Date: Tue, 13 Feb 2001 04:57:34 +0100

VBS.SST@mm
Discovered on: February 12, 2001
Last Updated on: February 12, 2001 at 10:10:59 AM PST
The Symantec AntiVirus Research Center (SARC) has confirmed a new
mass-mailing worm. SARC is currently analyzing the worm. The worm is being
reported in an attachment named ANNAKOURNIKOVA.JPEG.VBS. SARC recommends
that you filter attachments with a VBS extension if you have not already
done so.
Category: Worm
Aliases: ANNAKOURNIKOVA.JPEG.VBS
Virus definitions: Pending
Threat assessment:
VBS.SST is a VBS email worm that has been encoded with a virus creation kit.
The worm arrives as an attachment named AnnaKournikova.jpg.vbs. When executed,
the worm emails itself to everyone in your address book. On January 26, the
worm will attempt to spawn the web browser to http://www.dynabyte.nl. This
worm appears to have originated in the Netherlands.
When run, the virus creates the registry key
HKCU/Software/OnTheFly/
If the day is January 26, the virus attempts to spawn the web browser to
http://www.dynabyte.nl
Next, the virus checks to see if the mass-mailing routine has been executed.
If not, the worm emails everyone in the Outlook address book and creates the
registry key HKCU/Software/OnTheFly/mailed
so that the worm does not email every address again. The worm sends the
message with the subject
Here you have, ;o)
The message body is
Hi:
Check This!
and the attachment is AnnaKournikova.jpg.vbs
The worm then remains running and, if it is deleted, attempts to recreate
itself. Due to a bug in the code, the virus instead recreates itself as a
zero-byte file.
Removal Instructions:
Delete all found infections. If it exists, delete the zero-byte file.
Remove registry keys
----------------------------------------------------------------------------
To unsubscribe/subscribe or view archives of postings, go to the Gambia-L
Web interface at: http://maelstrom.stjohns.edu/archives/gambia-l.html
You may also send subscription requests to [log in to unmask]
if you have problems accessing the web interface and remember to write your full name and e-mail address.
----------------------------------------------------------------------------
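
The advisory's recommendation to filter VBS attachments, applied to the disguised name AnnaKournikova.jpg.vbs, is sketched below as an added example that is not part of the original message or of Symantec's advisory. The function names, the extension lists other than .vbs, and the sample message are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# .vbs is the extension the advisory names; the rest are assumptions of this example.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Harmless-looking extensions used as a decoy before the real one (assumption).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}

def classify_attachment(filename):
    """Return 'block-disguised', 'block-script' or 'allow' for one file name."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    name = filename.strip().rstrip(". ").lower()
    parts = name.rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "allow"
    if len(parts) == 3 and parts[-2] in DECOY_EXTS:
        return "block-disguised"  # name.jpg.vbs displays as name.jpg when extensions are hidden
    return "block-script"

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and list attachments a gateway should block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname and classify_attachment(fname) != "allow":
            findings.append((fname, classify_attachment(fname)))
    return findings

def build_sample():
    """Constructed test message using the subject, body and attachment name above."""
    msg = EmailMessage()
    msg["Subject"] = "Here you have, ;o)"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Hi:\nCheck This!\n")
    # Inert placeholder bytes, not worm code.
    msg.add_attachment(b"' placeholder\n", maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\xff\xd8\xff\xe0", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for fname, verdict in scan_message(build_sample()):
        print(f"{verdict}: {fname}")
```

The check keys on the final extension only, so a decoy extension in the middle of the name never causes a script attachment to be allowed.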