Includes info on:
WORM_KLEZ.G (Medium Risk)
X97M.Divi.O
ABAP.Rivpas.A - Also Known As: SAP.VSoft.A, SAP.Willi.A, ABAP/Rivpas
VBS.Resreg@mm - Also Known As: VBS.Resreg
VBS.Chick.C@mm - Also Known As: VBS.Breetnee.C
W32.Klez.E@mm

 

*NEW* April 19th, 2002

Mass-mailing Worm - WORM_KLEZ.G (Medium Risk)

This memory-resident variant of the WORM_KLEZ.A mass-mailing worm uses SMTP to propagate via email. The subject line of the email it arrives with is randomly selected from a long list of possible choices. This worm is capable of spreading via shared drives/folders with read/write access. To accomplish this, it enumerates all shared resources in the network. For shared folders with read/write access, it copies itself to files with randomly generated filenames.

Upon execution, this worm drops files and creates an entry in the AutoRun key of the system registry. It then drops a randomly named file in the Program Files directory (usually C:\Program Files) that is approximately 10KB in size, and is capable of infecting files in network shared folders and disabling system file protection. Trend Micro detects this program as PE_ELKERN.D.

The worm also disables the running processes, and occasionally deletes the executable files, of programs associated with several popular antivirus products.

This worm does not execute on the Windows NT platform.

WORM_KLEZ.G is detected and cleaned by Trend Micro pattern file #265 and above.

For additional information about WORM_KLEZ.G, please visit Trend Micro at: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.G

********************************************************

*NEW* April 15th, 2002

X97M.Divi.O

X97M.Divi.O is a standard Microsoft Excel macro virus. The virus replicates when a workbook is opened.

Type: Macro
Infection Length: one VBS module

When X97M.Divi.O is executed, it drops a copy of its viral code as the file \XLStart\ErisH.xls. This ensures that the virus is loaded whenever you start Excel.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP client, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, and .src files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

******************************************************

*NEW* April 14th, 2002

ABAP.Rivpas.A

ABAP.Rivpas.A is a proof-of-concept virus. It was written to replicate using the Advanced Business Application Programming scripting language. The sample that we have received will not replicate in its current form, and thus is purely an intended virus.

Also Known As: SAP.VSoft.A, SAP.Willi.A, ABAP/Rivpas
Type: Virus
Infection Length: 1,380 bytes

No additional information available at this time. Symantec Security Response will update this write-up if/when more information is available.


*****************************************************

*NEW* April 11th, 2002

VBS.Resreg@mm

VBS.Resreg@mm is an Internet worm that is written in VBScript. It uses Microsoft Outlook to spread as the attachment Freemp3s.vbs.

Also Known As: VBS.Resreg
Type: Worm
Infection Length: 2,417 bytes

VBS.Resreg@mm arrives in the following format:

Subject: Free Access To Thousands Of MP3

Message:
-------------- Trend Micro Online Scanner ----------------
The attached file doesn't contain any malicious routines
-------------------------------------------------------------------

Attachment: Freemp3s.vbs

If the attachment is run, it does the following:

It copies itself to the root of drive C as Freemp3s.vbs.

Next it uses Microsoft Outlook to send itself to the first 101 recipients in the address book, in the format shown above.

It then deletes Freemp3s.vbs.

VBS.Resreg@mm has a type of "backup and recovery" mechanism that it can use to reinstall itself. The script writes 4695 bytes, the hex equivalent of Freemp3s.vbs, into a registry key that it creates:

HKEY_LOCAL_MACHINE\Alcopaul

VBS.Resreg@mm creates the VBScript decoder file Excel.vbs. It also modifies the registry so that Excel.vbs is executed if any other .vbs file is executed. It does this by changing the Value Data of the (Default) value from

"%1" /S

to

wscript.exe c:\excel.vbs

in the registry key

HKEY_CLASSES_ROOT\scrfile\shell\open\command\

When Excel.vbs is run, it recreates the mass-mailing script by reading the data from the Alcopaul registry key, writes a script as C:\Registry.vbs, executes the script, and then deletes the Registry.vbs file.
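The association hijack described above (the (Default) value under HKEY_CLASSES_ROOT\scrfile\shell\open\command rewritten from "%1" /S to wscript.exe c:\excel.vbs) can be checked for directly. This is an added example, not code from the page or from Symantec; the classification rules and the sample values are assumptions, and the live registry read only runs on Windows.

```python
r"""Flag a shell\open\command handler that no longer launches the file the
user double-clicked. Added example; rules and sample values are assumptions."""
import re
import sys

KEY = r"HKEY_CLASSES_ROOT\scrfile\shell\open\command"
# Expected default handler for this key, as quoted in the write-up.
EXPECTED = {KEY: '"%1" /S'}
SCRIPT_HOST = re.compile(r"\b(wscript|cscript)\.exe\b", re.IGNORECASE)


def classify_command(key, value):
    """Return (status, reason) for one open-command default value."""
    value = value.strip()
    if EXPECTED.get(key) == value:
        return "ok", "matches the expected default"
    if "%1" not in value:
        # The double-clicked file no longer appears on the command line:
        # every launch runs whatever the key now points at instead.
        return "hijacked", "%1 placeholder gone; handler replaced outright"
    if SCRIPT_HOST.search(value):
        return "suspicious", "script host inserted in front of the file"
    return "changed", "differs from the expected default"


def read_live_command(key):
    """Read the key's (Default) value from the registry; Windows only."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, but only present on Windows
    root, _, sub = key.partition("\\")
    with winreg.OpenKey(getattr(winreg, root), sub) as handle:
        return winreg.QueryValue(handle, None)


# Constructed values: the clean default and the one the worm writes.
SAMPLES = {"clean": '"%1" /S', "resreg": r"wscript.exe c:\excel.vbs"}

if __name__ == "__main__":
    live = read_live_command(KEY)
    if live is not None:
        SAMPLES["live"] = live
    for label, value in SAMPLES.items():
        status, reason = classify_command(KEY, value)
        print(f"{label:7} {status:10} {value!r}: {reason}")
```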


*note* for removal instructions see your own anti-virus program's website.

****************************************************

*NEW* April 10th, 2002

VBS.Chick.C@mm

VBS.Chick.C@mm is a variant of the VBS.Chick@mm family. In this variant, the file that is distributed is Shakira.chm. The single sample that was received by Symantec Security Response originated in Chile.

Also Known As: VBS.Breetnee.C
Type: Worm

Technical Details:
As with the previous two variants, this threat is in Compiled HTML Help file (.chm) format. The .chm file may be received either by IRC or by email as the file Shakira.chm.

If the threat is opened on a vulnerable system, it will open as an HTML help file and display the following message:

Permite Active X para ver el nuevo video de SHAKIRA Kuasanagui inc.

Gratis nuevo video de SHAKIRA !!!!

VBS.Breetnee.C copies itself to the \Windows folder and then attempts to send itself using Microsoft Outlook to the first contact in the address book. The email is formatted as follows:

Subject: ¡Nuevo video de SHAKIRA!
Message: Hola He visto el nuevo video de Shakira y me he enamorado de ella. Esta hermosa mujer es hermosa, es impactante me ha hecho suspirar y quiero que igual que yo compartas esta emoción. Disfrutalo.

If mIRC is installed in the C:\Mirc folder, this threat attempts to modify the Script.ini file in an effort to distribute itself when you join an IRC channel.


1. Obtain the most recent virus definitions. There are two ways to do this:

Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.

Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.

3. Run a full system scan.

4. Delete all files that are detected as VBS.Chick.C@mm.

*NOTE* It is advisable that you read the following page "vbs.chick.c@mm" as it has diagrams of what will come up so you are aware if you have opened this virus!

***************************************************

*NEW* W32.Klez.E@mm - January 17th, 2002

W32.Klez.E@mm

*NOTE* always see your own anti-virus program's website for removal instructions. This one can be tricky to remove and may involve going to your system's registry. DO NOT attempt that if you do not have a lot of knowledge. I suggest you take your computer in to a certified repair service for this. If you are not VERY familiar and at ease with the system registry you can kill your computer in one easy shot. Then you won't have to worry about the virus.

Due to an increased rate of submissions, Symantec Security Response is upgrading the threat level for W32.Klez.E@mm from level 2 to level 3 as of March 6, 2002.

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.

The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.

Type: Virus, Worm

When the worm is executed, it copies itself to %System%\Wink[random characters].exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

Wink[random characters] %System%\Wink[random characters].exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT

The worm copies itself to local, mapped, and network drives as:

A random file name with a double extension. For example, filename.txt.exe.
A .rar archive with a double extension. For example, filename.txt.rar.

In addition, the worm searches the Windows address book, the ICQ database, and local files (such as .html and text files) for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The from address is randomly chosen from email addresses that the worm finds on the infected computer.

NOTES:
Because this worm does use a randomly chosen address that it finds on an infected computer as the "From:" address, numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.

There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.
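The point of the notes above is that the "From:" line is whatever the worm chose, while the Received: headers are written by each relay the message actually passed through. The following added example (not code from the page or from Symantec) parses a constructed message shaped like the fake postmaster bounce described above and shows that the earliest relay does not belong to the domain the "From:" line claims; the hostnames and addresses in the sample are constructed placeholders, and the blocked-extension list is the one from the best-practices text.

```python
"""Compare a message's claimed From: domain with the host named in its
earliest Received: header. Added example; the sample message is constructed."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: a fake bounce from "our own" postmaster carrying a
# double-extension attachment, entering via an outside dial-up host.
SAMPLE = """\
Received: from mail.anyplace.com (mail.anyplace.com [192.0.2.10])
\tby mbox.anyplace.com; Wed, 6 Mar 2002 10:02:11 -0500
Received: from dialup-77.example.net (dialup-77.example.net [198.51.100.77])
\tby mail.anyplace.com; Wed, 6 Mar 2002 10:02:09 -0500
From: postmaster@anyplace.com
To: jsmith@anyplace.com
Subject: Undeliverable mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: application/octet-stream; name="report.txt.exe"
Content-Disposition: attachment; filename="report.txt.exe"

MZ...
--b1--
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BLOCKED_EXT = {".vbs", ".bat", ".exe", ".src"}  # as listed in the best practices


def originating_host(msg):
    """Host in the earliest Received: header; relays prepend, so it is last."""
    for header in reversed(msg.get_all("Received") or []):
        m = RECEIVED_FROM.match(header.strip())
        if m:
            return m.group(1).lower()
    return None


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def blocked_attachments(msg):
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [n for n in names if "." + n.lower().rsplit(".", 1)[-1] in BLOCKED_EXT]


def assess(raw):
    msg = message_from_string(raw)
    claimed = domain_of(msg["From"])
    origin = originating_host(msg)
    # A real bounce from our own postmaster enters from our own mail host.
    mismatch = origin is not None and origin != claimed and not origin.endswith("." + claimed)
    return {"from_domain": claimed, "origin": origin,
            "from_mismatch": mismatch, "blocked_attachments": blocked_attachments(msg)}


if __name__ == "__main__":
    print(assess(SAMPLE))
```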

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm also infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

The worm also drops the virus W32.Elkern.3587 as the file %System%\wqk.exe and executes it.

Finally, the worm has a payload. On the 6th of every odd numbered month (except January or July), the worm attempts to overwrite with zeroes files that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, this payload attempts to overwrite all files with zeroes, not just those with the aforementioned extensions.

 ***********************************************

 


If you can't find what you want the Virus info you are looking for may be in my Virus Archives Page 10.



© vjr All Rights reserved.