SYMANTEC.

SARC Home Page

The SARC AntiVirus News Update
"The sun never sets on SARC"

Volume 4 Issue 3 December 1999

 
   


The following is a list of the top reported viruses, trojans and worms to SARC's regional offices during the last month.


Asia Pacific

O97M.Tristate.O
W97M.Marker.A
Happy99.Worm


Europe

Happy99.Worm
PrettyPark.Worm
W97M.Marker.A


Japan

XM.Laroux
O97M.Tristate
WM.NPad

USA

W97M.Melissa
W95.Babylonia
Worm.ExploreZip(pack)

New Virus Hoaxes reported to Symantec

FROGAPULT, ELFBOWL, Y2KGAME Virus Hoax

Y2K7 Virus Hoax

   
This month we have a bumper issue, it's been busier than usual at SARC. As expected the Y2k has prompted virus authors to release their latest creations, make sure you remember to update your virus definitions before January 1st 2000 and refer to the SARC web site regulary for up to the minute news.

I'm sure you are all glad to hear that the Elf Bowling hoax is just that, a hoax. But, as always, please remember that any of these animations can potentially pick up a virus during its travels. Remember the "Frog in a Blender" cartoon, initially this animation was clean but eventually someone received it who was infected with CIH, then promptly forwarded it to all their friends.

We received samples of W32.MyPics Worm, W95.Babylonia, W97M.Melissa.AA, W32.Passion as well as two new worms which haven't had a big impact as yet, but you may want to keep tuned into the news channels to track Win32.Video.25600.Worm and W32.NewApt.Worm (reported in Europe) just in case they become more prevalent.

Finally, we take a look at the new SARC Threat Severity Assessment, developed by Charles Renert and Carey Nachenberg. Both are well respected anti-virus researchers and have published and presented papers regulary at the industries most popular forums.

SARC will be using this method of threat assessment for any new viruses and worms we detect leading into the new millenium. Severity levels range from Category 5(Minimal) to Category 1 (Very Severe).

We'll endeavour to keep you updated as news breaks during the New Year period. Here's to a safe and virus free festive season. See you in 2000.

David Banes,
Editor, sarc@symantec.com		    
     

Go to the SMART Web Site (Symantec Millenium Action Response Team)

 
       
Viruses in the News - Or is it a Worm?

Common

PC

   
        W95.Babylonia W95.Babylonia was originally posted to an Internet news group on the night of Dec 3, 1999 as a Windows Help file named serialz.hlp and appeared to be a list of serial numbers for commercial software. When this Windows help file is launched, it will introduce the virus into the computer system. Symantec AntiVirus Research Center has received a number of submissions of this new virus and believes it is spreading quickly worldwide. The virus appears to have been written by the same individual who released the W32.Coke and W95.Fono (a.k.a. El_Inca) viruses.

W95.Babylonia is a complex virus that propagates mainly to other computer users via MIRC or as an attachment to an e-mail message. Additionally, all infected .HLP and .EXE files can cause infection on other systems. This Windows 95 virus employs many proven infection techniques that have been developed by virus writers for the Windows 9x platforms over the past few years.

When an infected .HLP file is introduced on a Windows 9x system, the virus code will be activated. The virus modifies the entry point of .HLP files to a short script routine. This routine transfers control from the script interpretation to the binary virus code that is placed at the end of .HLP files in variable packed form.

When the binary virus code assumes control, the virus attempts to install itself to kernel memory area on the machine and hooks the file system to its own code. The virus then creates a 4KB file named c:\babylonia.exe. Finally, this file is executed.

This virus is very complicated and can be classified as both a worm and a virus. For more details about infection mechanisms please go to the full description on our web site.
http://www.sarc.com/avcenter/venc/data/w95.babylonia.html

by: Peter Szor
SARC, USA.		    
                   
         
Worms in the News

Common

PC

 
         

W32.Mypics.Worm was discovered on the evening of Dec 2, 1999. The worm propagates automatically on Windows 9x and Windows NT platforms through email and has a destructive payload that triggers in the year 2000.

The worm sends itself to as many as 50 people in the Outlook address book with the message;

Here's some pictures for you!

It will also contain a worm program attachment named pics4you.exe (34,304 bytes).

MyPics attempts to fool the recipient into believing that the attachment contains images. When the attachment is executed (for example by double clicking on it), the program will not display any images and simply seems to have terminated. But the worm will become resident in memory and will email itself to as many as 50 people. The worm will also modify the current Microsoft Internet Explorer browser's 'Home Page' setting to an adult web page.

The Windows registry keys will also be modified and changed to load the worm in memory every time the computer system is rebooted. As a result, the worm will always be resident in memory.

The worm has two payloads that simulate a Y2K problem. First, it monitors the system clock and when it detects the year is 2000, it will modify the system BIOS. On the next cold reboot, the computer will display a message such as

"CMOS Checksum Invalid"

and prevent the computer from booting. This can easily be corrected by going into the BIOS setup. After the BIOS settings are corrected, the worm will execute its second payload and will format the hard drive.
http://www.sarc.com/avcenter/venc/data/w32.mypics.worm.html

By: Motoaki Yamamura
SARC, USA

   
                   
         
W32.Passion.27648

Rare

PC

   
          W32.Passion.27648 is a worm that usually comes as an ICQ_GREETINGS.EXE program attachment in email. The size of this attached program file is 27,648 bytes.

Similar to W32.Badass.24576, the W32.Passion.27648 worm routine appears to be a straight Visual Basic porting of W97M.Melissa payload routine. In fact, it is so similar that it marks its activation in the Windows Registry. The marker is the value "... by diejkdls"

If the marker is present, the worm routine is not activated.

Every time it is executed, the worm attempts to perform malicious activities:

format d: /autotest /q /u
format e: /autotest /q /u
format a: /autotest /q /u
format f: /autotest /q /u
format u: /autotest /q /u
format b: /autotest /q /u
deleting files c:\*.c*, d:\*.c*, c:\WinNt\System\*.c*, c:\WinNt4\System\*.c*, c:\Windows\System\*.c*, c:\WinNt\System\*.o*, c:\WinNt4\System\*.o*, c:\Windows\System\*.o*, c:\WinNt\*.i*, c:\WinNt4\*.i*, c:\Windows\*.i*

The worm also registers itself in Windows Registry to start every time Windows begins. For more details on this go to the description on our web site.
http://www.sarc.com/avcenter/venc/data/w32.passion.27648.html

by: Raul K. Elnitiarta
SARC, USA		    
                   
         
Melissa, back again.

Common

PC

   
         

W97M.Melissa.AA is a modified variant of the W97M.Melissa.A virus. Norton AntiVirus is capable of detecting this new variant of the Melissa virus with its heuristic technology called Bloodhound. When unknown macro viruses are detected by Bloodhound, the virus will be called 'Bloodhound.WordMacro' by Norton AntiVirus. By using the most recent virus definitions, Norton AntiVirus will detect it as a known virus and identify it as 'W97M.Melissa.AA'. In future virus definitions, Norton AntiVirus will be renaming the W97M.Melissa.AA to W97M.Melissa.O.

The key changes made from the original W97M.Melissa.A virus are:

  • the virus module name (now called "x")
  • the email subject/message
  • a malicious payload which deletes some text from the active document

Please refer to the W97M.Melissa.A write-up for more general information on the Melissa virus.
http://www.sarc.com/avcenter/venc/data/w97m.melissa.aa.html

Write-up by: Andy Cianciotto
SARC, USA

   
                   
         
SARC Threat Severity Assessment
   
         

The SARC Threat Severity Assessment initiative is designed to assess computer threats and classify them into clearly defined categories of risk for computer users. There are three major components that will be analyzed to determine this severity rating:

1) the extent that a malicious program is "in-the-wild",
2) the damage that a malicious program causes if encountered, and
3) the rate at which a malicious program spreads.

Based on an evaluation of its sub-components, each category will be rated as "High", "Medium" or "Low" risk. The overall severity measure, which is drawn from various combinations of risks, will fall into one of 5 categories, with "Category 1" (or CAT 1) being the most severe, and "Category 5" (or CAT 5) the least severe. Section 1 includes details outlining each of the three major components. Section 2 lists the combinations of categories that result in the overall risk assessment measure.

1. Section 1: Threat Metrics

1.1 Wild

The "Wild" component measures the extent to which a virus is already spreading among computer users. Information in this metric includes:

  • The number of independent sites infected
  • The number of computers infected
  • The geographic distribution of infection
  • Ability of current technology to combat threat
  • Virus complexity

Classification guidelines:

  • "High" - 1,000 machines or 10 infected sites or 5 countries
  • "Medium" - 50-999 machines or 2 infected sites/countries (i.e. WildList)
  • "Low" - Anything else

1.2 Damage

The "Damage" component measures the amount of damage that a given infection could inflict. Information in this metric includes:

  • Triggered Events
  • Clogging e-mail servers
  • Deleting/modifying files
  • Releasing confidential information
  • Performance degradation
  • Buggy routines that cause unintended loss of productivity
  • Compromising security settings
  • Ease by which any damage can be fixed

Classification Guidelines:

  • "High" - File destruction/modification, very high server traffic, large-scale non-repairable damage, large security breaches, destructive triggers
  • "Medium" - Non-critical settings altered, buggy routines, easily repairable damage, non-destructive triggers
  • "Low" - No intentionally destructive behavior

1.3. 'Spreadability'

The 'Spreadability' component measures how quickly a program spreads itself. Information in this metric includes:

  • Large-scale e-mailing attack (worm)
  • Executable code attack (virus)
  • Spreads only through download or copy (trojan horse)
  • Network drive infection capability
  • Difficulty to remove/repair

Classification Guidelines:

  • "High" - Worms, network-aware executables, uncontainable threats (due to high virus complexity or low AV ability to combat)
  • "Medium" - Most viruses
  • "Low" - Most Trojan Horses

2. Overall Severity Measure

The overall severity measure unifies the three components above into a measure of risk to computer users. There are five categories of classification.

Category 1 (Very Severe):

Highly dangerous threat type, very difficult to contain. All machines should download the latest definitions immediately and execute a scan. E-mail servers in many cases will need to come down. Recent example: Melissa.A (when it was first released).

1) Wild: High + Damage: High + 'Spreadability': High

Category 2 (Severe):

Dangerous threat type, difficult to contain. The latest definitions should be downloaded immediately and deployed. Recent example: CIH.

1) Wild: High + Damage or 'Spreadability': High

Category 3 (Moderate):

Threat type characterized either as highly wild (but reasonably harmless and containable) or potentially dangerous (and uncontainable) if released into the wild. Recent example: Melissa.A (at this stage in it's life cycle). The two CAT 3 scenarios are:

1) Wild: High or
2) Damage: High + 'Spreadability': High

Category 4 (Low):

Non-wild threat, generally containable. Can be characterised by an unusual damage or 'spreadability' routine, or perhaps by some feature of the virus that makes news worthy. Recent example: Bubbleboy. The two CAT 4 scenarios are:

1) Damage: High or
2) 'Spreadability': High

Category 5 (Minimal):

Poses little threat to users. Rarely even makes headlines. No reports in-the-wild.

1) Wild: Low + Damage, 'Spreadability': Not High

We are hoping that this proposal will be the starting point of an industry standard for threat severity assessment and will be passing it on to the relevant industry bodies for their consideration.

by Charles Renert and Carey Nachenberg
SARC, USA

   
                   
         

SARC Glossary, what's the difference between a virus and a worm?

   
          Contacts    
          Correspondence by email to: sarc.avnews@symantec.com
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html		    
          To Subscribe and Unsubscribe    
          To be added or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html
SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.		    
       

 

     
          All information contained in this newsletter is accurate and valid as of the date of issue.  

Copyright © 1996-1999 Symantec Corporation. All rights reserved.