Symantec AntiVirus Research Center

ISSN 1444-9994

   
   
 



April 2001 Newsletter

 
   


These are the most reported Viruses, Trojans and Worms to SARC's offices during the last month.

Top Global Threats
W95.Hybris
W95.MTX
Wscript.KakWorm
W32.HLLW.Bymer
VBS.SST@mm
VBS.LoveLetter
W32.Navidad
Happy99.Worm
W32.Magistr.24876@mm
VBS.Vbswg.gen

Asia Pacific
W95.MTX
W95.Hybris
Wscript.KakWorm
W32.HLLW.Bymer
W32.FunLove.4099
W32.Navidad
W32.HLLW.Qaz
W32.Magistr.24876@mm
VBS.LoveLetter
VBS.Network

Europe
W95.Hybris
W95.MTX
Wscript.KakWorm
W32.HLLW.Bymer
VBS.LoveLetter
VBS.Tam.A
W32.Navidad
W97.Satt.A
Happy99.Worm
W32.Magistr.24876@mm

Japan
W95.Hybris
W95.MTX
W32.HLLW.Bymer
W32.HLLW.Qaz.A
Happy99.Worm
W32.Magistr.24876@mm
VBS.LoveLetter
VBS.Network
Wscript.KakWorm
W32.Navidad

USA
W95.Hybris
Wscript.KakWorm
W95.MTX
W32.HLLW.Bymer
VBS.LoveLetter
VBS.SST@mm
VBS.Sorry
HLLP.Krile.4768
VBS.Stages.A
W32.Navidad


Top 20 Consolidated Global Threats (by SecurityPortal)

W32.Hybris
W32.Magistr@mm
W95.MTX
W32.Navidad
VBS.LoveLetter
W97M.Marker
VBS.KakWorm
W32.Funlove
W97M.Ethan
VBS.SST@mm
W32.HLLW.Bymer
W95.CIH
PWSteal.Trojan
W32.Prolin
W32.Naked@mm (Troj_Nakedwife)
W97M.Thus.A
W95.Spaces
W97.Class
W32.Kriz
Happy99.Worm (alias W32.Ska)

Removal Tools for...

W32.HybrisF
W32.Kriz
W32.Navidad
W32.HLLW.QAZ.A
W95.MTX
W32.FunLove.4099
Wscript.Kakworm
Wscript.Kakworm.B
Happy99.Worm
VBS.Loveletter
PrettyPark.Worm
VBS.Stages.A
W2K.Stream
AOL.Trojan.32512
W95.CIH
Worm.ExploreZip



New Virus Hoaxes reported to Symantec

Foot N Mouth Virus Warning

No New Joke Programs reported to Symantec this month


 

Those of you who follow the threats listed in the sidebar would have noticed that there has been a fairly big shake-up over the last month. W32.Magistr.24876@mm moved up to level 4 (Severe) because we have seen a sharp rise in the number of reported incidents of this worm and virus hybrid. FunLove has returned to the Asia Pacific top ten, and others have either dropped out of the listings or appear for the first time.

We usually get increased levels of virus and worm activity around Easter time, and I expect this year to be no different; let's just hope that we don't see another Melissa or LoveLetter level incident. VBS worms are very common and still pose a major threat to many organizations and individuals alike. Symantec recently released a script blocking feature in our consumer product NAV 2001 v7.07, and I asked the lead developer Mark Kennedy to write a short article on this for us.

David Banes.
Editor,
sarc@symantec.com
   
             
Worms
       
VBS.Pleh.A@mm

Medium [3]

Script

VBS.Pleh.A@mm sends itself to email addresses in the Microsoft Outlook address book. It overwrites files on local and remote drives, including files with the extensions .mp3, .pwd, .exe, .mp2, .doc, .avi, .mpeg, or .htm. The contents of these files are replaced with the source code of the worm, destroying the original contents.

Removing this worm is complicated; please visit the web page linked below for detailed instructions.

http://www.sarc.com/avcenter/venc/data/vbs.pleh.a@mm.html
by: Douglas Knowles
SARC, USA

VBS.Futonik.A@mm

Low [2]

Script

VBS.Futonik.A@mm sends itself to email addresses in the Microsoft Outlook address book. It overwrites files on local and remote drives, including files with the extensions .vbs, .vbe, .js, .txt, .bmp, .htm, .html, .gif, .jpg, and .htt. The contents of most of these files are replaced with the source code of the worm, destroying the original contents.

NOTE: Due to a bug in the virus code, in some cases files with the extensions .hta, .htt, .htm, .html, or .asp will be infected by the worm, instead of being overwritten. If this happens, the viral code will execute prior to executing the original file.

VBS.Futonik.A@mm also infects the Microsoft Word global template, Normal.dot.

http://www.sarc.com/avcenter/venc/data/vbs.futonik.a@mm.html
by: Douglas Knowles
SARC, USA
   
             
Viruses
       
BW.770.B

Minimal [1]

DOS

BW.770.B is a virus that infects DOS .exe and .com files. It is 770 bytes in size, and it appears to have been created with the "Biological Warfare" virus creation kit. The virus appears to have been modified manually after being created with the kit. BW.770.B can be inserted on your system by the "futs" hacker tool.

NOTE: This virus was previously detected as Bloodhound.Filestring. All viruses that can be created with the Biological Warfare virus creation kit will be detected by Norton AntiVirus.

http://www.sarc.com/avcenter/venc/data/bw.770.b.html
by: Neal Hindocha
SARC, EMEA
   
             
Trojans
       
JS.StartPage

Minimal [1]

Script

JS.StartPage is a Trojan horse program, which alters the default home page of Microsoft Internet Explorer. It sometimes arrives as a file with the .hta extension. This file is an HTML application, and it runs only if the Windows Scripting Host is installed.

When JS.StartPage is executed, it makes changes to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

To remove this Trojan:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as JS.StartPage.
4. Start Internet Explorer, and reset the home page to one of your preference.

http://www.sarc.com/avcenter/venc/data/js.startpage.html

by: Serghei Sevcenco
SARC, APAC
   
             
Symantec Enterprise Security

Visit the Symantec Enterprise Security web site: http://enterprisesecurity.symantec.com/

Recent headlines include:
Cyber Terror Threatens UK's Biggest Companies; The Guardian (London)
http://enterprisesecurity.symantec.com/content.cfm?articleid=676

U.S. Legislature Eyes Cybersecurity - Effort Aims to Boost Public Trust in Internet; Computerworld
http://enterprisesecurity.symantec.com/content.cfm?articleid=677

Denial-of-Service attacks are becoming more common, and your Web site could be a target. Find out what you can do to stay protected in our latest feature article, "Ten Steps to Protect Your Enterprise from DoS Attacks."
http://enterprisesecurity.symantec.com/article.cfm?articleid=659

Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm 
   
           
       
W32.Magistr.24876@mm

Severe [4]

Win32

   
W32.Magistr.24876@mm is a polymorphically encrypted, entry point-obscuring, anti-heuristic, anti-debugging, memory resident, parasitic infector of Portable Executable .EXE and .SCR files, with replication across the local area network, mass-mailing capabilities using its own SMTP engine, some highly destructive payloads, an interesting visual effect... and a number of bugs.

As an anti-heuristic device, files infected with W32/Magistr do not have their entry point altered. Instead, the virus will save the first 512 bytes of code, and replace them with polymorphic garbage which includes subroutines, jumps, and some Structured Exception Handling tricks to interfere with debuggers and code emulators.

The virus will search for .DOC and .TXT files and take words from one of these files for the mail subject and body. It will address the mail to up to 100 recipients whose names are taken from the Windows Address Books (*.WAB), Outlook Message stores (*.DBX, *.MBX), and the Netscape Messenger mail files, and attach an infected .EXE or .SCR.

The virus will occasionally copy an infected file into the Windows directory and add a "run=" line to WIN.INI or alter the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key in the registry to point to the infected file.

The virus will search local hard drives and shared network directories and infect .EXE and .SCR files. If the Windows directory is located, then a "run=" line will be added to WIN.INI. It is similar to the replication mechanism of the W32/Cholera worm or the W32/Funlove virus.

After one month, the first payload might activate. This payload appears to have been adapted from W32/Kriz or W95/CIH. Under Windows 9x and Windows Me, it will erase the contents of the CMOS memory and flash BIOS, and overwrite a single sector on the first hard disk. Under all platforms, it will delete one in every twenty-five files on every local hard drive and shared network directory, and overwrite every other file with some text.

After two months, the second payload will activate which will reposition the desktop icons whenever the mouse pointer approaches, giving the impression that the icons are "running away" from the mouse.

[Editor's Note: The complete article, including a detailed technical description of this virus, will be published in the May edition of Virus Bulletin and on the SARC web site at http://www.sarc.com/. A short description and removal instructions are also on the site: http://www.sarc.com/avcenter/venc/data/w32.magistr.24876@mm.html]

by Peter Ferrie
SARC, APAC
   
               
Proactive Detection of Script-based Viruses and Worms

Virus writers increasingly use scripting technologies such as JavaScript and VBScript to infect computer systems. Script Blocking technology in Norton AntiVirus 2001 v7.07 monitors scripts and alerts users to virus-like malicious behavior, stopping these viruses before they can infect a system. Some of the most famous and prevalent viruses are script-based, for example VBS.LoveLetterA, VBS.SST@mm, and VBS.BubbleBoy.

Script Blocking is a proactive technology that detects script-based viruses and worms without the need for signatures. Customers will now have protection against certain types of viruses even before virus definitions have been made available. This technology runs in the background and works in real time. It is able to detect and stop malicious behavior by monitoring objects used by the Windows Scripting Host. It also prevents Outlook from being remotely controlled. This closes the vulnerability that Microsoft's Visual Basic Script (VBS) and JavaScript (JScript) have opened.

By default none of these objects may be used via a script. This prevents worms like LoveLetter from mass mailing themselves. The specific Outlook behavior that is forbidden is the enumeration of the address book coupled with sending mail. A script or application may do either, but not both. NAV 2001 v7 can be configured to exclude such non-malicious activity by adding these scripts to an exclusion list or using a machine specific authorization code.

by Mark Kennedy
SARC, USA.
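The "either, but not both" rule described in the article above, as an added example that is not Symantec's or NAV's code: a small Python simulation that replays a constructed trace of Outlook object-model calls made by several scripts and stops a script at the first call that completes the address-book-enumeration plus mail-sending pair, unless the script is on an exclusion list. Which Outlook members count as "enumeration" and "sending" is this example's assumption.

```python
from collections import defaultdict

# Outlook object-model members grouped by the two behaviours the rule correlates; the
# member names are real Outlook automation names, the grouping is this example's assumption.
ADDRESS_BOOK_ENUMERATION = {"GetNameSpace", "AddressLists", "AddressEntries"}
MAIL_SENDING = {"Send"}

# Constructed sample trace of (script path, Outlook member invoked), in execution order.
# suspect_worm.vbs behaves like a mass-mailer; export_contacts.vbs and notify.vbs each do
# only one half of the pair; mailmerge.vbs legitimately does both and needs an exclusion.
SAMPLE_TRACE = [
    (r"C:\Windows\suspect_worm.vbs", "GetNameSpace"),
    (r"C:\Windows\suspect_worm.vbs", "AddressLists"),
    (r"C:\Windows\suspect_worm.vbs", "AddressEntries"),
    (r"C:\Windows\suspect_worm.vbs", "CreateItem"),
    (r"C:\Windows\suspect_worm.vbs", "Send"),
    (r"C:\Tools\export_contacts.vbs", "GetNameSpace"),
    (r"C:\Tools\export_contacts.vbs", "AddressEntries"),
    (r"C:\Tools\notify.vbs", "CreateItem"),
    (r"C:\Tools\notify.vbs", "Send"),
    (r"C:\Tools\mailmerge.vbs", "AddressEntries"),
    (r"C:\Tools\mailmerge.vbs", "Send"),
]


def classify(member):
    """Map an Outlook member call to a monitored behaviour ('enumerate'/'send') or None."""
    if member in ADDRESS_BOOK_ENUMERATION:
        return "enumerate"
    if member in MAIL_SENDING:
        return "send"
    return None


def evaluate(trace, exclusions=frozenset()):
    """Replay a call trace; return {script: index of the call at which it was blocked}.

    A script is stopped at the first call completing the enumerate+send pair, so its
    later calls are ignored. Excluded scripts are never blocked (NAV's exclusion list).
    """
    behaviours_seen = defaultdict(set)
    blocked = {}
    for index, (script, member) in enumerate(trace):
        if script in blocked or script in exclusions:
            continue
        behaviour = classify(member)
        if behaviour is None:
            continue
        behaviours_seen[script].add(behaviour)
        if {"enumerate", "send"} <= behaviours_seen[script]:
            blocked[script] = index
    return blocked
```

Scripts that only enumerate (export_contacts.vbs) or only send (notify.vbs) pass; the worm-like script is stopped at its Send call, and mailmerge.vbs is stopped too until the administrator excludes it.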
   
   


   
Contacts and Subscriptions

Correspondence by email to: sarc@symantec.com (no unsubscribe or support emails, please).
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
   
     

 

     
       

This is a Symantec Corporation publication; use of it requires permission in advance from Symantec.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.