VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From:
Daniel Burton <[log in to unmask]>
Reply To:
Daniel Burton <[log in to unmask]>
Date:
Wed, 8 Nov 2000 21:45:26 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (271 lines)
The following may be of interest to many of you.

>Approved-By: [log in to unmask]
>X-Mailer: Internet Mail Service (5.5.2650.21)
>Date:         Wed, 8 Nov 2000 18:13:14 -0500
>Reply-To:     [log in to unmask]
>Sender:       [log in to unmask]
>From:         enews <[log in to unmask]>
>Subject:      InoculateIT Personal Edition AntiVirus Newsletter from Computer
>               Associates, Version 00.69  November 8, 2000
>Comments: To: [log in to unmask]
>To:           [log in to unmask]
>
>=============================================
>E-News: InoculateIT Personal Edition AntiVirus
>Newsletter from Computer Associates
>Version 00.69 | November 8, 2000
>via www: http://esupport.ca.com
>=============================================
>
>Table of Contents
>
>- Win32/Navidad.Worm
>
>- InoculateIT Personal Edition AntiVirus
>   Update Number 490 available
>
>- Internet Defense Summit
>
>==============================================
>Win32/Navidad.Worm
>==============================================
>
>Win32/Navidad.Worm
>
>Win32/Navidad.Worm is an e-mail worm which,
>despite having a major bug, is still able to
>spread successfully.
>
>It will arrive in an e-mail message, the
>subject of which is variable.  The worm replies
>to messages so the subject will usually match
>one that the recipient has previously sent.
>The body of the message is empty except for
>an attachment called:
>
>"Navidad.exe".
>
>When run, the worm immediately displays a
>dialog box with the title "Error", the text
>"UI", and an "OK" button.
>
>When the "OK" button is pressed, the worm
>immediately starts to send itself.  It does this
>by going through all of the messages in the
>Inbox of the default MAPI mail client and
>replying to each one.  The replies have exactly
>the same subject as the original message ("Re:"
>is NOT added) and, in place of the message
>body, the worm is attached.  These messages are
>sent using the default MAPI mail client, so
>they may appear in the Outbox of Outlook or
>Outlook Express before being sent, depending on
>the user's settings.
>
>The worm displays an icon (in the form of a
>blue eye) on the system tray of the Windows
>task bar.  If the mouse cursor is placed over
>the icon, the ToolTip message will display
>
>"Lo estamos mirando...".
>("We are watching it...")
>
>If the icon is clicked, a window containing a
>single button will be displayed.  The text on
>the button is
>
>"Nunca presionar este boton".
>("Never push this button")
>
>When the button is clicked, another window with
>the title
>
>"Feliz Navidad"
>("Merry Christmas")
>
>will appear. This window contains the text
>
>"Lamentablemente cayo en la tentacion y perdio su computadora"
>("Unfortunately he/she did not resist the temptation and lost his/her
>computer")
>
>and an "OK" button.
>
>The worm also attempts to install itself onto
>the system and this is where the bug lies.  The
>worm makes a copy of itself, as "Winsvrc.vxd",
>in the Windows System directory.  It then
>creates two registry keys which point to a
>different filename, "Winsvrc.exe":
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
>    \Run\Win32BaseServiceMOD = "C:\WINDOWS\SYSTEM\Winsvrc.exe"
>HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default) =
>    "C:\WINDOWS\SYSTEM\Winsvrc.exe "%1" %"
>
>As the "Winsvrc.exe" file does not exist, the
>first registry change will have no effect.  The
>second change, however, will effectively stop
>all .EXE files from being executed.  Whenever
>the user tries to execute a program, a message
>will be displayed informing the user that
>Windows cannot find winsvrc.exe and the
>program will not run.
>
>IPE signature release 490 includes
>detection for the Navidad worm.
>
>For a utility to fix the registry, please visit:
>
>http://www.ca.com/virusinfo/encyclopedia/descriptions/navidad.htm
>
>=============================================
>VIRUS UPDATE 490
>=============================================
>
>AntiVirus Update number 490 has been uploaded
>to the Computer Associates web site for you
>to download.
>
>To download the new signature files for IPE
>without going through your Web browser, you can
>use the new "Auto Download" feature inside
>IPE (Tools, AutoDownload) or the AutoDownload
>application to check for updated signatures,
>download, and install them.
>
>It is recommended that, once you have downloaded
>and installed an update, you do a virus
>scan of all the files on your system and
>create a new reference disk for your system.
>
>Alternatively, the update file can be obtained
>at the following URL:
>http://antivirus.ca.com/cgi-bin/ipe/update.cgi
>
>We recommend that you keep your anti-virus
>protection up-to-date at all times by ensuring
>you are running the most up-to-date anti-virus
>software (Current IPE version 5.1) and the latest
>update kit.
>
>These update kits are cumulative: therefore the
>latest update kit includes everything from all
>previous update kits as well as the new virus
>information.
>
>These update kits are NOT complete versions of
>IPE but an update which will allow version 5.x
>to detect and clean the latest viruses.
>
>Below is a list of all the viruses that have been
>added to the update kit:
>
>Bablas.AS
>Class.FA
>Confused.D:Tw
>Opey.AL
>Pri.W
>Sevensix.A
>Sugar.F
>Thus.BG
>Thus.BQ
>Ump.C:Kit
>VBS.Bebop
>VBS.Gnut.C trojan
>VBS.Scary.A
>Win32.Ankara trojan
>Win32.BusConquerer trojan
>Win32.Delarm
>Win32.FruitMachine
>Win32.HLLO.Homer
>Win32.Hybris
>Win32.Hybris.A
>Win32.Hybris.B
>Win32.Infinite.1661
>Win32.Kriz.3621
>Win32.Navidad
>Win32.SecretService.20 trojan
>Win32.Sonic.55
>Win32.Sonic.56
>Win32.Sonic.60
>Win32.Sonic.61
>Win32.Sonic.B
>
>=============================================
>Internet Defense Summit
>=============================================
>
>Attend a FREE interactive seminar where you
>can learn how to defend against Electronic
>and Internet crime.  Learn how to:
>
>- Protect your eBusiness from today's most
>   serious security threat - viruses.
>- Safeguard systems connected to the internet
>   from malicious code attacks.
>- Provide authorized users with access to
>   your networks while keeping unauthorized
>   users out.
>- Defend networks against the deployment and
>   execution of Distributed Denial of Service
>   attacks.
>- Secure internet communications accessed by
>   remote users and secure site to site
>   communication over the internet.
>- Learn how these technologies can improve
>   your overall business performance.
>
>For locations, dates, and registration
>information, please visit:
>http://www.ca.com/events/security_summit/.
>Seating is limited.
>
>=============================================
>
>Additional information on viruses, worms, and
>Trojan horses can be found at Computer Associates
>Virus Information Center:
>http://www.ca.com/virusinfo/
>
>Carnegie Mellon Software Engineering Institute
>(CERT® Coordination Center):
>http://www.cert.org/advisories/
>
>=============================================
>
>To subscribe to this or other newsletters, go to
>http://esupport.ca.com/ and click the E-News
>button on the left panel.
>
>You can unsubscribe from the same E-News page or
>by sending an email to mailto:[log in to unmask]
>with 'signoff enews_ipe' in the message
>body.
>
>This newsletter contains practical tech
>support information about relevant issues
>with our products.
>
>=============================================
>
>Feedback? Comments? Suggestions?
>Send mailto:[log in to unmask]  All submissions
>become the property of the publisher and may
>or may not be reprinted.
>
>NOTE:  This address should be used only for
>feedback on this newsletter.  Requests for
>technical support should be submitted
>through normal channels.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html
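
The two registry changes described in the forwarded newsletter can be checked for in a text export of the registry. The following is an added example, not part of the original message and not Computer Associates' repair utility; it assumes a REGEDIT4-style export as input and that the stock `exefile` open command is `"%1" %*`, and the function names are hypothetical.

```python
import re

# Stock Windows handler for .exe files; any other data reroutes program launches.
DEFAULT_EXE_OPEN = '"%1" %*'
EXE_OPEN_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Names taken from the newsletter's description of Navidad.
NAVIDAD_VALUE, NAVIDAD_FILE = "win32baseservicemod", "winsvrc.exe"
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Parse string values from export text into {lowercased key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := _VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = _unescape(m.group(2))
    return keys

def audit(text):
    """Return (key, value name, data, reason) tuples for suspicious entries."""
    keys, findings = parse_reg_export(text), []
    cmd = keys.get(EXE_OPEN_KEY, {}).get("(Default)")
    if cmd is not None and cmd.strip() != DEFAULT_EXE_OPEN:
        findings.append((EXE_OPEN_KEY, "(Default)", cmd, "exefile handler replaced"))
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == NAVIDAD_VALUE or NAVIDAD_FILE in data.lower():
            findings.append((RUN_KEY, name, data, "Navidad Run entry"))
    return findings

# Constructed exports: INFECTED uses the two values quoted in the newsletter.
INFECTED = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe \"%1\" %"
'''
CLEAN = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
if __name__ == "__main__":
    print(*audit(INFECTED), sep="\n")
```

The handler check is independent of the Navidad names, so it also reports any other program that has inserted itself in front of every .EXE launch.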

