¡¡¡VIRUS ALERT!!!
We will be offering this page for updated information on all VIRUS ALERTS sent in by our customers or friends of NetSys. If you have any news on circulating viruses not mentioned in this report please send all particulars to admin@netsys.hn.

W32/SirCam@MM

July 23, 2001
Due to the increase in samples, the risk assessment for W32/SirCam@MM has been updated to HIGH risk.

The 4149 DATs (the full set and incrementals) include scanning of files with the .LNK extension mentioned below. VirusScan TC and VirusScan 4.51 users can take advantage of this if they are using the default extension list. All other users must add the extensions as noted below or select SCAN ALL FILES.

July 22, 2001
For detection of W32/SirCam@MM, the LNK and PIF extensions need to be present on the extension list, or SCAN ALL FILES must be chosen.

This mass-mailing virus attempts to send itself and local documents to all users found in the Windows Address Book and to email addresses found in temporary Internet cached files (web browser cache).

It may be received in an email message containing the following information:

Subject: [filename (random)]
Body: Hi! How are you?

I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

--- the same message may be received in Spanish (the four lines correspond one-for-one to the English ones above) ---

Hola como estas ?

Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste

Nos vemos pronto, gracias.

--- end message ---

The misspellings ("sendo", "ask for") are the worm's own and are useful for matching. Although other message body possibilities are present in the virus, these aren't actually being generated frequently.

Attached will be a document with a double extension (the filename varies). The first extension is that of the original document, to which the virus has prepended itself; the second is one of the executable extensions listed further below. When the attachment is run, the original document is written to the C:\RECYCLED folder and opened, so the user sees what they expected, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and sets the following registry value so that it is loaded whenever an .EXE file is executed:

HKCR\exefile\shell\open\command
(Default) = "C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to ensure that this directory IS being scanned. Note also that because every .EXE launch now goes through SirC32.exe, deleting that file without first restoring the value above to "%1" %* leaves the system unable to start any .EXE file.

It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry value to load itself automatically at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. Email addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd characters of the name appear to be random) in the SYSTEM directory.

The worm prepends itself to a copy of a file named in the SCD.DLL list and attaches the result to the messages it sends through its own built-in SMTP code, talking directly to a mail server rather than through the user's mail client. One of the following extensions is appended to the original filename: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names with double extensions, and it means that files from the victim's MY DOCUMENTS folder are disclosed to everyone on the recipient list.

The program creates a registry key to store variables for itself (such as a run count and SMTP information):

HKLM\Software\Sircam

The virus may also infect other systems over open network shares. On remote systems the file \windows\rundll32.exe may be replaced with a viral copy, while the valid RUNDLL32.EXE is renamed to RUN32.EXE. On those systems the AUTOEXEC.BAT file may have the following line appended: @win \recycled\sirc32.exe

Aside from the e-mail flood, the worm may delete files on 16 October and/or fill up hard disk space by appending text entries over and over to a file it keeps in the Recycled folder.
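The persistence changes listed above are what a responder checks for on a suspect host. The following Python script, an added example for this page and not the advisory's own tool, runs those checks against a registry export (.reg text, as produced by regedit's export function) and a copy of AUTOEXEC.BAT rather than the live registry, so it works offline and on another machine. The two sample exports and the AUTOEXEC.BAT contents are constructed for the example; the benign "LoadPowerProfile" entry is included only to show that ordinary RunServices values are left alone.

```python
"""Host checks for the W32/SirCam@MM persistence described above: the
HKCR\\exefile\\shell\\open\\command hijack, the RunServices entry, the
HKLM\\Software\\Sircam state key, and the AUTOEXEC.BAT line added on hosts
infected over a share. Inputs are a registry export (.reg text) and the
text of AUTOEXEC.BAT, so the checks run offline on a copy taken from the
suspect machine. Added example for this page, not code from the advisory;
both sample inputs below are constructed."""
import re

# Keys named in the advisory; compared case-insensitively against the export.
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
SIRCAM_STATE_KEY = r"HKEY_LOCAL_MACHINE\Software\Sircam"
SIRCAM_FILES = {"sirc32.exe", "scam32.exe"}


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [Key] headers followed by
    "name"=value or @=value lines. Returns {key_lower: {name: value}}; the
    default value is stored under "@". Quoted string values are unescaped."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            # .reg escapes backslashes and double quotes inside strings.
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        result[current][name] = value
    return result


def exefile_hijack(reg):
    """Return the command registered for .EXE files if it no longer starts
    with "%1" (meaning another program is inserted in front of every
    executable launch), or None if the value is clean."""
    cmd = reg.get(EXEFILE_KEY.lower(), {}).get("@", '"%1" %*')
    return None if cmd.strip().lower().startswith('"%1"') else cmd


def runservices_sircam(reg):
    """Return (name, path) RunServices entries whose target file is a SirCam name."""
    entries = reg.get(RUNSERVICES_KEY.lower(), {})
    return [(n, v) for n, v in entries.items()
            if v.lower().rsplit("\\", 1)[-1] in SIRCAM_FILES]


def autoexec_sircam_lines(autoexec_text):
    """Return AUTOEXEC.BAT lines that launch \\recycled\\sirc32.exe."""
    return [l for l in autoexec_text.splitlines()
            if re.search(r"\\recycled\\sirc32\.exe", l, re.IGNORECASE)]


def sircam_indicators(reg_text, autoexec_text):
    """Run all four checks and return the findings in one dict."""
    reg = parse_reg_export(reg_text)
    return {
        "exefile_hijack": exefile_hijack(reg),
        "runservices": runservices_sircam(reg),
        "state_key": SIRCAM_STATE_KEY.lower() in reg,
        "autoexec": autoexec_sircam_lines(autoexec_text),
    }


# Constructed sample export from an infected Win9x host (not a real capture).
INFECTED_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Sircam]
'''
INFECTED_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n@win \\recycled\\sirc32.exe\r\n"

# Constructed sample from a clean host: the .EXE handler simply passes the file through.
CLEAN_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for label, (reg, aut) in {"infected": (INFECTED_REG, INFECTED_AUTOEXEC),
                              "clean": (CLEAN_REG, "@ECHO OFF\r\n")}.items():
        print(label, sircam_indicators(reg, aut))
```

The exefile check deliberately tests the shape of the value rather than the string "SirC32.exe": any value that does not begin with "%1" means something is wrapping every executable launch, which catches renamed copies and other families that use the same hijack.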

W32/ExploreZip.worm
http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp
Characteristics:
This is a 32-bit worm that travels by sending email messages to users. It drops the file explore.exe and, to run at startup, modifies either WIN.INI (Win9x) or the registry (WinNT).

Information:
This worm uses the MAPI-aware mail clients on the system (MS Outlook, MS Outlook Express and MS Exchange; also confirmed with Netscape mail) to reply to every message received with an email whose body reads:

I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.

The subject line is not constant, because each message is a reply. The worm (named "zipped_files.exe") is attached, with a file size of 210,432 bytes. The file carries a WinZip icon designed to fool unsuspecting users into running it as a self-extracting archive. Users who run the attachment are presented with a fake error message that says:

"Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

The worm has a destructive payload: immediately after execution it searches all local and mapped drives for files of the following types and, when it finds them, truncates them to zero bytes:
.c, .cpp, .h, .asm, .doc, .xls, or .ppt

Because the files remain in place under their original names, the damage may not be noticed until one is opened; the only recovery is from backup.

Discovery/Added Date: June 9, 1999
DAT Included: 4030 (Release date 6/16/99)
Type: Worm
Risk Assessment: High
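Because the payload leaves the affected files in place at zero bytes, a responder needs a list of what was hit before restoring from backup. The following Python script, an added example for this page and not part of the advisory, walks a drive or share and lists zero-byte files with the targeted extensions; the directory tree it runs on is constructed in a temporary folder for the example.

```python
"""Triage helper for the W32/ExploreZip payload described above, which
truncates source and Office files to zero bytes on every reachable drive.
zeroed_targets() walks a tree and lists files that now match that pattern
so they can be restored from backup. Added example for this page, not code
from the original advisory; the sample tree is constructed in a temp dir."""
import os
import tempfile

# Extensions the advisory lists as targets (compared case-insensitively).
EXPLOREZIP_TARGETS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}


def zeroed_targets(root):
    """Return relative paths (forward slashes, sorted) of zero-byte files under
    root whose extension is on the target list. Symlinks are not followed, so
    a mapped drive or share can be walked without looping."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPLOREZIP_TARGETS:
                continue
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) == 0:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    hits.append(rel)
            except OSError:
                continue  # unreadable or vanished; nothing to report for it
    return sorted(hits)


def build_sample_tree():
    """Construct a tree that mimics a post-infection state: three wiped
    targets (one with an upper-case extension), one intact target and one
    empty file that is not a target. Returns the root path."""
    root = tempfile.mkdtemp(prefix="explorezip_")
    layout = {
        "src/main.c": b"",                                    # wiped
        "src/util.H": b"",                                    # wiped, upper-case ext
        "docs/budget.xls": b"",                               # wiped
        "docs/notes.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,  # intact (OLE header)
        "README.txt": b"",                                    # empty but not a target
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in zeroed_targets(sample_root):
        print("restore from backup:", hit)
```

The output is a candidate list, not proof of infection: a legitimately empty header file will appear too, so confirm against backups or the worm's run time before restoring.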



CIH virus may hit on Monday
April 23, 1999
Web posted at: 2:43 p.m. EDT (1843 GMT)
by Emily Fitzloff

(IDG) -- A fiercely destructive virus that may already be sitting dormant in the memory of computer users' systems is expected to become active Monday, April 26.

The virus, which is called CIH 1.2 and infects Windows 95 and 98 .EXE files, is not nearly as prevalent or easy to spread as the recent Melissa virus, but is significantly more destructive to the computers it does infect because it goes directly to the hardware.

According to Steve Trilling, director of research at the Symantec Anti-Virus Research Center, the payload of CIH 1.2 "will not only delete programs from your hard drive, but it can over-write flash BIOS and totally destroy the motherboard."

Although CIH 1.2 is much slower moving than the more common macro viruses, its threat is higher because it typically goes undetected, according to Sal Viveros, group marketing manager for Network Associates' Total Virus Defense product line.

CIH was first discovered in summer 1998 in the Far East, according to Symantec's Trilling, who explained that viruses tend to be most threatening within the first six months of release.

"Because CIH is now in its eighth month, the threat has been significantly reduced," Trilling said.

CIH, however, does have the strength to destroy the hard drives of infected computers when they are booted up on April 26. Some observers have speculated that the payload release date is designed to coincide with the 13th anniversary of the nuclear meltdown in Chernobyl.

According to Viveros of Network Associates, March's relatively benign Melissa may have been a blessing in disguise for U.S. computer users.

"Most U.S. users updated their anti-virus solutions because of Melissa, so they are safe," Viveros said.

All of the leading anti-virus products have been aware of CIH 1.2 since last summer, so people who have updated their systems since then will have the current fix for CIH 1.2 and should be safe, according to Viveros, who also remarked that the virus has been extremely prevalent in Asia.

Computer users who are unsure whether their systems may be carrying the CIH 1.2 virus, especially those who have not been updating their anti-virus systems regularly, should contact their anti-virus solution provider.

Symantec is offering a fix called Kill CIH that can be downloaded from www.symantec.com. Fixes are also available from Sophos, Network Associates, and others.

One Microsoft representative said the software company's products had no particular vulnerabilities to the CIH virus, and updated versions of Windows-based anti-virus software should keep Windows clean of it.

"It can run on Windows 95 and Windows 98," the representative said. "The virus payload cannot run on NT systems. It could infect, but not run on, NT."

To Windows users, Microsoft recommended standard virus protection measures -- using up-to-date scanning software, employing code-signing safeguards, and not accepting floppy disks or executables from unknown sources.
 

'Melissa' Virus Hits Internet, May Cause Havoc Monday

(Last updated 5:37 PM ET March 28)
SAN FRANCISCO (Reuters) - A virus that spreads a list of pornography sites via e-mail hit computers over the weekend and threatened havoc Monday as workers return to offices and begin opening messages sent over the Internet.

The virus, called "Melissa," comes in the form of a Word document that lists pornography sites on the World Wide Web.

Computer experts said the virus was aimed at widely used Microsoft Windows-based e-mail address book software, Outlook and Outlook Express, and it can send up to 50 additional copies of the e-mail to other users, threatening a widespread infection of computer systems.

That could create a flood of unwanted e-mails around the Internet as the program perpetuates itself using pre-programmed "macros," scripts embedded in the Word document itself that run automatically when the document is opened.

"It could grow explosively and shut down e-mail systems as a side effect," Eric Allman, co-founder of the Emeryville, Calif.-based Sendmail, a widely used provider of e-mail software, said in an interview Sunday.

A number of leading software security firms and academic experts posted warnings about the e-mail threat, including Network Associates, the leading anti-virus software maker.

"Melissa is widely reported and spreading quickly via mass e-mail, a function of the viral infection," said Network Associates, based in Santa Clara, Calif.

Carnegie Mellon University's Software Engineering Institute issued an advisory, which said, "The number and variety of reports we have received indicate that this is a widespread attack affecting a variety of sites."

The only damage the virus causes is that it replicates itself and creates a flood of e-mail; it apparently does not hurt the computer itself, experts said.

The real danger is that the virus will overwhelm the server computers that handle messaging systems, which could lead to system shutdowns as each e-mail multiplies itself 50 times. Already, a wave of the e-mails has been sent out and awaits office workers Monday morning.

"It's not doing malicious things or removing files or anything like that," Allman said. "I've heard claims that it has been doing more but I haven't seen any substantial verification of that. It's really more of a wake-up call, that shows us how you could take a malicious virulent virus and reproduce it all over the place very quickly."
Computer experts warned users to be wary of documents sent from any sender asking them to open a file in Microsoft Word. On opening, Word prompts the user to ask whether the macros in the file should be enabled, and the infection requires the user to approve them; declining at that prompt makes the problem relatively easy to avoid.

Microsoft itself has simply warned users to "be careful about what runs on their machine," the New York Times reported. Carnegie Mellon said, "our analysis indicates that human action (in the form of a user opening an infected Word document) is required for this virus to activate."

The virus can be identified, Network Associates said, because the subject line will read "Important Message From <user name>" (the sender's Word user name is filled in). The body of the text reads "Here is that document you asked for ... don't show anyone else" and the attached document contains a list of pornographic Web sites.

Melissa creates the following entry in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?

Network Associates said that to avoid the risk of contracting the Melissa virus, "it is recommended that network administrators and users upgrade their anti-virus software to include detection and cleaning for W97M/Melissa."

Network Associates posted information about the virus on the Web site of its Avert Labs division (http://www.avertlabs.com), Sendmail posted advice on the Melissa problem at http://www.sendmail.com, and Carnegie Mellon posted information on its site as well (http://www.cert.org).

Computer experts said that if advisories were followed, the problem would probably not become a widespread worry.

"I suspect we'll see a day or two of extremely high e-mail loads and then it will just die out, so in some sense this virus is not that critical, but it's one that demonstrates what could happen if a truly malicious virus were released," Sendmail's Allman said. "The ability to spread something so broadly is scary."
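All three worms on this page so far (SirCam, ExploreZip and Melissa) announce themselves with fixed lure text and attachment names, which is what a mail-gateway or helpdesk triage rule keys on. The following Python function, an added example for this page and not code from any of the advisories, tags a message with the indicators taken from the SirCam section above (double-extension attachment, subject equal to the attachment's base name, the English and Spanish body lines) and from the ExploreZip and Melissa descriptions (the zipped_files.exe reply and its 210,432-byte size; the "Important Message From" subject and the "Here is that document" body). The four sample messages are constructed; in particular the attachment name used for the Melissa sample is invented, since the page does not give one.

```python
"""Inbound-mail triage for the lures described on this page: SirCam,
ExploreZip and Melissa. Added example for this page, not code from any of
the advisories; the messages in SAMPLES are constructed."""

EXEC_EXTS = {"bat", "com", "exe", "lnk", "pif"}   # SirCam's appended extensions
SIRCAM_PHRASES = (
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
)


def name_extensions(filename):
    """Split a filename into (stem, [extensions]) in lower case, treating at
    most the last two dotted parts as extensions so a SirCam-style
    'report.doc.pif' gives ('report', ['doc', 'pif']) while a plain
    'zipped_files.exe' gives ('zipped_files', ['exe'])."""
    parts = filename.lower().split(".")
    if len(parts) >= 3:
        return ".".join(parts[:-2]), parts[-2:]
    return parts[0], parts[1:]


def lure_indicators(subject, body, attachment=None, size=None):
    """Return the list of indicator tags that fire for one message; an empty
    list means none of the three lures matched."""
    tags = []
    subj, text = subject.strip(), body.lower()
    stem, exts = name_extensions(attachment) if attachment else ("", [])
    final_ext = exts[-1] if exts else ""

    # SirCam: executable attachment with a document extension in front of it,
    # subject equal to the attachment's base name, fixed body sentences.
    if final_ext in EXEC_EXTS and len(exts) >= 2:
        tags.append("sircam:double-extension")
    if attachment and subj.lower() == stem:
        tags.append("sircam:subject-is-filename")
    if any(p in text for p in SIRCAM_PHRASES):
        tags.append("sircam:body-phrase")

    # ExploreZip: fixed reply text and a fixed-size executable named like an archive.
    if attachment and attachment.lower() == "zipped_files.exe":
        tags.append("explorezip:attachment-name")
        if size == 210432:
            tags.append("explorezip:attachment-size")
    if "take a look at the attached zipped docs" in text:
        tags.append("explorezip:body-phrase")

    # Melissa: Word document with the fixed subject prefix and opening line.
    if subj.lower().startswith("important message from "):
        tags.append("melissa:subject")
    if "here is that document you asked for" in text and "don't show anyone else" in text:
        tags.append("melissa:body-phrase")
    if final_ext == "doc" and "melissa:subject" in tags:
        tags.append("melissa:doc-attachment")
    return tags


# Constructed sample messages (not captured mail). "report.doc" is an invented name.
SAMPLES = {
    "sircam": dict(subject="Presupuesto",
                   body="Hola como estas ?\n\nTe mando este archivo para que me des "
                        "tu punto de vista\n\nNos vemos pronto, gracias.",
                   attachment="Presupuesto.xls.pif", size=None),
    "explorezip": dict(subject="Re: meeting",
                       body="I received your email and I shall send you a reply ASAP.\n"
                            "Till then, take a look at the attached zipped docs.",
                       attachment="zipped_files.exe", size=210432),
    "melissa": dict(subject="Important Message From Alice",
                    body="Here is that document you asked for ... don't show anyone else ;-)",
                    attachment="report.doc", size=40960),
    "clean": dict(subject="Lunch?", body="Noon at the usual place?",
                  attachment=None, size=None),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, lure_indicators(**msg))
```

Each tag is independent so a gateway rule can require two of them before quarantining (for example the double extension plus a body phrase), which keeps a legitimate "budget.xls" mail from being held just because its subject happens to be "budget".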
 

W32/Ska (A.K.A. Happy99.exe)

W32/Ska is a worm that was first posted to several newsgroups and has been reported to several of the AVERT Labs locations worldwide. When this worm is run it displays the message "Happy New Year 1999!!" along with "fireworks" graphics. The newsgroup postings led to its initial propagation. It can also spread on its own, as it attaches itself to mail messages that are then sent, unknowingly, by the user; because of this it is classed as a worm.

AVERT cautions all users who receive the attachment via email to simply delete the mail and the attachment. The worm arrives as an email attachment called Happy99.EXE, sent unknowingly by another user. When the program is run it deploys its visible payload, displaying fireworks on the user's monitor.

Note: At this time no destructive payload has been discovered.

When Happy99.EXE is run it copies itself to the Windows\System folder under the name SKA.EXE. It then extracts, from within itself, a DLL called SKA.DLL into the Windows\System folder if one does not already exist.

Note: Though the SKA.EXE file is a copy of the original, it does not behave as Happy99.EXE does: it does not copy itself again, nor does it display the fireworks on the user's monitor.

The worm then checks for the existence of WSOCK32.SKA in the Windows\System folder; if it does not exist and the file WSOCK32.DLL does exist, it copies WSOCK32.DLL to WSOCK32.SKA. WSOCK32.DLL is the Windows Sockets library every networked application loads, so the presence of WSOCK32.SKA (the saved original) in the System folder is a reliable sign of infection, and restoring it over WSOCK32.DLL is part of the cleanup.

The worm then creates the registry entry -


JOIN THE CREW (9-17-97)

Alejandro Zamora
C&M Comunicacion y Mercadeo
Costa Rica

WARNING!!! If you receive an e-mail titled "JOIN THE CREW", DO NOT OPEN IT!! It will erase everything on your hard drive. Send this letter out to as many people as you can. This is a new virus and not many people know about it.

This information was received this morning from IBM, please share it with anyone that might access the Internet.


Virus IRINA

There is a computer virus being sent across the Internet. If you receive an e-mail message with the subject line "Irina", DO NOT read the message; DELETE it immediately. Someone is sending people messages and files under the title "Irina". If you receive this mail or file, do not download it. It has a virus that rewrites your hard drive, obliterating anything on it. Please be careful and forward this mail to anyone you care about.


PKZIP300

"Do not download any file named PKZIP300, regardless of extension.

A new Trojan Horse virus has emerged on the Internet with the name PKZIP300.ZIP, so named as to give the impression that this file is a new version of the PKZIP software used to "ZIP" compressed files.

Do not download this file under any circumstances!!

If you install or expand the file, the virus will wipe your hard disk clean.

It also affects modems at 14.4 and higher. This is an extremely destructive virus and there is not yet a way of cleaning this one up.

Please pass this on to anyone you know"

(The same warning as circulated in Spanish, translated:)

"Do not download any file named PKZIP300, whatever its extension.

A new Trojan Horse virus has appeared on the Internet under the name PKZIP300.ZIP; the name gives the impression that this is a new version of the PKZIP software used to compress ZIP files.

Do not download this file under any circumstances!!!

If you install or expand the file, the virus can wipe your hard disk clean and affects modems above 14.4. This is an extremely destructive virus and there is no way to clean it."


PENPAL GREETINGS!

If anyone receives mail entitled: PENPAL GREETINGS! please delete it WITHOUT reading it. Below is a little explanation of the message, and what it would do to your PC if you were to read the message.

This is a warning for all internet users - there is a dangerous virus propagating across the internet through an e-mail message entitled "PENPAL GREETINGS!". DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"

This message appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter, it is too late. The "trojan horse" virus will have already infected the boot sector of your hard drive, destroying all of the data present. It is a self-replicating virus, and once the message is read, it will AUTOMATICALLY forward itself to anyone whose e-mail address is present in YOUR mailbox!

This virus will DESTROY your hard drive, and holds the potential to DESTROY the hard drive of anyone whose mail is in your inbox, and whose mail is in their inbox, and so on. If this virus remains unchecked, it has the potential to do a great deal of DAMAGE to computer networks worldwide!!!!

Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see it! And pass this message along to all of your friends and relatives, and the other readers of the newsgroups and mailing lists which you are on, so that they are not hurt by this dangerous virus!!!!

(The same warning as circulated in Spanish, translated:) If anyone receives mail entitled PENPAL GREETINGS!, please delete it without reading it. This is a warning for all Internet users: there is a dangerous virus propagating across the Internet in an e-mail message entitled "PENPAL GREETINGS!". Do not download any message with that title. The message appears to be a friendly letter asking whether you are interested in a penpal, but by the time you have read it, it is too late: the "Trojan horse" virus will already have infected the boot sector of your hard drive, destroying all the data on it. It is self-replicating, and once the message is read it automatically forwards itself to every e-mail address present in your mailbox. This virus destroys your hard drive and has the potential to destroy the hard drive of anyone whose mail is in your inbox, and whose mail is in theirs, and so on. If it remains unchecked, it could do a great deal of damage to networked computers worldwide. Please pass this information along across the Internet.
