Plant-tc Monthly Archive - February 2001
new virus
Greetings all-
Hot off the presses,
There is a new e-mail worm going around, discovered just today.
More information at:
http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html
-very slow response at that site at this time.
What to watch for:
Subject: Here you have, ;o)
Message: Hi:Check This!
Attachment: AnnaKournikova.jpg.vbs
DELETE THE ATTACHMENT.
Norton and other anti-virus programs will not catch this one yet - too new
- no definition updates at this time.
-------------------------------------------------------------------------
INFORMATION FROM NORTON'S SITE
VBS.SST@mm
Discovered on: February 12, 2001
Last Updated on: February 12, 2001 at 10:10:59 AM PST
The Symantec AntiVirus Research Center (SARC) has confirmed a new
mass-mailing worm. SARC is currently analyzing the worm. The worm is
being reported in an attachment named ANNAKOURNIKOVA.JPEG.VBS. SARC
recommends that you filter attachments with a VBS extension if you have
not already done so.
Category: Worm
Aliases: ANNAKOURNIKOVA.JPEG.VBS
Virus definitions: Pending
Threat assessment:
Wild: High
Damage: Low
Distribution: High

Wild:
Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy

Damage:
Payload trigger: January 26th. Spawns Web browser to an Internet address
in The Netherlands.

Distribution:
Subject of email: Here you have, ;o)
Name of attachment: AnnaKournikova.jpg.vbs
Size of attachment: 2853

Technical description:
VBS.SST is a VBS email worm that has been encoded with a virus creation
kit. The worm arrives as an attachment named AnnaKournikova.jpg.vbs. When
executed, the worm emails itself to everyone in your address book. On
January 26, the worm will attempt to spawn the web browser to an Internet
address. This worm appears to have originated in the Netherlands.
When run the virus creates the registry key
HKCU/Software/OnTheFly/
If the day is January 26, the virus attempts to spawn the Web browser.
Next, the virus checks to see if the mass-mailing routine has been
executed. If not, the worm emails everyone in the Outlook address book
and creates the registry key HKCU/Software/OnTheFly/mailed
so the worm does not email every address again. The worm sends the
message with the subject
Here you have, ;o)
The message body
Hi:
Check This!
and the attachment AnnaKournikova.jpg.vbs
The worm then remains running and if it is deleted attempts to recreate
itself. Due to a bug in the code, the virus instead recreates itself as a
zero-byte file.
Removal Instructions:
Delete all found infections. If it exists, delete the zero-byte file.
Remove registry keys.
Mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Galatowitsch Phone: 612-625-2721
PLANT-TC Listserv coordinator Fax: 612-625-1268
Agronomy & Plant Genetics
University of Minnesota
411 Borlaug Hall galat002@tc.umn.edu
1991 Buford Circle
St. Paul, MN 55108 http://www.agro.agri.umn.edu/plant-tc/listserv
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
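
The advisory above recommends filtering attachments with a VBS extension. The following is an added example, not part of the original message or of Symantec's text, showing one way a mail gateway check could do that and also flag the double-extension disguise (.jpg.vbs). The function names, the extra blocked extensions and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Extensions blocked at the gateway. The advisory names only VBS; the other
# entries are an assumption added for this example.
BLOCKED_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Harmless-looking extensions that can serve as the decoy in a double extension.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}

# Constructed sample using the subject, body and attachment name from the advisory.
SAMPLE_MESSAGE = """\
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B0"

--B0
Content-Type: text/plain

Hi:
Check This!
--B0
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

placeholder bytes, not the worm
--B0--
"""

def classify_filename(filename):
    """Return (blocked, reason) for one attachment filename."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] not in BLOCKED_EXTENSIONS:
        return False, "allowed"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return True, "script disguised with double extension"
    return True, "script attachment"

def scan_message(raw):
    """Return (filename, reason) for every blocked attachment in a raw message."""
    hits = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()  # None for parts without a filename
        if filename:
            blocked, reason = classify_filename(filename)
            if blocked:
                hits.append((filename, reason))
    return hits
```
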