Wild Apache - Clarkdale, Arizona - 928.649.3020



SECURITY ADVISORY

Nov. 23rd - Please beware of any email that asks you to click a link or open an attachment to update or verify account information. Recent examples have included messages that appear to be from the IRS, Social Security Admin., Facebook, MySpace, or from e-mail providers. If you receive such a message please delete it.
*********************************************************************

Internet-worm MyDoom

More detailed information on MyDoom can be found here.

*********************************************************************



I Love You Virus
To remove this virus, click the Start button, click Settings, then Control Panel. In the Control Panel, double-click Add/Remove Programs. Find Windows Scripting Host or Microsoft Windows Scripting Host, highlight this entry and click Remove.

Next, click the "Windows Setup" tab. Windows will search for installed components. Highlight Accessories and click Details. A new screen will appear. Find Windows Scripting Host and uncheck this item. Click OK and close all open windows.
VIRUS Links...
http://www.mcafee.com/
McAfee maintains a listing of known viruses and virus hoaxes

http://www.cert.org/advisories/
CERT is a more technical listing and deals with other issues in addition to virus data

F-Secure Virus Information Pages

F-Secure is yet another source.

VIRUS SPECIFIC Info...



W32/ExploreZip.worm.pak

Virus Characteristics
This is a 32bit Worm that travels by sending e-mail messages to users. It drops the file
explore.exe and modifies either the WIN.INI (Win9x) or modifies the registry (WinNT).

Information
This is a minor variant of the original W32/ExploreZip.worm: this edition is a compressed
copy of the executable. A compression tool named Neolite was used to compress the worm's
binary executable, preventing detection by existing detections of the original version.
This variant runs compressed and is not expanded beyond its compressed form except in
memory. The following description and removal method are almost identical to those for
the first variant, except with regard to file size.

This worm attempts to invoke MAPI-aware e-mail applications such as MS Outlook, MS Outlook
Express and MS Exchange. It replies to all unread and all newly received messages with the
following body:

"I received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached
zipped docs. "

The subject line is not constant as the message is a reply to a message sent to the infected
user.

The worm is attached as a file named "zipped_files.exe", 120,495 bytes in size. The file
has a WinZip icon, designed to fool unsuspecting users into running it as a self-extracting
archive. If the attachment is run, the user sees a fake error message with the following
text:

"Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup
set, insert the last disk of the backup set and try again. Please press F1 for help."

This worm will locate systems drives which are NOT mapped drives using functions from
MPR.DLL and Network Neighborhood!

Systems with full access shares on the network could experience the worm creating a copy of
itself in two folder locations, and two file names. A file named "EXPLORE.EXE" will be copied to
Windows\System folder and a file "_SETUP.EXE" is copied to the Windows folder. On these
systems, if the OS is Windows 9x, the WIN.INI is modified with

[windows]
run=c:\windows\explore.exe (or) _setup.exe

The value alternates between _setup.exe and explore.exe on each reboot. When Windows starts,
it loads this file, thereby infecting the system. The worm attempts such systems only once,
whereas it constantly attempts to re-infect systems reachable through mapped drives.

On Windows NT systems, the registry is modified with the following key addition

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
run = explore.exe (or) _setup.exe

The value will switch between _setup.exe and explore.exe per reboot.

This worm does not self-check and prevent itself from loading more than once so could have more
than one task running. On Windows 9x and Windows NT, it is listed as a task by the file name
running, such as "Explore" or "_Setup" or "Zipped_Files".

Payload Notice
This worm has a dangerous payload. Immediately after execution it searches all available local
drives from C: to Z: for files with the following extensions: .c, .cpp, .h, .asm, .doc, .xls, or
.ppt. When found, they are opened for write and immediately closed, leaving them with a zero byte
count. This payload is repeated at approximately 30-minute intervals.

***** These files with zero bytes are unrecoverable! *****

Indications Of Infection
Existence of any of the 3 file names mentioned above [note EXPLORER.EXE is
a valid name - do not confuse this name]. Process running as mentioned above,
files being corrupted / deleted as mentioned above.
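The indicators above (the run= line in WIN.INI, the dropped file names, the 120,495-byte attachment, and zero-byte source and document files) can be checked mechanically. The following Python script is an added example for this page, not code from the original advisory or any vendor tool; the WIN.INI text and the file listing it runs over are constructed test data, while the names, size and extensions come from the write-up. Note that it deliberately leaves EXPLORER.EXE alone, for the reason the write-up gives.

```python
"""Triage checks for the W32/ExploreZip.worm.pak indicators described above.

Added example for this page, not code from the original advisory. The WIN.INI
text and the file listing below are constructed test data; the indicator values
(file names, the 120,495-byte attachment size, the extensions the payload wipes)
are taken from the write-up.
"""
import ntpath

# Names the worm uses for itself (EXPLORER.EXE, the Windows shell, is NOT one of them)
WORM_NAMES = {"explore.exe", "_setup.exe", "zipped_files.exe"}
ATTACHMENT_SIZE = 120_495
# Extensions the payload truncates to zero bytes
WIPED_EXTENSIONS = {".c", ".cpp", ".h", ".asm", ".doc", ".xls", ".ppt"}


def check_win_ini(win_ini_text):
    """Return findings for a [windows] run= line pointing at a worm file (Win9x)."""
    findings = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                # run= may list several programs separated by spaces or commas
                for entry in value.replace(",", " ").split():
                    if ntpath.basename(entry).lower() in WORM_NAMES:
                        findings.append(f"WIN.INI [windows] run= loads {entry}")
    return findings


def check_files(listing):
    """listing: iterable of (path, size_in_bytes) pairs.

    Flags dropped worm files (noting when the size matches the mail
    attachment) and zero-byte files of the types the payload destroys.
    """
    findings = []
    for path, size in listing:
        name = ntpath.basename(path).lower()
        ext = ntpath.splitext(name)[1]
        if name in WORM_NAMES:
            msg = f"worm file present: {path}"
            if size == ATTACHMENT_SIZE:
                msg += " (size matches the 120,495-byte attachment)"
            findings.append(msg)
        elif ext in WIPED_EXTENSIONS and size == 0:
            findings.append(f"zero-byte {ext} file, possibly wiped by payload: {path}")
    return findings


def triage(win_ini_text, listing):
    """Run both checks and return the findings keyed by category."""
    return {"persistence": check_win_ini(win_ini_text), "files": check_files(listing)}


# Constructed sample data (not taken from a real infected system)
WIN_INI_SAMPLE = r"""[windows]
load=
run=c:\windows\explore.exe
[Desktop]
Wallpaper=(None)
"""

LISTING_SAMPLE = [
    (r"C:\WINDOWS\EXPLORER.EXE", 204800),      # legitimate shell, must not be flagged
    (r"C:\WINDOWS\SYSTEM\EXPLORE.EXE", 120495),
    (r"C:\WINDOWS\_SETUP.EXE", 120495),
    (r"C:\Mail\zipped_files.exe", 120495),
    (r"C:\src\main.c", 0),                     # wiped source file
    (r"C:\src\util.h", 4096),                  # intact
    (r"C:\docs\report.doc", 0),                # wiped document
]

if __name__ == "__main__":
    for category, items in triage(WIN_INI_SAMPLE, LISTING_SAMPLE).items():
        print(category)
        for item in items:
            print("  " + item)
```

The zero-byte check is a recovery aid rather than a detection on its own: the write-up stresses that wiped files are unrecoverable, so a list of affected files is what you need when locating which backups to restore.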



Happy99.Worm

Aliases: Trojan.Happy99, I-Worm.Happy
Likelihood: Common
Region Reported: World Wide
Characteristics: Trojan Horse, Worm


Description

This is a worm program, NOT a virus. This program has reportedly been received through email spamming and USENET newsgroup posting. The file is usually named HAPPY99.EXE in the email or article attachment.

When executed, the program opens a window entitled "Happy New Year 1999 !!" showing a fireworks display to disguise its other actions. The program copies itself as SKA.EXE and extracts a DLL that it carries, SKA.DLL, into the WINDOWS\SYSTEM directory. It also modifies WSOCK32.DLL in the WINDOWS\SYSTEM directory and copies the original WSOCK32.DLL to WSOCK32.SKA.

WSOCK32.DLL handles internet-connectivity in Windows 95 and 98. The modification to WSOCK32.DLL allows the worm routine to be triggered when a connect or send activity is detected. When such online activity occurs, the modified code loads the worm's SKA.DLL. This SKA.DLL creates a new email or a new article with UUENCODED HAPPY99.EXE inserted into the email or article. It then sends this email or posts this article.

If WSOCK32.DLL is in use when the worm tries to modify it (i.e. a user is online), the worm adds a registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce=SKA.EXE

The registry entry loads the worm the next time Windows starts.

Removing the Worm Manually

  1. delete WINDOWS\SYSTEM\SKA.EXE
  2. delete WINDOWS\SYSTEM\SKA.DLL
  3. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
  4. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
  5. delete the downloaded file, usually named HAPPY99.EXE

Windows prevents you from doing steps 3 and 4 above if the machine is still connected to the Internet. The file "windows\system\wsock32.dll" is in use whenever the machine is connected to the Internet (through a dial-up or LAN connection).


If you are using a dial-up connection (e.g. America Online), do the following:

  1. terminate the Internet connection
  2. delete WINDOWS\SYSTEM\SKA.EXE
  3. delete WINDOWS\SYSTEM\SKA.DLL
  4. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.DLL to WSOCK32.BAK
  5. in the WINDOWS\SYSTEM\ directory, rename WSOCK32.SKA to WSOCK32.DLL
  6. delete the downloaded file, usually named HAPPY99.EXE


If you are connected to the Internet through a LAN (e.g. in the office or via cable modem), do the following:

  1. From the Start menu, select Shut Down, then Restart in MS-DOS mode
  2. When the DOS prompt (C:\) appears, type CD \windows\system
  3. type RENAME WSOCK32.DLL WSOCK32.BAK
  4. type RENAME WSOCK32.SKA WSOCK32.DLL
  5. type DEL SKA.EXE
  6. type DEL SKA.DLL

Safe Computing

This worm and other trojan-horse type programs demonstrate the need to practice safe computing. One should not execute any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an email or a newsgroup article from an untrusted source.


Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:

http://www.symantec.com/avcenter/download.html

Write-up by: Raul K. Elnitiarta
March 2, 1999




Cross-reference data provided by Project VGrep.
Implemented with permission of Virus Bulletin.

VBS/Bubbleboy

http://www.virusbtn.com/VirusInformation/bboy.html

Email-propagating without using attachments
VBS/Bubbleboy is the first virus that is able to propagate itself via e-mail, without
having to open an attachment. It achieves this by exploiting security holes that
exist in the treatment of ActiveX controls. As stated by Microsoft on their
MS99-032 Security Bulletin page (
http://www.microsoft.com/Security/Bulletins/ms99-032.asp):

Links To Patches

Alpha System (click here)

x86 System [Pentium II, III] (click here)

Links To More Information

Read Me File

bubbleboy.html



PrettyPark.Exe

ALIAS: PSW, CHV, Pretty Park

PrettyPark, also known as 'Trojan.PSW.CHV', is an Internet worm, a password-stealing
trojan and a backdoor at the same time. It was reported to be widespread in Central
Europe in June 1999.

PrettyPark spreads via the Internet by attaching its body to e-mails as a file named
'Pretty Park.Exe'. When executed it installs itself in the system and then sends e-mail
messages with a copy of itself attached to the addresses listed in the Address Book; it
also informs someone (most likely the worm's author) via specific IRC servers about the
infected system's settings and passwords. It can also be used as a backdoor (remote
access tool).

When the worm is executed on a system for the first time, it looks for a copy of itself
already active in memory. It does this by looking for an application whose window caption
is "#32770". If there is no such window, the worm registers itself as a hidden application
(not visible in the task list) and runs its installation routine.

While installing itself the worm copies itself to the \Windows\System\ directory as
FILES32.VXD and then modifies the Registry so that it is run each time any EXE file is
started while Windows is active. It does this by creating a new key under
HKEY_CLASSES_ROOT, named exefile\shell\open\command, and associating it with the worm
file (the FILES32.VXD created in the Windows system folder). If FILES32.VXD is deleted
and the Registry is not corrected, no EXE file will start in Windows from then on.

If an error occurs during installation, the worm activates the SSPIPES.SCR screen saver
(3D Pipes). If this file is missing, the worm tries to activate the 'Canalisation3D.SCR'
screen saver.

The worm then opens an Internet connection and activates two routines. It initialises a
socket (Internet) connection and runs routines that are activated regularly: the first
once per 30 seconds, the second once per 30 minutes.

The first routine, activated every 30 seconds, tries to connect to one of the IRC chat
servers listed below and to send messages to a particular person if they are present on
any channel of that server. This allows the worm's author to monitor infected computers.

The list of IRC servers the worm tries to connect to:

irc.twiny.net
irc.stealth.net
irc.grolier.net
irc.club-internet.fr
ircnet.irc.aol.com
irc.emn.fr
irc.anet.com
irc.insat.com
irc.ncal.verio.net
irc.cifnet.com
irc.skybel.net
irc.eurecom.fr
irc.easynet.co.uk

The worm may also be used as a backdoor (remote access tool) by its author. It can send
out system configuration details, the drive list and directory information as well as
confidential information: Internet access passwords and telephone numbers, Remote Access
Service login names and passwords, ICQ numbers, etc. The backdoor is also able to create
and remove directories, send and receive files, and delete and execute them.

The second routine, which is activated once per 30 minutes, opens Address
Book file, reads e-mail addresses from there, and sends messages to these
addresses. The message Subject field contains the text:

C:\CoolProgs\Pretty Park.exe

The message has an attached copy of the worm as Pretty Park.EXE file. If
someone receives this message and runs the attached file his system becomes
infected.

[Analysis: AVP, Data Fellows and DataRescue teams]
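Three of the write-ups on this page describe persistence through the Registry: ExploreZip's run value under the Windows NT key on NT systems, Happy99's RunOnce entry for SKA.EXE, and PrettyPark's replacement of the exefile\shell\open\command default (which on a clean Windows 9x/NT system is "%1" %*, quotes included). The following Python script is an added example for this page, not code from the advisories or any vendor tool: it parses a REGEDIT4-style export and reports each of those three conditions. The export text is constructed; the RunOnce value name "ska" and the exact form of the hijacked command string are assumptions, since the write-ups only name the files involved.

```python
"""Check a REGEDIT4-style registry export for the persistence entries described
in the ExploreZip, Happy99 and PrettyPark write-ups on this page.

Added example, not part of the original advisories or any vendor tool. The
export text below is constructed; the RunOnce value name "ska" and the exact
hijacked exefile command are assumptions, since the write-ups give only the
file names involved.
"""
import ntpath
import re

# Default command Windows 9x/NT uses to launch .EXE files
EXEFILE_DEFAULT = '"%1" %*'

# A value line is either @=... (default value) or "name"=...
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # Undo .reg escaping: a doubled backslash becomes one, an escaped quote becomes a quote
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4 export.

    String data is unescaped; other data (dword:, hex:) is kept verbatim.
    The default value of a key is stored under the name "@".
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if name != "@":
                name = _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_persistence(text):
    """Return findings for the three mechanisms named in the write-ups."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        # ExploreZip on NT: the 'run' value under the WIN.INI-mapped Windows key
        if k == r"hkey_current_user\software\microsoft\windows nt\currentversion\windows":
            run = values.get("run", "")
            for entry in run.replace(",", " ").split():
                if ntpath.basename(entry).lower() in {"explore.exe", "_setup.exe"}:
                    findings.append(f"ExploreZip: {key} run = {run}")
        # Happy99: SKA.EXE queued in RunOnce (Run is checked too, for completeness)
        elif k.endswith(r"\currentversion\runonce") or k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if ntpath.basename(data).lower() == "ska.exe":
                    findings.append(f"Happy99: {key} {name} = {data}")
        # PrettyPark: the EXE open command is no longer the stock '"%1" %*'
        elif k == r"hkey_classes_root\exefile\shell\open\command":
            cmd = values.get("@", "")
            if cmd.strip().lower() != EXEFILE_DEFAULT.lower():
                findings.append(f"PrettyPark-style EXE hijack: {key} @ = {cmd}")
    return findings


# Constructed export resembling an infected machine (not a real capture)
REG_INFECTED = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="explore.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ska"="SKA.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"
'''

# The same keys as they should look on a clean system
REG_CLEAN = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for finding in find_persistence(REG_INFECTED):
        print(finding)
    print("clean export findings:", find_persistence(REG_CLEAN))
```

The checker reports the current exefile command rather than just a yes/no, because the order of cleanup matters for PrettyPark: as the write-up warns, the command value has to be restored to the default before FILES32.VXD is deleted, or no EXE will start afterwards. The script only covers the keys these three write-ups name; it is not a general-purpose autostart audit.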



W32.Kriz.3740

Aliases: W32.Kriz
Area of Infection: Windows 9x/NT PE files
Likelihood: Rare
Region Reported: Worldwide
Characteristics: Wild, BIOS, December 25

Description:

W32.Kriz.3740 is a Windows 9x/NT virus which infects Portable Executable (PE)
Windows files. The virus goes resident in memory, attempting to infect any files
that are opened by the user or by applications. If infected with this virus, the
user should verify they have "booted clean" before attempting to scan and repair
files.

The virus also modifies the KERNEL32.DLL. This file must be replaced with a
known, clean backup. In addition, this virus may corrupt some PE files, requiring
them to be replaced by known, clean backups (or from the installation package).

The W32.Kriz.3740 virus also contains a payload, which is executed on
December 25th.

The first time the virus is executed on a system, it will create an infected copy of
KERNEL32.DLL in the Windows system directory. The file will be called
KRIZED.TT6. If the user finds this file in their Windows system directory, it
should be deleted. The next time Windows is started, this file will be copied over
the original KERNEL32.DLL. Then, the virus infects other files when certain
Windows API functions are called by a program.

There are also variants of this virus. Some of the differences between variants
pertain to the payload. Other differences include multiple methods of infection.
One variant will create a new section named ".", and copy its viral code to that
newly created section. Another variant will simply append its code to the end of
the last section.

Payload:

If the system date is December 25th, the virus will attempt to flash the BIOS of
the computer. This will prevent the computer from booting up properly and may
require a change of hardware. Information stored in the CMOS will be cleared.
So the date, time, hard drive and floppy drive settings, peripheral configuration,
etc. will need to be restored. The virus will also begin overwriting files on all
available drives. This includes mapped network drives, floppy drives and RAM
disks. This payload is very similar to W95.CIH. Norton AntiVirus will detect this
virus with the current virus definitions either through LiveUpdate or by download
from the following webpage:

http://www.symantec.com/avcenter/download.html

Write-up by: Eric Chien
August 18, 1999