Virus Name: W32.Maldal.C@mm
Discovered on: December 19, 2001
About the virus: W32.Maldal.C@mm is a mass-mailing worm that is written in Visual Basic. The worm uses Microsoft Outlook to spread its infection. It also modifies your Internet Explorer home page.
Also Known As: W32.Zacker.C@mm, W32.Reeezak.A@mm
General Information:
A new mass-mailer worm that offers New Year's greetings and what appears to be a Christmas related animation but actually attempts to delete large portions of the Windows operating system was spreading in Europe today, according to a virus alert by Computer Associates International Inc.
The worm, called Reeezak, appears in in-boxes with the subject line "Hi" and a message that reads "I can't describe my feelings, but all I can say is Happy New Year :-) Bye."
An attachment called Christmas.exe accompanies the e-mail and appears to be a Macromedia Inc. Flash animation. When the attachment is double-clicked, the worm sends itself to all addresses listed in the user's address book, tries to delete all the files in the Windows directory, and disables some keys on the keyboard. The worm only affects users of Microsoft Corp.'s Outlook or Outlook Express e-mail clients.
For more information go to:
http://securityresponse.symantec.com/avcenter/venc/data/w32.maldal.c@mm.html
B-W Information Technology Virus Detection and Prevention Tips
1) Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.
2) Do not open any files attached to an email unless you know what it is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through email. Better safe than sorry: confirm that the sender really sent it.
3) Do not open any files attached to an email if the subject line is questionable or unexpected. If you must open one, always save the file to your hard drive before doing so.
4) Delete chain emails and junk email. Do not forward or reply to them. These types of email are considered spam: unsolicited, intrusive mail that clogs up the network.
5) Do not download any files from unknown sites.
6) Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all or download the file to a floppy and test it with your own anti-virus software.
7) Update your anti-virus software regularly. Over 500 viruses are discovered each month, so you'll want to be protected. These updates should include at the least the product's virus signature files. For more information contact the helpdesk.
8) Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy. You should store your backup copy in a separate location from your work files, one that is preferably not on your computer.
9) When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments. Not executing is the more important of these caveats. Check with your product vendors for updates, including those for your operating system, web browser, and e-mail client.
10) If you are in doubt about any potential virus-related situation you find yourself in, call the helpdesk at x7000 to report a virus or click here.
*************************************************************
Virus Name: W32/Goner@MM
Risk Assessment: High
Date Discovered: 12/4/2001
Date Added: 12/4/2001
Origin: Unknown
Length: 38,912
Type: Virus
SubType: Internet Worm
DAT Required: 4174
Virus Characteristics:
This mass-mailing worm attempts to send itself using Microsoft Outlook to all entries found in the Outlook Address Book. It also uses ICQ to spread. It arrives in an email message containing the following information:
Subject: Hi
Body: How are you ?
When I saw this screen saver, I immediately thought about you. I am in a harry, I promise you will love it!
Attachment: GONE.SCR
Running this attachment infects the local system.
When run, the worm displays a message box entitled "About".
After a short time another window entitled "Error" is displayed.
The worm copies itself into the SYSTEM subfolder of %WinDir% and adds the following registry value so that it is started at boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\C:\%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR%\SYSTEM\gone.scr
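As an added example (not part of this bulletin or of any vendor's tooling), the Python below scans a Windows registry export for the Run-key persistence pattern described above: a value whose command launches a screen saver from the system directory and whose value name is itself a full path. The export text and the heuristics are constructed assumptions, not a real capture.

```python
# Added example: flag Run-key entries that match the W32/Goner@MM persistence
# pattern in a .reg export. The sample export below is constructed.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export (regedit doubles backslashes inside quoted values).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"C:\\WINDOWS\\SYSTEM\\gone.scr"="C:\\WINDOWS\\SYSTEM\\gone.scr"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

# One quoted "name"="value" line; the groups allow escaped characters.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def run_entries(reg_text):
    """Yield (name, command) pairs found under the Run key of a .reg export."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or section.lower() != RUN_KEY.lower():
            continue
        m = _VALUE_LINE.match(line)
        if m:
            # Undo the .reg double-backslash escaping.
            yield m.group(1).replace("\\\\", "\\"), m.group(2).replace("\\\\", "\\")


def suspicious_run_entries(reg_text):
    """Return (name, command, reasons) for entries matching the Goner pattern."""
    findings = []
    for name, cmd in run_entries(reg_text):
        reasons = []
        # A .scr launched straight from SYSTEM/SYSTEM32 at boot is unusual.
        if re.search(r"\\system(32)?\\[^\\]+\.scr$", cmd.lower().strip()):
            reasons.append("screen saver launched from system directory")
        # Legitimate Run values have a short name, not a drive path.
        if re.match(r"^[a-z]:\\", name.lower()):
            reasons.append("value name is a file path")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, why in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{name} -> {cmd}: {'; '.join(why)}")
```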
The worm looks for the following processes in memory:
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallICON.EXE
FRW.EXE
VSHWIN32.EXE
NAVW32.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
Method Of Infection:
This mass-mailing worm sends itself to all users found in the Outlook Address Book using a plain-text message format. Therefore, the attachment does not start automatically when the user opens the message and is not activated automatically when the Outlook preview pane is used.
Aliases:
I-Worm.Goner (AVP), W32.Goner.A@mm (NAV), W32/Goner-A (Sophos), W32/Goner.A@mm (Panda), Win32.Goner.A@mm (AVX)
Virus Name: Vote Virus
How It Appears:
The virus appears with the subject line: "Peace between America and Islam!" and the body of the e-mail reads: "Hi. Is it a war against America or Islam!? Let's vote to live in peace!"
Attachment:
WTC.exe
What It Does:
The virus deletes all the files on the computer's hard drive and sends copies of the original e-mail message to every address listed in the computer's address book. The virus also defaces any Web pages that are hosted by an infected computer to read: "America...few days will show you what we can do!!! It's our turn Zaker is so sorry for you."
Virus Name: Nimda
How it may arrive in your inbox:
"Nimda" may masquerade as a sound or .wav file. When a user opens the underlying file, called readme.exe, the program opens the computer's hard drive, allowing the computer to be accessed by third parties via the Internet, explained Dan Ingevaldson, of Internet Security Systems. The worm can also e-mail itself to everyone in the user's computer-based address book. Ingevaldson said experts are still trying to determine whether the worm directly harms hard drives.
Description:
This threat can infect all unprotected users of Win9x/NT/2000/ME. This is a HIGH RISK virus that is spread via email. The infected email can come from addresses that you recognize. W32/Nimda@MM also spreads via open shares, the Microsoft Web Folder Traversal vulnerability (also used by W32/CodeBlue), and a Microsoft content-type spoofing vulnerability. The email attachment name varies and may use the icon for an Internet Explorer HTML document.
What it does to your computer:
It attempts to create a share (c:), and checks for the presence of the Trojan dropped by the W32/CodeRed.c worm. It will attempt to spread itself as follows: The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus when a message is accessed, the attachment can be executed even if the user does not open it and without the user's knowledge.
It adds JavaScript code to HTML documents, which opens a new browser window containing the infectious email message itself (taken from the dropped file README.EML). When this infected window is accessed (locally or remotely), the machine viewing the page is then infected.
Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.
It creates a SYSTEM.INI entry to load the worm at startup:
Shell=explorer.exe load.exe -dontrunold
A MIME-encoded version of the worm is created in each folder on the drive (often as README.EML, but .NWS files are also used). Certain executable files are selected by the worm and altered.
Even when an attack isn't successful, the worm's scanning process slows down the Internet for many users and can knock Web sites or entire networks offline.
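The content-type spoofing described above, where a message declares audio/x-wav but carries an executable attachment, can be checked for at the mail gateway. The Python below is an added example (not from the bulletin or any vendor) that parses a constructed sample message with the standard library and reports parts whose filename or payload is executable regardless of the declared type.

```python
# Added example, not part of the original bulletin: flag MIME parts whose
# declared Content-Type (e.g. audio/x-wav) masks executable content, the
# spoofing trick the Nimda description attributes to the worm's mail.
import email
from email import policy

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

# Constructed sample message shaped like the description; not a real capture.
# The attachment body is base64 for the bytes "MZ\x00\x00" (a DOS/PE header).
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>hello</body></html>
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVoAAA==
--b1--
"""


def suspicious_parts(raw):
    """Return (filename, declared type, reasons) for every leaf part whose
    filename or decoded payload indicates an executable, whatever it claims."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if fname.lower().endswith(EXEC_EXTS):
            reasons.append("executable filename")
        if payload[:2] == b"MZ":  # DOS/PE executable magic
            reasons.append("MZ header")
        if reasons:
            findings.append((fname, part.get_content_type(), ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for fname, ctype, why in suspicious_parts(SAMPLE_MESSAGE):
        print(f"{fname!r} declared as {ctype}: {why}")
```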
