SYMANTEC.


  AntiVirus Research Centre

"The Sun Never Sets on SARC"

 

May 2000 Newsletter

 
 
   


The following is a list of the viruses, trojans and worms most frequently reported to SARC's regional offices during the last month.


Asia Pacific

Wscript.KakWorm
PWSteal.Trojan
VBS.LoveLetter


Europe

Wscript.KakWorm
VBS.LoveLetter
Happy99.Worm


Japan

PWSteal.Trojan
Wscript.KakWorm
VBS.LoveLetter


USA

Wscript.KakWorm
PWSteal.Trojan
VBS.LoveLetter



New Virus Hoaxes reported to Symantec

California IBM

   
With the 'biggest computer virus incident ever' occurring at the beginning of the month, I'm sure you are aware of this worm, its payload and fixes, so I've included a small section and pointer to our extensive write-up on the web site. Interestingly, VBS.NewLove followed shortly after but had little success, I suspect because everybody was still on high alert after VBS.LoveLetter.

This month our feature article is by Carey Nachenburg; he takes a look at URL filtering and the issues to be considered when implementing such systems.

This month we've started using the new Threat Severity Assessment categorisation. This is the number in brackets after the virus name, and there's a description of the categories on our web site.

David Banes,
Editor,
sarc@symantec.com
   
     

 Stop Press - W97M.Melissa.BG [Moderate - 3]

 
       
Viruses in the News

Moderate [3]

PC

   
       

O97M.Cybernet.A is a polymorphic macro virus that infects MS Word and MS Excel files. From an infected MS Word document, it does the following:

  • disables the MS Word 97 macro warning or sets the MS Word 2000 security setting to low
  • mass-emails the infected document if it hasn't already done so from the infected system
  • infects the MS Word global template
  • deletes all *.XL? files from the MS Excel startup directory (default is the "Program Files\Microsoft Office\Office\XLSTART" directory)
  • drops a read-only CyberNet.XLS into the MS Excel startup directory

From an infected MS Excel spreadsheet, it does the following:

  • disables the MS Excel 97 macro warning or sets the MS Excel 2000 security setting to low
  • mass-emails the infected spreadsheet if it hasn't already done so from the infected system
  • drops a read-only CyberNet.XLS into the MS Excel startup directory
  • deletes the global template (default is "Program Files\Microsoft Office\Template\NORMAL.DOT")
  • deletes all *.DO? files from the MS Word startup directory (default is "Program Files\Microsoft Office\Office\StartUp")
  • drops an infected MS Word global template

The mass-mailing payload is similar to that of W97M.Melissa.A. If it hasn't done so, it will email the infected document/spreadsheet to the first 50 addresses in every address list.

The subject line is:
You've GOT Mail !!!

The message body is:
Please, saved the document after you read and don't show to anyone else. The document is also VIRUS FREE...so DISREGARD the virus protection warning !!!

On August 17 or December 25, a malicious payload gets triggered. The virus adds randomly shaped objects to the active document/spreadsheet. Then, it modifies AUTOEXEC.BAT and CONFIG.SYS. The virus replaces AUTOEXEC.BAT with commands to format the C: drive.

It then displays a message box:

Assalamualaikum Li Kulli Muslim...Moslem Power Never End...

Nothing Can Stop << CyberNET >> Virus. Your System Has Already Infected !!!

Now...I Am Outta Here...


Clicking OK will shut down MS Windows.

http://www.sarc.com/avcenter/venc/data/o97m.cybernet.html

by: Raul Elnitiarta
SARC, USA

   
                 
       
Worms in the News

Very Severe [5]

PC

 
VBS.LoveLetter.A

SARC has currently identified 29 versions of this worm. The latest is VBS.LoveLetter.AC. Virus definitions dated May 5, 2000 detect and remove all of these known variants.

Users of Norton AntiVirus can protect themselves from all known versions of the VBS.LoveLetter worm by downloading the latest virus definitions through LiveUpdate or by going to our web site at http://www.sarc.com/.

A tool to repair the VBS.LoveLetter infection, including all known versions, is available at http://www.sarc.com/.
Microsoft has also released a patch for MS Outlook to protect against this type of threat.
http://www.sarc.com/avcenter/venc/data/vbs.loveletter.a.html

by: Eric Chien
SARC, EMEA
   
         
 

Moderate [3]

PC

   
VBS.NewLove.A

SARC, in conjunction with other anti-virus vendors, has renamed this worm from VBS.LoveLetter.FW.A to VBS.NewLove.A.

VBS.NewLove.A is a worm that, once activated, spreads by sending itself to all addresses in the Outlook address book. The attachment name is randomly chosen, but will always have a .vbs extension. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .vbs extension). Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.fw.a.html

by Andy C
SARC, USA
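
As an added example, not part of the newsletter or any SARC tool, the message shape described above (a subject starting with "FW: " followed by the name of a .vbs attachment) can be checked at a mail gateway. The sender, subjects and file names below are constructed, and reporting any other .vbs attachment separately is an assumption that goes beyond the write-up.

```python
from email.message import EmailMessage
from pathlib import PureWindowsPath

def vbs_attachments(msg):
    """File names of attachments whose final extension is .vbs (any case)."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if PureWindowsPath(n).suffix.lower() == ".vbs"]

def classify(msg):
    """Return 'newlove-pattern', 'script-attachment' or 'clean'."""
    names = vbs_attachments(msg)
    if not names:
        return "clean"
    subject = str(msg["Subject"] or "").strip()
    if subject.startswith("FW: "):
        rest = subject[4:].lower()
        # The worm's subject carries the attachment name without ".vbs".
        if any(PureWindowsPath(n).stem.lower() in rest for n in names):
            return "newlove-pattern"
    # Any other .vbs attachment is still worth holding for review.
    return "script-attachment"

def make_message(subject, filename=None):
    """Build a constructed sample message; every value here is made up."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    if filename:
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg

if __name__ == "__main__":
    samples = [("FW: Quarterly Report.DOC", "Quarterly Report.DOC.vbs"),
               ("FW: minutes", "agenda.VBS"),
               ("FW: notes", "notes.txt"),
               ("hello", None)]
    for subject, filename in samples:
        print(f"{subject!r:30} {filename!r:30} -> "
              f"{classify(make_message(subject, filename))}")
```

Because the attachment name is random, the check keys on the relationship between subject and attachment rather than on any fixed string.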
   
                   
         
URL Filtering - Your Company: the World's Largest Internet Service Provider
   
          A great deal of Internet surfing takes place in the workplace every day, making the workplace the world's largest Internet Service Provider (ISP). Most employees can access the Internet at work at much higher speeds than at home. But are they using it strictly for work?

In a joint 1999 survey by the FBI and the Computer Security Institute, 97% of companies reported insider abuse of the Internet. In addition, 62% of registered hits to X-rated web sites occur during business hours (Elron Corp.) - presumably on your company's time.

With the increasing use of Shockwave, Flash and other interactive media, many web sites are designed for high-speed connections. Aside from increased interactivity, temptations like the stock market, online gambling, pornography, and web newscasts are all equally tantalizing. In addition, users check their personal e-mail at least half a dozen times per day.

Not only do these uses of the Internet hinder a company's productivity, they lead to other negative consequences: creating legal liabilities, wasting corporate bandwidth, and increasing your organization's exposure to malicious software, such as viruses, Trojan horses, and worms.

In response to the dilemma of the workplace being the biggest ISP, companies must consider their policies. Some companies will wish to block access to "inappropriate" web sites outright, while others will want to take a gentler approach. Internet proxy software is adept at filtering access to web sites and has flexible policies which can be configured based on the time of day, by user or group, and by type of content.

For example, these products can allow the administrator to set policies like "All users in the finance group should be blocked from the following types of web-sites: pornography, gambling and stock trading - from 8am till 5pm, except on weekends." Once provided with such a policy, the Internet proxy can enforce your Internet surfing guidelines without further maintenance.

Alternatively, corporations can merely use Internet proxy software to monitor the company's usage of the Internet. For example, an administrator could use the software to generate a report of the top ten visited sites each week during business hours. This information could then be sent to employees to make them aware of the current use of the Internet. If an employee sees that they are surfing to one of those top ten web sites and they know that site is inappropriate, they may reevaluate their surfing habits.
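
The finance-group policy and the business-hours top-sites report described above, as an added example that is not from the newsletter or from any Symantec product. The log format, host names and the host-to-category table are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, time

# Policy from the article: finance group, three categories, 8am-5pm, not weekends.
POLICY = {"group": "finance",
          "categories": {"pornography", "gambling", "stock trading"},
          "start": time(8, 0), "end": time(17, 0)}

# Constructed host-to-category table; real products ship their own database.
CATEGORIES = {"casino.example": "gambling", "trade.example": "stock trading",
              "news.example": "news", "intranet.example": "business"}

def in_business_hours(when, start=time(8, 0), end=time(17, 0)):
    """True on Monday-Friday from start (inclusive) to end (exclusive)."""
    return when.weekday() < 5 and start <= when.time() < end

def is_blocked(policy, group, host, when):
    """Block only when group, category and time window all match the policy."""
    category = CATEGORIES.get(host, "uncategorised")
    return (group == policy["group"]
            and category in policy["categories"]
            and in_business_hours(when, policy["start"], policy["end"]))

def top_sites(log, n=10):
    """Most-visited hosts during business hours, as (host, hits) pairs."""
    hits = Counter(host for when, _user, _group, host in log
                   if in_business_hours(when))
    return hits.most_common(n)

# Constructed one-week proxy log: (timestamp, user, group, host).
LOG = [
    (datetime(2000, 5, 8, 9, 15), "u1", "finance", "trade.example"),      # Monday
    (datetime(2000, 5, 8, 18, 30), "u1", "finance", "trade.example"),     # after 5pm
    (datetime(2000, 5, 13, 10, 0), "u2", "finance", "casino.example"),    # Saturday
    (datetime(2000, 5, 8, 10, 0), "u3", "engineering", "casino.example"),
    (datetime(2000, 5, 8, 10, 5), "u3", "engineering", "news.example"),
    (datetime(2000, 5, 9, 11, 0), "u2", "finance", "news.example"),
    (datetime(2000, 5, 9, 11, 30), "u1", "finance", "intranet.example"),
]

if __name__ == "__main__":
    for when, user, group, host in LOG:
        verdict = "BLOCK" if is_blocked(POLICY, group, host, when) else "allow"
        print(when.isoformat(" "), user, group, host, verdict)
    print("Top sites in business hours:", top_sites(LOG, 3))
```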


Like any new technology, while the Internet is becoming an indispensable work tool in the corporation, it also has some drawbacks. Specifically, when improperly used, it can be a productivity drain and increase the corporation's exposure to both work-related liabilities and malicious computer software. Consequently, corporations should examine their Internet usage policies and consider deploying tools to help manage Internet usage.

by Carey Nachenburg
SARC, USA
   
                   
         

SARC Glossary, what's the definition of a virus, trojan and worm?

   
Contacts

Correspondence by email to: sarc@symantec.com, no unsubscribe or support emails please.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

To Subscribe and Unsubscribe

To be added or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html
SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
   
       

 

     
          All information contained in this newsletter is accurate and valid as of the date of issue.  

Copyright © 1996-1999 Symantec Corporation. All rights reserved.