M1CUK > INFO 28.11.02 02:02l 122 Lines 4868 Bytes #999 (0) @ WW
BID : 042718M1CUK
Read: DB0FHN GUEST
Subj: virus / worm update
Path: DB0FHN<DB0ZWI<DB0HDF<DB0ERF<DB0FBB<DB0GOS<ON0AR<ON0AR<VK6HGR<VK3AVE<
GB7FCR
Sent: 021127/2355Z @:GB7FCR.#16.GBR.EU #:30717 [Blackpool] FBB-7.03a $:042718M1
From: M1CUK@GB7FCR.#16.GBR.EU
To : INFO@WW
Date: November 27, 2002
1. Destructive Internet Worm - WORM_WINEVAR.A (Medium Risk)
2. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
--------------------------------------------------------------------
1. Destructive Internet Worm - WORM_WINEVAR.A (Medium Risk)
WORM_WINEVAR.A is a destructive Internet worm that runs on all Windows
platforms. It uses its own Simple Mail Transfer Protocol (SMTP) engine to
propagate via email. It sends email messages with random subjects to
addresses listed in the HTML files of the infected user's system. When
sending email it uses a known exploit that causes the attachment to
automatically execute when the message is viewed or previewed on Internet
Explorer-based email clients, such as Microsoft Outlook and Outlook
Express. This exploit is known as Automatic Execution of Embedded MIME
type. This worm is capable of terminating monitoring programs and
antivirus products from system memory, and it deletes all files in local
drives.
Upon execution, this worm creates a copy of itself in the Windows system
folder as WIN<Random numeric value>.PIF. Due to the use of the random
string, a new copy of this worm is created in the Windows system folder
every time it is executed. It also drops a copy of itself in the Desktop
folder as EXPLORER.PIF.
It then creates autostart entries in the registry using the generated file
name as the name of the entries. These registry entries allow the dropped
copy to execute at startup. After the worm installs itself, it gathers
email addresses from HTML files on the system. The email addresses saved
in the registry entry are removed upon every subsequent execution and
replaced with newly found email addresses. It then uses the default SMTP
server to send out email messages containing an attached copy of itself to
all the gathered addresses.
On the next bootup, this worm displays a message box containing the
following text strings:
Header: Make a fool of oneself
Body: What a foolish thing you have done!
Once the user clicks the OK button, this worm deletes all files from local
drives, except files that are currently running on the system.
If no Internet connection is detected, this worm simply drops the file
AAVAR.PIF in the Windows system folder, which is a slightly modified
version of PE_FUNLOVE.4099. It executes the dropped virus to infect all
.EXE files in all folders, except the Windows and Program Files folders.
The subject lines of the email messages sent by the worm are constructed
in two ways. The first subject format is used 33% of the time, meaning
that it generates this subject once in every 3 email messages (where
<Registered Owner> is the registered owner of the machine and <Registered
Organization> is the organization of the owner):
Subject: AVAR (Association of Anti-Virus Asia Researcher)
Message Body: <Registered Owner> - <Registered Organization>
Attachments:
WIN<random numeric value>.GIF (120 bytes) MUSIC_2.CEO
WIN<random numeric value>.TXT (12.6 KB) MUSIC_1.HTM
The second subject line format is used 66% of the time. It generates 2
email messages of this subject format in every 3 (where <Registered Owner>
is the registered owner of the machine and <Registered Organization> is
the organization of the owner):
Subject: <Registered Organization>
Message Body: <Registered Owner> - <Registered Organization>
Attachments:
WIN<random numeric value>.GIF (120 bytes) MUSIC_2.CEO
WIN<random numeric value>.TXT (12.6 KB) MUSIC_1.HTM
However, at the time of this writing, the worm has a bug: it cannot
completely decode the second email subject, so the first four generated
characters are unintelligible. Most of the email it sends therefore
arrives with the subject format N`4_<Registered Organization>.
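As an added defender-side example (not part of this advisory and not Trend Micro's own tooling), the following Python script turns the indicators described above into a check that can be run over mail-gateway log lines and over file names found on a host: the two subject forms (the AVAR subject and the garbled N`4_ prefix), the WIN<number>.GIF/.TXT plus MUSIC_2.CEO/MUSIC_1.HTM attachment set, and the dropped WIN<number>.PIF, EXPLORER.PIF and AAVAR.PIF files. The log-line format, the sender addresses, the numeric values and the file paths are constructed for the example; only the subject strings and file names come from the advisory.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Strings quoted in the advisory above.
AVAR_SUBJECT = "AVAR (Association of Anti-Virus Asia Researcher)"
GARBLED_PREFIX = "N`4_"  # the incompletely decoded second subject form
FIXED_ATTACHMENTS = {"MUSIC_2.CEO", "MUSIC_1.HTM"}
RANDOM_ATTACHMENT_RE = re.compile(r"^WIN\d+\.(?:GIF|TXT)$", re.IGNORECASE)
DROPPED_FILE_RE = re.compile(r"^(?:WIN\d+\.PIF|EXPLORER\.PIF|AAVAR\.PIF)$", re.IGNORECASE)

# Constructed (hypothetical) gateway-log format: key=value fields, the subject
# in double quotes, attachment names comma-separated without spaces.
LOG_LINE_RE = re.compile(
    r'from=(?P<sender>\S+)\s+subject="(?P<subject>[^"]*)"\s+attach=(?P<attach>\S*)'
)

# Constructed sample log; numbers, addresses and the "Example Org" name are made up.
SAMPLE_LOG = """\
2002-11-27T22:55Z from=alice@example.test subject="AVAR (Association of Anti-Virus Asia Researcher)" attach=WIN4871.GIF,WIN4871.TXT,MUSIC_2.CEO,MUSIC_1.HTM
2002-11-27T22:56Z from=bob@example.test subject="N`4_Example Org" attach=WIN1203.GIF,MUSIC_2.CEO
2002-11-27T22:57Z from=carol@example.test subject="Weekly report" attach=report.doc
2002-11-27T22:58Z from=dave@example.test subject="Example Org" attach=WIN9001.TXT
"""


@dataclass
class MailRecord:
    sender: str
    subject: str
    attachments: List[str]


def parse_gateway_line(line: str) -> Optional[MailRecord]:
    """Parse one constructed gateway-log line; returns None for lines that do not match."""
    m = LOG_LINE_RE.search(line)
    if not m:
        return None
    attachments = [a for a in m.group("attach").split(",") if a]
    return MailRecord(m.group("sender"), m.group("subject"), attachments)


def winevar_mail_indicators(msg: MailRecord) -> List[str]:
    """Return the advisory-derived indicators present in a message, in a fixed order."""
    hits: List[str] = []
    if msg.subject == AVAR_SUBJECT:
        hits.append("subject:avar")
    elif msg.subject.startswith(GARBLED_PREFIX):
        hits.append("subject:garbled-prefix")
    names = {a.upper() for a in msg.attachments}
    if names & FIXED_ATTACHMENTS:
        hits.append("attachment:music-pair")
    if any(RANDOM_ATTACHMENT_RE.match(a) for a in msg.attachments):
        hits.append("attachment:win-random")
    return hits


def is_winevar_mail(msg: MailRecord) -> bool:
    """Verdict: a WIN<n>.GIF/.TXT name alone is too generic, so require a strong indicator.

    The correctly decoded second subject form is just the organization name,
    which is useless on its own; the MUSIC_2.CEO / MUSIC_1.HTM pair carries that case.
    """
    strong = {"subject:avar", "subject:garbled-prefix", "attachment:music-pair"}
    return bool(strong & set(winevar_mail_indicators(msg)))


def scan_gateway_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (sender, indicators) for every log line judged to be a WINEVAR message."""
    flagged = []
    for line in lines:
        msg = parse_gateway_line(line)
        if msg is not None and is_winevar_mail(msg):
            flagged.append((msg.sender, winevar_mail_indicators(msg)))
    return flagged


def winevar_dropped_files(paths: List[str]) -> List[str]:
    """Return the paths whose file name matches one of the dropped-file names.

    Matching is on the base name only; a fuller host check would also confirm the
    location (Windows system folder or Desktop) given in the advisory.
    """
    return [p for p in paths if DROPPED_FILE_RE.match(ntpath.basename(p))]


if __name__ == "__main__":
    for sender, hits in scan_gateway_log(SAMPLE_LOG.splitlines()):
        print(f"{sender}: {', '.join(hits)}")
    # Constructed host file listing; paths are made up for the example.
    sample_paths = [
        r"C:\WINDOWS\SYSTEM32\WIN1234.PIF",
        r"C:\WINDOWS\SYSTEM32\KERNEL32.DLL",
        r"C:\Documents and Settings\user\Desktop\EXPLORER.PIF",
        r"C:\WINDOWS\SYSTEM\AAVAR.PIF",
        r"C:\WINDOWS\EXPLORER.EXE",
    ]
    for p in winevar_dropped_files(sample_paths):
        print("suspicious file:", p)
```

The verdict deliberately ignores the fourth sample line (subject "Example Org", a lone WIN9001.TXT attachment) because a WIN<number>.TXT name by itself will match ordinary mail; in practice the attachment pair is the reliable mail-side indicator, and the dropped .PIF names are the host-side one.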
If you would like to scan your computer for WORM_WINEVAR.A or thousands of
other worms, viruses, Trojans and malicious code, use the free online virus
scanner at:
http://housecall.trendmicro.com/
---------------------------------------------------------------------
2. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: November 18, 2002 to November 24, 2002)
1. WORM_KLEZ.H
2. WORM_BUGBEAR.A
3. WORM_OPASERV.F
4. WORM_OPASERV.A
5. BKDR_MISNOMER.A
6. BKDR_JEEM.A
7. WORM_OPASERV.G
8. JS_NOCLOSE.E
9. REG_STARTPAGE.A
10. PE_SPACES.1445
-------------------------------------------------------------------
73's
Trev,
SysOp GB7FCR
E-Mail trev@gb7fcr.co.uk
Web Site http://www.gb7fcr.co.uk
AX25 - tcp/ip - Telnet - axip - RF & Internet Linked Systems
Message timed: 22:55 on 27 Nov 02
Message sent using WinPack-Telnet V6.80
GB7FCR A KB2VXA FREE ZONE.