[pf] Christmas e-mail virus by David MacClement 20 December 2001 22:30 UTC |
· I've just received this, via a reliable source (ask me if you want to know who):

· Delete unopened, any attachment named: Christmas.exe

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

"W32.Reeezak.A@mm is a mass-mailing worm that uses Microsoft Outlook and MSN Messenger. The worm will have the following characteristics:

Subject: Hii
Body: I can't describe my feelings But all i can say is Happy New Year :) bye
Attachment: Christmas.exe

In addition, the worm modifies the Internet Explorer start page to a malicious homepage. This webpage uses an Internet Explorer exploit to create a VBScript file on the system which then spreads itself via network shares and mIRC. The script file also attempts to delete common antivirus products. Symantec Security Response is currently analyzing this worm"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://securityresponse.symantec.com/avcenter/venc/data/w32.reeezak.a@mm.html [all in same browser line]

starts:

W32.Maldal.C@mm

Discovered on: December 19, 2001
Last Updated on: December 19, 2001 at 04:14:59 PM PST

Threat containment: Easy
Removal: Easy

Damage:
Payload:
Large scale e-mailing: Emails addresses in Microsoft Outlook
Deletes files: Attempts to delete antivirus product directories

Distribution:
Subject of email: Happy New Year
Name of attachment: Christmas.exe
Size of attachment: 37376
Shared drives: Attempts to copy itself via open network shares

Technical description:

W32.Maldal.C@mm is a mass-mailing worm. The worm is written in Visual Basic, and it requires Visual Basic runtime libraries to execute.

When the worm is executed, it does the following:

It emails itself to all contacts in the Microsoft Outlook address book. The email has the following characteristics:

Subject: Happy New Year
Message: Hii I can't describe my feelings But all i can say is Happy New Year :) bye
Attachment: Christmas.exe

It then changes the name of the computer to Zacker by modifying the value of:

ComputerName

to

Zacker

in the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

It also adds the value

Zacker %SYSTEM%\Christmas.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs each time that you start Windows.

Next, the worm changes your Internet Explorer home page to a malicious page that was created by the author of the worm. This page will be detected as JS.Exception.Exploit, even when using virus definitions dated prior to December 18, 2001.

Next, the worm will display a window with the text:

"From the heart. Happy new year !"

Finally, the worm disables the keyboard. This means that the keyboard cannot be used until the computer is restarted without the worm being executed.

...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

sent-on by David.
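The e-mail indicators given in the two write-ups quoted above (subjects "Hii" and "Happy New Year", attachment name Christmas.exe, attachment size 37376) can be checked by a mail filter before a message reaches an inbox. The following is an added example, not part of the original message or of Symantec's write-up; the function names, the quarantine policy and the sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the advisory text quoted in the message above.
BAD_ATTACHMENT = "christmas.exe"
BAD_SIZE = 37376
BAD_SUBJECTS = {"hii", "happy new year"}


def scan_message(raw: bytes) -> list:
    """Return the advisory indicators that a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in BAD_SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        # Compare on the bare file name, case-insensitively, so that
        # "CHRISTMAS.EXE" or a path-prefixed name is still caught.
        name = (part.get_filename() or "").replace("\\", "/").rsplit("/", 1)[-1]
        if name.strip().lower() != BAD_ATTACHMENT:
            continue
        hits.append("attachment-name")
        # Size is measured on the decoded attachment, not the base64 text.
        payload = part.get_payload(decode=True) or b""
        if len(payload) == BAD_SIZE:
            hits.append("attachment-size")
    return hits


def should_quarantine(raw: bytes) -> bool:
    # Assumed policy, following the "delete unopened" advice: the attachment
    # name alone is enough; subject and size only add confidence.
    return "attachment-name" in scan_message(raw)


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment is zero bytes, not a sample."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A subject match on its own is not treated as grounds for quarantine here, since "Happy New Year" is an ordinary seasonal subject line.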
Positive Futures List Archives at CSF | Subscribe to Positive Futures |