(Fwd) AVP News for 06/10/1999 - VIRUS ALERT

From: Brad Griffin (griffinbat_private)
Date: Thu Jun 10 1999 - 22:38:50 PDT


    This was posted by the AVP people (you've all probably seen it)
    ------- Forwarded Message Follows -------
    From:           	"News Manager" <newsmgrat_private>
    Organization:   	Central Command Inc.
    To:             	avp-newsat_private
    Date sent:      	Thu, 10 Jun 1999 15:58:28 -0400
    Subject:        	AVP News for 06/10/1999 - VIRUS ALERT
    Send reply to:  	newsmgrat_private
    
    AntiViral Toolkit Pro Newsletter for 06/10/1999
    ===============================================
    
    If you suspect a virus infection you can download a free, time-limited,
    fully functional trial version of AntiViral Toolkit Pro from
    http://www.avp.com
    
    VIRUS ALERT - I-Worm.ZippedFiles
    
    AntiViral Toolkit Pro has been updated to detect and remove this
    virus.
    
    I-Worm.ZippedFiles
    
    This is a worm virus spreading via the Internet. It appears as a
    "Zipped_Files.Exe" file attached to email. The file itself is a
    Delphi executable about 210Kb in length. Most of the file's code is
    occupied by Delphi run-time libraries, data and classes, and only
    about 10Kb of code is "pure" worm code.
    
    When executed it installs itself into the system, then sends
    infected messages (with its copy attached) to addresses found in
    emails in the Inbox. To hide its activity the worm displays the
    message:
    
    To install itself into the system the virus copies itself to the Windows
    directory under the name _SETUP.EXE and to the Windows system directory
    under the name EXPLORE.EXE, for example:
    
     C:\WINDOWS\_SETUP.EXE
     C:\WINDOWS\SYSTEM\EXPLORE.EXE
    
    The worm then registers its copy in the Windows configuration file
    WIN.INI to force the system to execute it each time Windows starts
    up. To do that the worm writes the instruction "run=" to the
    [windows] section there. Depending on the worm's "status" and system
    conditions there are two possible variants of this instruction, for
    example:
    
     run=_setup.exe
     run=C:\WINDOWS\SYSTEM\Explore.exe
    
    The worm then stays "memory resident" and is active until the moment the
    system shuts down. The worm's task has no active window and is not visible
    in the taskbar, but is visible in the task list (Ctrl-Alt-Del) under one of
    the names the worm uses for its copies:
    
     Zipped_files
     Explore
     _setup
    
    The worm does not check whether a copy of itself is already present in
    Windows memory, and as a result several instances of the worm may be found.
    
    While active as a Windows application the worm runs four threads in its
    main process: an installation thread that copies the worm files to the
    Windows directories and registers them, the Internet spreading thread and
    two file-destroying threads.
    
    The second (most important) thread sends the email messages using any
    email system based on standard MAPI (Messaging Application Program
    Interface) - MS Outlook, MS Outlook Express, etc. The worm knocks on the
    installed E-mail system four times, trying to log on with different MAPI
    profiles: the default one, Microsoft Outlook, Microsoft Outlook Internet
    Settings, Microsoft Exchange.
    
    Once connected to the E-mail system the worm monitors all arriving
    messages: in an endless loop it scans the Inbox for messages and replies
    to them. The reply message has the same Subject with an "Re" prefix, and
    the body of the message looks as follows:
    
      Hi [recipient name]
      I received your email and I shall send you a reply ASAP.
      Till then, take a look at the attached zipped docs.
    
    The message ends with one of two variants of signature:
    
      bye.
      sincerely [sender name]
    
    A copy of the worm is attached to the message under the
    "Zipped_Files.Exe" name.
    
    The worm does not reply to a message twice and does not reply to its own
    messages. To detect already affected messages the worm marks them with a TAB
    character at the end of the Subject string. Each time the worm scans the
    Inbox for messages, it gets the Subject field, goes to its end, and skips
    the message if a TAB is found there. The worm also does not reply to all
    messages in the Inbox but to unread messages only.
    
    It is necessary to note that both of these conditions (reply to unread
    messages only and do not reply to the same message twice) are optional
    in the worm's infection routine. In the known worm version both of them
    are hardcoded the way described above, but it is possible that the
    next worm version will answer all messages in the Inbox each time the
    worm's infection thread gets control.
    
    
    As a result the situation looks as follows. When the worm starts for
    the first time on the computer, it sends infected messages in reply to
    all unread messages found in the Inbox. It marks them as "affected"
    with a TAB character and does not touch them again. When a new message is
    received from the Internet and appears in the Inbox, it is
    immediately "answered" by the worm with the fake text shown above.
    
    
    The virus has an extremely dangerous payload. Each time it is executed, it
    runs two more threads that scan directory trees on the local and network
    drives, look for .C, .H, .CPP, .ASM, .DOC, .XLS, .PPT files (program source
    and MS Office files) and zero them. The worm uses a create-and-close
    trick that erases file contents and sets the file length to zero. As a result
    the files become unrecoverable.
    
    As mentioned above, there are two file-killing threads. The first of
    them is active all the time the worm copy is active in the system - until
    shutdown. In an endless loop it scans all available drives from C: to Z:
    and corrupts the files listed above. The second thread is executed
    only once. It enumerates network resources, scans them for the same files
    and also destroys them.
    
    ------------------------------------------------------
    You are receiving this newsletter because you
    subscribed to our free newsletter service.
    
    Central Command respects your online time and privacy.
    If you would prefer not to receive future issues of
    this newsletter you can unsubscribe yourself by
    sending an e-mail message to:
    
    majordomoat_private
    
    In the body of the message please include the
    following text to remove yourself from the mailing
    list:
    
    unsubscribe avp-news
    -------------------------------------------------------
    =========================================================
    Central Command Inc.                AntiViral Toolkit Pro
    Antivirus Specialists                  http://www.avp.com
                Complete Internet Virus Protection
       Visit the Virus Encyclopedia http://www.avpve.com
    =========================================================
    Brad Griffin
    2nd year BiT
    Central Queensland University
    Rockhampton QLD
    Australia
    **********************************
    Is there anybody out there?
    Join 'Team Hypersurf' in the
    search for extra terrestrial
    intelligence.
    http://setiathome.ssl.berkeley.edu
    **********************************
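As an added example (not part of the AVP alert or of Brad's message), the following Python checks constructed sample data for the three traces the alert describes: the "run=" entry the worm writes to the [windows] section of WIN.INI, the TAB character it appends to Subject lines it has already "answered", and zero-length files with the source and Office extensions its destructive threads target. All function names and sample data here are hypothetical.

```python
import re

# Names the alert says the worm uses for its copies.
WORM_BINARIES = {"_setup.exe", "explore.exe", "zipped_files.exe"}
# Extensions the alert says the file-destroying threads truncate to zero length.
TARGET_EXTS = {".c", ".h", ".cpp", ".asm", ".doc", ".xls", ".ppt"}

def win_ini_run_entries(win_ini_text):
    """Return run= values in the [windows] section of WIN.INI that name a worm binary."""
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "windows" and line.lower().startswith("run="):
            value = line[4:].strip()
            # Compare only the file name, so both "run=_setup.exe" and a full path match.
            if value.replace("/", "\\").split("\\")[-1].lower() in WORM_BINARIES:
                hits.append(value)
    return hits

def worm_marked_subjects(subjects):
    """The worm marks Subjects it has already 'answered' with a trailing TAB."""
    return [s for s in subjects if s.endswith("\t")]

def suspicious_zeroed_files(entries):
    """entries: iterable of (path, size); flag zero-length files with targeted extensions."""
    flagged = []
    for path, size in entries:
        name = path.replace("/", "\\").split("\\")[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if size == 0 and ext in TARGET_EXTS:
            flagged.append(path)
    return flagged

# Constructed sample data (hypothetical, not taken from a real infected machine).
SAMPLE_WIN_INI = """[windows]
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_SUBJECTS = ["Re: budget figures\t", "lunch?", "Re: lunch?\t"]
SAMPLE_FILES = [("C:\\src\\main.c", 0), ("C:\\src\\util.h", 812), ("C:\\notes.txt", 0)]

if __name__ == "__main__":
    print("WIN.INI run entries:", win_ini_run_entries(SAMPLE_WIN_INI))
    print("TAB-marked subjects:", worm_marked_subjects(SAMPLE_SUBJECTS))
    print("Zeroed target files:", suspicious_zeroed_files(SAMPLE_FILES))
```

A zero-length .doc or .c file is only a hint on its own; the alert's run= entry and the TAB-marked Subjects are the more specific indicators.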
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:49:07 PDT