[Imc] virus alert

Russell A Rybicki russrybicki01 at juno.com
Fri Sep 28 00:11:12 UTC 2001


If you see an e-mail like this, delete it at once!

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!

Message: 
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!

 
 
W32.Vote.A@mm
Discovered on: September 24, 2001 
Last Updated on: September 24, 2001 at 09:56:27 AM PDT 

W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic.
When executed, it will email itself out to all email addresses in the
Microsoft Outlook address book. The worm will insert two .vbs files on
the system, and it will also attempt to delete files from several
antivirus products. 

Type: Worm 

Infection Length: 55,808 Bytes 

Virus Definitions: September 24, 2001 

Threat Assessment: 

Wild: Low 
Damage: High 
Distribution: High 

Wild: 

Number of infections: 0 - 49 
Number of sites: 3 - 9 
Geographical distribution: Medium 
Threat containment: Moderate 
Removal: Moderate 
Damage: 

Payload: 
Large scale e-mailing: Emails everyone in the Microsoft Outlook
addressbook 
Deletes files: After reboot, the worm attempts to delete all files in the
Windows folder 
Modifies files: All files with the extension "htm" or "html" will be
overwritten. 
Compromises security settings: If the Backdoor.Trojan was successfully
downloaded and installed, anyone could gain full access to the computer. 
Distribution: 

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM! 
Name of attachment: WTC.exe 
Size of attachment: 55808 Bytes 

Technical description: 

W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
language. It requires the file Msvbvm50.dll to execute.

When executed, the worm will attempt to email itself to all contacts in
the Microsoft Outlook address book. The email will appear as follows.

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!

Message: 
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!

Attachment: WTC.EXE

Next, the worm will insert two .vbs files on the system:


\<Windows folder>\ZaCker.vbs 
\<Windows\System folder>\MixDaLaL.vbs

In addition, the worm will attempt to download and execute a file. This
file is detected as Backdoor.Trojan by Norton Antivirus.

Finally, the worm will attempt to delete all files from several folders.
These folders appear to be the default installation folders for several
antivirus products. For Norton AntiVirus, this worm will only attempt to
delete the files if Norton Antivirus is located in C:\Program
Files\Norton AntiVirus.

What the dropped files do

MixDaLaL.vbs
MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
\Windows\System folder. This file is executed by the worm. As the file is
executed, it will look through all folders on all fixed drives and
network drives for files with the extensions .htm or .html. If such
files are found, they are overwritten with the message:

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>>
ZaCkEr is So Sorry For You

ZaCker.VBS
This file is inserted in the \Windows\System folder. It is not executed
by the worm. Instead, the value

Norton.Thar \Windows\System\ZaCker.vbs

is added to the registry key

HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run

so that the file is executed when you start Windows.

When executed at the next restart, this file will attempt to delete all
files in the \Windows folder. Next, the worm will create or overwrite the
file C:\Autoexec.bat. Inside the file there will be a command that
formats the C drive. The Autoexec.bat file is executed on Windows
95/98/Me and DOS systems when you start the computer.

Finally, the worm will display the message



The worm does attempt to shut down Windows after the message has been
displayed. However, because the files required for this event to occur
have been deleted from the \Windows folder, the computer probably will
not shut down.


Removal instructions: 


1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How
to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Vote.A@mm. If the worm has
run and Norton AntiVirus is installed in C:\Program Files\Norton
AntiVirus, you should reinstall Norton Antivirus.
5. If the computer has been rebooted after the infection, or if the
computer seems very unstable, it is recommended that you reinstall the
operating system.



Additional information: 

If the Backdoor.Trojan was successfully installed on the computer, it is
possible that your system has been accessed remotely by an unauthorized
user. For this reason it is impossible to guarantee the integrity of a
system that has had such an infection. The remote user could have made
changes to your system, including but not limited to the following:


Stealing or changing passwords or password files 
Installing remote-connectivity host software, also known as backdoors 
Installing keystroke logging software 
Configuring of firewall rules 
Stealing of credit card numbers, banking information, personal data, and
so on 
Deletion or modification of files 
Sending of inappropriate or even incriminating material from a customer's
email account 
Modifying access rights on user accounts or files 
Deleting information from log files to hide such activities

If you need to be certain that your organization is secure, you must
reinstall the operating system, and restore files from a backup that was
made before the infection took place, and change all passwords that may
have been on the infected computers or that were accessible from it. This
is the only way to ensure that your systems are safe. For more
information regarding security in your organization, contact your system
administrator.

I thought you would like to be warned about this since it's a subject
we're concerned about.
Russ Rybicki

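A mail-gateway check for the distribution indicators quoted in the advisory above (subject line, attachment name WTC.exe, attachment size 55,808 bytes). This is an added example, not part of the original post or of the Symantec writeup; the sample message is constructed and its attachment is an inert placeholder, not the worm.

```python
import email
from email import policy

# Indicators taken from the advisory: the worm's subject line, attachment name and size.
WORM_SUBJECT = "Fwd:Peace BeTweeN AmeriCa and IsLaM!"
WORM_ATTACHMENT = "wtc.exe"
WORM_SIZE = 55808

# Constructed sample that mimics the worm's mail; the attachment is a short placeholder.
SAMPLE_RAW = """\
From: sender@example.com
Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!

--BOUNDARY
Content-Type: application/octet-stream; name="WTC.exe"
Content-Disposition: attachment; filename="WTC.exe"

placeholder bytes, not the worm
--BOUNDARY--
"""

def vote_indicators(raw):
    """Return which W32.Vote.A@mm indicators a raw RFC 822 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() == WORM_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == WORM_ATTACHMENT:
            hits.append("attachment-name")
            payload = part.get_payload(decode=True) or b""
            if len(payload) == WORM_SIZE:  # exact size reported in the advisory
                hits.append("attachment-size")
    return hits

def should_quarantine(raw):
    """Quarantine on the attachment name alone, or on the subject paired with any attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = vote_indicators(raw)
    has_attachment = any(p.get_filename() for p in msg.walk())
    return "attachment-name" in hits or ("subject" in hits and has_attachment)
```

The size check is kept separate because a repacked or damaged copy will not match it; the name and subject are the reliable triggers.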

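A host-side triage script for the artefacts described in the technical description above: the two dropped .vbs files, .htm/.html pages overwritten with the ZaCkEr text, and a format command written into Autoexec.bat. This is an added example, not part of the original post or of the Symantec writeup; it builds a constructed mock of an infected drive in a temporary folder (placeholder files, nothing from the worm) and walks it the way you would walk a mounted disk image.

```python
import os
import re
import tempfile

# Indicators from the advisory: dropped scripts, the defacement text written into
# .htm/.html files, and the format command placed in C:\Autoexec.bat.
DROPPED_NAMES = {"zacker.vbs", "mixdalal.vbs"}
DEFACEMENT_TEXT = "ZaCkEr is So Sorry For You"
FORMAT_CMD = re.compile(r"^\s*format\b", re.IGNORECASE | re.MULTILINE)

def triage_tree(root):
    """Walk a mounted folder or drive image and report W32.Vote.A@mm artefacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low in DROPPED_NAMES:
                findings.append(("dropped-script", path))
                continue
            if low == "autoexec.bat" or low.endswith((".htm", ".html")):
                with open(path, encoding="latin-1", errors="replace") as fh:
                    text = fh.read()
                if low == "autoexec.bat" and FORMAT_CMD.search(text):
                    findings.append(("format-in-autoexec", path))
                elif low != "autoexec.bat" and DEFACEMENT_TEXT in text:
                    findings.append(("defaced-page", path))
    return sorted(findings)

def build_sample_tree():
    """Constructed mock of an infected C: drive (inert placeholder files, not the worm)."""
    root = tempfile.mkdtemp(prefix="vote_a_")
    os.makedirs(os.path.join(root, "Windows", "System"))
    os.makedirs(os.path.join(root, "web"))
    sample = {
        os.path.join("Windows", "System", "MixDaLaL.vbs"): "' placeholder, inert\n",
        os.path.join("Windows", "ZaCker.vbs"): "' placeholder, inert\n",
        os.path.join("web", "index.html"): "AmeRiCa ... ZaCkEr is So Sorry For You\n",
        os.path.join("web", "about.htm"): "<html>untouched page</html>\n",
        "Autoexec.bat": "@echo off\nformat c:\n",
    }
    for rel, body in sample.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for kind, path in triage_tree(build_sample_tree()):
        print(f"{kind:20s} {path}")
```

Pair this with a check of the Run key named in the advisory for a "Norton.Thar" value pointing at ZaCker.vbs; that is a registry read and is not covered by this filesystem walk.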