Subject: | |
From: | |
Reply To: | |
Date: | Fri, 22 Mar 2002 09:25:41 -0600 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
Sorry to be non- milk related. But since much of our list is in the
UK, I thought it might be helpful
The subject is "bill caricature" and the attachment is a file called
"c a r i . s c r". Files with .scr endings are as dangerous as .exe files and
should not be opened.
More info below:
> >===== Original Message From [log in to unmask] =====
>VIRUS ALERT
>
>There is a new virus in circulation with the key details as follows:
>
>· Virus name: Caric
>· Official name: W32/MyLife.B-mm
>· Number of copies seen so far: 1158
>· Time & Date first Captured: 21 Mar 2002
>· Origin of first intercepted copy: Great Britain
>· Number of countries seen active: 23
>· Top three most active countries: Great Britain (666), Australia (158),
>United States (61)
>
>Technical Details:
>· Subject title, attachment name and body text.
>Subject: bill caricature
>Message Body:
>
>Hiiiii
>How are youuuuuuuu?
>look to bill caricature it's vvvery verrrry ffffunny :-) :-)
>i promise you will love it? ok
>buy
>========No Viruse Found========
>MCAFEE.COM
>----------------------------
>----------------------------
>
>Attachment: cari.scr
>
>
>· Virus Behaviour:
>
>Upon execution, it displays a .GIF picture. While the caricature is
>displayed, the virus drops a copy of itself to CARI.SCR file in the Windows
>System directory (this is usually located at C:\Windows\System on the Win 9x
>operating systems and at the C:\WinNT\System32 on WinNT and Win2000 operating
>systems).
>
>It modifies the auto-start registry entries so that it is executed at system
>reboot:
>
>It then sends copies of itself, using Microsoft Outlook, the recipients being
>all members of the infected users address book. If Microsoft Messenger is
>installed on the infected system, the worm will send copies of itself to the
>all the users in the infected pc’s contact list.
>
>· Payload
>
>The virus payload will only execute when the hour of the pc clock is 8. It
>will delete all files with the extensions :
>
>*.SYS
>*.VXD
>*.OCX
>*.NLS
>
>The worm also deletes all files from the following locations:
>
> c:\*.*
> d:\*.*
> e:\*.*
> f:\*.*
>
>· Other info:
>
>Note that the virus writer has tried to use social engineering by adding:
>========No Viruse Found========
>MCAFEE.COM
>
>Not only is it a poor attempt to try and fool users he/she has not spelt virus
>correctly.
|
|
|