SYMANTEC
SARC - Symantec AntiVirus Research Center
"The Sun Never Sets on SARC"

January 2000 Newsletter
The following are the top viruses, trojans and worms reported to SARC's regional offices during the last month.

Asia Pacific

W95.CIH
Happy99.Worm
W97M.Marker

Europe

Happy99.Worm
PrettyPark.Worm
W97M.Marker.A

Japan

XM.Laroux
Happy99.Worm
WM.NPad

USA

W97M.Melissa
W95.Babylonia
Worm.ExploreZip(pack)

New Virus Hoaxes reported to Symantec

AOL Flashing 'IM'
Gift from Microsoft
Virtual Card Virus
AOL RIOT 2 Virus
John Kennedy Jr

Here we are in 2000, having avoided serious virus outbreaks or email spamming worms. I hope you all read our short review of the Y2k period soon after January 1st. I'd be interested to know if anyone did detect any of the 'Y2k' viruses, worms and trojans we listed leading up to the new year.

This month's newsletter reports a new Windows 95 virus discovered in Korea called W95.LoveSong.998, and a complicated macro virus, W97M.Overlord. More details are available on our web site. The Windows Scripting Host now hosts another worm, VBS.Tune. We'll see more of these as Windows 98 and Windows 2000 become the more common of Microsoft's operating systems.

Last month we carried an article describing the SARC Threat Severity Assessment. This generated a lot of interest and some great suggestions, which have led us to review the system and put it on hold for a month or so while we rework it. The main change will almost certainly be a reversal of the numbering system from 5-1 (Low to Severe) to 1-5, with Category 5 the highest, which is easier to understand.

I've used the new year as an excuse to redesign the title area for the newsletter, which means discontinuing the Volume and Issue numbering system (which seemed a bit redundant for a monthly publication).

David Banes, Editor
sarc@symantec.com

STOP PRESS - W2K.Installer.1676 - First Windows 2000 Virus

Viruses in the News (Common, PC)

W95.LoveSong.998 is a memory resident Windows 95/98 virus discovered in Korea.

Once an infected file is executed, the virus will load into memory and will infect files that are accessed. The virus code will be inserted into the .reloc section of the 32-bit executable. If this section of the file is not large enough, it may corrupt the file.

The technique used to hook file access is based on the method used by the W95.CIH virus, but unlike W95.CIH, W95.LoveSong.998 does not split its code into fragments.

The virus has a payload that plays a popular commercial Korean song on the PC speaker. Analysis of the payload routine shows that it triggers after Feb 16, 2000, except on the 30th of each month, when certain criteria are met. The virus contains the text 'love' and, because of its payload, was named LoveSong.
http://www.sarc.com/avcenter/venc/data/w95.lovesong.998.html

by: Motoaki Yamamura
SARC, USA
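The .reloc infection described above suggests a triage check a defender can run over suspect executables. The following Python is an added example, not SARC's code and not the virus's own mechanics: it parses the PE section table and reports the .reloc section's size, its file-backed slack, and whether it is flagged executable, which relocation data never needs to be (the page does not say how LoveSong sets the section flags, so that flag is a heuristic, not a LoveSong signature). The PE images used here are constructed headers, not real programs.

```python
import struct

# Section-flag bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<2xH12xH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "raw_size": f[3], "flags": f[9]})
    return sections

def reloc_report(pe):
    """Relocation data never needs to execute, so an executable .reloc, or one
    carrying far more file-backed bytes than relocation data, deserves a look."""
    for s in parse_sections(pe):
        if s["name"] == ".reloc":
            return {"present": True,
                    "executable": bool(s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
                    "raw_size": s["raw_size"],
                    "slack": max(0, s["raw_size"] - s["virtual_size"])}
    return {"present": False}

def build_image(reloc_flags, reloc_vsize=0x100, reloc_rsize=0x400):
    """Constructed PE32 headers only (no code, not loadable), used to exercise the checks."""
    dos = (b"MZ" + bytes(58) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)         # i386, 2 sections
    optional = struct.pack("<H", 0x10B).ljust(224, b"\0")                   # PE32 magic, rest zero
    text = struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    reloc = struct.pack(SECTION_HDR, b".reloc", reloc_vsize, 0x2000, reloc_rsize, 0x600,
                        0, 0, 0, 0, reloc_flags)
    return dos + b"PE\0\0" + coff + optional + text + reloc

if __name__ == "__main__":
    print(reloc_report(build_image(0x42000040)))  # INITIALIZED_DATA|DISCARDABLE|READ: as linked
    print(reloc_report(build_image(0x62000040)))  # same flags plus MEM_EXECUTE: worth a look
```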

W97M.Overlord is a macro virus that infects Microsoft Word97 (including SR-1) and Word2000 documents. It places its code in a macro module named Module. The virus has stealth capabilities: when the Visual Basic Editor is opened or Tools | Macro is selected, it removes all infectious code from open documents and from NORMAL.DOT, then re-infects them later.

The virus may also drop these files into your Windows directory: OVERLORD.B.VBS, OVERLORD.B.DLL, TEMPAD.DLL, and TEMPNT.DLL. The .DLL files cannot cause any viral infection and can be deleted. The virus may also add the registry key:

HKLM\software\RegisteredOwner = "the Overlord"
and may modify the WIN.INI, adding the line:

run = <Windows directory>\overlord.b.vbs

This virus has no other payload. To eliminate the virus, the infectious file OVERLORD.B.VBS must be deleted.
http://www.sarc.com/avcenter/venc/data/w97m.verlor.html

by: Eric Chien
SARC, Europe
   
                   
         
Worms in the News (Rare, PC)

VBS.Tune. The Windows Scripting Host (WSH) is required for this virus to replicate. WSH is packaged with Windows 98, Windows 2000, Windows NT and Internet Explorer 5, or can be downloaded from Microsoft's web site and installed on Windows 95. This Visual Basic Script virus begins by copying itself to the following locations:

c:\windows\tune.vbs
c:\windows\system\tune.vbs
c:\windows\temp.vbs

Next, the virus adds the following registry keys to ensure that it is executed each time the system is rebooted:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TaskMonitor

Then it enumerates the drives attached to the infected computer and copies itself to the root directory of all fixed and network drives.

If Microsoft Outlook is installed, VBS.Tune first checks for the existence of the following registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Sent?

If the key is not found, it is created. Then the virus attempts to mail itself to each entry in the address book with the following information:

Subject: Please Read
Body: Hey, you really need to check out this
attached file I sent you...please check it
out as soon as possible.

The email also contains an attachment named: TUNE.VBS

If mIRC is installed on the target computer in the default directory of c:\mirc, the virus modifies c:\mirc\script.ini and c:\mirc\mirc.ini such that each time an IRC user joins the infected user's channel, a copy of TUNE.VBS is sent via DCC. Similarly, if Pirch98 is installed on the target computer in c:\pirch98, the virus modifies c:\pirch98\events.ini and c:\pirch98\pirch98.ini such that each time an IRC user joins the infected user's channel, a copy of TUNE.VBS is sent via DCC.

To remove VBS.Tune, search for all instances of TUNE.VBS and delete them, and delete the added registry keys. If applicable, restore the following files from a clean backup:

c:\mirc\script.ini
c:\mirc\mirc.ini
c:\pirch98\events.ini
c:\pirch98\pirch98.ini

http://www.sarc.com/avcenter/venc/data/vbs.tune.html

by: Andy Cianciotto
SARC, USA.
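VBS.Tune and W97M.Overlord both persist through ordinary Windows autorun locations: the HKCU ...\CurrentVersion\Run key and the run= line in WIN.INI. As an added example (not SARC's code; the file paths and values below are constructed samples, not captured from the worms), the following Python scans a WIN.INI text and a REGEDIT4-style registry export and flags autorun entries that launch a script file. It checks the command rather than the entry name, because names such as ScanRegistry and TaskMonitor also belong to legitimate Windows 98 Run entries.

```python
import re

# Added example with constructed sample data; script types the Windows Scripting Host runs.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def scan_win_ini(text):
    """Return (key, item) for run=/load= entries in [windows] that launch a script."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("run", "load"):
            for item in value.split():  # run= and load= take a space-separated list
                if item.lower().endswith(SCRIPT_EXTS):
                    hits.append((key.strip().lower(), item))
    return hits

def scan_reg_export(text):
    """Return (key, name, command) for Run-key values in a .reg export whose
    command is a script; the value name is deliberately not trusted."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key and key.lower().endswith("\\currentversion\\run"):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                command = m.group(2).replace("\\\\", "\\").strip('"')  # .reg doubles backslashes
                if command.lower().endswith(SCRIPT_EXTS):
                    hits.append((key, m.group(1), command))
    return hits

# Constructed samples modelled on the WIN.INI line and Run keys described above.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\overlord.b.vbs\n[Desktop]\nWallpaper=(None)\n"

SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\tune.vbs"
"TaskMonitor"="c:\\windows\\system\\tune.vbs"
"SystemTray"="SysTray.Exe"
"""
```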

   
                   
         
Trojans in the News (Rare, PC)

Feliz.Trojan. This is a malicious Trojan horse program; it is NOT a virus. When the file is executed, the program displays the image shown at the following URL:

http://www.symantec.com/avcenter/graphics/feliz1.gif

After 'EXIT' is clicked, the trojan displays a sequence of message boxes offering friendly advice about not running unknown programs and needing to reboot the computer. Finally, it displays the following message wishing a Happy New Year:

http://www.symantec.com/avcenter/graphics/feliz2.gif

In the background, the trojan deletes vital Windows files, which renders the system inoperable after the next reboot. The files affected are:

C:\COMMAND.COM
C:\WINDOWS\COMMAND\COMMAND.COM

The following files located in the C:\WINDOWS directory are also affected:

SYSTEM.DAT
USER.DAT
SYSTEM.INI
SYSTEM.CB
WIN.COM
WIN.INI

To remove the trojan, delete the original file. If the program has already been executed, the only repair available is to reinstall Windows.

http://www.sarc.com/avcenter/venc/data/feliz.trojan.html

by: Brian Ewell
SARC, USA.

   
                   
         
New Technologies in Norton AntiVirus

Two new features were recently added to Norton AntiVirus. The first is detection and repair of Trojans embedded in OLE files, such as Windows scrap files and MS Office documents; for example, you may be unfortunate enough to receive a Microsoft Word document that has a copy of Happy99 embedded in it, perhaps dragged and dropped into the document.

The second is detection of macro viruses that infect Microsoft Project documents (P98M.Corner.A, for example). This virus completes the 'suite' of MS Office infectors, with Word, Excel, PowerPoint, Access and now Project all being targets for hosting macro viruses.

Both these new technologies will already be installed in your current Norton AntiVirus products if you have done a LiveUpdate since November 1999.
   
                   
         
1999 Virus Summary

We have put together this brief overview of 1999 from SARC's perspective. The numbers are taken from our own database and relate to the number of files submitted and the number of new viruses discovered.

SARC is receiving more 'suspicious' file submissions each quarter. Below are the actual numbers of submissions for each quarter in 1999. From Q1 to Q4, there was an increase of over 260%.

99Q1: 8902 submissions
99Q2: 14783 submissions
99Q3: 15743 submissions
99Q4: 23390 submissions

The number of file submissions is very different from the number of viruses discovered each quarter. The numbers of viruses discovered from customer submissions are listed below. Please note that this does not include 'zoo' viruses (viruses collected from virus research channels or found on virus exchange web sites, which are not found in the public PC population) and may not reflect the actual number of viruses added to Norton AntiVirus per quarter.

99Q1: 254 viruses
99Q2: 249 viruses
99Q3: 247 viruses
99Q4: 275 viruses

Regardless of the number of new viruses discovered, more and more viruses are attracting mainstream news coverage, because many of the newer viruses are email or network aware and can spread very quickly. Here is a list of the viruses, trojans and worms that made the news in 1999.

99Q1:
W97M.Melissa.A - Worm

99Q2:
O97M.Tristate - Virus, Office cross-infector
Worm.ExploreZip - Worm

99Q3:
Back Orifice 2000 - Trojan

99Q4:
W97M.Melissa.U(gen1) - Worm
W32.FunLove.4099 - Virus
W97M.Prilissa.A - Worm
W32.ExploreZip.Worm(Pack) - Worm
W97M.Melissa.AA - Worm
W95.Babylonia - Virus

We can see that worms are becoming the predominant type of mobile threat on the Internet; expect to see an increase in their numbers in 2000, especially MS Office based variants such as Melissa.
   
                   
         

SARC Glossary: what's the difference between a virus and a worm?

Contacts

Correspondence by email to: sarc@symantec.com
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

To Subscribe and Unsubscribe

To be added or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html

SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.

All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-1999 Symantec Corporation. All rights reserved.