VIRUS INFO ARCHIVES - PAGE 8
From February 20th, 2002 to March 26th, 2002
This page will include any virus information that I
acquire and feel it warrants passing on. Please check this page
occasionally as I will be trying to add more to it as time goes
by.
"Norton Anti-Virus Programs"
or it is at: http://www.symantec.com/avcenter/hoax.html
"CIAC"
or the page is at: http://www.ciac.org/ciac/CIACHoaxes.html
Another reliable one is: "MYTHS"
or it is at: http://www.kumite.com/myths/
Another very good and well known one: "DATAFELLOWS"
or it is at: http://www.datafellows.com/news/hoax/
And last but not least, Dr. Solomon's (another well known one) at:
"DR. SOLOMON'S"
or it is at: http://www.drsolomon.com/vircen/index.cfm
HACKERS INFORMATION
http://antionline.com/fight-back/
"HACKERS INFORMATION" Everyone should check this site out!
******************************************************
*NEW* March 29th, 2002
Pretending to be Something Else--WORM_SHREW.A (Low Risk)
WORM_SHREW.A is an Internet worm, created in Visual Basic that uses Microsoft Outlook to propagate copies of itself via email to all recipients listed in the infected user's Windows Address Book (WAB). The details of the email that this worm arrives in are as follows:
SUBJECT:Try this, pretty cool
MESSAGE BODY: None
ATTACHMENT:ActiveM.exe; List.txt
The EXE file this worm arrives in is an Active Mouse program. Upon execution, it prompts the target user for a registration number. Thereafter, if the target user clicks the "Cancel" button on the message box, it displays another message box with a warning.
For additional information about WORM_SHREW.A, please visit the Trend Micro Virus Information Center at: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_SHREW.A
*****************************************************
*NEW* March 17th, 2002
Flawed MyLife worm attempts to delete critical Windows files. *NOTE* There are many variants of this virus out now and it is advisable to go to your favourite anti-virus program website and read about them all!
Fortunately, a bug in this particular malicious code prevents it from working as intended. *NOTE* Take the time to view all variants of this virus.
A worm posing as an old-fashioned photograph of a girl holding a flower is making the rounds on the Internet. MyLife (w32.mylife@mm) is a 30,720-byte worm written in Visual Basic and compressed using UPX. If executed, the worm will attempt to mail copies of itself to everyone in the user's address book and will attempt to delete critical Windows files. Fortunately, a bug in the current worm code prevents MyLife from deleting any files. Users of Macintosh and Linux machines are not affected. Because MyLife spreads via e-mail and currently does not damage system files, this worm rates a 4 on the CNET Virus Meter.
How it works
MyLife arrives as e-mail with a subject line that reads "my life
ohhhhhhhhhhhhh." The body of the e-mail message contains the
following text:
Hiiiii How are youuuuuuuu? look to the digital picture it's my love vvvery verrrry ffffunny :-) my life = my car my car = my house
The attached file is My Life.scr.
If the user opens the attached file, the worm will display a picture of a young girl sniffing a flower. The active worm will appear as the item My Life in the Windows Task Bar. MyLife copies itself to the Windows System directory and adds itself to the following Registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\strmgr = C:\windows\system\My Life.scr.
The worm will attempt to delete SYS and COM files from the root directory; COM, SYS, INI, and EXE files from the Windows directory; and SYS, VXD, EXE, and DLL files from the Windows System directory. Several antivirus vendors have reported that this worm did not delete any files on their test systems.
Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who
have installed the Security Update should be safe from the
attached SCR file in MyLife. Users who have not upgraded to
Outlook 2002 or who have not installed the Security Update for
Outlook 2000 should do so. In general, do not open attached
files in e-mail without first saving them to hard disk and
scanning them with updated antivirus software. Contact your
antivirus vendor to obtain the most current antivirus signature
files that include MyLife.
Removal
A few antivirus software companies have updated their signature
files to include this worm. This will stop the infection upon
contact and in some cases will remove an active infection from
your system. For more information, see Central Command, F-Secure,
McAfee, Sophos, Symantec, and Trend Micro.
*****************************************************
*NEW* March 17th, 2002
Gibe worm poses as a Microsoft update
Obvious spelling errors, however, should alert Windows users to the presence of infected e-mail.
What appears to be a new security update from Microsoft is actually a clever attempt by a virus writer to spread a worm. Gibe (w32.gibe@mm) is a nondestructive worm written in Visual Basic that attempts to mass-mail itself to everyone in an address book. Fortunately, the infected e-mail is plagued with spelling errors and should be easy to spot. Because this worm is not destructive and only sends e-mail to others, Gibe ranks as a 4 on the CNET Virus Meter.
What it does
Gibe arrives via e-mail. The subject is "Internet Security
Update" and the body of the message appears to be a message from
Microsoft (it is not):
Microsoft Customer,
this is the latest version of security update, the update which
eliminates all known security vulnerabilities affecting Internet
Explorer and MS Outlook/Express as well as six new
vulnerabilities, and is discussed in Microsoft Security Bulletin
MS02-005. Install now to protect your computer from these
vulnerabilities, the most serious of which could allow an
attacker to run code on your computer.
Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.
System requirements: Versions of Windows no earlier than Windows 95.
This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below. If you have some questions about this article contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.
The attached file is q216309.exe (122,880 bytes), which appears to be a Microsoft Knowledge Base entry (it is not).
Users of non-Windows systems are not affected by this worm. If a Windows user opens the attached file, Gibe will make the following changes to the Registry:
HKLM\Software\AVTech\Settings\Default Address = [default address]
HKLM\Software\AVTech\Settings\Default Server = [default server]
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = [path to gfxacc.exe]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = [path to bctool.exe]
These changes allow Gibe to install a backdoor Trojan horse that
becomes active every time the computer is rebooted. Gibe will
also create the following files in the Windows directory:
bctool.exe (32,768 bytes) - the mass-mailing component
winnetw.exe (20,480 bytes) - the e-mail address harvesting component
q216309.exe (122,880 bytes) - a copy of the worm
vtnmsccd.dll (122,880 bytes) - a copy of the worm
gfxacc.exe (20,480 bytes) - the Trojan horse component
The file gfxacc.exe is the backdoor Trojan horse that could
allow malicious users into a PC. Alert users who monitor their
systems with a firewall may notice unusual traffic on port 12387
as a result of Gibe.
Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who
have installed the Security Update should be safe from the EXE
attachment included with Gibe. Users who have not upgraded to
Outlook 2002 or who have not installed the Security Update for
Outlook 2000 should do so. In general, do not open attached
files in e-mail without first saving them to hard disk and
scanning them with updated antivirus software. Contact your
antivirus vendor to obtain the most current antivirus signature
files that include Gibe.
Removal
A few antivirus software companies have updated their signature
files to include this worm. This will stop the infection upon
contact and in some cases will remove an active infection from
your system. For more information, see Central Command, F-Secure,
McAfee, Sophos, Symantec, and Trend Micro.
****************************************************
*NEW* February 20th, 2002
Yarner (w32.yarner.a@mm) appears to be a newsletter about Trojan horses from a legitimate security site, but is actually a dangerous worm. Yarner is a Windows PE EXE file about 434K in size, written in Delphi. It uses its own e-mail engine to send copies of itself to others. Once executed, the worm deletes the Windows directory on infected computers.
At present, infections are limited to Germany; however, a new
variant could be produced in English or any other language.
Because of the dangerous potential of this worm, Yarner ranks a 7
on the ZDNet Virus Meter.
How it works
Yarner arrives by e-mail and appears to be from Trojaner-Info
[webmaster@trojaner-info.de]. This is a real address and is not
the true origin of this e-mail. The subject of the infected e-mail
reads "Trojaner-Info Newsletter [Current Date]". The body text is
in German and appears to be a newsletter which translates into
English as:
"Hello!
Welcome to the latest newsletter from Trojaner-Info.de
Content:
1. YAW 2.0 - the latest version of our porn-dialer warner
****
1. YAW 2.0 - Our porn-dialer warner in its latest version.
Our widely used Dialerwarner YAW is now available in a brand new
and enhanced version. All subscribers to our newsletter get this
version for free with this newsletter.
Just start the attached file and YAW 2.0 installs itself.
If there are any questions the programmer of this unique tool is
available at [...]
Have fun with YAW!
http://www.trojaner-info.de/dialer/yaw.shtml
****
That's it with the latest Trojaner-Info news, thank you for your attention and we wish all our readers a pleasant week."
The attached file with this e-mail is yawsetup.exe.
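All four lures on this page (WORM_SHREW.A, MyLife, Gibe and Yarner) travel the same way: a short pretext and an executable attachment. The following Python script is an added example written for this page, not code from any vendor named here. It parses messages with the standard library and flags the indicators the write-ups give: an .exe or .scr attachment, a double extension or the CLSID-extension trick the Gibe text describes, a quoted lure subject, and a "security update" that arrives as an attachment. The sample messages, the lure-subject list and the GUID used in the check are constructed from the page's descriptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when the attachment is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "vbs"}

# Subject lines quoted in the write-ups on this page (constructed list).
KNOWN_LURE_SUBJECTS = {
    "try this, pretty cool",      # WORM_SHREW.A
    "my life ohhhhhhhhhhhhh",     # MyLife
    "internet security update",   # Gibe
}

# A trailing ".{GUID}" is the CLSID-extension trick the Gibe text mentions:
# Explorer hides it and shows whatever extension comes before it.
CLSID_SUFFIX = re.compile(r"\.\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def attachment_findings(filename):
    """Policy findings for one attachment file name."""
    findings = []
    name = filename.strip().lower()
    if CLSID_SUFFIX.search(name):
        findings.append("clsid-extension")
        name = CLSID_SUFFIX.sub("", name)  # judge what Explorer would display
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-attachment:" + ext)
        if len(parts) > 2:  # e.g. "photo.jpg.scr"
            findings.append("double-extension")
    return findings


def scan_message(raw):
    """Parse one RFC 822 message (bytes) and collect the page's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    findings = []
    if subject.lower() in KNOWN_LURE_SUBJECTS:
        findings.append("known-lure-subject")
    attachments = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        attachments.append(fname)
        findings.extend(attachment_findings(fname))
    # Vendors do not ship security updates as e-mail attachments.
    if "update" in subject.lower() and any(
            f.startswith("executable-attachment") for f in findings):
        findings.append("update-lure-with-executable")
    return {"subject": subject, "attachments": attachments,
            "findings": findings, "quarantine": bool(findings)}


def build_sample(sender, subject, body, filename):
    """Construct a test message; the attachment content is an inert stub."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"inert stub, not a program", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed messages modelled on the four lures described on this page.
SAMPLES = {
    "shrew": build_sample("friend@example.invalid", "Try this, pretty cool",
                          "", "ActiveM.exe"),
    "mylife": build_sample("friend@example.invalid", "my life ohhhhhhhhhhhhh",
                           "look to the digital picture", "My Life.scr"),
    "gibe": build_sample("MS Internet Security Center <rdquest12@microsoft.com>",
                         "Internet Security Update", "Install now", "q216309.exe"),
    "yarner": build_sample("webmaster@trojaner-info.de", "Trojaner-Info Newsletter",
                           "Just start the attached file", "yawsetup.exe"),
    "benign": build_sample("colleague@example.invalid", "Meeting minutes",
                           "Notes attached", "minutes.txt"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_message(raw))
```

Run it as-is to see each constructed sample scored; in a gateway you would feed it the raw message bytes instead of the samples and quarantine anything with a non-empty findings list. The executable-extension check alone would have stopped all four worms on this page, which is why the Outlook security update the prevention sections recommend works the same way.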
If executed, Yarner will copy itself to the Windows directory as
notedpad.exe, overwriting the system's original Notepad
application (notepad.exe). Whenever you launch Notepad, Yarner
uses notedpad.exe to hide its presence. The worm adds two
additional files: kerneI32.daa (which the worm uses to write
e-mails) and kerneI32.das (which the worm uses to record known
SMTP servers).
The worm then adds this Registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\[random characters] = [random characters].exe
The value name and file name can be up to 100 random characters long.
To find addresses, Yarner reads the Microsoft Outlook address book and then scans all .php, .htm, .shtm, .cgi and .pl files in all subdirectories for additional e-mail addresses. It then uses its own SMTP engine (its own built-in e-mail program) to send the e-mails, connecting to its own list of mail servers, including:
216.113.14.106
joy-go.gr.jp
ctripserver.ctrip.com.cn
202.101.62.207
cocess.cocess.co.kr
mail.bizpoint.com.sg
ns2.webshock.co.kr
olympus.mda.com.tr
linux2.ele-china.com
mailsvr.hanace.co.kr
After it has sent copies of itself, Yarner then deletes all files in the Windows directory.
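Once a message has been opened, the host-side evidence the MyLife, Gibe and Yarner write-ups give is consistent: a Run or RunOnce value that launches the worm (MyLife's strmgr, Gibe's 3dfx Acc and LoadDBackup, Yarner's random RunOnce name), the named component files, Gibe's listener on port 12387, and direct connections from a workstation to SMTP servers such as the ones in Yarner's list. The following Python script is an added example for this page, not vendor code; it reads a Registry export of the Run/RunOnce keys and a netstat -an listing captured from a suspect machine and reports those indicators offline. Both captures below are constructed, the "random name" test is a heuristic (a long alphanumeric value name that launches an EXE of the same name), and only the two IP-form entries from Yarner's server list are checked, since a netstat listing shows no host names.

```python
import re

# [HKEY_...\Software\Microsoft\Windows\CurrentVersion\Run] or ...\RunOnce
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run(?:Once)?)\]$",
    re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="data" (REG_SZ)

# Component file names the MyLife, Gibe and Yarner write-ups give.
KNOWN_WORM_FILES = {"my life.scr", "gfxacc.exe", "bctool.exe", "winnetw.exe",
                    "q216309.exe", "vtnmsccd.dll", "notedpad.exe",
                    "kernei32.daa", "kernei32.das"}
BACKDOOR_PORTS = {12387}                              # Gibe's gfxacc.exe
YARNER_RELAYS = {"216.113.14.106", "202.101.62.207"}  # IP entries from the page
RANDOM_NAME = re.compile(r"[a-z0-9]{8,100}")          # heuristic, see lead-in


def parse_run_values(reg_text):
    """Yield (hive, key, name, data) for REG_SZ values under Run/RunOnce."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = RUN_KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), key.group(2))
            continue
        if line.startswith("["):          # some other key: stop collecting
            current = None
            continue
        value = VALUE_RE.match(line)
        if current and value:
            # .reg files escape each backslash in string data as "\\"
            yield current + (value.group(1), value.group(2).replace("\\\\", "\\"))


def registry_findings(reg_text):
    """Flag Run/RunOnce values matching the persistence described on the page."""
    findings = []
    for hive, key, name, data in parse_run_values(reg_text):
        target = data.strip('"').lower()
        basename = target.rsplit("\\", 1)[-1]
        if basename in KNOWN_WORM_FILES:
            findings.append((hive, key, name, "known-worm-file"))
        if basename.endswith(".scr"):     # screen savers do not belong in Run
            findings.append((hive, key, name, "screensaver-in-run"))
        if (key.lower() == "runonce" and RANDOM_NAME.fullmatch(name.lower())
                and basename == name.lower() + ".exe"):
            findings.append((hive, key, name, "random-runonce"))
    return findings


def netstat_findings(netstat_text):
    """Flag the backdoor listener and direct SMTP connections in `netstat -an`."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local_port = int(parts[1].rsplit(":", 1)[1])
        remote_host, remote_port = parts[2].rsplit(":", 1)
        state = parts[3].upper()
        if state == "LISTENING" and local_port in BACKDOOR_PORTS:
            findings.append("listener:%d" % local_port)
        elif state in ("ESTABLISHED", "SYN_SENT") and remote_port == "25":
            # a workstation using its own SMTP engine, as Yarner and Gibe do
            tag = "known-relay" if remote_host in YARNER_RELAYS else "direct-smtp"
            findings.append("%s:%s" % (tag, remote_host))
    return findings


# Constructed Registry export (reg.exe format) and constructed netstat listing.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"3dfx Acc"="C:\\WINDOWS\\gfxacc.exe"
"LoadDBackup"="C:\\WINDOWS\\bctool.exe"
"SoundMgr"="C:\\Program Files\\Audio\\soundmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"strmgr"="C:\\windows\\system\\My Life.scr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"xq7zk2pd9w"="xq7zk2pd9w.exe"
'''

NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12387          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      216.113.14.106:25      ESTABLISHED
  TCP    192.168.1.10:1046      203.0.113.7:25         SYN_SENT
  TCP    192.168.1.10:1047      203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for f in registry_findings(REG_EXPORT):
        print("registry:", f)
    for f in netstat_findings(NETSTAT):
        print("network:", f)
```

The legitimate SoundMgr entry and the port 80 connection produce no findings, which is the point of keying the checks on the specific behaviour these worms share (an unexpected autorun target, a listener on an unusual port, a desktop talking SMTP directly) rather than on autorun entries in general.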
Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who
have installed the Security Update should be safe from opening
the attached file with Yarner. Users who have not upgraded to
Outlook 2002 or who have not installed the Security Update for
Outlook 2000 should do so. In general, do not open attached
files in e-mail without first saving them to hard disk and
scanning them with updated antivirus software. Contact your
antivirus vendor to obtain the most current antivirus signature
files that include Yarner.
Removal
Almost all the antivirus software companies have updated their
signature files to include this worm. This will stop the
infection upon contact and in some cases will remove an active
infection from your system. For more information, see Central
Command, F-Secure, Kaspersky, McAfee, Norman, Sophos, Symantec,
and Trend Micro.
***********************************************