[NLRS] Virus info
Jim Johnson
[email protected]
Fri, 10 May 2002 08:53:10 -0500
Taken from:
http://www.symantec.com/avcenter/venc/data/[email protected]
Because this worm uses a randomly chosen address that it finds on an
infected computer as
the "From:" address, numerous cases have been reported in which users of
uninfected
computers received complaints that they sent an infected message to
someone else.
For example, Linda Anderson is using a computer that is infected with
W32.Klez.H@mm.
Linda is not using a antivirus program or does not have current virus
definitions. When
W32.Klez.H@mm performs its emailing routine, it finds the email address
of Harold Logan. It
inserts Harold's email address into the "From:" portion of an infected
message that it then
sends to Janet Bishop. Janet then contacts Harold and complains that he
sent her an infected
message, but when Harold scans his computer, Norton AntiVirus does not
find anything--as
would be expected--because his computer is not infected.
If you are using a current version of Norton AntiVirus and have the most
recent virus definitions,
and a full system scan with Norton AntiVirus set to scan all files does
not find anything, you
can be confident that your computer is not infected with this worm.
There have been several reports that, in some cases, if you receive a
message that the virus
has sent using its own SMTP engine, the message appears to be a
"postmaster bounce
message" from your own domain. For example, if your email address is
[email protected],
you could receive a message that appears to be from
[email protected], indicating
that you attempted to send email and the attempt failed. If this is the
false message that is
sent by the virus, the attachment includes the virus itself. Of course,
such attachments should
not be opened.
If the message is opened in an unpatched version of Microsoft Outlook or
Outlook Express, the
attachment may be automatically executed. Information about this
vulnerability and a patch are
available at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
The worm attempts to disable on-access virus scanners and some
previously distributed worms (such
as W32.Nimda and CodeRed) by stopping any active processes. The worm
removes the startup
registry keys used by antivirus products and deletes checksum database
files including:
Anti-Vir.dat
Chklist.dat
Chklist.ms
Chklist.cps
Chklist.tav
Ivb.ntz
Smartchk.ms
Smartchk.cps
Avgqt.dat
Aguard.dat
The worm copies itself to local, mapped, and network drives as:
A random file name that has a double
extension. For example, Filename.txt.exe.
A .rar archive that has a double extension.
For example, Filename.txt.rar.
Email:
This worm searches the Windows address book, the ICQ database, and
local files for email
addresses. The worm sends an email message to these addresses with
itself as an attachment. The
worm contains its own SMTP engine and attempts to guess at available
SMTP servers. For
example, if the worm encounters the address [email protected] it will
attempt to send email via
the server smtp.abc123.com.
The subject line, message bodies, and attachment file names are random.
The From address is
randomly-chosen from email addresses that the worm finds on the
infected computer.
The worm will search files that have the following extensions for email
addresses:
mp8
.exe
.scr
.pif
.bat
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf
In addition to the worm attachment, the worm also may attach a random
file from the computer.
The file will have one of the following extensions:
mp8
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf
As a result, the email message would have 2 attachments, the first being
the worm and the second
being the randomly-selected file.
The email message that this worms sends is composed of "random" strings.
The subject can be
one of the following:
Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
The random word will be one of the following:
new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky
The body of the email message is random.
--- StripMime Report -- processed MIME parts ---
multipart/alternative
text/plain (text body -- kept)
text/html
The reason this message is shown is because the post was in HTML
or had an attachment. Attachments are not allowed.
Please post in Plain-Text only.---