the registry keys which allow
a remote attacker to have access to the C: and D: drives, via a web
browser, will be deleted as well.
Additionally, administrators need to remove the /C and /D virtual
shares through the Internet Services Manager, and if necessary should
restore the permissions on the /SCRIPTS and /MSADC virtual directories
for each virtual website. The Windows File Protection/System File
Checker registry value should be restored to the desired setting (0
is the default):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
Delete the following files:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
-- Virus Removal --
Install the patches from Microsoft. For more information and to obtain
the patches for these vulnerabilities, visit Microsoft's sites:
Unchecked Buffer in Index Server ISAPI Extension Could Enable Web
Server Compromise
"Relative Shell Path"
Vulnerability
Note that on top of applying the patch, rebooting the server is also
required to remove the worm from memory. Without the patch, the machine
will simply become reinfected through the same vulnerability.
The worm does NOT affect desktop
systems or pure file servers.
Disclaimer: Remember that this
information -- as with all information on this website -- is provided
as a public service to help you understand Viruses, Worms, and Hoaxes.
Check with your Internet Manager for his or her recommendations; make
sure you have an Anti-Virus program running on your machine; scan
your system regularly; don't open files from people you don't know;
check the websites of vendors of your software for patches.

W32/SirCam@mm (Sir Cam Virus)
A growing number of computers
are being infected with W32/SirCam@MM. This is a High Risk Virus for
Consumers! The infected email can come from addresses that you recognize.
Attached is a file with two different extensions. The file name itself
varies.
The email message can appear
as follows:
Subject: [filename (random)]
Body: [content varies]
---ENGLISH VERSION---
Hi! How are you?
I send you this file in order
to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks
---SPANISH VERSION---
Hola como estas ?
Te mando este archivo para
que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste
Nos vemos pronto, gracias.
The virus searches for .GIF,
.JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in
the MY DOCUMENTS folder and attempts to send copies of these documents
to email recipients found in the Windows Address Book and addresses
found in cached files.
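As an added example (not part of the original page), a Python mail-filter check that combines the indicators above: the fixed opening and closing lines, the four middle sentences of each language, and the double-extension attachment whose name doubles as the subject. The sample messages and attachment names are constructed.

```python
"""Mail-filter check for the W32/SirCam@mm message described above (added example)."""
import re
from dataclasses import dataclass

# Fixed opening line, one of four middle sentences, fixed closing line.
TEMPLATES = {
    "en": ("Hi! How are you?",
           ("I send you this file in order to have your advice",
            "I hope you can help me with this file that I send",
            "I hope you like the file that I sendo you",
            "This is the file with the information that you ask for"),
           "See you later. Thanks"),
    "es": ("Hola como estas ?",
           ("Te mando este archivo para que me des tu punto de vista",
            "Espero me puedas ayudar con el archivo que te mando",
            "Espero te guste este archivo que te mando",
            "Este es el archivo con la información que me pediste"),
           "Nos vemos pronto, gracias."),
}

# "name.ext1.ext2": two short extensions, the second disguising the first.
DOUBLE_EXT = re.compile(
    r"^(?P<stem>[^.]+)\.(?P<first>[a-z0-9]{1,4})\.(?P<last>[a-z0-9]{1,4})$", re.I)
# Legitimate compound extensions that must not be reported.
COMPOUND_OK = {("tar", "gz"), ("tar", "bz2")}


def normalize(text):
    """Collapse whitespace so line wrapping cannot defeat the match."""
    return " ".join(text.split())


def body_template_language(body):
    """Return 'en' or 'es' if the body is built from that template, else None."""
    b = normalize(body)
    for lang, (opening, middles, closing) in TEMPLATES.items():
        if b.startswith(opening) and b.endswith(closing):
            inner = b[len(opening):len(b) - len(closing)].strip()
            if inner in middles:
                return lang
    return None


def disguised_attachment(filename):
    """Return the file stem when the name carries two different extensions."""
    m = DOUBLE_EXT.match(filename.strip())
    if not m:
        return None
    first, last = m.group("first").lower(), m.group("last").lower()
    if first == last or (first, last) in COMPOUND_OK:
        return None
    return m.group("stem")


@dataclass
class Message:
    subject: str
    body: str
    attachments: list


def classify(msg):
    """Flag as SirCam only when template body and disguised file coincide."""
    reasons = []
    lang = body_template_language(msg.body)
    if lang:
        reasons.append(f"body matches SirCam {lang} template")
    disguised = False
    for name in msg.attachments:
        stem = disguised_attachment(name)
        if stem is not None:
            disguised = True
            reasons.append(f"double-extension attachment: {name}")
            # The worm reuses the attachment's name as the subject line.
            if normalize(msg.subject).lower() == stem.lower():
                reasons.append("subject equals attachment name")
    return {"sircam": bool(lang) and disguised, "reasons": reasons}


# Constructed samples, not captured mail.
SAMPLE_SIRCAM = Message(
    subject="Presupuesto",
    body="Hola como estas ?\nTe mando este archivo para\n"
         "que me des tu punto de vista\nNos vemos pronto, gracias.",
    attachments=["Presupuesto.doc.pif"],
)
SAMPLE_BENIGN = Message(
    subject="Build logs",
    body="Hi! How are you?\nLogs from last night's build are attached.\n"
         "See you later. Thanks",
    attachments=["logs.tar.gz"],
)
```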
PREVENTION:
* Don't open attachments from people you don't know, no matter how appealing
they may look!
* Get protected. If you don't already have virus protection software
on your machine, you should. If you're a home or individual user,
it's as easy as downloading any of these top-rated programs then following
the installation instructions. If you're on a network, check with
your network administrator first.
* Scan your system regularly. If you're just loading anti-virus software
for the first time, it's a good idea to let it scan your entire system.
It's better to start with your PC clean and free of virus problems.
Often the antivirus program can be set to scan each time the computer
is rebooted or on a periodic schedule. Some will scan in the background
while you are connected to the Internet. Make it a regular habit to
scan for viruses.
* Update your anti-virus software. Now that you have virus protection
software installed, make sure it's up-to-date. Some antivirus protection
programs have a feature that will automatically link to the Internet
and add new virus detection code whenever the software vendor discovers
a new threat. You can also scan your system for the latest security
updates.
=====================
W32.Marijuana (W32.Mari)
W32.Marijuana (W32.Mari) is a non-destructive
worm with an agenda that will leave you dazed and confused. If you
click on the attachment, Marijuana spreads to everyone listed in that
user's Outlook address book. It will also change your default Internet
Explorer page to a pro-marijuana Web site. At the moment, Marijuana
is a low-threat, and currently ranks as 4 on the ZDNet Virus Meter.
How it works
Marijuana arrives as an e-mail with the following information:
Subject: check this out!!!
Once installed, Marijuana sends copies of itself to all the
address found in the infected computer's Outlook address book. The
worm also puts a marijuana leaf icon on the system tray. If the infected
user clicks on the icon, a pop-up dialog box displays with the following
text:
I
think i speak for every pot smoker in North America when i say: *Legalize
Marijuana*...I mean if people with AIDS, Cancer and other deaises
can use it then why cant the rest of us (pot smokers) use it?,I don't
think that's very fair (Do you?). If it's legal to grow and use in
places like: Australia (for personal use) then why not in North america?
If doctors are useing it as a treament for illness then it must no
be *THAT* harmful (So why can't other people use it?). I really do
think the federal government should consider legalization of marijuana.
Well that's really all i have to say on the matter, but i do hope
somebody, somewhere listens to what i have to say and does not just
regard this as just another *virus* because it's more than that, it's
a message, a message for freedom, the freedom to smoke up and have
the chose to do so *WITHOUT* fear of punishment from the law and the
government. Thank you for your time.
What It Does
Marijuana changes the default home page of Internet Explorer
to a Web site promoting the legal use of marijuana, changes the Windows
registration to "I'm a Pot Head," and the company to "Stoner's
Pot Place."
Marijuana also triggers every afternoon at 4:20 with another dialog
box that reads, "The Marijuana Virus!!" and includes the
text, "It's 4:20, Time to toke up :)."
Removal
Most antivirus software companies are expected to update their
signature files to include Marijuana. For more information on removing
Marijuana from your system, see Sophos.
Prevention
Here are the basic steps for containing the latest worm:
* Download Microsoft's Outlook Security Patch. If you haven't already
installed it, download the Outlook 98 Security Patch or the Outlook
2000 Security Patch. Please note that this patch does not include
Outlook Express.
* Turn off Windows Scripting Host. Recent virus outbreaks have exploited
known vulnerabilities in Visual Basic Scripting under Windows. To
limit your risk of infection, you should turn off Windows Scripting
Host.
* "Don't open attachments!" One of the best ways to prevent
virus infections is not to open attachments, especially when viruses
such as this virus are being actively circulated. Even if the e-mail
is from a known source, be careful. A few viruses take the mailing
lists from an infected computer and send out new messages with its
destructive payload attached. Always scan attached files first for
viruses. Unless it's a file or image you are expecting, delete it.
* Get protected. If you don't already have virus protection software
on your machine, you should. If you're a home or individual user,
it's as easy as downloading any of these top-rated programs then following
the installation instructions. If you're on a network, check with
your network administrator first.
* Scan your system regularly. If you're just loading anti-virus software
for the first time, it's a good idea to let it scan your entire system.
It's better to start with your PC clean and free of virus problems.
Often the antivirus program can be set to scan each time the computer
is rebooted or on a periodic schedule. Some will scan in the background
while you are connected to the Internet. Make it a regular habit to
scan for viruses.
* Update your anti-virus software. Now that you have virus protection
software installed, make sure it's up-to-date. Some antivirus protection
programs have a feature that will automatically link to the Internet
and add new virus detection code whenever the software vendor discovers
a new threat. You can also scan your system for the latest security
updates.
=====================
The virus
Acid.A was intended to propagate by infecting Word Documents
in Microsoft WORD Version 97 on Windows platforms. The virus consists
of the macro(s): AUTOOPEN, FILENEW, FILESAVE, FILESAVEAS, FILEPRINT,
FILEPRINTPREVIEW, TOOLSMACRO, VIEWVBCODE, FILETEMPLATES, KILLBAV,
TIMER, ACID, ACID2
in an infected document. The macros are
stored in a module ACID.
Indications Of Infection:
The virus will copy the viral code to the users NORMAL.DOT, but it
hasn't proven successful in infecting document files. Future variants
might replicate properly and have nearly identical features to this
variant. On an infected system the virus hides the TOOLS|MACRO, FILE|TEMPLATES
and VIEW|VBCODE functionality. The virus changes Microsoft Word in
the main application title bar to ULTRAS. When opening a file, the
virus searches for the following file group and deletes the files
where possible:
C:\Program Files\AntiViral Toolkit Pro\*.*
C:\Program Files\Command Software\F-PROT95\*.*
C:\Program Files\McAfee\VirusScan\*.*
C:\Program Files\Norton AntiVirus\*.*
C:\Program Files\FindVirus\*.*
C:\f-macro\*.*
C:\Tbavw95\*.*
When opening a file on the 1st, a MessageBox titled ULTRAS with the text
"You Infected WM97.ACID by ULTRAS" and an OK button
is displayed. Then the active document is
saved with the password ACID BY ULTRAS and this text is also inserted
in the document in 65-Point blue letters.
When opening a file on the 9th, the same MessageBox is displayed. The
virus saves the file with the password ULTRAS and this text is also
inserted in the document in 140-point purple letters.
When opening a file on the 17th, the virus
inserts ULTRAS into the document and the virus searches for the following
file group and deletes the files where possible:
C:\Autoexec.bat
C:\Config.sys
C:\Command.com
When opening a file on the 25th, the virus
inserts ACID BY ULTRAS into the document and the virus searches for
the following file group and deletes the files where possible:
C:\Windows\*.ini
C:\Windows\System\*.dll
Method Of Infection:
As this is an intended virus, there is no method of infection. It does
not infect.
Removal Instructions:
Script, Batch, Macro and non-memory-resident:
Use specified engine and DAT files for detection and removal.
PE,Trojan,Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot
to MS-DOS mode or use a boot diskette and use the command line scanner:
SCANPM /ADL /CLEAN /ALL
Additional information for Windows ME users:
NOTE: Windows ME utilizes a backup utility that backs up selected
files automatically to the C:\_Restore folder. This means that an
infected file could be stored there as a backup file, and VirusScan
will be unable to delete these files. These instructions explain how
to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the
Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse
the files located in the C:\_Restore folder and remove them.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step
5 remove the check mark next to "Disable System Restore".
The infected files are removed and the System Restore is once again
active.
================
W32/APost@mm
The W32/APost@mm ("APost" or "New Backdoor") worm has been spreading
through the Microsoft Outlook email program. The infected email can
come from addresses that you recognize and may contain the following
information:
Subject: As per your request!
Body: Please find attached file for your
review. I look forward to hear from you again very soon. Thank you.
Attachment: README.EXE
Running the attachment causes
the worm to copy itself to the Windows directory and send a copy of
itself to every entry in the user's Microsoft Outlook Address Book.
It will then display a small dialog box titled "Urgent!".
This dialog box contains one single large button labeled "Open".
If this button is pressed then the worm sends out further copies of
itself, displays an error message box with the title "WinZip
SelfExtractor: Warning" and then terminates.
================
Top and/or New Viruses include: W32/Badtrans@MM, W32/Matcher@MM,
W32.Magistr.24876@mm, W32/MTX@MM, Win32.Invalid
1. W32/Badtrans@MM
is a mass-mailing worm that spreads via the email program MS Outlook.
This worm creates an Outlook object that sends an infected document
as a reply to all unread email messages. If the attachment is opened,
the worm displays a message box:
Title: Install error
Message: File data corrupt: probably due to a bad data transmission
or bad disk access.
Once running, the Trojan attempts to mail the victim's IP address to the
author. With this information the author can connect to the infected
system via the Internet and steal personal information such as usernames
and passwords. In addition, the Trojan is capable of capturing other
vital information such as credit card and bank account numbers.
========================
2. W32/Matcher@MM
is a mass-mailing worm that spreads via MS Outlook.
Once running, the program attempts to email itself to everyone in
the Outlook Address book repeatedly, until the worm is removed from
the system. The email message appears as follows:
Subject: Matcher
Body: Want to find your love mates!!! Try this its cool... Looks and
Attitude Maching to opposite sex.
Attachment: Matcher.exe
Virus Characteristics: This threat is detected heuristically with
the current engine and 4096 DATs (released in September, 2000) as
"New Backdoor". Specific detection is included in the 4134
DATs.
Aliases: Matcher (F-Secure), Troj_Matcher.A (Trend), W32.Matcher (NAV),
W32/Matcher (Panda, Sophos), Win32.Matcher.Worm (CA)
This mass mailing worm requires the Visual Basic 6 (or higher) runtime
library to function. When run, it copies itself to the WINDOWS SYSTEM
directory as Matcher.exe and creates a registry run key to load the
worm at startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)=%SysDir%\matcher.exe
Once running, the program attempts to email itself to everyone in
the Outlook Address Book using the message shown above.
The worm also attempts to modify the AUTOEXEC.BAT file as follows:
@echo off
echo from: Bugger
pause
Indications Of Infection
- Email correspondence informing you that you have sent them an attachment
when you did not
- Presence of Matcher.exe in the WINDOWS SYSTEM directory
- Presence of the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)=%SysDir%\matcher.exe
Method Of Infection:
Executing the email attachment Matcher.exe will infect the local machine.
The worm mails this attachment to all recipients in the Outlook Address
Book repeatedly, until the worm is removed from the system.
Removal Instructions:
Use specified engine and DAT files for detection and removal.
Manual Removal Instructions
Delete the registry keys as mentioned
Restart the computer
Delete the files mentioned
=====================
3. W32.Magistr.24876@mm
is a virus that has email worm capability. It is also network aware.
It infects Windows Portable Executable (PE) files, with the exception
of .dll system files, and sends email messages to addresses that it
gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx),
the sent items file from Netscape, and Windows address books (.wab),
which are used by mail clients such as Microsoft Outlook and Microsoft
Outlook Express. The email message may have up to two attachments,
and it has a randomly generated subject line and message body.
Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm
Large scale e-mailing: Uses email addresses from the Windows Address
Book files and Outlook Express Sent Items folder.
Causes system instability: Overwrites hard drives, erases CMOS, flashes
the BIOS.
Releases confidential info: It could send confidential Microsoft Word
documents to others.
Subject of email: Randomly generated text that can be up to 60 characters
long.
Name of attachment: One randomly named infected executable and several
randomly selected text or document files
Target of infection: All Windows PE files that are not .dll files.
Technical description:
When a file that is infected by W32.Magistr.24876@mm is executed,
it searches in memory for a readable, writable, initialized section
inside the memory space of Explorer.exe. If one is found, a 110-byte
routine is inserted into that area, and the TranslateMessage function
is hooked to point to that routine. This code first appeared in W32.Dengue.
When the inserted code gains control, a thread is created and the
original TranslateMessage function is called. The thread waits for
three minutes before activating. Then the virus obtains the name of
the computer, converts it to a base64 string, and depending on the
first character of the name, creates a file in either the \Windows
folder, the \Program Files folder, or the root folder. This file contains
certain information, such as the location of the email address books
and the date of initial infection. Then it retrieves the current user's
email name and address information from the registry (Outlook, Exchange,
Internet Mail and News), or the Prefs.js file (Netscape). The virus
keeps in its body a history of the 10 most recently infected users,
and these names are visible in infected files when the virus is decrypted.
After this, the virus searches for the Sent file in the Netscape folder,
and for .wab, .mbx, and .dbx files in the \Windows and \Program Files
folders.
If an active Internet connection exists, the virus searches for up
to five .doc and .txt files and chooses a random number of words from
one of these files. These words are used to construct the subject
and message body of the email message. Then the virus searches for
up to 20 .exe and .scr files smaller than 128 KB, infects one of these
files, attaches the infected file to the new message, and sends this
message to up to 100 people from the address books. In addition there
is a 20-percent chance that it will attach the file from which the
subject and message body was taken, and an 80-percent chance that
it will add the number 1 to the second character of the sender address.
This last change prevents replies from being returned to you and possibly
alerting you to the infection.
After the mailing is done, the virus searches for up to 20 .exe and
.scr files, and infects one of these files. Then there is a 25-percent
chance, if the Windows directory is named one of the following:
Winnt
Win95
Win98
Windows
that the virus will move the infected file into the \Windows folder
and alter the file name slightly. Once the file is moved, a run= line
is added to the Win.ini file to run the virus whenever the computer
is started. In the other 75 percent of cases, the virus will create
a registry subkey in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The name of this subkey is the name of the file without a suffix,
and the value is the complete file name of the infected file. The
virus then searches all local hard drives and all shared folders on
the network for up to 20 .exe and .scr files to infect, and adds the
run= line if the \Windows folder exists in that location.
If the computer has been infected for one month and at least 100 people
have been sent an infected file, and if at least three files contain
at least three examples from a list of words, then
the virus will activate the first of its payloads.
This payload is similar to
that of W32.Kriz, and it does the following:
Deletes the infected file
Erases CMOS (Windows 9x/Me only)
Erases the Flash BIOS (Windows 9x/Me only)
Overwrites every 25th file with the text YOUARESHIT as many times
as it will fit in the file
Deletes every other file
Displays the following message:
Overwrites a sector of the first hard disk
This payload is repeated infinitely.
If the computer has been infected for two months, then on odd days
the desktop icons are repositioned whenever the mouse pointer approaches,
giving the impression that the icons are "running away"
from the mouse:
If the computer has been infected for three months, then the infected
file is deleted.
For files that are infected by W32.Magistr.24876@mm, the entry point
address remains the same, but up to 512 bytes of garbage code is placed
at that location. This garbage code transfers control to the last
section. A polymorphic encrypted body is appended to the last section.
The virus is hostile to debuggers and will crash the computer if a
debugger is found.
To remove this worm:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making
sure that NAV is set to scan all files.
3. If any files are detected as infected by W32.Magistr.24876@mm,
choose Repair.
NOTE: This virus contains bugs which will corrupt some files while
attempting to infect them, as well as when the first payload activates.
These files cannot be repaired; they must be restored from backup.
=====================
4. W32/MTX@MM
is a combination of a Virus, Worm and Backdoor. Removal of this virus
requires 4095 DAT files. This virus was discovered Aug 23, 2000.
This is a 32-bit PE file infector for Windows 9x/NT systems. This virus
modifies WSOCK32.DLL in an effort to hook SMTP traffic and attach itself
to outgoing mail. This virus searches for available shares through
Network Neighborhood in an effort to transfer to host systems.
-Worm/Backdoor part: As it has mailing capabilities
users may receive an e-mail with a file attachment, the name of the
attachment is variable, but it may be like: I_am_sorry_doc.pif, or
zipped_files.exe etc. Regardless of the deceiving filename and extension,
the attached file is in fact a 32-bit PE (Portable Executable) file,
common on Win9x/WinNT.
-Virus part: the virus also modifies 32-bit PE files, like .EXE and
.DLL, in the Windows folder. It might search local mapped drives for
target files.
When this virus sends itself via email,
it could be one of the following file names, randomly picked. For
removal instructions, check here.
5. August 30, 2001 Win32.Invalid.A@mm
It has just come in that a new Internet
worm called Win32.Invalid.A@mm is being sent out in an email purporting
to be from Microsoft Technical Support.
The worm is dangerous and encrypts .exe
applications with a random key, rendering them unusable. It also checks
that there is an Internet connection open and searches for files with
the extension ".ht*" in your My Documents folder, takes
the email addresses and forwards itself, reports anti-virus company
Central Command.
It appears as follows:
From: "Microsoft Support" support@microsoft.com
Subject: Invalid SSL Certificate
Hello,
Microsoft Corporation announced
that an invalid SSL certificate that web sites use is required to
be installed on the user computer to use the https protocol. During
the installation, the certificate causes a buffer overrun in Microsoft
Internet Explorer and by that allows attackers to get access to your
computer. The SSL protocol is used by many companies that require
credit card or personal information so, there is a high possibility
that you have this certificate installed. To avoid of being attacked
by hackers, please download and install the attached patch. It is
strongly recommended to install it because almost all users have this
certificate installed without their knowledge.
Have a nice day,
Microsoft Corporation
Attachment: sslpatch.exe
The worm may be especially dangerous since many people are upgrading
to Internet Explorer 6 and Media Player 7 at the moment, not to mention
Windows XP.
Rumors that it isn't a worm
at all but a service pack with a new "feature" that cuts
out the middleman and screws up the computer have been vigorously
denied by MS spokesgoblins. ®
=====================