Viruses; Nasty Pain In the Butt! #3
From: NORTON ANTIVIRUS EMERGENCY NEWS BULLETIN
If you would like to subscribe to other Symantec newsletters, please
visit the following web site and follow the appropriate instructions:
http://www.symantec.com/techsupp/bulletin/index.html
W32.Mypics.Worm is a new, destructive Y2K worm virus. It comes into your system as an email attachment disguised as a picture. The worm propagates automatically on Windows 9x and Windows NT platforms and has a destructive payload that triggers in the year 2000. It also changes the Home page in Internet Explorer to a site containing adult content.
*** THIS VIRUS SHOULD BE CONSIDERED DANGEROUS!
Do NOT open an email attachment named Pics4You.exe. ***
To ensure that your system is protected against this new virus, you must update your detection definitions.
*** Monitor the site
http://www.symantec.com/techsupp/vURL.cgi/nav23
for notice when the virus definitions have been updated and for full details on this destructive virus. ***
W32/MYPICS.WORM Y2K VIRUS DESCRIPTION:
* A new, destructive Y2K virus has been discovered that disguises itself as a Y2K problem. W32/Mypics.worm is a computer worm that is received as an email attachment disguised as a picture.
* Once it infects the host computer it attempts to send itself using Microsoft Outlook to up to 50 people in the users’ Microsoft Outlook address book. It also changes the Home page in Internet Explorer to a site containing adult content.
* Additionally, on Jan. 1, 2000, the worm will overwrite the checksum data in the host computer's CMOS memory, so when the system is rebooted the user will think that there may be a Y2K-related problem with the computer's BIOS. Once the computer is restarted the virus will attempt to format the local hard drives and erase all data.
CHARACTERISTICS OF INFECTION:
* W32/Mypics.worm arrives in an e-mail with no subject line. The body of the message reads, "Here's some pictures for you!" The e-mail message contains a "Pics4You.exe" attachment that is approximately 34,304 bytes in size.
* Once the user opens the attachment, the worm loads itself into memory and executes by sending out copies of itself attached to e-mails addressed to up to 50 people in the user's address list.
* In addition, it modifies the system registry to load its dropped file "cbios.com" on system startup and also changes the user’s home page in Internet Explorer to
http://www.oocities.org/SiliconValley/Vista/8279/index.html
a site that contains some adult content.
* On Jan. 1, 2000, or on any day during the year 2000, the worm writes to the computer's CMOS memory to invalidate the system integrity or checksum data. The next time the system is rebooted, the user will be warned that the "CMOS checksum is invalid," making the user believe that it is a Y2K problem, not a computer worm. After validating the CMOS data the computer will continue to boot, and if the file 'cbios.com' is located in the root directory of the C drive, the virus will silently load itself and then completely reformat the D: and C: local hard drives.
VIRUS RATING:
Medium/High Risk
RECOMMENDATIONS/PROTECTION:
* Do not attempt to open the attached document.
* Download the new definitions set. This will be available late December 3, 1999, through Symantec's LiveUpdate feature or from the Symantec Web site at www.symantec.com/avcenter/download.htm. Update your anti-virus software to ensure protection against both variants.
By Eric Chien, Symantec
Detected as: W32.NewApt.Worm
Aliases: Worm.NewApt
Infection Length: 69,632 bytes
Likelihood: Common
Region Reported: Europe
Characteristics: Worm
This worm is still being analyzed. This is preliminary information. New virus definitions are currently being developed and will be posted as they become available.
Description
W32.NewApt.Worm was discovered on December 14, 1999 in Italy. This worm will email itself out when receiving email via Microsoft Outlook or Netscape Navigator. When activated the worm will display an error dialog and modify the registry so the worm is reloaded each time the computer is restarted. The error message box will appear as:
The dynamic link library giface.dll could not be found in specified path D:\SAMPLES;C:\WINDOWS\SYSTEM;C:\WINDOWS;C:\WINDOWS\COMMAND
When received by email (and if you do not have an HTML capable email client), the message body will be:
he, your lame client cant read HTML, haha. click attachment to see some stunningly HOT stuff
Otherwise, the text will read:
http://stuart.messagemates.com/index.html
Hypercool Happy Year 2000 funny programs and animations….
We attached our recent animation from this site in our mail ! Check it out!
Attached to the message will be one of the following file names: g-zilla.exe, cooler3.exe, cooler1.exe, copier.exe, video.exe, pirate.exe, goal1.exe, hog.exe, party.exe, saddam.exe, monica.exe, boss.exe, farter.exe, cheeseburst.exe, panther.exe, theobbq.exe, goal.exe, baby.exe, bboy.exe, cupid2.exe, fborfw.exe, casper.exe, irnglant.exe, or gadget.exe
The worm will add the following registry key:
HKLM/Software/Microsoft/Windows/Command/Run/tpanew
To remove the worm from memory, remove the above registry key and then restart. Delete all infected files.
For users who were curious about what would happen if their software detected a virus, some companies agreed to develop a standard, harmless file that would cause the software to display its warning message(s). You may find it in your program's documentation, referred to as the Eicar test file. You can create it by typing (or cutting and pasting) these characters in your word processor:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Be sure to save it in plain text (TXT) format with the name eicar.com. If you do this properly, you can run the file in a DOS window or double-click it in Windows. The result will be a screen message: "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" If your antivirus has been programmed to do so, it may warn you about the file, either when you run it or when you scan it. If it does, you'll know what to expect. (Note that your scanner must be programmed to recognize the Eicar test file.)
Or download it from the address below and watch your anti-virus in action. It's a good idea to do this so that if you ever do get a real virus you'll be familiar with the screen and the options you are presented with.
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/eicar/
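As an added illustration (not part of the original newsletter), the Python script below writes the 68-byte Eicar test file in binary mode and checks a file against the published EICAR definition: the signature string comes first, anything after it may only be whitespace (space, tab, CR, LF, Ctrl-Z), and the whole file is at most 128 bytes. Writing in binary mode avoids the failure the text warns about, where a word processor adds formatting bytes and the scanner no longer recognises the file. File names and sample inputs are constructed for the example.

```python
"""Write and validate the EICAR anti-virus test file.

Added example, not code from the newsletter. Implements the EICAR
test-file definition: the 68-byte signature, optionally followed by
whitespace only, with a total length of at most 128 bytes.
"""
import os
import tempfile

# The 68-byte signature published by EICAR. The backslash is doubled
# only for the Python literal; on disk it is a single byte.
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
    b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
MAX_LENGTH = 128
# Trailing bytes the definition tolerates: space, tab, CR, LF, Ctrl-Z.
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")


def is_eicar(data: bytes) -> bool:
    """Return True if `data` is a valid EICAR test file."""
    if len(data) < len(EICAR_SIGNATURE) or len(data) > MAX_LENGTH:
        return False
    if not data.startswith(EICAR_SIGNATURE):
        return False
    trailer = data[len(EICAR_SIGNATURE):]
    return all(byte in ALLOWED_TRAILER for byte in trailer)


def write_eicar(path: str) -> int:
    """Write the bare 68-byte test file to `path`; return bytes written.

    Binary mode guarantees no BOM, CRLF conversion or editor formatting
    sneaks in, which would push the file outside the definition.
    """
    with open(path, "wb") as fh:
        fh.write(EICAR_SIGNATURE)
    return len(EICAR_SIGNATURE)


def check_file(path: str) -> bool:
    """Read `path` and report whether it is a valid EICAR test file."""
    with open(path, "rb") as fh:
        return is_eicar(fh.read())


if __name__ == "__main__":
    # Demonstration in a temporary directory (constructed, nothing is kept).
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "eicar.com")
        print("wrote", write_eicar(target), "bytes to", target)
        print("valid EICAR test file:", check_file(target))
```

If a resident scanner is running, it may quarantine the temporary file as soon as it is written, which is exactly the behaviour the test file exists to demonstrate; `check_file` will then fail to open it.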
By midday (central European time) on Friday, five different versions of the VBS/LoveLetter worm had been found in the wild. Several more are expected to appear over the coming weekend.
"The Mother's Day version of this worm is quite cunning", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "The e-mail appears to be a confirmation of an order for 'Mother's Day diamond special', and the attached file mothersday.vbs is portrayed as if it were an invoice. When users get such e-mails they assume there is some mistake and will naturally open the attachment - infecting their computer. With only eight days to go until Mother's Day, this attack is quite credible."
The worm arrives in an e-mail message attachment called mothersday.vbs. On a default Windows system, the ".vbs" extension is not visible. If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global address books of the organization; these typically contain hundreds or thousands of addresses). The message looks like this:
From: Name-of-the-infected-user
To: Random-name-from-the-address-book
Subject: Mothers Day Order Confirmation
We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
Attachment: mothersday.vbs
As address books typically contain group addresses, the result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers.
In addition, this worm deletes all INI and BAT files from all drives and directories. This may leave the system in an unbootable state and might do serious damage to network files.
This variant is detected as VBS/LoveLetter.E by F-Secure Anti-Virus. Like the original version of the worm, VBS/LoveLetter.E is written in the VBScript language.
The other known variants of the worm are known as VBS/LoveLetter.A, B, C and D.
The A variant was the original LoveLetter worm.
The B variant has been modified in Lithuania, and the subject field of the sent e-mail messages is "Susitikim shi vakara kavos puodukui...", which in Lithuanian means "Let's meet this evening for a cup of coffee..."
The C variant has the subject field of "fwd: Joke" and the attachment is called "Very Funny.vbs"
The D variant is almost identical to the original LoveLetter worm. It has been modified slightly, probably to make it undetectable to some anti-virus programs.
A technical description of the worm is available in the F-Secure virus description database at:
http://www.F-Secure.com/v-descs/love.htm
Sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at:
http://www.F-Secure.com/virus-info/v-pics/
This special edition of the Office News Service is to alert you to a new e-mail virus that has the potential to affect users running Microsoft Outlook.
Last week a new virus began circulating through e-mail that has the potential to affect a wide range of e-mail users including those users running Microsoft Outlook. If run, the virus could overwrite .jpg, .mp3 and other file types, and attempt to send a copy of itself to everyone in the recipient's address book.
The e-mail containing the virus typically carries a subject line of "ILOVEYOU" (although other variants have also arisen with subject lines containing text such as Mother's Day, Joke, and Virus Alert). Inside the mail is a short text message saying "Kindly check the attached LOVELETTER coming from me" and an attachment named LOVE-LETTER-FOR-YOU.txt.vbs. If you receive this message or any of the related messages, it is important to delete the message immediately and empty it from your Deleted Items folder. It is important to note that this virus cannot run by itself. In order for it to run, the recipient must open the mail, launch the attachment by double-clicking on it, and answer "yes" to a dialogue that warns of the dangers of running untrusted programs. For more information on this virus and all other Microsoft security information, please see:
http://www.Microsoft.com/security
Below are a series of tips and best practices that can help Outlook users increase their security protection to avoid being affected by these types of viruses in the future.
1. Customers can avoid being affected by this and other viruses by following standard best practices:
++ Never run an executable from someone you don't know.
++ Always have a good-quality virus scanner.
++ Always keep the virus scanner's signature files up to date.
2. Outlook users should install the E-mail Attachment Security Update from the Office Update Web site. This update increases the security protection provided by Outlook for certain types of e-mail attachments. Once installed, this update will change the attachment dialog box when certain attachments such as executables are opened so that users see more explicit warning language and will be required to save the attachment to the file system before opening it. This update helps users avoid accidentally releasing viruses that hide in .exe files or from file extensions they are not familiar with. It is important to note that saving the attachment to the file system does not automatically remove any virus that may be present. Before opening the attachment users must scan it using an updated anti-virus software program. This update also prevents Worm viruses from spreading through the Outlook Address Book. The primary benefit of this update is to ensure users are aware of the potential security risk of attachments and to decrease the potential for viruses to be spread through the Outlook Address Book. This update is also included as part of Office 2000 SR-1.
These updates are located at:
Office 2000 Service Release 1
http://officeupdate.microsoft.com/2000/downloadDetails/O2kSR1DDL.htm
Outlook 2000 E-mail Attachment Security Update
http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm
Outlook 98 E-mail Attachment Security Update
http://officeupdate.microsoft.com/downloadDetails/O98attch.htm
Outlook 97 E-mail Attachment Security Update
http://officeupdate.microsoft.com/downloadDetails/O97attch.htm
3. If you use Outlook 2000, use the option to set your attachment security setting to High. When security is set to High, users will receive a warning before opening an attachment. To make sure your setting is set to High:
1. On the Tools menu select Options
2. Select the Security Tab
3. Click on the Attachment Security button
4. Select High (if not already selected)
Microsoft and Outlook are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
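The bulletins above all describe the same delivery trick: an attachment that is directly executable (Pics4You.exe, mothersday.vbs) or that puts a harmless-looking extension in front of an executable one (LOVE-LETTER-FOR-YOU.txt.vbs), relying on Windows hiding the last extension by default. As an added example, not code from Microsoft, Symantec or F-Secure, the following Python screen uses only the standard library to parse a message and flag such attachments, and shows what Explorer would display for each name. The extension list and the sample messages are constructed for the demonstration.

```python
"""Screen e-mail attachments for the traits the bulletins describe.

Added example, not code from any of the quoted bulletins. Uses only the
Python standard library. The extension list and sample messages are
constructed for the demonstration.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional

# File types Windows runs directly on double-click. Constructed for this
# example; a real gateway policy would be broader and configurable.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "vbs", "js", "scr", "pif"}


def displayed_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file
    types' on (the Windows default): the last extension is dropped, so
    'mothersday.vbs' appears as 'mothersday' and
    'LOVE-LETTER-FOR-YOU.txt.vbs' as 'LOVE-LETTER-FOR-YOU.txt'."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def classify_filename(name: str) -> Optional[str]:
    """Return a reason to block the attachment, or None if it looks benign."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) > 2:
        return f"double extension .{parts[-2]}.{ext} hides an executable"
    return f"executable attachment (.{ext})"


def screen_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 822 message; return one finding per suspicious attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        reason = classify_filename(name)
        if reason:
            findings.append(f"{name}: {reason}")
    return findings


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a sample message carrying an inert placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"inert placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("ILOVEYOU",
                     "Kindly check the attached LOVELETTER coming from me",
                     "LOVE-LETTER-FOR-YOU.txt.vbs"),
        build_sample("Mothers Day Order Confirmation",
                     "We have attached a detailed invoice to this email.",
                     "mothersday.vbs"),
        build_sample("Quarterly report", "See attached.", "report.txt"),
    ]
    for raw in samples:
        print(screen_message(raw) or ["no suspicious attachments"])
    for name in ("mothersday.vbs", "LOVE-LETTER-FOR-YOU.txt.vbs"):
        print(f"{name!r} is displayed as {displayed_name(name)!r}")
```

The screen looks only at the declared file name, which is all the bulletins' advice ("never run an executable from someone you don't know") relies on; a gateway would pair it with a scanner that inspects the content, since the name is under the sender's control.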
1. Microsoft users – Microsoft's browser is the most popular and widely used Web browser in use the world over, and many viruses are written specifically to take advantage of known security problems associated with it; so much so that by using JavaScript it is possible to infect your system without you ever knowing it. However, by making sure you have the latest security patch installed you'll never have to worry, well, not until you update your browser at any rate, and those annoying ActiveX errors you'll occasionally find in emails are actually viruses trying to attack your system but failing. The latest patch is available here; if you are in the Microsoft camp then I suggest you all download and install this patch if you have not done so already. http://www.microsoft.com/Security/Bulletins/ms99-032.asp
2. Professional anti-virus software – One of the best defenses against any virus is to make sure your computer never becomes infected; to do this you need a good-quality anti-virus program. Once you have installed the program it should be run at once so that it scans all files and memory, making sure your computer is clear of viruses. Almost all anti-virus software comes with a set of tools to clean your system of known viruses; the problem is that all virus software is only as good as its database of viruses. This leaves a small window of opportunity when the very latest viruses may infect your system while your anti-virus software manufacturer updates the database. However, as long as you make sure you regularly update your virus database this should not be a problem for most people. Remember to set your anti-virus software to run constantly in the background, giving you the best possible protection at all times, and scan all email attachments and files downloaded or obtained on disk just to be sure.
There are numerous anti-virus software manufacturers out there; perhaps in the future we'll review a couple of them, but the thought of purposefully infecting a system just to see how something works is taking things to the extreme. I personally use both McAfee and Norton Anti-Virus depending on which system I'm using. You can even find freeware versions at www.download.com, but whichever program you use, remember to keep it updated.
3. Scan attachments before opening them – As mentioned earlier, while it's not impossible to catch a virus by simply reading an email, the most common way viruses spread is by email attachments. One simple rule to follow is to never, I repeat never, open an attachment to an email from anyone you don't know and trust, and even if you do, always scan it with your anti-virus software. Now, don't go over the top with this; most viruses are extremely easy to pick up on with a bit of practice. Just don't open something you're not expecting, and certainly never open something you haven't scanned.
4. Download with caution – Downloading files from the Internet is not all that dangerous; in fact you're much more likely to find a virus sitting in your in-tray than you are to download one by accident. That said, if you are downloading files then a quick scan with your anti-virus software will always help. What you need to do is learn to trust the sites you download files and programs from, although you'll be extremely unlucky to pick up a virus in this way.
5. Be careful with the disks you use – You should take care when you share disks with your friends or co-workers. Scan the disk with anti-virus software before you use it. Scan all files on the disk, not just the program files. When you lend your own disk to others, always write-protect your disk. That way, a virus on someone else's PC won't pass over to your disk (unless this person removes the write-protection to make changes). CD-ROMs are less risky, but scan them the first time you use them anyway.
6. Always make backups – How many times do we hear the word backup, and how often do we back up our files? The answer is not as often as we should, if at all. You should regularly back up your work files and system configuration files, at least on a weekly basis. Store your backup disks/tapes/whatever in a safe place, separate from your hard drive; by doing this you'll at least retain your data should the worst happen.
7. Save shared files in RTF or ASCII format – If you share data on a network server and you want your computers to remain virus-free, save all files in ASCII or RTF format. Neither file format saves macros and formatting information.
Remember fighting viruses is an exercise in risk management and damage limitation, you cannot guarantee that you will never catch a virus but you can reduce the risk and the damage caused.
Just to give you all something to think about: I just wonder what will happen when a large-scale military virus is released by some government or another, either by accident or not, because warfare (and terrorism) in the future will involve attacks by viruses.