This is Google's cache of http://csf.colorado.edu/mail/pfvs/2001IV/msg01726.html as retrieved on 9 May 2004 13:52:18 GMT.
[pf] Christmas e-mail virus
by David MacClement
20 December 2001 22:30 UTC
· I've just received this, via a reliable source (ask me if you want to
know who):

· Delete unopened, any attachment named: Christmas.exe

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

"W32.Reeezak.A@mm is a mass-mailing worm that uses Microsoft Outlook and
MSN Messenger. The worm will have the following characteristics:

Subject: Hii
Body:
I can't describe my feelings
But all i can say is
Happy New Year :)
bye
Attachment: Christmas.exe

In addition, the worm modifies the Internet Explorer start page to a
malicious homepage. This webpage uses an Internet Explorer exploit to
create a VBScript file on the system which then spreads itself via network
shares and mIRC. The script file also attempts to delete common antivirus
products.

Symantec Security Response is currently analyzing this worm"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://securityresponse.symantec.com/avcenter/venc/data/w32.reeezak.a@mm.html
  starts:

W32.Maldal.C@mm
Discovered on: December 19, 2001 
Last Updated on: December 19, 2001 at 04:14:59 PM PST 

 
Threat containment: Easy 
Removal: Easy 

Damage: 

Payload: 
Large scale e-mailing: Emails addresses in Microsoft Outlook 
Deletes files: Attempts to delete antivirus product directories 

Distribution: 

Subject of email: Happy New Year 
Name of attachment: Christmas.exe 
Size of attachment: 37376 
Shared drives: Attempts to copy itself via open network shares 

Technical description: 

W32.Maldal.C@mm is a mass-mailing worm. The worm is written in Visual
Basic, and it requires Visual Basic runtime libraries to execute.

When the worm is executed, it does the following:

It emails itself to all contacts in the Microsoft Outlook address book. The
email has the following characteristics:

Subject: Happy New Year

Message: 
Hii
I can't describe my feelings
But all i can say is
Happy New Year :)
bye

Attachment: Christmas.exe

It then changes the name of the computer to Zacker by modifying the value of:

ComputerName

to

Zacker

in the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName


It also adds the value

Zacker     %SYSTEM%\Christmas.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs each time that you start Windows.

Next, the worm changes your Internet Explorer home page to a malicious page
that was created by the author of the worm. This page will be detected as
JS.Exception.Exploit, even when using virus definitions dated prior to
December 18, 2001.

Next, the worm will display a window with the text: "From the heart. Happy
new year !"

Finally, the worm disables the keyboard. This means that the keyboard
cannot be used until the computer is restarted without the worm being
executed.
 ...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sent-on by David.
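
A mail-gateway check built from the indicators listed in the advisory above (subject lines, body text, attachment name and size), as an added example that is not part of the original message or of Symantec's write-up. The function names and verdict labels are assumptions, and the sample message is constructed with an inert zero-byte payload.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text quoted above.
ATTACHMENT_NAME = "christmas.exe"
ATTACHMENT_SIZE = 37376                  # bytes, "Size of attachment"
SUBJECTS = {"hii", "happy new year"}     # both subject lines the page lists
BODY_MARKER = "i can't describe my feelings"

def score_message(raw: bytes) -> dict:
    """Report which advisory indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = dict.fromkeys(("subject", "body", "attachment_name", "attachment_size"), False)
    hits["subject"] = (msg["Subject"] or "").strip().lower() in SUBJECTS
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT_NAME:          # case-insensitive filename match
            hits["attachment_name"] = True
            data = part.get_payload(decode=True) or b""
            hits["attachment_size"] |= len(data) == ATTACHMENT_SIZE
        elif not name and part.get_content_type() == "text/plain":
            hits["body"] |= BODY_MARKER in part.get_content().lower()
    return hits

def verdict(raw: bytes) -> str:
    """Quarantine on the attachment name alone; text-only matches go to review."""
    hits = score_message(raw)
    if hits["attachment_name"]:
        return "quarantine"
    if hits["subject"] and hits["body"]:
        return "review"
    return "deliver"

def build_sample(subject: str, body: str, attachment: tuple = None) -> bytes:
    """Construct a test message; the attachment payload is inert zero bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", subject
    msg.set_content(body)
    if attachment:
        filename, size = attachment
        msg.add_attachment(b"\0" * size, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    text = "Hii\nI can't describe my feelings\nBut all i can say is\nHappy New Year :)\nbye\n"
    print(verdict(build_sample("Happy New Year", text, ("Christmas.exe", 37376))))
```

The size match is reported separately and does not change the verdict, since the message's advice is to delete any attachment with that name.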
