VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Sender: "VICUG-L: Visually Impaired Computer Users' Group List" <[log in to unmask]>
Date: Mon, 19 Mar 2001 12:00:11 -0500
Reply-To: Daniel Burton <[log in to unmask]>
From: Daniel Burton <[log in to unmask]>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"
Parts/Attachments: text/plain (248 lines)

Here is a true virus warning, as shown below.

----- Original Message -----
From: "enews" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, March 19, 2001 10:31 AM
Subject: InoculateIT Personal Edition AntiVirus Newsletter from Computer
Associates, Version 01.08 March 19, 2001


> =============================================
> E-News: InoculateIT Personal Edition AntiVirus
> Newsletter from Computer Associates
> Version 01.08 | March 19, 2001
> via www: http://esupport.ca.com
> =============================================
>
> Table of Contents
>
> - VBS/Postcard.Worm
>
> - InoculateIT Personal Edition AntiVirus
>   Update Number 1164 available
>
> =============================================
> VBS/Postcard.Worm
> =============================================
>
> VBS/Postcard is a new virus/worm.  Computer
> Associates did not receive client reports of
> this virus, but is issuing a signature release
> due to client inquiries.
>
> VBS/Postcard exists in three parts.  The main
> script is an embedded script inside an HTML
> page.  Its worm part which exists as a WSF
> file and its payload portion as a VBE file are
> dropped onto the local system.  The virus
> infects certain web files in the Windows,
> Windows\Temp, and Windows system directories.
> It will also spread through mapped network
> drives.
>
> Certain configurations may not have Windows
> Scripting Host associated with WSF and VBE
> files, thereby limiting its propagation.
>
> Depending on settings, Internet Explorer, upon
> startup, will prompt a user to run ActiveX
> objects.  If rejected, the virus will issue a
> warning that ActiveX needs to be activated in
> order to see its postcard and reload its code
> until accepted or Internet Explorer is forcibly
> shut down.
>
> If accepted, this HTML is displayed after the
> virus' code has executed:
>
> Happy new Millenium
> Happy new year (2001).
> Best wishes from:
> your dear ...
>
> The virus will first modify the registry
> allowing scripts marked as unsafe to be
> run from the local machine without being
> prompted and sets the Internet Explorer
> home page to the infected HTML file:
>
> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>  Settings\Zones\0\1201=0
> HKLM\Software\Microsoft\Windows\CurrentVersion\Internet
>  Settings\Zones\0\1201=0
> HKCU\Software\Microsoft\Internet Explorer\Main\Start
>  Page=C:\WINDOWS\TEMP\millenium.{3050F3D9-98B5-11CF-BB82-0AA00BDCE0B}
>
> Next, the virus will drop itself (html) to:
>
> C:\WINDOWS\SYSTEM\postcard.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
>
> And copy this file to:
>
> C:\WINDOWS\2001.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
> C:\WINDOWS\SYSTEM\dragonball.GT(dan kokoro
>  hikareteku).{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
> C:\WINDOWS\TEMP\millenium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
>
> The virus will also copy its code to:
>
> C:\WINDOWS\TEMP\<random
>  number>post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
>
> Next, the virus will drop its worm portion
> into:
>
> C:\WINDOWS\SYSTEM\[db.GT].wsf
>
> The worm will propagate through Microsoft's
> Outlook by sending one email per address book
> to every address contained within that address
> book with subject chosen at random using the
> current system time from the following:
>
> Happy new Millenium (read the postcard (attached file))
> Postcard for you is waiting (in attachment)
> Happy 2001 (for more action check attached file)
> Stroke of luck? in 2001? (happy 2001 -read attachment)
> Goodies
> You have got a postcard (attached file)
> Someone sent you a postcard (in attachment)
>
> with attachment:
>
> "C:\WINDOWS\TEMP\<random decimal
>  number>post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"
>
> The following registry modifications are then
> made:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner\Lord YuP -
>  [C]apsule [C]orp
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization\Dragon
>  Ball GT
>
> Next, the virus will set out to infect all HTML,
> SHTML, HTM, and ASP files in the Windows, temp,
> and system directories by appending its code
> to the end of the files.
>
> The virus will enumerate all network drives and
> copy itself from:
>
> C:\WINDOWS\TEMP\millenium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
>
> to:
>
> networkdrive:\\docs.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
>
> The virus will drop a payload file onto the
> local system:
>
> C:\WINDOWS\SYSTEM\payl0ad.vbe
>
> Finally, both the worm portion and the payload
> files are executed.  The payload code is meant
> to disable the mouse and the keyboard.
>
> It will then open up WordPad and display:
>
> DB FaMiLy sTrIkEz oNe MoRe Time wiTh: DB.GT
> today we infected you but tommorow we will
> infect rest of the ANIME WORLD. YuP
> [C]apsule[C]orp
>
> If it is Monday 4am or 4pm at 32, 37, 38
> minutes, this payload will execute.  If it is
> Thursday 2pm or 4am, the virus will loop
> indefinitely until the minute strikes 40, 42,
> 43, or 45.
>
> IPE signature update 1164 provides detection
> for VBS/PostCard.
>
> =============================================
> VIRUS UPDATE - 1164
> =============================================
>
> The latest AntiVirus Update has been uploaded
> to the Computer Associates web site for you
> to download.
>
> To download the new signature files for IPE
> without going through your Web browser, you can
> use the new "Auto Download" feature inside
> IPE (Tools, AutoDownload) or the AutoDownload
> application to check for updated signatures,
> download, and install them.
>
> Alternatively, the update file can be obtained
> at the following URL:
> http://antivirus.ca.com/cgi-bin/ipe/update.cgi
>
> It is recommended that once you have downloaded
> and installed an update that you do a virus
> scan of all the files on your system and
> create a new reference disk for your system.
>
> We recommend that you keep your anti-virus
> protection up-to-date at all times by ensuring
> you are running the most up-to-date anti-virus
> software (Current IPE version 5.2) and the latest
> update kit.
>
> These update kits are cumulative: therefore the
> latest update kit includes everything from all
> previous update kits as well as the new virus
> information.
>
> These update kits are NOT complete versions of
> IPE but an update which will allow version 5.2
> to detect and clean the latest viruses.
>
> =============================================
>
> Additional information on viruses, worms, and
> Trojans can be found at Computer Associates
> Virus Information Center:
> http://www.ca.com/virusinfo/
>
> Carnegie Mellon Software Engineering Institute
> (CERT® Coordination Center):
> http://www.cert.org/advisories/
>
> =============================================
>
> To subscribe to this or other newsletters, go
> to http://esupport.ca.com/index.html?ENews.
>
> You can unsubscribe from the same E-News page or
> by sending an email to mailto:[log in to unmask]
> with 'signoff enews_ipe' in the message body.
>
> This newsletter contains practical tech support
> information about relevant issues with our
> products.
>
> =============================================
>
> Feedback? Comments? Suggestions?
> Send mailto:[log in to unmask]  All submissions
> become the property of the publisher and may or
> may not be reprinted.
>
> NOTE:  This address should be used only for
> feedback on this newsletter.  Requests for
> technical support should be submitted through
> normal channels.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html
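
The file names and registry values listed in the forwarded newsletter, turned into a defensive check over a file listing and a registry export. This is an added example, not part of the original post or any Computer Associates code; the function names, the sample listing and the number 48213 are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# CLSID suffix the newsletter lists on the dropped HTML copies.
CLSID = "{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"
# Loose on purpose: any name ending in ".{GUID-like}" deserves a look.
GUID_SUFFIX = re.compile(r"\.\{[0-9A-F]{8}-[0-9A-F-]+\}$", re.I)
# Script components named in the newsletter.
DROPPED_NAMES = {"[db.gt].wsf", "payl0ad.vbe"}

def scan_paths(paths):
    """Return (path, reason) for each path matching a newsletter indicator."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name
        if name.lower() in DROPPED_NAMES:
            hits.append((p, "dropped script"))
        elif name.upper().endswith("." + CLSID):
            hits.append((p, "newsletter CLSID suffix"))
        elif GUID_SUFFIX.search(name):
            hits.append((p, "other CLSID suffix"))
    return hits

def scan_registry(values):
    """values maps (key, value name) to data; flag the two changes described."""
    hits = []
    for (key, name), data in values.items():
        k, data = key.lower(), str(data)
        if k.endswith(r"internet settings\zones\0") and name == "1201" and data == "0":
            hits.append((key, "zone 0 value 1201 set to 0"))
        if k.endswith(r"internet explorer\main") and name.lower() == "start page":
            if GUID_SUFFIX.search(data):
                hits.append((key, "start page is a CLSID-suffixed file"))
    return hits

# Constructed sample input (not captured from a real system).
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\postcard.tif." + CLSID,
    r"C:\WINDOWS\TEMP\48213post-card.tif." + CLSID,
    r"C:\WINDOWS\SYSTEM\[db.GT].wsf",
    r"C:\WINDOWS\SYSTEM\payl0ad.vbe",
    r"C:\WINDOWS\TEMP\notes.{11111111-2222-3333-4444-555555555555}",
    r"C:\WINDOWS\SYSTEM\shell32.dll",
]
SAMPLE_REG = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1201"): 0,
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page"): r"C:\WINDOWS\TEMP\millenium." + CLSID,
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Search Page"): "http://example.invalid/",
}
```

Calling `scan_paths(SAMPLE_PATHS)` and `scan_registry(SAMPLE_REG)` returns the matching entries with a reason for each; the loose suffix pattern also catches the start-page value exactly as the newsletter prints it.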

