Symantec AntiVirus Research Center (SARC)
ISSN 1444-9994

March 2001 Newsletter

These are the viruses, Trojans and worms most often reported to SARC's offices during the last month.

Top Global Threats
W95.Hybris
W95.MTX
Wscript.KakWorm
JS.Seeker
VBS.SST@mm
W32.HLLW.Bymer
VBS.Plan
Backdoor.SubSeven
VBS.LoveLetter
W32.Navidad.16896

Asia Pacific
W95.Hybris
VBS.Plan
W95.MTX
Wscript.KakWorm
VBS.LoveLetter
W32.HLLW.Bymer
JS.Seeker
W32.Weird
Backdoor.SubSeven
W32.Navidad.16896

Europe
W95.Hybris
W95.MTX
VBS.Plan.A
Wscript.KakWorm
JS.Seeker
W32.HLLW.Bymer
Happy99.Worm
Backdoor.SubSeven
W32.Navidad.16896
VBS.SST@mm

Japan
W95.Hybris
W95.MTX
Linux.Ramen.Worm
W32.HLLW.Qaz.A
W32.HLLW.Bymer
VBS.SST@mm
JS.Seeker
Wscript.KakWorm
W95.CIH
VBS.LoveLetter

USA
W95.Hybris
Wscript.KakWorm
VBS.SST@mm
W95.MTX
JS.Seeker
W32.HLLW.Bymer
JS.Fav
VBS.Plan
Backdoor.SubSeven
W32.BleBla.B

Top 20 Consolidated Global Threats (by SecurityPortal)
VBS.SST@mm
W95.MTX
W32.Hybris
VBS.KakWorm
VBS.LoveLetter
W32.Navidad
W97M.Marker
W32.Prolin
W97M.Ethan
W32.Funlove
VBS.Stages.A
W97M.Thursday
Happy99.Worm (alias W32.Ska)
W97M.Melissa.BG
W32.HLLW.Bymer
W32.HLLW.Qaz.A (alias Troj.Qaz.A)
W32.PrettyPark
W97.Class
W95.CIH
W32.ExploreZip.Worm

Removal tools are available for:
W32.HybrisF
W32.Kriz
W32.Navidad
W32.HLLW.QAZ.A
W95.MTX
W32.FunLove.4099
Wscript.Kakworm
Wscript.Kakworm.B
Happy99.Worm
VBS.Loveletter
PrettyPark.Worm
VBS.Stages.A
W2K.Stream
AOL.Trojan.32512
W95.CIH
Worm.ExploreZip

New virus hoaxes reported to Symantec: Family Pictures; The New Ice Age Hoax.
No new joke programs were reported to Symantec this month.

This month has produced two media-worthy worms right in the middle of the newsletter publishing cycle, so most of
you will already have heard about VBS.SST (AnnaKournikova.jpg.vbs) and W32.Naked by the time you read this. I seem
to be out of the office when the media alarm bells go off. During the VBS.SST outbreak I was at the Sydney SANS
Conference, and I seem to remember being in Tasmania for the VBS.LoveLetter event. At least for W32.Naked I was at
home, even if I did get the call at 5am. It was, however, comforting to see that we had virus definitions published
within two hours and the write-up posted to the web site 45 minutes later, mainly due to the coordinated efforts of
SARC USA, SARC Europe and the Digital Immune System (DIS).

Serghei Sevcenco from SARC, Australia has just completed a detailed description of a very interesting worm that
uses VBScript, JavaScript and debug.exe to do its work of infecting a Windows PC. It's not often we carry a full
description of a virus or worm and its removal instructions, but VBS.Kidarcade is interesting enough to make it
worthwhile.

Symantec Australia was also busy this month discovering, analysing and communicating a Lotus Domino server exploit;
luckily this came to our attention by an innocent travel-related mail-out and not a hacker hoping to get lucky.
This was another interesting turn of events, with only a few hours elapsing from the first report of servers crashing
to the local technical support staff pin-pointing a buffer overflow in part of the server's HTML parsing code.

Finally, I came across an interesting document on the SARC web site this month describing virus naming conventions
and thought that this would make interesting reading; I've linked to it here. Talking of links, I apologise for the
many broken links in last month's newsletter; let's just say that the publishing team here in Sydney wasn't in sync
with the web publishing team in California, or was it the other way around. :)

David Banes
Editor, sarc@symantec.com

Worms

VBS.SST@mm - Severe [4] - Script
VBS.SST@mm is a VBS email worm that has been encoded using a virus creation kit. This worm arrives as an attachment
named AnnaKournikova.jpg.vbs. When executed, the worm emails itself to everyone in your Microsoft Outlook address
book. On January 26, the worm will attempt to direct your Web browser to an Internet address in The Netherlands,
from where the worm appears to have originated.
The removal of this worm is quite complicated and is detailed on the web page linked to here:
http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html
by: Eric Chien and Neal Hindocha, SARC, EMEA

Viruses

W32.Naked@mm - Medium [3] - Win32
W32.Naked@mm is a mass-mailing worm that disguises itself as a Flash movie. The attachment is named NakedWife.exe.
This worm, after it has attempted to email everyone in the Microsoft Outlook address book, will attempt to delete
several system files.
To remove this worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Naked@mm or W32.Naked.dam.
If the worm has been executed, it is very likely that you will have to reinstall Windows.
http://www.symantec.com/avcenter/venc/data/w32.naked@mm.html
by: Andre Post and Neal Hindocha, SARC, EMEA

Trojans

Backdoor.Acropolis - Low [2] - Win32
This Trojan horse permits a remote operator to control an infected system.
The name of the Trojan horse is Acropolis 1.0, and it is detected as Backdoor.Acropolis.
When launched, the Trojan horse opens a network connection on ports 32791 and 45673. This gives a remote operator
the capability to use your computer to send messages using mIRC. These messages may contain attached files. It
is possible, but not confirmed, that the Trojan horse could also be used to control email programs.
http://www.symantec.com/avcenter/venc/data/backdoor.acropolis.html
by: Dmitry Reyder, SARC, USA
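The two port numbers in the write-up above are the most practical indicator a support desk can check without the
sample in hand. The following Python is an added example, not SARC's code or a tool from the original write-up: it
parses Windows "netstat -an" style output and flags rows whose local port is 32791 or 45673. The sample output is
constructed to look like netstat and is not a real capture.

```python
"""Flag listeners on the Backdoor.Acropolis ports in 'netstat -an' output.

Added example, not SARC code.  The port numbers 32791 and 45673 come from
the write-up above; the sample output is constructed to resemble Windows
'netstat -an' and is not a real capture.
"""
import re

ACROPOLIS_PORTS = {32791, 45673}

# One row of 'netstat -an': protocol, local address, foreign address and,
# for TCP, a state column.  UDP rows have no state.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text: str) -> list:
    """Return (proto, local_port, foreign_address, state) for each connection row.

    Header lines ('Active Connections', the column titles) do not match the
    row pattern and are skipped.
    """
    rows = []
    for line in text.splitlines():
        match = NETSTAT_ROW.match(line)
        if not match:
            continue
        local_port = int(match.group("local").rsplit(":", 1)[1])
        rows.append((match.group("proto"), local_port,
                     match.group("remote"), match.group("state") or ""))
    return rows


def acropolis_listeners(text: str) -> list:
    """Rows whose local port is one of the Backdoor.Acropolis ports."""
    return [row for row in parse_netstat(text) if row[1] in ACROPOLIS_PORTS]


# Constructed sample output modelling an infected host; only the two
# Acropolis rows are of interest, the rest is ordinary Windows noise.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:32791          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:45673          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for proto, port, remote, state in acropolis_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port} {state} (foreign {remote})")
```

A port match on its own is only a lead: any program may bind those numbers, so a hit should be confirmed by the
scan and the file detection described in the write-up.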

Symantec Enterprise Security

Visit the Symantec Enterprise Security Web Site
http://enterprisesecurity.symantec.com/
Get the latest enterprise security news delivered straight to your inbox. Register for Symantec's free Enterprise
Security newsletters.
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
Recent headlines include:
Hackers Invaded Navy Computer, Got Missile-Related Software; St. Louis Post-Dispatch, USA.
http://enterprisesecurity.symantec.com/content.cfm?articleid=620
AtHome Users Targeted by Virus Sent in Fake Email; The Toronto Star, Canada.
http://enterprisesecurity.symantec.com/content.cfm?articleid=618
What are you doing to keep your employees from causing a security breach? Our latest feature article "Internet
Security Training for Employees" gives you steps to take to protect your enterprise from this often overlooked
inside threat.
http://enterprisesecurity.symantec.com/article.cfm?articleid=613

VBS.Kidarcade - Traditional coding meets modern scripting.

VBS.Kidarcade is a virus based on Visual Basic Script (VBS). It has been
put into an HTML page, and is on at least one Web site. The virus installs a Backdoor Trojan that allows unauthorized
access to the infected computer.
VBS.Kidarcade is both a Visual Basic Script and a JavaScript virus. It has been designed to perform the following
actions:
- If the security settings on the computer allow the scripts to run, the HTML page copies the file Html.hta to the
\Windows\StartUp folder. This file is a Visual Basic Script, which will be executed every time that Windows starts.
- When executed, the script drops the binary file 2ascii.bin. It then runs the DOS/Windows utility Debug.exe with
the parameter "2ascii.bin" passed to it. 2ascii.bin is a binary file that consists of the decoder, written in
Assembly language, and the encoded body of the Backdoor Trojan Winrun.exe. Debug.exe reads the decoder instructions
into memory and passes execution control to them. The decoder extracts the body of the Trojan from 2ascii.bin and
writes it as the Winrun.exe file.
- The script then moves the Backdoor Trojan to the \Windows\System folder and runs it. The 2ascii.bin binary file is
then deleted.
- The script next creates the value NeverShowExt in the registry key HKEY_CLASSES_ROOT\htafile and changes the
value of HKEY_CLASSES_ROOT\htafile\DefaultIcon\ to SHELL32.DLL,104. This prevents Windows from displaying the .hta
file extension, even if "Hide file extensions for known file types" is unchecked in Windows Folder Options. As a
result, when viewed in Explorer the viral script Html.hta that was copied to the \Windows\StartUp folder is shown as
the "Html" file (no extension). Its icon is keys on a keyring.
- The script then creates the Wininit.ini file in the \Windows\System folder and writes the following lines in the
file:
    [rename]
    NUL=<path>\Html.hta
NOTE: Winrun.exe is a Backdoor Trojan. When it runs, it sends the signal
"I am ONLINE" to the remote computer. This tells the remote computer that the infected computer is ready
for remote administration. It then starts to accept and perform the remote commands. The remote administration
has full access to the file system of the infected computer. Winrun.exe permits the remote administration to download
or upload files from the remote computer, change the registry, and run commands and programs. The Backdoor Trojan
is able to change its own settings and uninstall itself if such commands are received. Because the Backdoor Trojan
is dropped and launched by the Html.hta script that is stored in the \Windows\StartUp folder, it will run every
time that the infected computer starts.
Removal Instructions:
To remove this Trojan, you need to:
- End all network connections, scan with Norton AntiVirus, and delete
files detected as VBS.Kidarcade or Backdoor Trojan.
- Remove the text that refers to \Html.hta from the Wininit.ini file.
- Delete NeverShowExt from HKEY_CLASSES_ROOT\htafile
The following sections offer detailed instructions.
To scan with Norton AntiVirus:
- Make sure you have no network connections (unplug the network card and
disconnect your Dial-Up connection if any).
- Run LiveUpdate to make sure that you have the most recent virus definitions.
- Start Norton AntiVirus (NAV), and run a full system scan, making sure
that NAV is set to scan all files.
- Delete any files detected as VBS.Kidarcade or Backdoor Trojan. If any
files are detected as VBS.Kidarcade or Backdoor Trojan, then when the scan is finished, reboot the computer and
repeat the full system scan with NAV.
To edit the Wininit.ini file:
- Click Start, point to Find, and click Files or Folders.
- Make sure that Look in is set to (C:) and that Include subfolders is checked.
- In the Named box, type wininit.ini and click Find Now.
- Double-click the Wininit.ini file that was found in the \Windows\System folder. It will open in Notepad.
- Look for the line <path>\html.hta and delete it if found.
- Save the changes and close Notepad.
To edit the registry:
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes
to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys
specified. Please see the document How to back up the Windows registry before proceeding. This document is available
from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request
document 927002.
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and then click OK. The Registry Editor opens.
- Navigate to the following key:
    HKEY_CLASSES_ROOT\htafile
- In the right pane, delete the following value:
    NeverShowExt
- Close the Registry Editor.
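The artefacts this write-up describes (Html.hta in the StartUp folder, the NeverShowExt value and repointed
DefaultIcon under HKEY_CLASSES_ROOT\htafile, and the NUL= line in Wininit.ini) are exactly what the removal steps
above undo, and they can be checked programmatically before and after cleaning. The following Python is an added
example, not SARC's code or part of the original write-up. It works on constructed snapshots (a StartUp folder
listing, the text of Wininit.ini and a dict modelling the two registry keys) so it runs on any platform; the sample
paths and registry contents are constructed, not taken from a real infection.

```python
"""Offline triage checks for the VBS.Kidarcade artefacts described above.

Added example, not SARC code.  Inputs are constructed snapshots (a StartUp
folder listing, the text of Wininit.ini and a dict modelling the relevant
registry keys) so the logic runs on any platform; on a live Windows 9x
machine the same data would come from the StartUp folder,
\\Windows\\System\\Wininit.ini and HKEY_CLASSES_ROOT\\htafile.
"""
from __future__ import annotations

from dataclasses import dataclass

HTAFILE_KEY = r"HKEY_CLASSES_ROOT\htafile"
HTAFILE_ICON_KEY = r"HKEY_CLASSES_ROOT\htafile\DefaultIcon"
SUSPECT_ICON = "SHELL32.DLL,104"  # icon the script sets, per the write-up


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def parse_wininit_rename(text: str) -> list[tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section of Wininit.ini.

    Windows processes this section once at the next boot; a destination of
    NUL means 'delete the source file'.  configparser is deliberately not
    used because the section legitimately repeats the NUL key.
    """
    pairs: list[tuple[str, str]] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def suspicious_rename_entries(text: str) -> list[str]:
    """Sources that Wininit.ini will delete (NUL=) at next boot and that are
    .hta files, matching the NUL=<path>\\Html.hta line the script writes."""
    return [src for dest, src in parse_wininit_rename(text)
            if dest.upper() == "NUL" and src.lower().endswith(".hta")]


def hta_in_startup(startup_listing: list[str]) -> list[str]:
    """.hta files in the StartUp folder.  Match on the real file name, since
    Explorer shows them without an extension once NeverShowExt is set."""
    return [name for name in startup_listing if name.lower().endswith(".hta")]


def htafile_extension_hidden(registry: dict[str, dict[str, str]]) -> bool:
    """True when HKEY_CLASSES_ROOT\\htafile carries the NeverShowExt value."""
    return "NeverShowExt" in registry.get(HTAFILE_KEY, {})


def htafile_icon_changed(registry: dict[str, dict[str, str]]) -> bool:
    """True when the htafile default icon has been pointed at SHELL32.DLL,104."""
    return registry.get(HTAFILE_ICON_KEY, {}).get("", "").upper() == SUSPECT_ICON


def triage(startup_listing, wininit_text, registry) -> list[Finding]:
    """Run all four checks; an empty list means none of the artefacts is present."""
    findings = []
    for name in hta_in_startup(startup_listing):
        findings.append(Finding("startup", f"HTA file in StartUp folder: {name}"))
    for src in suspicious_rename_entries(wininit_text):
        findings.append(Finding("wininit", f"scheduled for deletion at next boot: {src}"))
    if htafile_extension_hidden(registry):
        findings.append(Finding("registry", f"NeverShowExt present under {HTAFILE_KEY}"))
    if htafile_icon_changed(registry):
        findings.append(Finding("registry", f"htafile DefaultIcon is {SUSPECT_ICON}"))
    return findings


# Constructed sample inputs modelling an infected machine (not real captures).
SAMPLE_STARTUP = ["Html.hta", "Office Startup.lnk"]
SAMPLE_WININIT = (
    "[rename]\n"
    "C:\\Windows\\System\\new.dll=C:\\Windows\\System\\new.tmp\n"  # benign pending rename
    "NUL=C:\\Windows\\StartUp\\Html.hta\n"                          # the Kidarcade entry
)
SAMPLE_REGISTRY = {
    HTAFILE_KEY: {"NeverShowExt": ""},
    HTAFILE_ICON_KEY: {"": "SHELL32.DLL,104"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_STARTUP, SAMPLE_WININIT, SAMPLE_REGISTRY):
        print(f"[{finding.check}] {finding.detail}")
```

Running the same checks again after the removal steps should return an empty list; a surviving "wininit" finding
means the Html.hta line is still in Wininit.ini, and a surviving "registry" finding means NeverShowExt was not
deleted from HKEY_CLASSES_ROOT\htafile.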
by: Serghei Sevcenco, SARC, APAC

See the SARC Glossary for definitions of viruses, Trojans, worms and more.

Contacts and Subscriptions

Correspondence by email to: sarc@symantec.com; no unsubscribe or support emails please.
Follow this link to unsubscribe or change your subscription type.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive:
http://www.symantec.com/avcenter/sarcnewsletters.html

This is a Symantec Corporation publication; use of it requires permission in advance from Symantec.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.