[28514] in North American Network Operators' Group
RE: Virus Update
daemon@ATHENA.MIT.EDU (Branden R. Williams)
Thu May 4 13:30:43 2000
Date: Thu, 4 May 2000 10:54:45 -0500 (CDT)
From: "Branden R. Williams" <brw@netvitality.net>
To: msarges@midco.net
Cc: bugtraq@securityfocus.com, nanog@merit.edu
In-Reply-To: <XFMail.20000504105037.msarges@midco.net>
Message-ID: <Pine.LNX.4.21.0005041053430.16143-100000@everest.netvitality.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 4 May 2000 msarges@midco.net wrote:
> Just to clarify, it will look at files on network or net-mapped drives.
> Our organization just found out the hard way.
Ok, we must have stopped it before that happened to us. The person who
ran this (argh) only affected their own hard drive and missed any network
drives.
> On 04-May-2000 Branden R. Williams wrote:
> >
> > Ok, this thing is pretty nasty... Here is a quick summary of what it
> > does.
> >
> > Should you run it, you will lose any files of the following
> > extensions. They will be renamed to filename.extension.vbs with a fresh
> > copy of the replication part.
> >
> > File extensions
> > affected: vbs,vbe,js,jse,css,wsh,sct,hta,jpg,jpeg,mp2,mp3.
> >
> > Every file with that extension is overwritten with the virus. It looks to
> > be localized to mounted hard drives. It does not appear to affect mapped
> > network drives.
> >
> > It also makes a dozen or so registry entries including one to reset your
> > start page to the following URL.
> >
> > http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqweras
> > djhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
> >
> > I have not gone to this URL yet to see what it is, but it downloads a copy
> > of a file called WIN-BUGSFIX.exe.
> >
> > In addition, it creates a MIRC script called script.ini to DCC SEND this
> > to whatever channel you are on.
> >
> > Of course it sends it to everyone in your address book with the subject
> > ILOVEYOU. It looks to only affect people who actually run the vbs
> > script. I would assume that if you are not on a Windows platform that you
> > are not affected.
> >
> > I'll let you know more when we find more.
> >
> > Cheers,
> >
> > Branden R. Williams <brw@netvitality.net>
> > Vice President, Systems - NetVitality, Inc.
> > http://www.netvitality.net/
> > Internet Commerce Specialists
>
> ----------------------------------
> E-Mail: msarges@midco.net
> Date: 04-May-2000
> Time: 10:49:31
>
> We have met the enemy, and he is us.
> -- Walt Kelly
>
> ----------------------------------
>
Cheers,
Branden R. Williams <brw@netvitality.net>
Vice President, Systems - NetVitality, Inc.
http://www.netvitality.net/
Internet Commerce Specialists
