NH&A Alerts


  • October 11, 2000 -  New Trojan Threatens New Denial-Of-Service Attacks

    More than 800 computers have been infected with the SubSeven Defcon8 2.1 back-door virus, according to Internet Security Systems Inc. This virus, known as a "Trojan horse," is spreading rapidly and has the potential for widespread damage, prompting the security firm to rate its threat at level 4. A rating of 5 is most dangerous.

    The Trojan has been distributed on Usenet newsgroups with various file names, including SexxxyMovie.mpeg.exe. According to ISS, hackers are using infected systems to test new distributed denial-of-service attack methods and strategies. This program points to the growing use of back doors and denial-of-service attacks by hackers.

    "Over the past couple of months, we have noticed a dramatic increase in the number of 'zombies' waking on our systems," says a security manager who requested anonymity. "Based on the activity we've seen here, I'm certain we're on the cusp of seeing another wave of attacks."

    Chris Rouland, an ISS research director, agrees that more attacks are imminent. "This is a bellwether sign of the state of Internet security," he says, adding that distributed denial-of-service developers are becoming more sophisticated. "They've developed this so that it can't be detected by antivirus software. And we are seeing more of these Trojans take advantage of communications through IRC and use encryption to make them more difficult to detect," he says. "No one knows for sure, but it would be reasonable to think that there will be DDOS attacks against E-commerce sites during the holiday season." - George V. Hulme

     
  • July 8, 2000 - TROJ_POKEY.A 
    (a.k.a. Win32/Pikachu.32768.Worm or Worm.Pikachu)

    TROJ_POKEY.A is a new Internet worm, which was recently reported by users. It spreads via MS Outlook and emails itself to all users in the infected user's address book. The Trojan arrives as an executable file, with an icon that resembles the Pokémon animated character Pikachu. It modifies the AUTOEXEC.BAT so that certain directories are deleted on the next reboot.

    For more information, see:
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_POKEY.A
  • June 19, 2000 - VBS_Stages.A Virus/Worm spreading quickly. This worm shows itself as an email attachment titled LIFE_STAGES.TXT.SHS, although you won't see the ".SHS" extension, so you may be fooled into thinking it's a text file. Opening the attachment will allow you to read the lame message while the virus spreads to everyone in your Outlook address book. It will also do the following on Windows machines:

    * SCANREG.VBS, VBASET.OLB and MSINFO16.TLB are created in the \WINDOWS\SYSTEM directory.

    * The registry key HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices/ScanReg is added to run the SCANREG.VBS file upon startup.

    * LIFE_STAGES.TXT.SHS is created into the \WINDOWS directory.

    * A randomly named file with the .TXT.SHS extension is created into the root directory of all mapped drives, into \My Documents and into \WINDOWS\START MENU\PROGRAMS. The name of the file has three parts. The first part is IMPORTANT, INFO, REPORT, SECRET, or UNKNOWN; the second part is a dash or an underscore; and the third part is a random number between 1 and 1000. Examples include report_439.txt.shs or IMPORTANT-707.TXT.SHS.

    * The file regedit.exe is moved into the Recycle Bin as a hidden system file named RECYCLED.VXD.

    * MSRCYCLD.DAT, RCYCLDBN.DAT and DBINDEX.VBS are created in the Recycle Bin as hidden system files. MSRCYCLD.DAT is a copy of the original SHS file. RCYCLDBN.DAT is a copy of the SCANREG.VBS file. DBINDEX.VBS is set to be executed when ICQ is run.

    * The script for mIRC is modified to call the file SOUND32B.DLL which causes the worm to spread through mIRC and PIRCH.

    Detailed recovery is provided by each of the following links to anti-virus information and updates:

    Trend:
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_STAGES.A

    Symantec:
    http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html

    Sophos:
    http://www.sophos.com/virusinfo/analyses/vbsstagesa.html

    Network Associates:
    http://vil.nai.com/villib/dispvirus.asp?virus_k=98668

    F-Secure
    http://www.fsecure.com/v-descs/stages.htm

  • May 27, 2000 - Two virus alerts - Resume and KAK

    RESUME - The Resume virus (also known as Melissa.BG) is a very dangerous Word Macro virus because it attempts to spread to everyone in available address books and tries to delete all files in the following directories and drives:

    C:\*.*
    C:\My Documents\*.*
    C:\WINDOWS\*.*
    C:\WINDOWS\SYSTEM\*.*
    C:\WINNT\*.*
    C:\WINNT\SYSTEM32\*.*
    A:\*.* [may cause an error message]
    B:\*.* [may cause an error message]
    and *.* in the root of drives D: through Z:
    -----------
    The email message in which it arrives looks like this:

    Subject: Resume - Janet Simons
    To: Director of Sales/Marketing,

    Attached is my resume with a list of references contained within.
    Please feel free to call or email me if you have any further questions
    regarding my experience. I am looking forward to hearing from you.

    Sincerely,

    Janet Simons.

    "Explorer.doc"

    --------------------
    How Resume (W97M.Melissa.BG) works:

    Killer Resume is a Microsoft Word macro.  When you open the attachment, it opens in Word, which executes the macro. It sends itself to everyone in your Outlook address book, and makes copies of itself in the following locations:

    C:\Data\Normal.dot
    C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc

    ___________
    Actions Required:
    The correct action is to ensure no one opens the attachment and, better, if you have the skills, to set up email filters that stop any offending messages. Tell people to deactivate the executive summary feature in Microsoft Outlook, and only then delete the e-mail without opening it.

    Valuable data from the top virus vendors (those involved in maintaining the Information Security DEW Line [Digital Early Warning Line]):

    F-Secure:
    http://www.f-secure.com/v-descs/resume.htm

    NAI: http://vil.nai.com/villib/dispvirus.asp?virus_k=98661

    Symantec: http://www.symantec.com/avcenter/venc/data/w97m.melissa.bg.html

    Sophos:
    http://www.sophos.com/virusinfo/analyses/wm97resumea.html

    Trend:
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=W97M_RESUME.A

    KAK - Fifty thousand systems received the KAK virus on May 24.  See: http://www.msnbc.com/news/412717.asp

    The story, in brief, is that 50,000 clients of Shoppingplanet.com received an infected email newsletter (not an attachment) and those who previewed or read the email in Outlook Express almost certainly became infected.

  • May 18, 2000 - NewLove.A Virus - The VBS.NewLove.A is a very destructive worm that spreads by sending itself to all addresses in the Outlook address book when it is activated. It sends an e-mail with an attachment whose name is randomly chosen but always has a .Vbs extension. The subject header will begin with "FW:  " and will include the name of the randomly chosen attachment (excluding the .VBS extension). Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection. This virus is not spreading nearly as fast as the original LoveBug virus, so we don't anticipate it becoming very widespread. In fact, we have independently heard of no company or individual hit with this virus as of noon Friday, May 19.

    Also known as: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER, VBS.Loveletter.FW.A

    Category: Worm

    Infection length: Variable

    How the VBS.NewLove.A Worm works:

    The worm sends copies of itself to everyone in your Outlook address book. It chooses a random file and uses that name for the attachment and email subject. For example, if it chooses song.mp3, it will send an email titled "FW: song.mp3" with an attachment named song.mp3.vbs.

    This polymorphic Loveletter variant will overwrite ALL files that are not currently in use regardless of extension.  It arrives as an email message with a subject of "FW:  FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's recently opened documents list.)   For example, a file named report.doc will be replaced with a copy of the virus named report.doc.vbs.  If no documents have been used recently, this name is randomly generated.  If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of infected machines.)

    The filename attached will have one of the following extensions:

    Doc.Vbs
    Xls.Vbs
    Mdb.Vbs
    Bmp.Vbs
    Mp3.Vbs
    Txt.Vbs
    Jpg.Vbs
    Gif.Vbs
    Mov.Vbs
    Url.Vbs
    Htm.Vbs

    Symantec has a web page on the NewLove.A virus here.

    Trend also has information on the virus here, with a fix already available from that link.

    A Sophos Anti-Virus identity file (IDE) can be downloaded from
    http://www.sophos.com/virusinfo/analyses/vbsnewlovea.html
    Users who have disabled Windows Scripting Host (WSH) on their computers will not be infected by this virus.   Details on how to disable WSH are conveniently published by Sophos at http://www.sophos.com/support/faqs/wsh.html
    and by F-Secure at: http://www.f-secure.com/virus-info/u-vbs/

    Users who are blocking any Visual Basic Script filename (the infected message always arrives with a filename ending in ".Vbs") will not be affected.

    NAI (McAfee) has information at:  http://vil.nai.com/villib/newlove.asp and extra.drv fixes linked from that site.

    F-Secure has information at: http://www.f-secure.com/v-descs/newlove.htm and has the fsupdate.exe at: USA ftp server  or European ftp server

    Symantec has updates for NAV at: http://www.symantec.com/avcenter/download.html

    The Virus Bulletin has a page here on the New Love Bug.    Also, if your anti-virus developer is not listed above, please check here for links to many anti-virus developers.

    CNET is providing a location to download a free utility, VBProtect.exe, to intercept/block execution of .VBS files.

    We, at NH&A, do recommend you immediately download and install VBProtect.EXE on susceptible PCs and alert users of its use. The utility puts itself between your user and the automatic execution of a .VBS script. It allows you the choice to "Execute Script" or to just "Exit" and not allow the script to execute. Other choices are to "Install" or "Remove" the utility. When installed anti-virus programs have appropriate solutions for this virus, this utility can be removed. Keep in mind this utility only protects against .VBS scripts; there are other extensions that can execute programs on your PC.

  • May 4, 2000 - Love Bug Virus - This is a very recent virus. Links will be provided and updated for fixes to various A/V programs. This information is longer than usual due to how quickly this virus is spreading, and is presented in the order found/received.

    Since many antivirus vendors' web sites are being swamped with download requests for patches for the Love Letter, we have downloaded and made available the fixes at the following location:

    http://www.nha.com/support/LoveBugfix/     (note capitalization)

    Please note that Microsoft has a fix for Exchange Server Administrators in the MS Outlook directory of the above link.

    Here are some recent links for information on the Love Bug and its variants. These sites may have more up-to-date fixes than ours.

    Virus Bulletin, F-Secure, Sophos, Symantec, NAI, Trend

    ---Here is the information as it came in or we discovered it---

    The following analysis is the work of the researchers at Frisk Software
    International, primarily Dr. Vesselin Bontchev and Peter Ferrie.

    The worm poses a risk to users that have Windows Scripting Host (including Win '98 users, users who have installed IE 5.x in default mode, users who have installed WSH specifically, and probably users of Windows 2000).

    The worm will only spread from infected machines that have Outlook '98
    or Outlook 2000 installed, but it will damage/overwrite files even if 
    Outlook is not in use.

    The worm is received either as an e-mail attachment or via IRC. If the
    user does not open (double-click on) the attached file, the worm will not
    run or do any damage.

    If it is received via e-mail, the Subject: of the message
    is "ILOVEYOU" and the body of the message says

    kindly check the attached LOVELETTER coming from me.

    The name of the attachment is LOVE-LETTER-FOR-YOU.TXT.vbs
    (which, if the system is configured not to show the
    extensions of the files, will look like a TXT file to the
    user). 

    If it is received via IRC, it resides in a file named
    LOVE-LETTER-FOR-YOU.HTM.

    When executed, the worm makes copies of itself under
    the names MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs
    in the Windows System directory and under the name
    Win32DLL.vbs in the Windows directory. Then it modifies
    the Registry, so that the files Win32DLL.vbs and
    MSKernel32.vbs will be executed every time Windows is
    started.

    Then the worm modifies the Registry, changing the
    startup page of the Internet Explorer, so that when IE
    is started, it will download a file named WIN-BUGSFIX.exe
    from one of 4 possible places on http://www.skyinet.net
    (randomly selected) and the Registry is modified, so
    that this file is executed the next time Windows is
    started.

    Then the worm creates an HTML version of itself, in a
    file named LOVE-LETTER-FOR-YOU.HTM in the Windows System
    directory.

    Next, the worm starts a copy of Outlook in the
    background (only Outlook 98 or 2000 will work - not
    Outlook 97 or Outlook Express). It examines all Outlook
    Address Books and, if an Outlook Address Book contains
    more addresses than the Windows Address Book, the worm
    mass-mails itself to all addresses in that Outlook
    Address Book. (The worm does NOT mass-mail itself to
    any addresses in the Windows Address Book.)

    Finally, the worm examines all directories on all hard
    and network drives. If a file has one of the following
    extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP2,
    MP3, JPG or JPEG the worm overwrites the file with a
    copy of itself. If the extension was not VBS or VBE, the
    worm adds the extension VBS to the name of the file -
    so that, for instance, PICTURE.JPG becomes
    PICTURE.JPG.vbs. In case a MP2 or MP3 file was
    overwritten, the worm also sets its file attribute to
    ReadOnly.

    If, during this directory traversal, any of the following
    files is found: mirc32.exe, mlink32.exe, mirc.ini,
    script.ini or mirc.hlp, the worm drops in that directory
    a file named SCRIPT.INI which begins with the comments

    ;mIRC Script
    ; Please dont edit this script... mIRC will corrupt, if mIRC will
    corrupt... WINDOWS will affect and will not run correctly. thanks
    ;
    ;Khaled Mardam-Bey
    ;http://www.mirc.com

    This file tries to send the file LOVE-LETTER-FOR-YOU.HTM
    from the Windows System directory via IRC's command /DCC
    to all users joining the IRC channel which the infected
    user is on.

    The worm sets or modifies the following Registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

    The file WIN-BUGSFIX.exe is a Backdoor created in the
    Philippines which collects the network passwords cached
    by Windows and sends them to an attacker's site when the
    infected user connects to the Internet.
    -- 
    Fridrik Skulason Frisk Software International phone: +354-5-617273
    Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274
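    The Frisk analysis above lists concrete traces a worm of this kind leaves on disk: the dropped MSKernel32.vbs, Win32DLL.vbs and LOVE-LETTER-FOR-YOU.HTM, "companion" copies such as PICTURE.JPG.vbs beside overwritten files, and a SCRIPT.INI that opens with the ";mIRC Script" comment. The following Python sweep is an added example written for this page, not Frisk's, F-Secure's or NH&A's code. The directory tree it builds for the demonstration is constructed; the registry keys listed in the analysis are left to a Windows-side check because this sweep is meant to run on any platform.

```python
"""Host-side sweep for the on-disk traces listed in the Frisk analysis.

Added example for this page (not vendor code). Walks a directory tree and
reports three kinds of finding:
  dropped-file    a file whose name the analysis lists as dropped by the worm
  companion-copy  <name>.<ext>.vbs where <ext> is one the worm overwrites
  mirc-dropper    a SCRIPT.INI whose first line is the ';mIRC Script' header
"""
import os
import tempfile

# Names taken from the Frisk and Symantec descriptions above (lower-cased).
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe",
}
# Extensions the worm overwrites, then renames by appending ".vbs".
OVERWRITTEN_EXTS = {"vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta",
                    "mp2", "mp3", "jpg", "jpeg"}
MIRC_HEADER = ";mirc script"


def classify(path):
    """Return a finding type for one file path, or None if it looks clean."""
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES:
        return "dropped-file"
    parts = name.split(".")
    # Companion form PICTURE.JPG.vbs: a .vbs added to a targeted extension.
    # Files that were .vbs/.vbe to begin with are overwritten in place and
    # cannot be told apart by name alone, so they are not flagged here.
    if len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in OVERWRITTEN_EXTS:
        return "companion-copy"
    if name == "script.ini":
        try:
            with open(path, "r", errors="replace") as fh:
                first = fh.readline().strip().lower()
        except OSError:
            return None
        if first == MIRC_HEADER:
            return "mirc-dropper"
    return None


def sweep(root):
    """Walk root and return sorted (finding_type, relative_path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            kind = classify(full)
            if kind:
                findings.append((kind, os.path.relpath(full, root)))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: a fake Windows tree mixing worm traces and clean files."""
    root = tempfile.mkdtemp(prefix="loveletter_demo_")
    layout = {
        "WINDOWS/SYSTEM/MSKernel32.vbs": "rem stand-in for the worm body",
        "WINDOWS/Win32DLL.vbs": "rem stand-in for the worm body",
        "My Documents/PICTURE.JPG.vbs": "rem stand-in for the worm body",
        "My Documents/holiday.jpg": "not a script",
        "mirc/SCRIPT.INI": ";mIRC Script\n; Please dont edit this script...",
        "mirc/mirc.ini": "[mirc]",
        "notes.txt": "clean file",
    }
    for rel, text in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, rel in sweep(demo_root):
        print(f"{kind:15} {rel}")
```

    Pointing `sweep()` at a real drive root gives a quick triage list; anything it reports should be cross-checked against the registry Run and RunServices entries the analysis names before deciding a machine is clean.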

    ---------------------------

    F-SECURE
    WARNS ABOUT LOVE LETTER EMAIL WORM
    New Melissa-like worm went world-wide in hours

    ESPOO, Finland, May 4th, 2000, F-Secure is warning users about a new e-mail worm called VBS/LoveLetter. This worm spreads by e-mailing a file called LOVE-LETTER-FOR-YOU.TXT.vbs around.

    VBS/LoveLetter is written in the VBScript language. By default, programs
    written in VBScript operate only under Windows 98 and Windows 2000.
    However, Windows 95 and NT 4 users are vulnerable as well if they have
    installed version 5 of Microsoft Internet Explorer.

    The worm was most likely written in the Philippines. It was first spotted
    on early morning of Thursday the 4th of May.

    The worm arrives to users in e-mail message attachments named
    LOVE-LETTER-FOR-YOU.TXT.vbs. On a default Windows system, the ".vbs"
    extension is not visible, and users might mistake the file to be a harmless
    text file (.TXT). If the recipient opens the attachment, the worm will use
    Microsoft Outlook (if installed) to send a message to everyone in any
    address books (including global address books of the organization - these
    typically contain hundreds or thousands of addresses). The messages look
    like this:

    From: Name-of-the-infected-user
    To: Random-name-from-the-address-book
    Subject: ILOVEYOU

    kindly check the attached LOVELETTER coming from me.

    Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

    As address books typically contain group addresses, the end result of
    executing the VBS/LoveLetter worm inside an organization is that the first
    infected user sends the message to everybody in the organization. After
    this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers.

    "This worm spreads amazingly fast", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation, "we got the first report
    around 9:00 on Thursday morning from Norway, and by 13:00 we had reports from over 20 countries. We estimate that the total number of infected machines is already in tens of thousands of machines."

    In addition to spreading over e-mail, the worm also tries to use companion
    techniques by creating new script files next to existing JPG and MP3 files
    and by overwriting existing local script and HTML files with its own code.

    The virus contains this text: 

    barok -loveletter(vbe) <i hate go to school>
    by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

    A technical description of the virus is available in the F-Secure virus
    description database at:
    http://www.F-Secure.com/v-descs/love.htm
    Sample pictures of e-mail messages generated by VBS/LoveLetter are
    available in the F-Secure virus screenshots center at:
    http://www.F-Secure.com/virus-info/v-pics/

    -- 
    Sami Rautiainen F-Secure Corporation
    Sami.Rautiainen@F-Secure.com http://www.Europe.F-Secure.com
    +358 9 8599 0656 (direct) +358 9 859 900

    -------------------------
    FROM NAI for GROUPSHIELD:

    Detecting/blocking the new vbs_love letter virus with Groupshield Exchange.

    Groupshield Exchange 4.5
    --------------------------------------

    With Groupshield Exchange 4.5, this virus can be blocked simply by using
    Groupshield's new attachment blocking feature:

    Load Exchange Admin and double-click on the Groupshield Exchange object
    under the Server.

    On the 'On-Access' tab, select 'Specified attachments' from the 'Attachment blocking' box and then click on 'Select...'

    In the 'Name Based Options' box, click on 'Block Filenames' and then
    'Change'

    Click on Add and enter the filename: 'LOVE-LETTER-FOR-YOU.TXT.vbs'. Click OK, OK again and OK one more time to return to the Groupshield menu.

    Groupshield Exchange will now block the vbs attachment and so prevent
    further infections. This will work without the extra.dat.


    Groupshield Exchange 4.0.4
    -----------------------------------------

    Download the extra.dat from our online resources. It should be available at:  http://www.drsolomon.com

    Ensure that you are using the latest dat files available.

    Place the extra.dat in the \Program files\Network Associates\Groupshield
    Exchange\i386 folder if Groupshield is running on an Intel machine or place
    the extra.dat in \Program files\Network Associates\Groupshield
    Exchange\Alpha if Groupshield is running on an Alpha machine.

    Stop and restart the Groupshield Exchange service from the Control Panel.

    Groupshield Exchange will now detect this virus and so prevent further
    infections.

    ------------------------------------------

    TEQ provides a fix at:

    http://www.teq-international.com

    the above fix apparently has a minor bug which needs a fix as follows:

    This cleaner downloaded from www.teq.nl has a bug in it, it does not scan
    the ROOT of any drive. To fix: Add the line in the function as shown below:

    sub folderlist(folderspec)
        On Error Resume Next
        dim f, f1, sf

        REM fso (a FileSystemObject) and CleanFiles are defined elsewhere
        REM in the TEQ cleaner; only this routine needs to change.
        set f = fso.GetFolder(folderspec)

        REM ADD LINE BELOW TO CLEAN THE ROOT: the original only cleaned the
        REM subfolders, so files in folderspec itself were never scanned.
        CleanFiles(folderspec)

        set sf = f.SubFolders
        for each f1 in sf
            cleanfiles(f1.path)
            folderlist(f1.path)
        next
    end sub


    ________

    Symantec provides the following information:

    BACKGROUND

    This is preliminary information. It is subject to change as we learn more
    about this virus.

    There is a mass breakout of a new virus, a worm, which the Symantec
    AntiVirus Research Center is currently calling VBS.LoveLetter.A.

    It was discovered a few hours ago in Europe, and has already hit several
    large European Corporations.

    It is likely to hit the US quickly. Symantec European tech support has
    already received many calls from corporations hit by this new virus and SARC
    believes it could be as bad as the Melissa virus that hit last year.

    Although SARC does not yet have a cure for this worm, we hope by providing this preliminary information, it will help admins make email configurations which can filter for the subject line and attachment name. SARC is currently working on a new virus definition for this.

    For current information, please check the SARC web site:

    http://www.symantec.com/avcenter

    TECHNICAL DATA

    VBS.LoveLetter.A is an email worm, mIRC worm, and file infector.

    Threat Assessment: High

    Payload:
    Large scale e-mailing: All the addresses in
    Microsoft Outlook address book
    degrades performance: May clog mail servers

    Distribution: email

    Subject of e-mail: ILOVEYOU

    Name of attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

    Size of attachment: 10307

    SARC recommends Administrators filter on the attachment name
    And Subject line immediately.

    VBS.LoveLetter.A will use Microsoft Outlook and email
    itself out as an attachment with the above subject line and attachment name. The body of the message will be
    kindly check the attached LOVELETTER coming from me.

    The virus will also infect files with the following extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, and mp2  

    The virus will drop the following files:

    MSKernel32.vbs in the Windows System directory
    Win32DLL.vbs in the Windows directory
    LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System
    WinFAT32.EXE in the Internet download directory
    script.ini in the mIRC directory

    SARC recommends Administrators filter on the attachment name and Subject line immediately.

    Removal: Delete found infected files.

    UPDATE

    The Symantec AntiVirus Research Center (SARC) has posted the following

    special definition sets for detection of VBS.Loveletter.A:

    SARCx86.EXE

    - Norton AntiVirus 4.0 for Windows 95/98
    - Norton AntiVirus 5.0 for Windows 95/98
    - Norton AntiVirus 2000 for Windows 95/98/2000
    - Norton AntiVirus 4.0 for Windows NT
    - Norton AntiVirus 5.0 for Windows NT
    - Norton AntiVirus Corporate Edition 6.0/7.0
    - Norton AntiVirus 4.0 for NetWare
    - pcANYWHERE 32, 7.5 for Windows NT
    - Norton Utilities 3.0 for Windows 95/98
    - Norton NT Tools
    - Norton Utilities 2.0 for Windows NT

    SARCi32.EXE

    - Norton AntiVirus 4.0 for Windows 95/98
    - Norton AntiVirus 5.0 for Windows 95/98
    - Norton AntiVirus 2000 for Windows 95/98/2000

    SARCi16.EXE

    - Norton AntiVirus for DOS and Windows 3.x
    - NT Tools
    - NT Scanner

    These special definitions include detection only.

    The special definitions can be downloaded from the ftp server:

    ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/specdef

     Please Note: The SARC Web site is experiencing problems this morning.  We apologize for the inconvenience. Our Global Information Services group is working on the problem.

    ---------------------------------

    TREND VIRUS ALERT INFORMATION

    This VBScript virus like Melissa uses Microsoft Outlook to send email with an attachment file "LOVE-LETTER-FOR-YOU.TXT.vbs" to all email addresses listed in the address list. It also propagates using mIRC by modifying the "script.ini."

    After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself.

    This virus is currently spreading rapidly and Trend advises all customers to download the latest pattern file #693 or use HouseCall to scan and clean their PCs.

    NOTE: There have been some reports that Lotus Notes users may also be affected.

    Details are not available at this time.

    PRESS RELEASE:

    For Immediate Release

    Major Virus Outbreak Alert from Trend Micro – VBS_LOVELETTER Hits Users

    Worldwide

    Free on-line scanning service, HouseCall, allows users to clean their systems – Trend Micro customers can update their protection now

    Cupertino, California- 4 May 2000 - Trend Micro (Nasdaq:TMIC), a leading provider of Internet content security, announced that protection for a new and quickly spreading VB Script "worm" type virus VBS_LOVELETTER is available now.

    Trend Micro first detected this early this morning European time and had a solution available within 15 minutes. During a two-hour period several hundred phone calls were received from major European customers within Government, industry and trade including ISPs, infected with the new virus.

    Trend Micro customers are strongly recommended to update their virus protection software with the new emergency virus pattern update, number 693, as follows:

    1. Download pattern 693 from www.antivirus.com/download/pattern.asp
    2. Ensure that both in and outbound mail is scanned
    3. Proceed with manual scan to clean up any affected mail servers, PCs and file
    servers.

    It is recommended that non-customers download an evaluation copy of ScanMail plus pattern update 693 to install and clean mail/groupware servers.

    Trend Micro is currently updating its free on-line scanning service, HouseCall, at http://housecall.antivirus.com. Concerned users who are not currently using Trend Micro software can take advantage of this free on-line service to ensure that their systems are not infected. Trend Micro expects to have HouseCall updated shortly.

    About VBS_LOVELETTER

    This computer worm, once executed will modify the registry and will drop files for it to spread. It replicates using Microsoft Outlook by sending an email with an attachment file "LOVE-LETTER-FOR-YOU.TXT.vbs" to ALL email addresses listed in the address list. It will also propagate using mIRC by modifying the "script.ini". After connecting to a chat server using mIRC, the virus will initiate a dcc send to all the users in the current channel and send a copy of itself. It has also the capability to infect files with specific extensions.  The worm will search for files with the following extensions. When it finds one, it will overwrite the whole file with its virus codes and change the filename to <filename.extension> + .vbs. This subsequently destroys the original file.

    .vbs
    .vbe
    .js
    .jse
    .css
    .wsh
    .sct
    .hta
    .jpg
    .jpeg
    .mp3
    .mp2

    How to reduce risk of infection

    Trend Micro cautions users to be wary of opening email attachments with the subject line reading "ILOVEYOU" with a phrase in the message body reading "kindly check the attached LOVE LETTER coming from me" - even if they recognise the name of the person sending the message, since this is how the virus is spread.  Savvy users can create a rule in Outlook to delete emails with the mentioned text in the subject line or the body of the message.
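    The filtering advice repeated across these alerts can be expressed as one rule set: block the LOVE-LETTER-FOR-YOU.TXT.vbs attachment and ILOVEYOU subject (SARC, Groupshield, Trend), block .VBS attachments outright (the NewLove alert), treat hidden double extensions such as LIFE_STAGES.TXT.SHS or SexxxyMovie.mpeg.exe as hostile, and catch the NewLove pairing of an "FW: name.ext" subject with a name.ext.vbs attachment. The Python script below is an added example written for this page, not code from NH&A or any vendor quoted here. The sample messages it builds are constructed, and the list of executable extensions beyond those the alerts name is our assumption about what a Windows PC of the period would run.

```python
"""Mail gateway attachment/subject filter for the worms described on this page.

Added example (standard library only). Three rule families:
  1. exact indicators quoted in the alerts (subjects and attachment names);
  2. any attachment whose final extension is a program or script type;
  3. the NewLove pairing: subject "FW: X" carrying an attachment "X.vbs".
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions that run as programs or scripts on a Windows PC of the period.
# vbs/vbe/js/jse/wsh/sct/hta (Love Letter), shs (Stages), exe (SubSeven,
# Pretty Park) and pif/bat (BAT911) come from the alerts; com and scr are
# added here as an assumption.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta",
                   "shs", "exe", "pif", "bat", "com", "scr"}

# Exact indicators quoted in the alerts (compared lower-cased).
BLOCKED_SUBJECTS = {"iloveyou"}
BLOCKED_SUBJECT_PREFIXES = ("resume - janet simons",)
BLOCKED_ATTACHMENTS = {"love-letter-for-you.txt.vbs", "explorer.doc",
                       "pretty park.exe", "life_stages.txt.shs"}


def attachment_verdict(filename):
    """Return a reason to block this attachment name, or None if it passes."""
    name = filename.strip().lower()
    if name in BLOCKED_ATTACHMENTS:
        return "known worm attachment name: " + filename
    parts = name.split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3:
            # e.g. report.doc.vbs: the real type is the last part, which a
            # default Windows install hides from the user
            return "double extension hides executable type: " + filename
        return "executable attachment type ." + parts[-1] + ": " + filename
    return None


def message_verdicts(raw):
    """Apply subject and attachment rules to one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip()
    lowered = subject.lower()
    if lowered in BLOCKED_SUBJECTS or lowered.startswith(BLOCKED_SUBJECT_PREFIXES):
        reasons.append("known worm subject: " + subject)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    for fn in names:
        verdict = attachment_verdict(fn)
        if verdict:
            reasons.append(verdict)
    # NewLove pairing: subject "FW: song.mp3" with attachment "song.mp3.vbs"
    fw = re.match(r"fw:\s*(.+)$", lowered)
    if fw and any(n.lower() == fw.group(1).strip() + ".vbs" for n in names):
        reasons.append("NewLove-style subject/attachment pairing: " + subject)
    return reasons


def build_sample(subject, body, attachment_name, payload=b"constructed"):
    """Constructed test message: a text body plus one binary attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("ILOVEYOU", "kindly check the attached LOVELETTER coming from me.",
         "LOVE-LETTER-FOR-YOU.TXT.vbs"),
        ("FW: song.mp3", "", "song.mp3.vbs"),
        ("Q3 figures", "see attached", "quarterly.xls"),
    ]
    for subj, body, att in samples:
        print(subj, "->", message_verdicts(build_sample(subj, body, att)) or ["pass"])
```

    Rule 2 is the one with lasting value: the exact names in rule 1 change with every variant, while a .vbs or double-extension attachment is almost never legitimate business mail, which is why the NewLove alert recommends blocking the extension rather than chasing names.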

    -------------------------------

    To disable VBScripts entirely:

    "Love-you-letter" virus is a VBScript. VBScript is installed by default
    by IE 5.0 and higher. I'm not sure about other software, but IE 4.0 and
    Office 97 for sure do not install VBScript.

    Before the antivirus companies provide new signatures, and if your users
    do not need to run VBScripts, here is how to disable running ANY
    VBscripts:

    1) with REGEDIT, browse to HKEY_CLASSES_ROOT\VBSFile\ScriptEngine
    2) Change the entry "VBScript" to anything you want, e.g. "abc"

    Now, when opening a VBS file, an error message will pop up:
    "Windows Scripting Host: Can't find script engine "abc" for script
    "C:\...\...\my.vbs".

    If you are administrator of Windows NT/95/98 Network, you can implement
    this automatically via login script (for NT the user should have
    "write" rights for the respective registry key).

    The good part of this solution is that if your users do not need to run
    any VBScripts, you will not have a problem in the future with new
    VBS-viruses :-)

    ---------------------------------

    • April 2000 - BAT911
      Aliases: BAT.Chode.Worm, Chode, ForeSkin, 911 Share Virus

      Description:
      BAT911 uses multiple BAT files and some system programs to spread itself through an internet connection. It searches through a range of IP addresses of known ISPs to find an accessible computer. If an accessible computer has a shared drive that is not password protected, the worm checks for the presence of the file C:\WINDOWS\WIN.COM. If such a file is present, it assumes the shared drive is the C drive of the other computer.

      Once the worm finds an accessible shared drive, it will do a quick test to see if the drive is the C drive. If it is the C drive, it will map the shared drive.

      After mapping the drive, it makes sure that it hasn't infected this mapped drive. While performing the check, it also searches and removes VBS.Network, a worm that uses VBS script. Then, it verifies the writability of the drive, and proceeds to copy its files to the other computer.

      Payload:
      It adds the following:

      • a call to a batch file that dials 911 using the computer's modem, added to C:\AUTOEXEC.BAT. This modification is done one time out of five.
      • ashield.pif into the Program-StartUp of the infected machine. This PIF file hides the worm when it is launched.
      • netstat.pif into the Program-StartUp of the infected machine. This PIF file hides the netstat utility that it uses.
      • winsock.vbs into the Program-StartUp of the infected machine. This VBS carries its payload.
      • Log the infection in the file C:\PROGRAM FILES\chode\chode.txt of the source computer

      WINSOCK.VBS is launched when Windows starts on an infected computer. On the 19th of the month, this VBS script deletes files from the following directories:

      • C:\windows
      • C:\windows\system
      • C:\windows\command
      • C:\

      Repair Notes

      • Delete the C:\Program Files\Chode directory.
      • Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\ASHIELD.PIF
      • Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NETSTAT.PIF
      • Delete C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINSOCK.VBS
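The repair notes above as a checkable routine, added here as an example and not part of the original alert: a Python script that looks for the BAT911 files and directory the notes name under a drive root, reports them, and removes them. It only covers the indicators the alert lists; the AUTOEXEC.BAT change is not checked because the alert does not name the batch file it calls. The sample directory tree is constructed inside the script.

```python
"""Check a drive root for the BAT911 artifacts named in the repair notes and
remove them. Added example, not from the original alert. The artifact list
contains only the files and directory the alert names; the AUTOEXEC.BAT
modification is not checked because the alert does not name the batch file."""
import os
import shutil
import tempfile

# Paths relative to the drive root, as the repair notes spell them.
STARTUP_DIR = os.path.join("WINDOWS", "START MENU", "PROGRAMS", "STARTUP")
BAT911_FILES = [
    os.path.join(STARTUP_DIR, "ASHIELD.PIF"),   # hides the worm when launched
    os.path.join(STARTUP_DIR, "NETSTAT.PIF"),   # hides the netstat it runs
    os.path.join(STARTUP_DIR, "WINSOCK.VBS"),   # the 19th-of-month payload
]
BAT911_DIRS = [os.path.join("Program Files", "Chode")]   # holds the chode.txt log


def _resolve_ci(root, relpath):
    """Resolve relpath under root ignoring case. FAT is case-insensitive, but a
    drive image mounted on Linux is not, so a literal join would miss files."""
    current = root
    for part in relpath.split(os.sep):
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def find_bat911_artifacts(root):
    """Return absolute paths of the BAT911 files and directory present under root."""
    found = []
    for rel in BAT911_FILES + BAT911_DIRS:
        path = _resolve_ci(root, rel)
        if path is not None:
            found.append(path)
    return found


def remove_bat911_artifacts(root):
    """Delete everything find_bat911_artifacts reports; return the removed paths."""
    removed = []
    for path in find_bat911_artifacts(root):
        if os.path.isdir(path):
            shutil.rmtree(path)
        else:
            os.remove(path)
        removed.append(path)
    return removed


def make_constructed_sample():
    """Build a throwaway directory tree that mimics an infected C: drive
    (constructed for the example, not a real capture) and return its root."""
    root = tempfile.mkdtemp(prefix="bat911_")
    startup = os.path.join(root, "windows", "start menu", "programs", "startup")
    os.makedirs(startup)
    for name in ("winsock.vbs", "ashield.pif", "netstat.pif"):
        open(os.path.join(startup, name), "w").close()
    log_dir = os.path.join(root, "program files", "chode")
    os.makedirs(log_dir)
    with open(os.path.join(log_dir, "chode.txt"), "w") as fh:
        fh.write("constructed sample log line\n")
    return root


if __name__ == "__main__":
    sample = make_constructed_sample()
    print("found:", find_bat911_artifacts(sample))
    print("removed:", remove_bat911_artifacts(sample))
    print("after cleanup:", find_bat911_artifacts(sample))
    shutil.rmtree(sample)
```

Run `find_bat911_artifacts` first and review the list before calling `remove_bat911_artifacts`; on a live machine the root is `C:\`, on a drive image it is the mount point.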

      More Information:
      http://www.cnn.com/2000/TECH/computing/04/03/911.virus/index.html
      http://www.msnbc.com/news/390119.asp
      http://www.fbi.gov/nipc/advis00-038.htm
      http://news.cnet.com/news/0-1005-200-1623077.html?tag=st.cn.1.
      http://www.sarc.com/avcenter/venc/data/bat.chode.worm.html
      http://vil.nai.com/vil/wm98557.asp
      http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=BAT_CHODE911
      http://www.f-secure.com/news/2000/20000402.html
      http://www.sophos.com/virusinfo/analyses/911a.html

    • March 2000 - W32/Pretty.worm.unp
      Aliases: I-Worm.Prettypark.unp, Pretty Park.exe, Southpark Trojan

      Description:
      This is the unpacked edition of the originally packed "W32/Pretty.worm" Internet worm.*  This is an Internet worm that installs on Windows 9x/NT systems. It arrives via email from affected users who have also run this Internet worm. It appears as an icon of a character from the animated comedy series "Southpark". Emails containing this Internet worm have this format:
      -------------
      Subject: C:\CoolProgs\Pretty Park.exe
      Test: Pretty Park.exe :)
      -------------
      Attached is the file "Pretty park.exe" and in some cases "Pretty~1.exe".

      This worm will try to email itself automatically every 30 minutes to all email addresses listed in the Windows address book associated with Outlook Express.

      A second function of this worm is that it will also try to connect to an IRC server and join a specific IRC channel. While connected, this worm tries to stay connected by sending information to the IRC server, and will also retrieve any commands from the IRC channel. While on the determined IRC server, the author of this worm could use the connection as a remote access trojan in order to get information such as the computer name, registered owner, registered organization, system root path, and Dial Up Networking username and passwords.

      Removal Instructions:
      On the Windows taskbar, click Start > Run. Type REGEDIT, then click OK. Modify the following registry value:
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
      and change
      files32.vxd "%1" %*   to   "%1" %*

      For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.

      Remove references to the trojan from these registry keys:

      HKEY_CLASSES_ROOT\exefile\shell\open\command\
      HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command\
      HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

      They should contain only the value "%1" %* (without brackets).

      If applicable, remove any keys that run the main trojan under

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

      If applicable, delete the following registry key if it exists:

      HKEY_CLASSES_ROOT\.dl

      Then exit Regedit.

      If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.

      If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.

      Delete the PrettyPark.exe file. Restart your computer.
      Delete the \Windows\System\Files32.vxd file.
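The registry checks in the removal steps above, as an added example that is not part of the original alert: a Python script that parses a `regedit` export (REGEDIT4 text), reports whether the exefile `shell\open\command` keys hold exactly `"%1" %*`, flags Run/RunServices entries that reference the names the alert gives, and produces the REGEDIT4 text that restores the clean command value. The two sample exports are constructed for the example, not captured from a real machine, and the `Loader` entry in the infected sample is a made-up value name.

```python
"""Audit a regedit export (REGEDIT4 text) for the Pretty Park persistence the
removal steps above undo, and produce the REGEDIT4 text that restores the
exefile command value. Added example, not from the original alert; the
sample exports below are constructed, not captured from a real machine."""
import re

CLEAN_EXEFILE_COMMAND = '"%1" %*'   # the seven characters the alert spells out

# Key paths named in the alert; compared case-insensitively, no trailing backslash.
EXEFILE_COMMAND_KEYS = [
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
]
AUTORUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
TROJAN_MARKERS = ("files32.vxd", "pretty park", "pretty~1")   # names from the alert

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse REGEDIT4 export text into {key_lowercase: {name: value}}.
    Only string values are decoded; "(default)" holds the key's @ value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\").lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue   # binary/dword values and anything else are skipped
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        value = m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def audit_pretty_park(export_text):
    """Return a list of findings; an empty list means the checked keys look clean."""
    keys = parse_reg_export(export_text)
    findings = []
    for key in EXEFILE_COMMAND_KEYS:
        values = keys.get(key.lower())
        if values is None:
            continue
        cmd = values.get("(default)", "")
        if cmd != CLEAN_EXEFILE_COMMAND:
            findings.append("%s default is %r, expected %r" % (key, cmd, CLEAN_EXEFILE_COMMAND))
    for key in AUTORUN_KEYS:
        for name, value in keys.get(key.lower(), {}).items():
            if any(marker in value.lower() for marker in TROJAN_MARKERS):
                findings.append("%s\\%s runs %r" % (key, name, value))
    return findings


def restore_exefile_command_reg():
    """REGEDIT4 text resetting both exefile command keys to "%1" %*; import
    it with regedit /S. The doubled % signs are only Python formatting."""
    body = "".join('[%s]\r\n@="\\"%%1\\" %%*"\r\n\r\n' % k for k in EXEFILE_COMMAND_KEYS)
    return "REGEDIT4\r\n\r\n" + body


# Constructed sample exports (not real captures): one infected, one clean.
SAMPLE_INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Loader"="C:\\CoolProgs\\Pretty Park.exe"
'''

SAMPLE_CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

if __name__ == "__main__":
    for finding in audit_pretty_park(SAMPLE_INFECTED_EXPORT):
        print("FINDING:", finding)
    print("clean export findings:", audit_pretty_park(SAMPLE_CLEAN_EXPORT))
```

Export the keys with `regedit /E` on the suspect machine, run `audit_pretty_park` on the file, and only then import the text from `restore_exefile_command_reg`; restoring the exefile command first matters because, as the steps above imply, while the value is hijacked every .exe launched (including an antivirus scanner) goes through files32.vxd.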

      More information:
      http://www.sarc.com/avcenter/venc/data/prettypark.worm.html
      http://vil.nai.com/vil/wm98500.asp
      http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PRETTY_PARK
      http://www.msnbc.com/news/377284.asp

    • February 2000 - Distributed Denial of Service (DDoS) attacks

    Recently there have been highly publicized reports of Denial of Service (DoS) attacks on major Internet web sites, including Amazon, Yahoo, eBay, E-Trade, CNN, ZDNET and others. These web sites have been brought to a crawl, and some have been taken offline for hours while the problems were worked on. Most of us in the computer business already know about this. Nevertheless, we felt compelled to issue this basic information about DoS attacks and to make sure you are aware of the solutions we provide to prevent this and other security breaches.

    Companies should also be concerned about the possibility (see http://www.zdnet.com/pcweek/stories/news/0,4153,2436607,00.html for example) that they may be liable for their computers' actions if they unwittingly participate in a distributed DoS attack.
