SYMANTEC AntiVirus Research Center
"The Sun Never Sets on SARC"

June 2000 Newsletter

Top Threats

VBS.Stages.A
W97M.Melissa.BG

Wscript.KakWorm
Happy99.Worm
VBS.LoveLetter
VBS.Network
PrettyPark.Worm



The following is a list of the top reported viruses, trojans and worms sent to SARC's regional offices during the last month.


Asia Pacific

Wscript.KakWorm
PWSteal.Trojan
VBS.LoveLetter


Europe

Wscript.KakWorm
PWSteal.Trojan
VBS.LoveLetter


Japan

PWSteal.Trojan
Wscript.KakWorm
VBS.LoveLetter


USA

Wscript.KakWorm
PWSteal.Trojan
VBS.LoveLetter



New Virus Hoaxes reported to Symantec

D@Fit
Virus Business
Zlatko

   
Welcome to June's newsletter. Already we are half way through the year, and it's safe to say that VBS has become popular with virus and worm authors. I suppose it's a logical step across from Visual Basic in an MS Office environment to VBScript in MS Outlook and Outlook Express.


The VBS.Timofonica worm was interesting: not a real threat, more a potential annoyance for mobile phone users, and it was mistakenly reported as being able to infect mobile phones.

As this newsletter goes out, VBS.Stages.A is spreading, mainly in the USA and Europe, so now is a good time to update your virus definitions.

David Banes, Editor, sarc@symantec.com

Note: VBS.Stages.A Category 4 Virus Alert

 
       
Viruses in the News

Moderate [3]

PC

   
W97M.Stand is a MS Word macro virus with a variable payload. Under the right conditions it tries to delete all of the files from your C, D and E drives using the deltree command.

Repair the infected files with Norton AntiVirus. Delete kill.bat, autoexec.kil and stand.log from C:\ if they exist. Remove the strings that were added to C:\Autoexec.bat.

http://www.sarc.com/avcenter/venc/data/w97m.stand.html
by: Gor Nazaryan
SARC, USA
   
                 
       
 

Severe [4]

PC

   
W97M.Melissa.BG is a Word 97 macro virus that has a payload of deleting necessary system files. It also sends itself out through e-mail using Microsoft Outlook. The subject of the e-mail is "Resume - Janet Simons".

Although NAV can repair the infected files, you can safely delete C:\Data\Normal.dot and C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc.

http://www.sarc.com/avcenter/venc/data/w97m.melissa.bg.html
by: Douglas Knowles
SARC, USA
   
       
Worms in the News

Moderate [4]

PC

 
       

VBS.Stages.A. This worm appears as an attachment titled LIFE_STAGES.TXT.SHS. Execution of this attachment will open a text file in Notepad displaying the male and female stages of life. While the user is reading the text file the script is executing in the background. This worm spreads itself using Outlook, ICQ, mIRC and PIRCH. SARC suggests that corporate customers configure their email filtering systems to filter out or stop all incoming emails that have attachments with .SHS extensions.
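One way to implement the .SHS attachment filtering SARC recommends above, as an added example that is not code from the newsletter or from Symantec: a Python gateway check that parses a raw message and flags any attachment whose final extension is .SHS, so LIFE_STAGES.TXT.SHS is caught despite its misleading .TXT. The sample message is constructed for the demonstration; the stub attachment bytes stand in for the scrap object and are not a real sample.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Final extensions to stop at the gateway; .SHS (Windows Shell Scrap) is the
# one VBS.Stages.A arrives with, as LIFE_STAGES.TXT.SHS.
BLOCKED_EXTENSIONS = {".shs"}


def attachment_names(raw_message: bytes) -> list[str]:
    """Return the file names of every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back to
        # Content-Type name=, decoding RFC 2047/2231 encoded values for us.
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return attachment names whose last extension is in BLOCKED_EXTENSIONS."""
    flagged = []
    for name in attachment_names(raw_message):
        # Only the final suffix matters: LIFE_STAGES.TXT.SHS must be caught even
        # though it is built to look like a .TXT file. PureWindowsPath also
        # splits on backslashes, so docs\notes.txt.shs still yields ".shs".
        if PureWindowsPath(name).suffix.lower() in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Constructed test message mimicking the VBS.Stages.A mail (not a real sample)."""
    msg = EmailMessage()
    msg["Subject"] = "Fw: Life stages"
    msg.set_content("Funny text about the stages of life, see attachment.")
    msg.add_attachment(b"<stub bytes standing in for the scrap object>",
                       maintype="application", subtype="octet-stream",
                       filename="LIFE_STAGES.TXT.SHS")
    msg.add_attachment("harmless notes", filename="notes.txt")
    return bytes(msg)
```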

You must delete all .txt.shs files from your system. Also delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory. You will need to restore the registry using regedit. To do this, first open a command prompt and change to the \RECYCLED directory. Using the attrib command, clear the attributes of the files which the worm creates there; the command would be attrib -hsr recycled.vxd, and so on for each of these files. Copy RECYCLED.VXD to \WINDOWS\REGEDIT.EXE and then delete the 4 files you modified.

Using regedit make the following modifications to the registry:

  • Delete the value HKLM/Software/Microsoft/Windows/RunServices/Scanreg.
  • Delete the values Enable, Parameters, Path and StartUp in the key HKEY_USERS/.Default/Software/Mirabilis/ICQ/Agent/Apps/ICQ.
  • Delete the value HKLM/Software/Microsoft/Windows/CurrentVersion/OSName.
  • Modify the value for HKCR/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
  • Modify the value for HKCR/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
  • Modify the value for HKLM/Software/CLASSES/regfile/shell/open/command by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.
  • Modify the value for HKLM/Software/CLASSES/regfile/DefaultIcon by replacing C:\RECYCLED\RECYCLED.VXD with C:\WINDOWS\REGEDIT.EXE.

http://www.sarc.com/avcenter/venc/data/vbs.stages.a.html
by: Brian Ewell
SARC, USA

   
                   
         
 

Low [2]

PC

   
         

VBS.Timofonica is a Visual Basic Script worm which was initially detected by Norton AntiVirus as VBS.NewLove.A; we subsequently updated the virus definitions to name it correctly. The worm replicates by mailing itself using MS Outlook and attempts to send messages to the MovieStar service.

You must complete the following steps to manually remove this worm from your system:

  • Search your system for files named TIMOFONICA.TXT and delete them. The default location for these files is C:\.
  • Search your system for the file CMOS.COM and delete it. This file should be in your \WINDOWS\SYSTEM directory.
  • Using regedit make the following modifications to the registry:
    1. Delete the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Cmos
    2. Delete the key HKCU\Software\Microsoft\Windows\CurrentVersion\Timofonica
    3. Set the value of the key HKLM\Software\Classes\VBSFile\Shell\Open\Command to C:\WINDOWS\WScript.exe "%1" %*. For clarity, the characters are double-quote, percent sign, numeral one, double-quote, space, percent sign, asterisk.
  • Within Outlook, enable the option to save copies of messages into the Sent folder.


http://www.sarc.com/avcenter/venc/data/vbs.timofonica.html
by: Brian Ewell
SARC, USA

   
                   
         
Trojans in the News

Moderate [3]

PC

   
         

PWSteal.Trojan is a trojan which attempts to steal login names and passwords. These passwords are often sent to an anonymous email address. This trojan is still one of the most commonly reported password stealing threats we see.

If your computer is infected with the PWSteal.Trojan (also known as MINE, AOL.Trojan, AOL.PWSteal, and APStrojan.qa), it may exhibit one or more of the following symptoms:

  • When you log on to AOL, you are prompted for your password twice.
  • The logon process takes much longer than expected.
  • If your speakers are turned on, you hear the announcement "Download Succeeded".
  • Email is sent to everyone in your Buddylist over and over again while you are online and everyone in your address book is emailed when you log off. The email contains a .zip file attachment that may be named Hey You.zip, Muttxx.zip, or Miffxx.zip (where xx represents a number).
  • You can no longer run Sysedit or Notepad to view your system configuration files.
  • Windows will not shut down, or appears to stop responding during shut down.

To remove this trojan, follow the link below to our service and support web site:

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000012318073306

   
                   
         
Microsoft Patch Available for "Office 2000 UA Control" Vulnerability
   
The following information is a synopsis of the information published in the Microsoft Security Bulletin MS00-034, which is available on the Microsoft TechNet web site at:

http://www.microsoft.com/technet/security/bulletin/MS00-034.asp

Symantec recommends that users read this bulletin carefully and download and install the appropriate patch.

Microsoft has released a patch that eliminates a vulnerability in Microsoft® Office 2000 and Office 2000 family products. This vulnerability might allow a malicious web site developer to cause inappropriate action to occur on the computer of a user who visited that web site.

For more information see:

Microsoft Security Bulletin MS00-034
http://www.microsoft.com/technet/security/bulletin/MS00-034.asp
Frequently Asked Questions: Microsoft Security Bulletin MS00-034
http://www.microsoft.com/technet/security/bulletin/fq00-034.asp
Microsoft Knowledge Base (KB) article Q262767 discusses this issue and will be available soon.

http://www.sarc.com/avcenter/venc/data/ms00-034.html
by: Patrick Martin
SARC, USA
   
                   
         

SARC Glossary, what's the definition of a virus, trojan and worm?

   
Contacts
Correspondence by email to: sarc@symantec.com, no unsubscribe or support emails please.
Send virus samples to:
avsubmit@symantec.com
Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html
   
To Subscribe and Unsubscribe
To be added or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html
SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
   
       

 

     
All information contained in this newsletter is accurate and valid as of the date of issue.

Copyright © 1996-2000 Symantec Corporation. All rights reserved.