




- December, 1999 - W32/MyPics.worm
This is apparently one of the first "Y2K" virus/worms, written to trigger in the year 2000. If executed, it spreads by mass mail. It appears to use code similar to the W97M/Melissa virus to send itself through MS Outlook to the first 50 email recipients; however, the emails this worm creates have no subject line, only the body:
"Here's some pictures for you !"
The email message carries the attached file "Pics4You.exe".
This file copies itself to the local machine and registers itself to run at system startup from one of the following registry locations, depending on whether the operating system is Windows 9x or NT:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run
When the worm detects that the year is 2000 (i.e. on or after Jan 1, 2000), it drops and executes a file named CBIOS.COM and overwrites the autoexec.bat file.
CBIOS.COM is a 15-byte program written in assembly that overwrites the high byte of the two-byte CMOS checksum kept by the system BIOS. As a result, the computer displays a BIOS error such as:
"CMOS Checksum Invalid"
the next time it is cold booted. This can be corrected by entering the system BIOS setup utility and saving the settings again, which rewrites the BIOS data and recalculates the checksum.
The worm overwrites autoexec.bat with the following three lines:
ctty nul
format d: /autotest /q /u
format c: /autotest /q /u
The new autoexec.bat is 64 bytes long. The ctty nul line redirects the console to the NUL device so nothing is displayed while the unattended format commands run, and as a result the data on both the C and D drives is formatted at the next boot.
The other payload replaces the Internet Explorer 'Home Page' with the following web location: http://www.geocities.com/SiliconValley/Vista/8279/index.html
- December, 1999 - W32/ExploreZip.Worm.Pack
This worm is a variant of Worm.ExploreZip (see our June 1999 alert on Worm.ExploreZip below). The difference is that Worm.ExploreZip(pack) is compressed, yet still executes normally and requires no manual uncompressing. Because of the uncommon compression scheme, its file size differs from the original Worm.ExploreZip, so an update to your anti-virus program is required to detect it.
- VIRUS: FunLove
This virus is a parasitic Win32 PE file virus that infects EXE, SCR and OCX files under Win9x and WinNT 4.0 by appending itself to the last PE section of the file. The virus also overwrites the first 8 bytes of code at the program's entry point with a jump to the virus's code.
When the virus is first run, it drops a file called FLCSS.EXE into the
SYSTEM folder, if this file does not already exist. This exe file is then
run as a separate process and becomes the resident portion of the virus.
The virus then directly infects all EXE, SCR and OCX files in the Program Files and WINDOWS (or WINNT) folders, including their sub-folders. Because the default Windows shell, Explorer.exe, lives there, the virus is re-executed whenever the system is restarted.
FunLove is the second virus to run as a service on Windows NT. Running as a service, it can spread on the local drives with nobody logged on to the machine, and so can infect files that are not normally accessible after logon.
Under Windows NT, the virus uses a routine 'lifted' from the Bolzano virus to patch NTOSKRNL.EXE and NTLDR if the current user is logged in with administrator rights (NTLDR is patched so that the modified kernel still passes its integrity check at boot). The patch, which takes effect after the next restart, grants every user full administrator rights to the system, giving the virus (and any low-privileged user) unrestricted access to all files on it. The patched files are not recoverable and should be restored from backup.
Periodically the virus scans any network shares with write access, and
infects any EXE, SCR and OCX files on any shared network drives.
When executed under DOS, the file FLCSS.EXE displays the message "~Fun Loving Criminal~" and then tries to reset the machine in order to load Windows.
- November, 1999 - WORM/VIRUS: BubbleBoy
BubbleBoy is a "concept" virus with no dangerous payload, meaning it does not attempt to delete or alter files. It does, however, have the ability to create a mail storm, as it sends copies of itself to every e-mail address in the victim's address book.
BubbleBoy is a worm that works under Windows 98, Windows 2000 and other Windows operating systems with Windows Scripting Host installed. It exploits a known security hole in Microsoft Outlook to drop a script file, UPDATE.HTA, as soon as the email is opened; no attachment needs to be run. UPDATE.HTA is placed in the Programs\StartUp folder of the Start menu, and is a script that uses MS Outlook to send the worm email to everyone in the MS Outlook address book. If the security hole has not been patched (see Microsoft link below), BubbleBoy activates at the next Windows start and sends an email message to everyone in the MS Outlook address book.
To remove this worm, simply delete UPDATE.HTA (usually in the C:\WINDOWS\Start Menu\Programs\StartUp directory).
Microsoft has released a patch that eliminates security vulnerabilities in two ActiveX controls. NH&A recommends that all users download and install the small file required to patch Outlook and/or Outlook Express. This not only stops BubbleBoy from working but also blocks other programs that attempt to exploit the same security holes Microsoft has identified.
The net effect of the vulnerabilities is that a web page could take
unauthorized action against a person who visited it. Specifically,
the web page would be able to do anything on the computer that the user
could do. Here is the link to find and download the patch
for your operating system:
http://www.microsoft.com/security/Bulletins/ms99-032.asp
Frequently asked questions regarding this vulnerability can be found
at
http://www.microsoft.com/security/bulletins/MS99-032faq.asp
Anti-virus programs have also released updates
for this worm. For more information on this virus visit:
http://www.sarc.com/avcenter/venc/data/vbs.bubbleboy.html
http://www.datafellows.com/v-descs/bubb-boy.htm
http://vil.nai.com/vil/vbs10418.asp
http://www.antivirus.com/vinfo/security/sa110999.htm
http://www.sophos.com/downloads/ide/index.html#bubblea
http://www.zdnet.com/pcweek/stories/news/0,4153,1018067,00.html
http://dailynews.yahoo.com/h/nm/19991110/ts/tech_virus.html
http://abcnews.go.com/sections/tech/CNET/cnet_bubbleboy991109.html
http://www.msnbc.com/news/333265.asp
- October, 1999 - WORM: Freelink, VBS.Freelink
VBS/Freelink is an e-mail worm written in VBScript. VBScript programs run only where Windows Scripting Host is present: it ships with Windows 98 and Windows 2000, and must be installed separately on other Windows versions.
When the worm is executed, it drops an encrypted script file to "C:\Windows\System\Rundll.vbs". VBS/Freelink then changes the registry so that "Rundll.vbs" is executed each time the system is restarted.
Next, the worm shows a dialog box with the
following text:
This will add a shortcut to free XXX links on
your desktop. Do you want to continue?
If the user presses the "Yes" button,
the worm creates an Internet shortcut named "FREE XXX LINKS"
to the desktop.
The worm also searches for mapped network shares and, if it finds any, copies itself to the root of each share. It uses the Outlook application to mass-mail itself to every recipient in every address book. The mass-mail part is similar to W97M/Melissa, but this worm does not infect Word documents and sends itself every time it is executed.
The subject of the message is:
Check this
and the body of the message is:
Have fun with these
links.
Bye.
The worm attaches itself to the message as "Links.vbs". When the receiver double-clicks the attachment, the worm executes and mass-mails itself again. VBS/Freelink then removes the sent messages from the user's "Sent Mail" folder, trying to hide the mass mailing from the user.
As address books typically contain group addresses, the end result of executing the Freelink worm inside an organization is that the first infected user sends the message to everybody in the organization. Other users then open the message and send it AGAIN to everyone else. This quickly overloads e-mail servers.
http://www.sarc.com/avcenter/venc/data/vbs.freelink.html
http://vil.nai.com/vil/vbs10225.asp
http://www.datafellows.com/v-descs/freelink.htm
http://www.sophos.com/downloads/ide/index.html#freelink
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_FREELINK
http://news.cnet.com/news/0-1006-200-429558.html?tag=st.cn.1002newsfd.
- October, 1999 - VIRUS: WinNT/Infis
Infis is a memory-resident virus. It replicates under Windows NT 4.0 with Service Pack 2, 3, 4 or 5 installed. It does not work on systems running Windows 95/98 or Windows 2000.
The virus usually arrives in an infected EXE file and, when that file is run, installs itself into the system. It copies its body to the file INF.SYS in the Windows NT drivers folder WinNT\System32\Drivers, then creates a service key with three values in the Windows registry:
\Registry\Machine\System\CurrentControlSet\Services\inf
Type = 1 (standard Windows NT kernel-mode driver)
Start = 2 (driver start mode: start automatically at boot)
ErrorControl = 1 (continue loading the system if the driver fails)
As a result, the virus in INF.SYS is activated every time the operating system starts. Once loaded, the virus first installs itself in Windows NT kernel memory and then takes control of some undocumented Windows NT internal functions. It traps the file-open routine: whenever a file is opened it checks the file name and the file's internal format, and calls its infection routine if the file is a PE EXE.
The virus infects only PE (Portable Executable) EXE files, except CMD.EXE (the Windows NT command processor). On infection it increases the file length by the length of its "pure code", 4608 bytes. It does not infect files twice: it recognizes already-infected files by their "date and time" stamp, which it sets to -1 (FFFFFFFFh) upon first infection.
Infis has no destructive payload. However, it has bugs that can corrupt some files on infection; when a corrupted file is run, the standard Windows NT application error message is shown.
http://www.sarc.com/avcenter/venc/data/wnt.infis.4608.html
http://vil.nai.com/vil/vpe10391.asp
http://www.datafellows.com/v-descs/infis.htm
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_INFIS.4608
http://www.sophos.com/downloads/ide/index.html#infs4608
http://www.avpve.com/viruses/winnt/infis.html
http://news.cnet.com/news/0-1003-200-810978.html?tag=st.cn.1002newsfd.
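Both file-level marks described on this page, the -1 time stamp Infis leaves behind and the FunLove-style jump from the entry point into an appended last section, can be checked with a small amount of PE header parsing. The Python below is an added example written for this page, not code from NH&A or from any of the vendors linked above. It assumes the stamp Infis sets to FFFFFFFFh is the PE header's TimeDateStamp (the description does not say which stamp), and it models the FunLove hook as a near JMP (E9 rel32) at the entry point that lands inside the file's last section. Both checks are heuristics rather than signatures, and the two sample images are constructed in the code.

```python
import struct

# Added example (not from the page or any AV vendor): a minimal PE32 reader
# that checks two on-disk infection marks described in the Infis and FunLove
# alerts. ASSUMPTIONS: Infis's "-1 date and time stamp" is read as the COFF
# header TimeDateStamp, and the FunLove hook is modelled as a near JMP
# (E9 rel32) at the entry point that lands inside the file's last section.

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes


def parse_pe(data):
    """Return (timestamp, entry_rva, sections) for a PE32 image in memory.

    sections is a list of (name, virtual_address, size, raw_offset).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)[:5]
        sections.append((name.rstrip(b"\0").decode("ascii"), vaddr,
                         max(vsize, rawsize), rawptr))
    return timestamp, entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table, or None."""
    for _name, vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rawptr + (rva - vaddr)
    return None


def triage(data):
    """Flag the two marks; neither is proof of infection on its own."""
    timestamp, entry_rva, sections = parse_pe(data)
    last_name, last_vaddr, last_size, _ = sections[-1]
    result = {
        "timestamp_is_minus_one": timestamp == 0xFFFFFFFF,   # Infis marker
        "entry_jumps_to_last_section": False,                # FunLove-style hook
        "last_section": last_name,
    }
    off = rva_to_offset(entry_rva, sections)
    if off is not None and data[off] == 0xE9:                # JMP rel32 at entry
        rel32 = struct.unpack_from("<i", data, off + 1)[0]
        target = entry_rva + 5 + rel32
        result["entry_jumps_to_last_section"] = last_vaddr <= target < last_vaddr + last_size
    return result


def build_sample(timestamp, entry_code):
    """Constructed two-section PE32 for the demo (.text at RVA 0x1000, .rsrc at 0x2000)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    text = struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack(SECTION_HDR, b".rsrc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rsrc).ljust(0x200, b"\0")
    return headers + entry_code.ljust(0x200, b"\xCC") + bytes(0x200)


# Constructed inputs: a clean image (mov eax,1; ret at the entry point) and an
# "infected" one carrying the -1 stamp and a JMP from the entry point into .rsrc.
CLEAN_SAMPLE = build_sample(0x3857D6A0, b"\xB8\x01\x00\x00\x00\xC3")
INFECTED_SAMPLE = build_sample(0xFFFFFFFF, b"\xE9" + struct.pack("<i", 0x2000 - (0x1000 + 5)))

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, triage(image))
```

Running the file prints the two triage results. In practice you would walk the directories the viruses target (Program Files, WINDOWS or WINNT, and writable shares for FunLove) and, for Infis, compare the 4608-byte length increase against a known-good copy. A clean file can legitimately start with a JMP, so treat a hit as a reason to scan the file with current definitions, not as proof of infection.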
- VIRUS: W97M.Melissa.U
The "W97M.Melissa.U (Gen1)" virus is a
modified variant of the infamous W97M.Melissa.A virus that wreaked havoc
worldwide in late March 1999.
Characteristics of Infection
The document infected with W97M.Melissa.U (Gen1)
will arrive in an email with the following Subject line and body with a
Word document attachment:
Subject: pictures USERNAME
Body: whats up?
USERNAME will be the name registered in the
local copy of Word. For example, it may be "Subject: pictures John
Doe". If you receive such an email, you should notify your system
administrator immediately. Do not attempt to open the attached document.
Payload
There are three payloads.
As its primary payload, the virus will attempt
to use Microsoft Outlook to e-mail a copy of the infected document to up
to four email addresses. The email addresses are selected from Outlook's
address book. Please note that a mailing-list (a list comprising more
than one email address) within Outlook Address Book can be selected by
the virus, which will then cause a larger distribution of email to be
spammed. Corporations using Microsoft Exchange are the primary target of
W97M.Melissa.U(Gen1) because the virus searches for Outlook's Address
Book. This payload will only be executed once on each machine.
The second payload will insert the following
text into the active document:
>>>>>Please Check Outlook Inbox
Mail<<<<<
If you see such text in any of your documents,
please be certain to scan your system using the latest virus
definitions.
The third payload deletes the following files when the infected file is opened, making the system unbootable:
c:\command.com
c:\io.sys
d:\command.com
d:\io.sys
c:\Ntdetect.com
c:\Suhdlog.dat
d:\Ntdetect.com
d:\Suhdlog.dat
http://www.sarc.com/avcenter/venc/data/w97m.melissa.u.gen1.html
http://vil.nai.com/vil/vm10385.asp
http://www.sophos.com/downloads/ide/index.html#melissau
http://www.zdnet.com/zdnn/stories/news/0,4586,2374755,00.html
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=W97M_MELISSA.U
- October, 1999 - VIRUS: W97M.Melissa.V
Detected As: W97M.Melissa.A or
W97M.Melissa.Variant
Infection Length: one VBA5 module named MP
Area of Infection: Microsoft Word 97 documents
Likelihood: Rare
Region Reported: None
Characteristics: Macro, MS Outlook, Worm
Description
W97M.Melissa.V is a modified variant of
W97M.Melissa.A virus. The key changes made from the original
W97M.Melissa.A virus are the virus module name (now called
"MP?"), the email subject/message, and a malicious payload
which deletes some files.
Payload
As its primary payload, the virus attempts to use Microsoft Outlook to e-mail a copy of the infected document to up to 40 other people. When a user opens or closes an infected document, the virus first checks whether it has already done this mass e-mailing by looking for the value "MP?" under the following registry key:
"HKEY_CURRENT_USER\Software\Microsoft\Office\"
If that value is set to "...by 22", the mass e-mailing has already been done from the current machine, and the virus will not attempt it a second time.
If it does not find the registry entry, it will
do the email payload just like W97M.Melissa.A. The difference is that it
only sends to up to 40 addresses, the subject line is "My Pictures
USERNAME" where USERNAME is taken from MS Word setting, and the
email message is now blank.
The second payload now replaces the currently
selected text of the document with:
Opening Microsoft Outlook...
Hint: Get Norton 2000 not McAfee 4.02
It also displays a message box with the
following message:
Please Check Your OutLook Inbox E-Mail!
This variant also has a malicious payload that
attempts to delete files from the root directory of drive F, H, I, L, M,
N, O, P, Q, S, X, and Z.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=W97M_MELISSA.MP
http://www.sarc.com/avcenter/venc/data/w97m.melissa.v.html
http://vil.nai.com/vil/vm10386.asp
http://www.sophos.com/downloads/ide/index.html#melissav
July, 1999 - TROJAN ALERT -
Back Orifice 2000
Aliases: Back Orifice 2000, BO2K
Area of Infection: Microsoft Windows 9x and NT
Released on: July 10, 1999
Region Reported: US
Characteristics: Backdoor Trojan Horse
Description: BO2K is a program that, when
installed on a Windows computer, allows the computer
to be remotely controlled by another user. Remote control software
is not malicious in
and of itself; in fact, legitimate remote control software packages are available for use by
system administrators. What is different about BO2K
is that it is intended to be used for malicious purposes, and includes stealth behavior that has no purpose
other than to make it difficult to detect.
Back Orifice 2000 is a new version of the BackOrifice Trojan. When installed on a Microsoft Windows system, this backdoor trojan horse program allows others to gain full access to the system. Like the original BackOrifice, it consists of two pieces: a server and a client application. Unlike the old version, both applications now run under Windows NT. The client, running on one machine, can be used to monitor and control a second machine running the server remotely. Anyone running the client half of Back Orifice can then make the user's computer do anything they could do while sitting in front of it, including reading and/or deleting all files on the computer.
Back Orifice 2000, the latest in a string of Remote Access Trojans (RATs), is a Windows 9x and NT program that acts as a hack tool. When executed, the Back Orifice server turns a user's system into an open, remotely controllable host, giving virtually unlimited access to the system over the Internet.
How do I prevent having BO2K installed on my machine?
You do not need to take any extraordinary precautions. Just follow normal safe computing practices:
Never share your password, and always lock your computer when you walk away from it.
Never run software from untrusted sources.
Always keep your anti-virus and other security software up to date.
http://www.microsoft.com/security/bulletins/bo2k.asp
http://www.news.com/News/Item/0,4,38977,00.html
http://www.antivirus.com/vinfo/alerts.htm
http://www.datafellows.com/v-descs/bo2k.htm
http://vil.nai.com/asp_set/anti_virus/alerts/vabo2k.asp
http://www.sarc.com/avcenter/venc/data/back.orifice.2000.trojan.html
http://www.sophos.com/downloads/ide/index.html#bo2k
- June, 1999 - Worm.ExploreZip
Virus Name: Worm.ExploreZip
Infection Length: 210,432 bytes
Area of Infection: C:\Windows\System\, Email Attachments
Characteristics: Worm, Trojan Horse
Description:
Worm.ExploreZip is a worm that contains a malicious payload. The worm
utilizes MAPI commands and Microsoft Outlook on Windows systems to
propagate itself. The worm e-mails itself out as an attachment with the
filename "zipped_files.exe". The body of the e-mail message
may appear to come from a known e-mail correspondent, and contains the
following text:
"Hi (Recipient Name)!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye"
The worm determines whom to mail this message to by going through the received messages in your Inbox. Once the attachment is executed, the user is presented with a fake error message that says:
"Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."
The worm then copies itself to the c:\windows\system directory as "Explore.exe" (note the name, chosen to resemble the Windows shell Explorer.exe) and modifies the WIN.INI file so that the program is executed each time Windows is started. The worm then uses your e-mail client to harvest e-mail addresses in order to propagate itself; you may notice the e-mail client start when this occurs.
Payload:
The worm searches drives C through Z for the following file types and destroys every file it finds by truncating it to 0 bytes. This can leave data, and the computer system itself, unrecoverable:
.c
.cpp
.asm
.doc
.xls
.ppt
New Functionality: Once the worm infects one machine in a corporate network, it starts looking for other Windows workstations on the network. If another user has shared directories from his machine for others, the worm tries to infect that machine over the network. This means that your machine can get infected with the ZippedFiles worm even if you are very careful with your e-mail, do not open attachments, or even stop using e-mail completely. You will not notice the infection, but your machine will start to automatically reply to all e-mails received thereafter. The replies contain an infected attachment and spread the worm further. In addition, the worm will start to overwrite files on local and network drives.
Repair Notes: To remove this worm, perform the following steps:
1. Remove the entry run=C:\WINDOWS\SYSTEM\Explore.exe from the [windows] section of the WIN.INI file. If other programs are listed on the same run= line, remove only the Explore.exe entry.
2. Delete the file "C:\WINDOWS\SYSTEM\EXPLORE.EXE". If the file is currently in use, you may need to reboot first.
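The repair steps above edit WIN.INI by hand. The Python below is an added example written for this page (not NH&A's or any vendor's code): it lists the [windows] run= and load= autostart programs from a WIN.INI, flags the worm's Explore.exe, and removes one entry while keeping any other programs on the same line, which matters when a legitimate program shares the run= line with the worm. It assumes entries are separated by spaces or commas, as on Windows 9x where program names have no spaces; the WIN.INI content is constructed for the example.

```python
import re

# Added example (not from the page or any vendor): inspect and repair the
# [windows] run=/load= autostart lines of a WIN.INI, which is how
# Worm.ExploreZip (run=C:\WINDOWS\SYSTEM\Explore.exe) survives a reboot.
# ASSUMPTION: programs on a run=/load= line are separated by spaces or
# commas, as on Windows 9x where program names contain no spaces.

# Constructed WIN.INI fragment (not a real capture): a legitimate program
# shares the run= line with the worm, so the whole line must not be deleted.
SAMPLE_WIN_INI = "\r\n".join([
    "[windows]",
    "load=C:\\MOUSE\\POINTER.EXE",
    "run=C:\\TOOLS\\MONITOR.EXE C:\\WINDOWS\\SYSTEM\\Explore.exe",
    "NullPort=None",
    "[Desktop]",
    "Wallpaper=(None)",
])

AUTOSTART_KEYS = ("run", "load")


def _split_entries(value):
    """Split a run=/load= value into program names."""
    return [e for e in re.split(r"[ ,]+", value.strip()) if e]


def _walk(ini_text):
    """Yield (line, key, value) where key is set only for run=/load= in [windows]."""
    in_windows = False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            yield line, None, None
            continue
        key, sep, value = s.partition("=")
        if in_windows and sep and key.strip().lower() in AUTOSTART_KEYS:
            yield line, key.strip().lower(), value
        else:
            yield line, None, None


def autostart_entries(ini_text):
    """Return [(key, program), ...] for every run=/load= program in [windows]."""
    found = []
    for _line, key, value in _walk(ini_text):
        if key:
            found.extend((key, prog) for prog in _split_entries(value))
    return found


def suspicious_autostarts(ini_text, bad_names=("explore.exe",)):
    """Entries whose file name matches a known worm dropper name."""
    return [(k, p) for k, p in autostart_entries(ini_text)
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in bad_names]


def remove_autostart(ini_text, program):
    """Drop `program` (case-insensitive) from run=/load= lines, keeping the rest.

    Returns (new_ini_text, removed_flag). The file is rewritten with CRLF
    line endings, as WIN.INI uses on Windows.
    """
    out, removed = [], False
    for line, key, value in _walk(ini_text):
        if key:
            entries = _split_entries(value)
            kept = [e for e in entries if e.lower() != program.lower()]
            if len(kept) != len(entries):
                removed = True
                line = key + "=" + " ".join(kept)
        out.append(line)
    return "\r\n".join(out) + "\r\n", removed


if __name__ == "__main__":
    print("autostart:", autostart_entries(SAMPLE_WIN_INI))
    print("suspicious:", suspicious_autostarts(SAMPLE_WIN_INI))
    cleaned, removed = remove_autostart(SAMPLE_WIN_INI, "C:\\WINDOWS\\SYSTEM\\Explore.exe")
    print("removed:", removed)
    print(cleaned)
```

The same walk applies to the registry Run keys used by MyPics and Freelink above, but those live in the registry rather than in an INI file and are not shown here. The removal leaves an empty run= line rather than deleting it when the worm was the only entry, which is harmless to Windows and keeps the edit minimal.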
Links to additional information:
Symantec
NAI
Data Fellows
Trend
AVP
CNN
CERT Advisory
ZDNet
- March, 1999 - Melissa Macro Virus
This virus is spreading extremely rapidly in corporate networks and among other users of Word 97 or Word 2000 with Outlook 97, 98 or 2000. It is also spreading rapidly in the news media and on the internet. Currently, the damage it causes is overwriting the first macro in open documents and in the normal.dot template with the macro virus code. It turns off macro virus protection in Word. It sends copies of the infected document to up to 50 people from each of your Outlook address books.
If you do NOT open the attached document in Word, you will not infect your system; the document received will merely contain the virus. This is true of all Word macro viruses and of any other virus received via e-mail. If you save the attachment to a temporary directory, you can scan it with the most current version of your anti-virus program (see list below) to see whether it is infected BEFORE you open it. This, again, is true for any attachment received via e-mail.
Additionally, you can start Word and turn OFF macros by following the instructions in the "Microsoft" link below. Then you will never get a Word macro virus, but you will be turning off functionality of Word that some people use.
The following is the sequence of what the virus does:
When the infected document is opened, the virus checks for a setting in the registry to test whether the system has already been infected. If the system has not been infected, the virus creates the registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = ".. by Kwyjibo"
If this key already exists the email routine does not run, but the virus still infects documents.
An email message is created and sent to the first 50 recipients of each address book, which the virus works through programmatically one at a time. The message is created with the subject "Important Message From <USERNAME>", where the virus takes the username from the Word user registration.
The message body reads "Here is that document you asked for ... don't show anyone else ;-)"
The active infected document is attached and the email is sent. However, this is NOT the only document that can be sent or received: once the system is infected, every document that is opened becomes infected. Since any document can be sent, a user who has not yet been infected and receives such a document can be infected by it, and the process continues.
The virus does have a payload. If the day of the month equals the current minute when an infected document is opened, this text is inserted at the cursor position:
"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
Most anti-virus programs already have a detection
and removal for this virus.
Links to additional information:
Microsoft
CIAC
Data Fellows
Symantec
Trend Micro
Sophos
Network
Associates
Norman Data Defense
Cheyenne (Computer
Associates)
PC Week
CNN
ZDNET
Note: NH&A has collected a set of extra drivers and merged them into one single driver for the benefit of our Dr. Solomon's customers. This extra driver (EXTRA.DRV) enables detection of the following viruses:
W97M/Caligula
W97M/Ethan
W97M/Madcow
W97M/Marker
W97M/Marrauder
W97M/Melissa
W97M/Melissa.b.intd
W97M/Melissa.dam
W97M/Nail
W97M/Ping
W97M/Syndicate
W97M/Tristate
W97M/Voltron
W97M/Zerg
X97M/Laroux.ho
X97M/Papa
X97M/Tristate
XM/Laroux.ho
If you have questions, please contact support@nha.com.
- January, 1999 - New Office 2000 Virus
The first known Office 2000 virus has harmful effects. When an infected document is opened, it checks whether the day and minute values coincide and, if so, inserts between one and seventy geometric figures of random shape and color over the text so that the contents of the document cannot be viewed.
The virus checks every document the user opens to see whether it is already infected, so as to avoid re-infecting files. If a document is clean, the virus infects it when it is closed and saves it automatically.
The virus is polymorphic: it changes its appearance each time it runs, modifying each of the variables it uses and even its function names. The variable values are chosen at random and change for each document infected.
The user cannot close the document while the shapes are being generated. After it has finished displaying the shapes, the virus asks whether the user wants to save changes to the document, then closes the current document whether the user clicked "yes" or "no". Upon payload activation, the virus also changes the Word "Security Level" to "Low" by modifying the Windows registry key
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security".
Infection is based on the W97M/PSD virus for Office 97, but this is a virus designed specifically for Office 2000, as it infects documents created in Word 9.0, whose format differs from documents created in Office 97.
Links to additional information:
http://www.pandasoftware.com/inet5646.htm
http://www.antivirus.com/vinfo/security/sa011999.htm