Symantec AntiVirus Research Center (SARC)

"The Sun Never Sets on SARC"

February/March 2000 Newsletter

The following is a list of the viruses, trojans and worms most frequently reported to SARC's regional offices during the last month.


Asia Pacific

Wscript.KakWorm
PrettyPark.Worm
W97M.Marker


Europe

Happy99.Worm
PrettyPark.Worm
W97M.Marker.A


Japan

XM.Laroux
Happy99.Worm
PrettyPark.Worm

USA

W97M.Melissa
W95.CIH
VBS.FreeLink



New Virus Hoaxes reported to Symantec

Let's Watch TV
Hey You
Be My Valentine

This issue covers both February and March 2000; we felt it best to combine them due to technical difficulties distributing the February newsletter.

The end of January proved interesting, with a couple of new macro viruses appearing that targeted Visio documents. Visio licensed Visual Basic for Applications (VBA) and has since been taken over by Microsoft, so we'll see a few more of these in the coming months; there is a short write-up about these viruses below.

There has been a lot of activity in Taiwan and Korea, with VBS.Aps and VBS.Leebill, two new Visual Basic Script trojans arriving in inboxes as HTML emails, plus the White Worm found in Korea.

February saw the denial of service attacks on some well known web sites; W32.DoS.Trinoo was believed to have been used to stage these attacks. Trinoo is not a virus but an attack tool, released in late December 1999, used to perform distributed DoS attacks.

Finally, in recent weeks we've seen a lot of PrettyPark, the worm that spreads itself via email; it appears that several new variants are doing the rounds.

David Banes,
Editor,
sarc@symantec.com

STOP PRESS - New VBS Trojan, VBS.APS, VBS.Network


Viruses in the News

Rare

PC

Three new types of macro virus were recently discovered; they infect Visio documents using Visio's VBA, which was licensed from Microsoft last year. Several versions of Visio now support Visual Basic for Applications (VBA) 5, including Visio 4.5, Visio 5 and Visio 2000. Brief descriptions follow here, with more details to come on the SARC web site.

V5M.Unstable is an encrypted, polymorphic macro virus with no malicious payload. It has never been seen in the wild and is a proof of concept that it is possible to write a polymorphic macro virus in Visio.

V5M.Unstable infects other Visio files when a file is opened. It changes the description of an infected file to Visio2K.Unstable and disables the Visual Basic Application Editor for stealth. On the 31st of every month, it displays a message box entitled Visio2000.Unstable with the following message:

Unstable, it's hard to be the one who's strong
Who's always got a shoulder to cry on
Who's got a shoulder for me?


V5M.Radiant.A is a very buggy virus written to infect Visio files. It has no malicious payload and has never been seen in the wild.

V5M.Radiant.A was received as source code from a virus writer. It is intended as a proof of concept that it is possible to write a macro virus in Visio.

V5M.Radiant.A infects other Visio files when the infected file is closed. It also creates an HTML file "C:\INDEX.HTML" with the following content:

A Multitude of Suns
Orbit in Empty Space
They Speak with their light
to all that is dark.
To me they remain silent.

Greets to all the VX Community
And Radiant Angels
its...... Radiant


V5M.Vision.A is another Visio virus, similar to V5M.Radiant.A. It has no malicious payload and has never been seen in the wild.

V5M.Vision.A is intended as a proof of concept that it is possible to write a macro virus in Visio. It infects other Visio files when the infected file is closed. In July, after the 2nd of the month, it displays two message boxes entitled ViSio_N with the following messages:

VBA-A Security Threat In any language
A Lone tortoise against the state

by: Raul K. Elnitiarta
SARC, USA


Worms in the News

Common

PC

The Korean cyber criminal investigation team of the National Police Agency (NPA) announced on Thursday (Korean time, 17 February) that a 15-year-old middle-school student was booked without detention for writing a worm program, which he spread indiscriminately by posting it on a popular computer magazine's web page, http://www.ilovepc.co.kr, disguised as a free updating program.

When the attached EXE file is executed, the worm takes control: its infection routine opens the Outlook Express database, gets email addresses from the Address Book and sends infected messages to the addresses found.

The worm has a very dangerous payload routine: on the 31st day of every month it overwrites C:\AUTOEXEC.BAT with a command that formats the C: drive.

However, the worm needs VB6KO.DLL and MSVBVM60.DLL in order to run, so it is unlikely to spread very far in the wild.

The virus writer studied computers at a private institute for a year and, after gaining further computer knowledge through the Internet, developed the virus in 5 days. The writer told the police that he made the worm because he wanted to check how good his skills were.

This is the third Korean virus author arrested by police. Unfortunately, at the time, some mass media in Korea publicised them as heroes or geniuses.

(Reference: some text from the Chosun daily newspaper)

by Jacky Cha,
AVAR (Association of anti-Virus Asia Researchers)

Trojans in the News

Common

PC

VBS.APS is a JScript Trojan that was sent as part of the body of an HTML email from an account held at a free email provider. It relies on the Windows Scripting Host (WSH), which is part of Windows 98 and Windows 2000 and is available as a download for Windows 95.

If this Trojan is received by an email client that uses MS Internet Explorer (Outlook Express, Outlook etc.) to display HTML email, and the Windows client's security settings are not set to 'High', then the Trojan's code will be run by the WSH.

VBS.APS saves information about your email connection to a file, then tries to download a program from the Internet to your computer using FTP.

Repair information: there are no registry keys to remove. Just delete the email that the Trojan arrived in and, if the download occurred, the downloaded files "Windows\system\system\MSIE.EXE" and EXPLORER.EXE in the same directory.

By David Banes
SARC, Asia Pacific
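As an added example (not code from the newsletter, from SARC or from Symantec), here is a defender-side check for the delivery mechanism described above: a small Python scanner that walks a MIME message, flags any text/html part that embeds a <script> block, and records the script language named in the tag and any automation objects the script references. The sample message is constructed and inert, and the indicator patterns (ActiveXObject, CreateObject, WScript.Shell, Scripting.FileSystemObject) are assumptions chosen for illustration, not SARC's detection signatures.

```python
"""Flag HTML e-mail parts that carry client-side script (added defender-side example)."""
import email
import re
from email import policy

# <script ...> tags; group(1) captures attributes such as language="JScript".
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
LANG_ATTR = re.compile(r'(?:language|type)\s*=\s*"?([\w./-]+)', re.IGNORECASE)
# Automation objects a WSH script uses to reach the shell or file system (assumed indicators).
AUTOMATION = re.compile(r"ActiveXObject|CreateObject|WScript\.Shell|Scripting\.FileSystemObject", re.IGNORECASE)

# Constructed, inert sample: the HTML alternative embeds a JScript block, the text part does not.
SAMPLE_EML = b"""From: updates@example.invalid
Subject: Free update
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your free update is attached.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your free update is attached.</p>
<script language="JScript">
var fso = new ActiveXObject("Scripting.FileSystemObject");
</script></body></html>
--b1--
"""

def scan_message(raw: bytes) -> list:
    """Return one finding dict per text/html part that contains a <script> block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # only HTML parts are handed to the browser engine for rendering
        body = part.get_content()
        tags = SCRIPT_TAG.findall(body)
        if not tags:
            continue
        # Script language named in the tag(s); WSH handles JScript and VBScript.
        langs = {m.group(1).lower() for m in map(LANG_ATTR.search, tags) if m} or {"unspecified"}
        findings.append({
            "subject": str(msg.get("Subject", "")),
            "script_tags": len(tags),
            "languages": sorted(langs),
            "automation_calls": sorted({m.group(0) for m in AUTOMATION.finditer(body)}),
        })
    return findings
```

A mail gateway or client-side filter can quarantine or strip any message for which scan_message returns a non-empty list, independent of the browser zone settings on the receiving PC.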

Don't get hung up on date triggers

I often get asked for trigger dates for viruses; it seems that people often think this is the thing to focus on: "When does that really nasty virus trigger?" Well, I've an alternative view: whilst trigger dates are important to remember for viruses that are in the wild and have a dangerous payload, viruses can trigger every day of the year, and there are much more interesting questions that can be asked, for example:

- What can people do to avoid getting hit by a virus?
- What can be done to ensure a good recovery from a virus incident?
- How can I prevent and stop viruses and worms that spread via email?
- How many viruses are 'In the Wild', and which am I likely to see often?
- What are the different types of viruses, and which are more common?
- How best can I protect myself from Internet based threats?

There are lots more questions like this, and the answers are much more interesting than asking the same old question, 'When does the next virus trigger?'. So it's time to start thinking outside the square when it comes to publishing articles on computer viruses.

David Banes
SARC, Asia Pacific

SARC Glossary: what's the difference between a virus and a worm?

Contacts

Correspondence by email to: sarc@symantec.com
Send virus samples to: avsubmit@symantec.com
Newsletter archive: http://www.symantec.com/avcenter/sarcnewsletters.html

To Subscribe and Unsubscribe

To be added to or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html

SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.

All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-1999 Symantec Corporation. All rights reserved.