OpenBCM V1.13 (Linux)

Packet Radio Mailbox

DB0FHN

[JN59NK Nuernberg]

 Login: GUEST





  
M1CUK  > INFO     29.11.02 21:44l 135 Lines 4479 Bytes #999 (0) @ WW
BID : 2E2734M1CUK
Read: DB0FHN GUEST
Subj: virus warning / update
Path: DB0FHN<DB0ZWI<DB0HDF<DB0ERF<DB0FBB<DB0GOS<ON0AR<ON0AR<7M3TJZ<HA3PG<
      GB7FCR
Sent: 021129/1830Z @:GB7FCR.#16.GBR.EU #:30969 [Blackpool] FBB-7.03a $:2E2734M1
From: M1CUK@GB7FCR.#16.GBR.EU
To  : INFO@WW


Nasty virus Winevar insults infected users
By John Leyden
Posted: 28/11/2002 at 10:21 GMT


Winevar-A, the latest mass mailing virus, adds insult to injury for
infected victims. 

As well as attempting to delete files and sending repeating HTTP requests
to Symantec's Web site (an unsophisticated DDoS ploy), Winevar also
displays a rude message. 

The virus normally arrives by email with an infected attachment. If
Windows PC users click on the attachment, the virus gets to work screwing
up systems. 

Winevar-A is a dropper for the W32/Flcss virus and a worm which spreads by
emailing itself via SMTP to addresses on the local computer. It also tries
to terminate AV and security programs running on a machine. 

And there's more. 

On system restart Winevar-A displays the message "Make a fool of oneself:
What a foolish thing you've done!". 

If users press the OK button the worm deletes all deletable files in all
folders. 

AV vendors have mostly updated their definition files to detect the
Winevar, which has not spread widely - yet. Here is AV vendor Sophos's
description of the virus.


W32/Winevar-A 

Aliases 

I-Worm.Winevar, WORM_WINEVAR.A, W32/Korvar, Worm/Bride.C, W32.HLLW.Winevar

 
Type 
Win32 worm 
 
Detection 
A virus identity (IDE) file which provides protection is available now
from the Latest virus identities section, and will be incorporated into
the January 2003 (3.65) release of Sophos Anti-Virus.

Sophos has received several reports of this worm from the wild. 
 
 
Description 
W32/Winevar-A is a dropper for the W32/Flcss virus and a worm which
spreads by emailing itself via SMTP to addresses on the local computer. 

The worm copies itself to the Windows system folder as WINXXXX.PIF (where 
XXXX represents a random four-digit number) and adds to the following
registry entries to run itself on system restart: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run 

The worm also drops a copy of itself on the Windows Desktop as
EXPLORER.PIF. 

W32/Winevar-A drops W32/Flcss within the Windows system folder as
WINXXXX.TMP (where XXXX represents a random four-digit number). The file
contains the following text within its DOS header: "~ AAVER 2002 in Seoul
~". 

Emails have the following characteristics: 

From: <registered owner> (defaults to "AntiVirus")
Subject: <registered organisation> (defaults to "Trand Microsoft Inc.") 

or 

Subject: Re: AVAR(Association of Anti-Virus Asia Researchers) 

Message text: "<registered owner> - <registered organisation>"
Attached files: 
WINXXXX.TXT (12.6 KB)
WINXXXX.GIF (120 bytes)
WINXXXX.PIF
MUSIC_1.HTM
MUSIC_2.CEO

W32/Winevar-A creates several entries within the registry at
HKCR\Software\Microsoft\DataFactory, which is a repository of the
addresses to which an infected email has been sent. 

The HTM file contains a link entitled "Association of Ti-Virus Asia
Researchers" which points to www.aavar.org

When run the HTM file adds an entry to the registry so that CEO files are
interpreted as EXE files by the operating system. 

W32/Winevar-A contains the following text in an encrypted form:

AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.

W32/Winevar-A attempts to terminate processes containing the following
names:
view, debu, scan, mon, vir, iom, ice, anti, fir, prot, secu, dbg, avk,
pcc, spy, microsoft, ms, _np, r n, cicer, irmon, smtpsvc, moniker, office,
program, explorewclass, antivirus, cillin, nlab, vacc. This appears to be
an attempt to disable various anti-virus products which may be running on
the infected user's computer. 

On system restart W32/Winevar-A displays the message "Make a fool of
oneself: What a foolish thing you've done!". If the "OK" button is pressed
the worm deletes all deletable files in all folders. 

W32/Winevar-A also attempts to launch a denial of service attack on the
website belonging to anti-virus vendor Symantec by sending HTTP requests
to www.symantec.com every 1 millisecond in an infinite loop.
 
-----------------------


73's 
    Trev,
    SysOp GB7FCR 
    E-Mail trev@gb7fcr.co.uk	
    Web Site http://www.gb7fcr.co.uk
    AX25 - tcp/ip - Telnet - axip - RF & Internet Linked Systems
    Message timed: 17:27 on 29 Nov 02
    Message sent using WinPack-Telnet V6.80
    GB7FCR A KB2VXA FREE ZONE.
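
Added example (not part of M1CUK's bulletin, the Register article or
Sophos's description): a small Python indicator check built from the host
and mail characteristics listed above - the WINxxxx.PIF/TMP drop names, the
three Run keys, the process-name kill list, the two mail subjects and the
attachment names. All sample data is constructed here. Two points are
assumptions not stated in the bulletin: that the CEO-to-EXE remap is done
through the HKCR\.ceo file-association default value, and that the worm's
process-name matching is case-insensitive.

```python
"""Indicator checks for W32/Winevar-A, derived from the Sophos description.

Added example, not part of the original bulletin and not Sophos's or
Symantec's code. All input data (registry values, process names, mail
headers) is constructed for the demonstration. The .CEO/EXE check assumes
the remap is done through the HKCR\\.ceo default value; the bulletin only
says CEO files become interpreted as EXE files.
"""
import re

# Files the worm drops: WINxxxx.PIF and WINxxxx.TMP in the system folder,
# EXPLORER.PIF on the desktop (xxxx is a random four-digit number).
DROPPED_FILE_RE = re.compile(r"^WIN\d{4}\.(?:PIF|TMP)$", re.IGNORECASE)
DESKTOP_DROPPER = "EXPLORER.PIF"

# Autostart keys the worm adds itself to (from the description).
RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Substrings the worm searches for in process names before terminating them.
KILL_SUBSTRINGS = (
    "view", "debu", "scan", "mon", "vir", "iom", "ice", "anti", "fir", "prot",
    "secu", "dbg", "avk", "pcc", "spy", "microsoft", "ms", "_np", "r n", "cicer",
    "irmon", "smtpsvc", "moniker", "office", "program", "explorewclass",
    "antivirus", "cillin", "nlab", "vacc",
)

# Mail characteristics: default subject, the AVAR subject, attachment names.
MAIL_SUBJECTS = {
    "Trand Microsoft Inc.",
    "Re: AVAR(Association of Anti-Virus Asia Researchers)",
}
ATTACHMENT_RE = re.compile(
    r"^(?:WIN\d{4}\.(?:TXT|GIF|PIF)|MUSIC_1\.HTM|MUSIC_2\.CEO)$", re.IGNORECASE)


def _basename(path):
    """Last component of a Windows path, surrounding quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def autostart_hits(registry):
    """registry: {key_path: {value_name: data}}.
    Return (key, data) pairs in the three Run keys whose data launches a
    WINxxxx.PIF. The value name is not given in the bulletin, so only the
    launched file name is matched."""
    wanted = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, values in registry.items():
        if key.lower() not in wanted:
            continue
        for data in values.values():
            if DROPPED_FILE_RE.match(_basename(data)):
                hits.append((key, data))
    return hits


def ceo_remapped(registry):
    """True if .CEO is associated with exefile (assumed HKCR\\.ceo default value)."""
    value = registry.get(r"HKCR\.ceo", {}).get("", "")
    return value.lower() == "exefile"


def would_be_killed(process_name):
    """Return the first kill-list substring found in the process name, or None.
    Case-insensitive matching is an assumption; the bulletin does not say."""
    name = process_name.lower()
    for needle in KILL_SUBSTRINGS:
        if needle in name:
            return needle
    return None


def mail_indicators(subject, attachments):
    """Return the indicators matched by a mail's subject and attachment names."""
    found = []
    if subject in MAIL_SUBJECTS:
        found.append("subject:" + subject)
    found.extend("attachment:" + a for a in attachments if ATTACHMENT_RE.match(a))
    return found


if __name__ == "__main__":
    # Constructed host snapshot resembling an infected machine.
    registry = {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
            "WIN4712": r"C:\WINDOWS\SYSTEM\WIN4712.PIF"},
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
            "Notes": r"C:\Program Files\Notes\notes.exe"},
        r"HKCR\.ceo": {"": "exefile"},
    }
    print("autostart:", autostart_hits(registry))
    print("ceo remapped:", ceo_remapped(registry))
    for proc in ("SCAN32.EXE", "notepad.exe", "msimn.exe"):
        print(proc, "->", would_be_killed(proc))
    print(mail_indicators("Trand Microsoft Inc.",
                          ["WIN4712.TXT", "MUSIC_2.CEO", "readme.doc"]))
```

Note what the kill list does to a host: "msimn.exe" (Outlook Express) is
terminated because it contains "ms", so the substring rule hits ordinary
applications as well as the anti-virus products it was aimed at.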
  

