I am constantly getting e-mails concerning the latest virus
some joker comes out with.
I will try to post each alert the very DAY I get one, along with the source, if possible.
Hope this helps someone out there to NOT lose all the data on their drive, or names in address books. ~S~
ATTENTION:
Do not open any email titled CALIFORNIA.
There is a new virus called WOBBLER. It will arrive via e-mail titled CALIFORNIA.
IBM and AOL have announced that it is very powerful, more so than Melissa, and there is no remedy. It will destroy all the information on your hard drive and it also destroys Netscape Navigator and Microsoft Internet Explorer. Do not open anything with this title and do not download ANY attached files. Please pass this message on to all your contacts and to anyone who uses your e-mail facility. Not many people seem to know about this yet, so pass this message on as fast as possible.
- Officer Troy C. Ross, Unit 1420 VCU Police Department email: ross1420@aol.com
website: http://www.fortunecity.com/campus/college/811
6/24/99
Source: Bill & Sandy Eakle
http://www.wirefire.com/seakle
http://www.mcafee.com/viruses/explorezip/default.asp
Description:
W32/ExploreZip.worm is a worm that infects Windows systems. It is very dangerous, potentially more destructive than Melissa. It reproduces itself by sending replies to incoming email messages, with itself as an attachment called "zipped_files.exe". It includes a payload: it will search the user's mapped drives and overwrite all files of types .c, .cpp, .asm, .doc, .xls and .ppt to zero KB.
IMPORTANT — If you receive an email with the message "I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.", DELETE IT IMMEDIATELY! It will have an attachment called "zipped_files.exe"; DO NOT DOUBLE-CLICK OR RUN THIS ATTACHMENT! If you do, it will infect your system!
6/11/99
Source: Bill & Sandy Eakle
http://www.wirefire.com/seakle
http://www.zdnet.com/zdnn/stories/news/0,4586,2271326,00.html
Description:
Worm.ExploreZip is a worm that contains a malicious payload. The worm
utilizes MAPI commands and Microsoft Outlook on Windows systems to propagate
itself. Worm.ExploreZip was first discovered in Israel and submitted to the
Symantec AntiVirus Research Center on June 6, 1999.
The worm e-mails itself out as an attachment with the filename
"zipped_files.exe". The body of the e-mail message may appear to come from a
known e-mail correspondent, and contains the following text:
Hi Recipient Name!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye
The worm determines whom to mail this message to by going through your
received messages in your Inbox.
Once the attachment is executed, it may display the following window (screenshot not reproduced here):
The worm proceeds to copy itself to the c:\windows\system directory with the
filename "Explore.exe", and then modifies the WIN.INI file so the program is
executed each time Windows is started. The worm then utilizes your e-mail
client to harvest e-mail addresses in order to propagate itself. You may
notice your e-mail client start when this occurs.
Payload:
In addition, when Worm.ExploreZip is executed, it also searches through the
C through Z drives of your computer system and selects a series of files of
any file extension to destroy by making them 0 bytes long. This can result
in unrecoverable data and/or an unrecoverable computer system.
Repair Notes:
To remove this worm, you should perform the following steps:
1. Remove the line run=C:\WINDOWS\SYSTEM\Explore.exe from the WIN.INI file.
2. Delete the file "C:\WINDOWS\SYSTEM\EXPLORE.EXE". If the file is
currently in use, you may need to reboot first.
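An added example, not code from the Symantec write-up or any vendor tool: a Python check for the WIN.INI autostart hook the repair notes above describe. It parses the [windows] section, splits multi-program run=/load= lines the way Windows 9x reads them, flags an Explore.exe entry, and produces a cleaned copy with that one program removed while leaving any other program on the same line in place. The WIN.INI text is a constructed sample, and the function names are assumptions of this example.

```python
# Added example, not code from the Symantec write-up above: inspect and clean
# the WIN.INI "run="/"load=" autostart hook that ExploreZip uses.
import re

AUTOSTART_KEYS = ("run", "load")

# Constructed sample WIN.INI (not a real capture) with the worm's run= line.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
NullPort=None
device=HP LaserJet,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)
"""


def _split_programs(value):
    # Windows 9x treats commas and spaces as separators on run=/load= lines
    # (paths with spaces are not usable there), so each program is one token.
    return [p for p in re.split(r"[,\s]+", value) if p]


def autostart_entries(ini_text):
    """Return (key, program) pairs from run=/load= lines in [windows]."""
    entries = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() in AUTOSTART_KEYS:
            entries.extend((key.lower(), p) for p in _split_programs(value))
    return entries


def basename(path):
    """Lower-cased file name of a DOS/Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_entries(ini_text, known_bad=("explore.exe",)):
    """Flag autostart programs whose file name is on the known-bad list."""
    bad = {n.lower() for n in known_bad}
    return [(k, p) for k, p in autostart_entries(ini_text) if basename(p) in bad]


def remove_autostart(ini_text, program_name):
    """Return WIN.INI text with program_name dropped from run=/load= lines.

    Other programs on the same line survive and the key itself stays (emptied)
    so the [windows] section keeps its layout; every other line is untouched.
    """
    out = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in AUTOSTART_KEYS:
                keep = [p for p in _split_programs(value)
                        if basename(p) != program_name.lower()]
                out.append(f"{key}={','.join(keep)}")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, program in suspicious_entries(SAMPLE_WIN_INI):
        print(f"suspicious {key}= entry: {program}")
    print(remove_autostart(SAMPLE_WIN_INI, "Explore.exe"))
```

The check is keyed on the file name rather than the full path because the worm copies itself under the same name into whatever the system directory is; the load= line is inspected as well since it is an equivalent autostart hook. On a live machine, run the cleanup against a copy of WIN.INI and only then replace the original.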
Norton AntiVirus users can protect themselves from this worm by downloading
the current virus definitions either through LiveUpdate or from the
following web page:
Write-up by: Eric Chien
Update: June 9, 1999
Debra L. Cuckovich, Microsoft Account Representative
800-231-0950 ext. 8066
http://www.microsoft.com/greatlakes
http://www.microsoft.com/mcsp
6/8/99
Source: Bill & Sandy Eakle
http://www.wirefire.com/seakle
http://www.sarc.com/avcenter/venc/data/prettypark.worm.html
Detected: 6/1/99
Virus Name: PrettyPark.Worm
Aliases: Trojan Horse, W32.PrettyPark
Region Reported: Europe
Characteristics: Trojan Horse, Worm
Description: This is a worm program that behaves similar to Happy99 Worm.
This worm program was originally spread by email spamming from a French email address. The attached program file is named "PrettyPark.EXE". The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.
When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver. It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Once the worm program is executed, it will try to e-mail itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book. It will also try to connect to an IRC server every 30 seconds and connect to a specific IRC channel. This connection can potentially be used maliciously.
Norton AntiVirus users can protect themselves from PrettyPark.Worm by downloading the current virus definitions either through LiveUpdate or from the following web page:
http://www.symantec.com/avcenter/download.html
Norton AntiVirus will detect PrettyPark.Worm as “Trojan Horse” with June 1, 1999 virus definitions.
Removing this worm manually:
1. Delete WINDOWS\SYSTEM\FILES32.VXD
2. Using REGEDIT, modify the Registry entry HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command from FILES32.VXD "%1" %* to "%1" %*. You may launch REGEDIT through the Windows Start menu (Run). Then search for "FILES32.VXD" in REGEDIT.
3. Delete the "PrettyPark.EXE" file.
4. Reboot your computer.
You need to do step #2 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD.
This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. These files should always be scanned by Norton AntiVirus, using the latest virus definitions.
Write-up Updated by: Raul K. Elnitiarta & Eric Chien
*****************************************************************
6/4/99
Source: Bill & Sandy Eakle
http://www.wirefire.com/seakle
http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10182.asp
NAME: Backdoor.SubSeven
ALIAS: Backdoor.SubSeven.1_7, Backdoor-G, SubSeven
SIZE: 333547 (packed)
The SubSeven backdoor was first discovered in May 1999. First samples of this backdoor were not packed and were easy to detect.
Later versions were packed and could not be easily detected by contemporary anti-virus programs that had no Win32 'Aspack' file compressor unpacking capabilities. The backdoor was distributed under different names via newsgroups and e-mails.
When run, the backdoor copies itself to the \Windows\ directory with the original name of the file it was run from, or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE.
Then it unpacks a single DLL file to the \Windows\System\ directory - WATCHING.DLL. After that the backdoor patches the Registry so its main application is run during the next Windows bootups (RunServices key) and finally creates and modifies some other Registry keys. The backdoor can also install itself to the system by modifying the WIN.INI file.
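An added example serving both the PrettyPark removal steps above and the SubSeven install description here (not code from Symantec, AVERT or this page): a Python parser for a REGEDIT4-format registry export, the text format REGEDIT's Registry > Export writes on Windows 9x, that checks the two persistence points named on this page. The exefile\shell\open\command default must be exactly "%1" %*; anything in front of it (PrettyPark inserts FILES32.VXD) means every .exe launch passes through that program first. The Run and RunServices keys are scanned for any program whose file name is one of the SubSeven install names listed above. The export text is constructed, and its value names and the function names are assumptions of this example.

```python
# Added example, not code from Symantec, AVERT or this page: parse a REGEDIT4
# registry export and flag the two persistence points described above,
# PrettyPark's prefix on the exefile open handler and Run/RunServices entries
# that launch a file with one of SubSeven's install names.
import re

# Constructed sample export (not a real capture): the exefile handler carries
# the FILES32.VXD prefix and RunServices launches KERNEL16.DL.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"WinLoader"="C:\\WINDOWS\\KERNEL16.DL"
'''

EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
STOCK_EXEFILE_HANDLER = '"%1" %*'
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Install names the description above lists for the SubSeven server and its DLL.
SUBSEVEN_NAMES = {"server.exe", "kernel16.dl", "rundll16.com",
                  "systemtrayicon!.exe", "window.exe", "watching.dll"}

# A .reg string value line: @="..." for the default value or "name"="...".
# Inside the quotes, backslash and quote are escaped as \\ and \".
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def unescape_reg_string(s):
    # Drop the backslash in front of an escaped quote or backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: string_value}}.

    Key paths are lower-cased because the registry is case-insensitive.
    dword:/hex: values are skipped; neither check below needs them.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape_reg_string(m.group(2))
            keys[current][name] = unescape_reg_string(m.group(4))
    return keys


def exefile_handler_hijack(keys):
    """Return the exefile open command if it is not the stock one, else None."""
    handler = keys.get(EXEFILE_KEY.lower(), {}).get("@")
    if handler is None or handler.strip() == STOCK_EXEFILE_HANDLER:
        return None
    return handler


def program_basename(command):
    """Lower-cased file name of the program a Run/RunServices command launches."""
    tokens = command.split()
    if not tokens:
        return ""
    return tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_autoruns(keys):
    """Return (key, value_name, command) for autoruns using a SubSeven name."""
    hits = []
    for key in AUTORUN_KEYS:
        for name, command in keys.get(key.lower(), {}).items():
            if program_basename(command) in SUBSEVEN_NAMES:
                hits.append((key, name, command))
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("exefile handler hijack:", exefile_handler_hijack(parsed))
    for key, name, command in suspicious_autoruns(parsed):
        print(f"suspicious autorun {key}\\{name} = {command}")
```

Two details matter in practice: the exefile check compares against the exact stock handler rather than looking for FILES32.VXD, so it also catches a renamed copy of the same trick, and the name list for Run/RunServices is only as good as the description it came from, so an unfamiliar program launched from the Windows directory still deserves a manual look. Remember that deleting FILES32.VXD without restoring the handler breaks every .exe launch, exactly as step #2 of the PrettyPark notes warns.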
Once the SubSeven backdoor task is active in memory (and invisible in Task Manager), it waits for TCP/IP connections; once they are established it listens on TCP/IP ports for commands from the client part. A person who has the client part gets control over the remote system where the server part is installed. Here is the list of 113
SubSeven capabilities:
Fun Manager
------------------
1. Open Web Browser to specified location.
2. Restart Windows.
3. Reverse Mouse Buttons.
4. Hide Mouse Pointer.
5. Move Mouse.
6. Mouse Trail Config.
7. Set Volume.
8. Record Sound file from remote mic.
9. Change Windows Colors / Restore.
10. Hang up Internet Connection.
11. Change Time.
12. Change Date.
13. Change Screen resolution.
14. Hide Desktop Icons / Show
15. Hide Start Button / Show
16. Hide taskbar / Show
17. Open CD-ROM Drive / Close
18. Beep computer Speaker / Stop
19. Turn Monitor Off / On
20. Disable CTRL+ALT+DEL / Enable
21. Turn on Scroll Lock / Off
22. Turn on Caps Lock / Off
23. Turn on Num Lock / Off
Connection Manager
-----------------------------
1. Connect / Disconnect
2. IP Scanner
3. IP Address book
4. Get Computer Name
5. Get User Name
6. Get Windows and System Folder Names
7. Get Computer Company
8. Get Windows Version
9. Get Windows Platform
10. Get Current Resolution
11. Get DirectX Version
12. Get Current Bytes per Pixel settings
13. Get CPU Vendor
14. Get CPU Speed
15. Get Hard Drive Size
16. Get Hard Drive Free Space
17. Change Server Port
18. Set Server Password
19. Update Server
20. Close Server
21. Remove Server
22. ICQ Pager Connection Notify
23. IRC Connection Notify
24. E-Mail Connection Notify
Keyboard Manager
--------------------------
1. Enable Key Logger / Disable
2. Open Key Logger in a remote Window
3. Clear the Key Logger Windows
4. Collect Keys pressed while Offline
5. Open Chat Victim + Controller
6. Open Chat among all connected
Controllers
--------------
1. Windows Pop-up Message Manager
2. Disable Keyboard
3. Send Keys to a remote Window
Misc. Manager
--------------------
1. Full Screen Capture
2. Continuous Thumbnail Capture
3. Flip Screen
4. Open FTP Server
5. Find Files
6. Capture from Computer Camera
7. List Recorded Passwords
8. List Cached Passwords
9. Clear Password List
10. Registry Editor
11. Send Text to Printer
File Manager
------------------
1. Show files/folders and navigate
2. List Drives
3. Execute Application
4. Enter Manual Command
5. Type path Manually
6. Download files
7. Upload files
8. Get File Size
9. Delete File
10. Play *.WAV
11. Set Wallpaper
12. Print *.TXT\*.RTF file
13. Show Image
Window Manager
------------------------
1. List visible windows
2. List All Active Applications
3. Focus on Window
4. Close Window
5. Disable X (close) button
6. Hide a Window from view.
7. Show a Hidden Window
8. Disable Window
9. Enable Disabled Window
Options Menu
--------------------
1. Set Quality of Full Screen Capture
2. Set Quality of Thumbnail Capture
3. Set Chat font size and Colors
4. Set Client's User Name
5. Set local 'Download' Directory
6. Set Quick Help
7. Set Client Skin
8. Set Fun Manager Skin
Edit Server
--------------
1. PreSet Target Port
2. PreSet server Password
3. Attach EXE File
4. PreSet filename after installation
5. PreSet Registry Key
6. PreSet Autostart Method:
Registry: Run
Registry: RunServices
Win.ini
Less known method
7. PreSet Fake error message
8. PreSet Connection Notify Username
9. PreSet Connection Notify ICQ#
10. PreSet Connection Notify E-Mail
11. PreSet Connection Notify IRC Chan.
12. PreSet IRC Port
13. Change Server *.exe Icon
The author of the SubSeven backdoor calls himself Mobman. His backdoor can be considered the most advanced one at the moment. SubSeven tries to use ICQ, IRC and different e-mail accounts to notify the author that his victims are online.