[Imc] virus alert
Russell A Rybicki
russrybicki01 at juno.com
Fri Sep 28 00:11:12 UTC 2001
If you see an e-mail like this, delete it at once!
Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Message:
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
W32.Vote.A@mm
Discovered on: September 24, 2001
Last Updated on: September 24, 2001 at 09:56:27 AM PDT
W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic.
When executed, it will email itself out to all email addresses in the
Microsoft Outlook address book. The worm will insert two .vbs files on
the system, and it will also attempt to delete files from several
antivirus products.
Type: Worm
Infection Length: 55,808 Bytes
Virus Definitions: September 24, 2001
Threat Assessment:
Wild: Low
Damage: High
Distribution: High
Wild:
Number of infections: 0 - 49
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Damage:
Payload:
Large scale e-mailing: Emails everyone in the Microsoft Outlook
addressbook
Deletes files: After reboot, the worm attempts to delete all files in the
Windows folder
Modifies files: All files with the extension "htm" or "html" will be
overwritten.
Compromises security settings: If the Backdoor.Trojan was successfully
downloaded and installed, anyone could gain full access to the computer.
Distribution:
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes
Technical description:
W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
language. It requires the file Msvbvm50.dll to execute.
When executed, the worm will attempt to email itself to all contacts in
the Microsoft Outlook address book. The email will appear as follows.
Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Message:
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
Attachment: WTC.EXE
Next, the worm will insert two .vbs files on the system:
\<Windows folder>\ZaCker.vbs
\<Windows\System folder>\MixDaLaL.vbs
In addition, the worm will attempt to download and execute a file. This
file is detected as Backdoor.Trojan by Norton Antivirus.
Finally, the worm will attempt to delete all files from several folders.
These folders appear to be the default installation folders for several
antivirus products. For Norton AntiVirus, this worm will only attempt to
delete the files if Norton Antivirus is located in C:\Program
Files\Norton AntiVirus.
What the dropped files do
MixDaLaL.vbs
MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
\Windows\System folder. This file is executed by the worm. As the file is
executed, it will look through all folders on all fixed drives and
network drives for files with the extensions .htm or .html. If such
files are found, they are overwritten with the message:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>>
ZaCkEr is So Sorry For You
ZaCker.VBS
This file is inserted in the \Windows\System folder. It is not executed
by the worm. Instead, the value
Norton.Thar \Windows\System\ZaCker.vbs
is added to the registry key
HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run
so that the file is executed when you start Windows.
When executed at the next restart, this file will attempt to delete all
files in the \Windows folder. Next, the worm will create or overwrite the
file C:\Autoexec.bat. Inside the file there will be a command that
formats the C drive. The Autoexec.bat file is executed on Windows
95/98/Me and DOS systems when you start the computer.
Finally, the worm will display the message
The worm does attempt to shut down Windows after the message has been
displayed. However, because the files required for this event to occur
have been deleted from the \Windows folder, the computer probably will
not shut down.
Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How
to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Vote.A@mm. If the worm has
run and Norton AntiVirus is installed in C:\Program Files\Norton
AntiVirus, you should reinstall Norton Antivirus.
5. If the computer has been rebooted after the infection, or if the
computer seems very unstable, it is recommended that you reinstall the
operating system.
Additional information:
If the Backdoor.Trojan was successfully installed on the computer, it is
possible that your system has been accessed remotely by an unauthorized
user. For this reason it is impossible to guarantee the integrity of a
system that has had such an infection. The remote user could have made
changes to your system, including but not limited to the following:
Stealing or changing passwords or password files
Installing remote-connectivity host software, also known as backdoors
Installing keystroke logging software
Configuring of firewall rules
Stealing of credit card numbers, banking information, personal data, and
so on
Deletion or modification of files
Sending of inappropriate or even incriminating material from a customer's
email account
Modifying access rights on user accounts or files
Deleting information from log files to hide such activities
If you need to be certain that your organization is secure, you must
reinstall the operating system, and restore files from a backup that was
made before the infection took place, and change all passwords that may
have been on the infected computers or that were accessible from it. This
is the only way to ensure that your systems are safe. For more
information regarding security in your organization, contact your system
administrator.
I thought you would like to be warned about this since it's a subject
we're concerned about.
Russ Rybicki
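The write-up above gives two sets of indicators: what the mail looks like (subject, WTC.exe attachment of 55,808 bytes) and what the worm leaves on a host (the two dropped .vbs files, the Norton.Thar Run value, a rewritten Autoexec.bat, defaced .htm/.html files). The following is an added example, not code from the original post or from Symantec, that turns both lists into triage checks. The indicator strings are taken from the write-up; the sample mail, file tree and registry export are constructed here so it runs offline, and the registry sample assumes the standard HKLM\Software\...\CurrentVersion\Run location (the checker matches only on the key's CurrentVersion\Run suffix, so the exact hive path in the write-up does not matter).

```python
"""Triage checks for the W32.Vote.A@mm indicators quoted above.

Hypothetical example, not code from the original post or from Symantec.
Indicator strings come from the write-up; SAMPLE_* inputs are constructed.
"""
import email
import email.policy
import re

SUBJECT = "Fwd:Peace BeTweeN AmeriCa and IsLaM!"
ATTACHMENT = "wtc.exe"            # compared case-insensitively
ATTACHMENT_SIZE = 55808
DROPPED = {"zacker.vbs", "mixdalal.vbs"}
RUN_VALUE = "norton.thar"         # value name added under ...\CurrentVersion\Run
DEFACEMENT = b"AmeRiCa ...Few Days WiLL Show You What We Can Do"


def mail_indicators(raw: bytes) -> list[str]:
    """Indicators found in one RFC 822 message (gateway or mailbox scan)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ATTACHMENT:
            continue
        hits.append("attachment name")
        payload = part.get_payload(decode=True) or b""
        if len(payload) == ATTACHMENT_SIZE:
            hits.append("attachment size")
    return hits


def host_indicators(files: dict, reg_export: str) -> list[str]:
    """Indicators on a host. files maps path -> content; reg_export is regedit /e text."""
    hits = []
    for path, data in files.items():
        base = path.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if base in DROPPED:
            hits.append(f"dropped file {path}")
        # Autoexec.bat rewritten to format C: on the next Windows 9x/DOS boot
        if base == "autoexec.bat" and re.search(rb"(?im)^\s*format\s+c:", data):
            hits.append(f"format command in {path}")
        if base.endswith((".htm", ".html")) and DEFACEMENT in data:
            hits.append(f"defaced {path}")
    # Walk the .reg export and flag the value only inside a ...\CurrentVersion\Run key
    in_run = False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
        elif in_run and line.lower().startswith(f'"{RUN_VALUE}"='):
            hits.append("Run value " + line.strip())
    return hits


# --- constructed sample input, not a real capture ---
SAMPLE_MAIL = b"""From: sender@example.invalid
To: you@example.invalid
Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
--XX
Content-Type: application/octet-stream; name="WTC.exe"
Content-Disposition: attachment; filename="WTC.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XX--
"""

SAMPLE_FILES = {
    "C:\\WINDOWS\\ZaCker.vbs": b"' dropped script",
    "C:\\WINDOWS\\SYSTEM\\MixDaLaL.vbs": b"' dropped script",
    "C:\\Autoexec.bat": b"@echo off\r\nformat c:\r\n",
    "C:\\www\\index.html": DEFACEMENT + b" !!! It's Our Turn >>>",
    "C:\\WINDOWS\\win.ini": b"[windows]\r\n",
}

SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Norton.Thar"="C:\\\\WINDOWS\\\\SYSTEM\\\\ZaCker.vbs"
"""

if __name__ == "__main__":
    for hit in mail_indicators(SAMPLE_MAIL) + host_indicators(SAMPLE_FILES, SAMPLE_REG):
        print("HIT:", hit)
```

The sample attachment is a few stub bytes, so only the subject and attachment name fire for the mail; on a real capture the size check is the third corroborating signal. The host checks are deliberately independent of each other, since after a reboot the Run value and the .vbs files may already be gone while the rewritten Autoexec.bat and the defaced pages remain.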