new virus

To:	MG List <mgs@autox.team.net>, Riley list <riley@autox.team.net>
Subject:	new virus
From:	Martin <martin@virtual-motors.com>
Date:	Tue, 25 Sep 2001 09:03:35 -0500

Hi guys,

yet another new virii.

CA has detected a new mass mailer virus using the Microsoft Address Book. It 
has a destructive payload that will delete your Windows directory and reformat 
your hard drive.

The characteristics of the WinVote.A@mm virus as are follows:
Subject: Fwd:Peace BeTweeN AmeriCa And IsLaM ! 

Body: 
Hi 

iS iT A waR Against AmeriCa Or IsLaM !? 
Let's Vote To Live in Peace! 

Attachment: WTC.exe 

Drops textfile C:\Windows\Htmlhelp.htm 
Drops textfile C:\Windows\Readme.htm 
Drops VBSfile C:\Windows\MixDaLaL.vbs and runs it (using Wscript.exe) 
Attempts to overwrite HTML files with string: 

"AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr 
is So Sorry For You ."

Drops EXEfile C:\Windows\WTC.exe 
Drops textfile C:\Windows\System\Membg.htm 
Drops VBSfile C:\Windows\System\ZaCker.vbs

HKLM\Software\Windows\CurrentVersion\Run\Norton.Thar = 
C:\Windows\System\ZaCker.vbs 

If machine is rebooted, ZaCker.vbs attempts to delete all files in Windows 
directory and modifies autoexec.bat: "echo y | format C:" displays a message 
box and attempts to exit out of windows. 
The worm spawns two IE browser windows.
1st URL:
http us.f1.yahoofs.com/users/da36d538/bc/TimeUpdate.exe?bcaVq97ATaW0yAxk

Which opens a dialog box requesting permission to download a file.
This exe file is a password stealing trojan, detected by iRiS as
Win32/PSW.Barrio.5_0.Trojan
Win32/PSW.Barrio.50 (Vet)

Registry key modified:
HKCU\software\microsoft\internet Explorer\main\start Page = 
http://us.f1.yahoofs.com/users/da36d538/bc/TimeUpdate.exe?bcaVq97ATaW0yAxk

2nd URL:
http love135.cjb.net
Which does not resolve, site has been brought down.

HTML files are not dropped, but overwritten as are all HTML/HTM files with text 
on both local and accessible network drives.
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr 
is So Sorry For You 
by 1st trojan, MixDaLaL.vbs.
Attempts to delete files found in the following directories:
C:\Program Files\AntiViral Toolkit Pro\*.*
C:\eSafe\Protect\*.*
C:\Program Files\Command Software\F-PROT95\*.*
C:\PC-Cillin 95\*.*
C:\PC-Cillin 97\*.*
C:\Program Files\Quick Heal\*.*
C:\Program Files\FWIN32\*.*
C:\Program Files\FindVirus\*.*
C:\Toolkit\FindVirus\*.*
C:\f-macro\*.*
C:\Program Files\McAfee\VirusScan95\*.*
C:\Program Files\Norton AntiVirus\*.*
C:\TBAVW95\*.*
C:\VS95\*.*

If you don't use the Microsoft Address Book by virtue of
using a non-MS mail client, this won't effect you.

--Martin

///
///  mgs@autox.team.net mailing list
///  or try http://www.team.net/cgi-bin/majorcool
///

<Prev in Thread]	Current Thread	[Next in Thread>
new virus, Martin <= Re: new virus, Andrew B. Lundgren Re: new virus, David N Waldmann Re: new virus, Martin Re: new virus, Eric Re: new virus, Bullwinkle Re: new virus, James H. Nazarian, Ph.D. Re: new virus, Bullwinkle

Previous by Date:	RE: Moss Motors - was RE: MGB tube axle, Phillip Farmer
Next by Date:	Re: new virus, Andrew B. Lundgren
Previous by Thread:	Early Header Rail, Tom Bott
Next by Thread:	Re: new virus, Andrew B. Lundgren
Indexes:	[Date] [Thread] [Top] [All Lists]