[10803] in bugtraq
(Fwd) AVP News for 06/10/1999 - VIRUS ALERT
daemon@ATHENA.MIT.EDU (Brad Griffin)
Fri Jun 11 15:50:58 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <199906110540.PAA01527@rockhampton-psvr.qld.hotkey.net.au>
Date: Fri, 11 Jun 1999 15:38:50 +1000
Reply-To: griffinb@hotkey.net.au
From: Brad Griffin <griffinb@HOTKEY.NET.AU>
To: BUGTRAQ@NETSPACE.ORG
This was posted by the AVP people (you've all probably seen it)
------- Forwarded Message Follows -------
From: "News Manager" <newsmgr@avp.com>
Organization: Central Command Inc.
To: avp-news@avp.com
Date sent: Thu, 10 Jun 1999 15:58:28 -0400
Subject: AVP News for 06/10/1999 - VIRUS ALERT
Send reply to: newsmgr@avp.com
AntiViral Toolkit Pro Newsletter for 06/10/1999
===============================================
If you suspect a virus infection you can download a free time limted,
fully functional trial version of AntiViral Toolkit Pro from
http://www.avp.com
VIRUS ALERT - I-Worm.ZippedFiles
AntiViral Toolkit Pro has been updated to detect and remove this
virus.
I-Worm.ZippedFiles
This is a worm virus spreading via Internet. It appears as a
"Zipped_Files.Exe" file attached to email. This file itself is a
Delphi executable files about 210Kb of length. The most part of
file's code is occupied by Delphi run-time libraries, data and
classes, and just about 10Kb of code is "pure" worm code.
Being executed it installs itself into the system, then sends
infected messages (with its attached copy) to addresses using
addresses found in emails in the Inbox. To hide its activity the worm
displays the message:
To install into the system the virus copies itself to Windows
directory with the _SETUP.EXE name and to Windows system directory
with EXPLORE.EXE name, for example:
C:\WINDOWS\_SETUP.EXE
C:\WINDOWS\SYSTEM\EXPLORE.EXE
The worm then registers its copy in the Windows configuration file
WIN.INI to force the system to execute it each time Windows starts
up. To do that the worm writes the instruction "run=" to the
[windows] section there. Depending on the worm "status" and system
conditions there are two possible variants of this instruction, for
example:
run=_setup.exe
run=C:\WINDOWS\SYSTEM\Explore.exe
The worm then stays "memory resident" and is active up to the moment the
system shuts down. The worm's task has no active window and is not visible
in taskbar, but is visible in the task list (Ctrl-Alt- Del) with one of
the names the worm use to name their copies:
Zipped_files
Explore
_setup
The worm does not check its copy already presented in the Windows
memory, and as a result there may be several worm's instances found.
Being active as a Windows application the worm runs four threads of
its main process: installation thread that copies worm files to the
Windows directories and registers them, the Internet spreading thread and
two files destroying threads.
The second (most important) thread sends the email messages using any
email system based on standard MAPI (Messaging Application Program
Interface) - MS Outlook, MS Outlook Express, e.t.c. The worm knocks to the
installed E-mail system four times trying to logon with different MAPI
profiles: default one, Microsoft Outlook, Microsoft Outlook Internet
Settings, Microsoft Exchange.
Being connected to the E-mail the worm monitors all arriving messages - in
endless loop it scans Inbox for messages and reply to them. The reply
message has the same Subject with "Re" prefix, the body of message looks
like follows:
Hi [recipient name]
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
The message ends with one of two variants of signature:
bye.
sincerely [sender name]
The copy of worm is attached to the message with the
"Zipped_Files.Exe" name.
The worm does not reply on the messages twice and does not reply its own
messages. To detect already affected messages the worm marks them with TAB
character at the end of Subject string. Each time the worm scans Inbox for
messages, it gets Subject field, goes to its end, and skips the message if
TAB is found there. The worm also does not reply all messages in Inbox but
unread messages only.
It is necessary to note that both these conditions (reply unread
messages only and do not reply the same message twice) are optional
in the worm's infection routine. In known worm version both of them
are hardcoded the way described above, but it is possible that the
next worm version will answer all messages in Inbox each time the
worm infection thread gets control.
As a result the things look like follows. When the worm starts for
the first time on the computer, it sends infected messages by using
all unread messages found in the Inbox. It marks them as "affected"
by TAB character and does not affect anymore. When a new message is
received from the Internet and appears in the Inbox, it is
immediately "answered" by worm with the fake text shown above.
The virus has extremely dangerous payload. Each time it is executed, it
runs two more threads that scan directory trees on the local and network
drives, look for .C, .H, .CPP, .ASM, .DOC, .XLS, .PPT (programs' source
and MS Office files) and zeroes them. The worm uses a create-and-close
trick that erases file contents and sets file length to zero. As a result
the files become unrecoverable.
As it is mentioned above, there are two files killing threads. First of
them is active all time the worm copy is active in the system - till the
shutting down. In endless loop it scans all available drives from C: to Z:
and corrupts files that were listed above. The second thread is executed
only once. It enumerates network resources, scans them for the same files
and also destroys them.
------------------------------------------------------
You are receiving this newsletter because you
subscribed to our free newsletter service.
Central Command respects your online time and privacy.
If you would refer not to receive future issues of the
this newsletter you can unsubscribe yourself by
sending a e-mail message to:
majordomo@avp.com
In the body of the message please include the
following text to remove yourself from the mailing
list:
unsubscribe avp-news
-------------------------------------------------------
-
=========================================================
Central Command Inc. AntiViral Toolkit Pro
Antivirus Specialists http://www.avp.com
Complete Internet Virus Protection
Visit the Virus Encyclopedia http://www.avpve.com
=========================================================
Brad Griffin
2nd year BiT
Central Queensland University
Rockhampton QLD
Australia
**********************************
Is there anybody out there?
Join 'Team Hypersurf' in the
search for extra terrestrial
intelligence.
http://setiathome.ssl.berkeley.edu
**********************************
