The SARC AntiVirus News Update

"The sun never sets on SARC"

Volume 4 Issue 1.1 July 1999

 
   


The following is a list of the viruses, trojans and worms most often reported to SARC's regional offices this month.


USA

Worm.ExploreZip
W97M.Ethan
W97M.Melissa



Europe

W97M.Ethan
W97M.Melissa
W97M.Cali



Japan

XM.Laroux
Worm.ExploreZip
W97M.Class



Asia Pacific

W95.CIH
W97M.Ethan
W97M.Marker.A


SARC - Symantec AntiVirus Research Centre

     
Following the success of the latest issues and feedback from our readers, we will be distributing the SARC AntiVirus News Update on a monthly basis so you can be up-to-date and informed on recent virus threats.

In this edition of the SARC AntiVirus News Update we will provide you with a brief description of the topical viruses, worms and trojans. We touch on the new version of Back Orifice, Back Orifice 2000, the memory-resident W95.K32 virus, the Worm.ExploreZip worm and more. For more detailed information on any of these please visit the SARC website.

A new macro virus, W97M.JulyKiller, was discovered in Asia Pacific this month; this Word macro virus is believed to have originated in China or Taiwan. As we go to press a new version of the Melissa virus has been discovered, W97M.Melissa.M. There's a short description of JulyKiller below, with a detailed write-up for both viruses on our web site. As usual I recommend updating your virus definitions monthly at a minimum and weekly if at all possible.

I take this opportunity to apologise for sending out the DELETE command to the newsletter distribution list instead of sending the command to our server maintaining the distribution list, a classic list management error.

If you wish to unsubscribe from this information service, please email the server directly at listserv@lserver.symantec.com; instructions are at the end of this email. A reply to this newsletter will unfortunately not delete you from the distribution list.

David Banes,
Editor, sarc.avnews@symantec.com

   
       

Stop Press! - VBS.FreeLink definitions and description available on SARC web site

   
       
Trojans in the News

Back Orifice 2000 is a new version of BackOrifice.Trojan. When installed on a Microsoft Windows system, this backdoor trojan horse program allows others to gain full access to the system. Similar to the original BackOrifice, it consists of two pieces: a server and a client application. Unlike the old version, both applications now run under Windows NT. The client application, running on one machine, can be used to monitor and control a second machine running the server application. The operations the client application can perform on the target machine are mostly similar to the previous version of BackOrifice.Trojan.
By: Raul K. Elnitiarta and Wason Han
SARC, USA

Viruses in the News

W95.K32 is a memory resident virus that infects Windows executables. This virus is not destructive but does contain a payload. If the current date is February 19 and an infected file is executed, it will display a message box with the caption "nIgr0_lives_here!!!!" and the following message:

Virus K32 por nIgr0 ... "Hazlo o no lo hagas pero no lo intentes".

The virus uses Windows functions that are exported from KERNEL32.DLL. It searches for the following functions in memory: CreateFile, SetFilePointer, ReadFile, WriteFile, CloseHandle, CreateProcessA, GetModuleHandleA, and GetProcAddress. Then, it hooks CreateProcessA so that it can infect files that are executed. The virus writes itself into the copy of KERNEL32.DLL in memory.

During infection, the virus appends itself to the end of the file that was executed. The size of infected files will increase by 3030 bytes. To repair an infected system, reset the PC, and boot to a clean boot floppy. Then, run NAV to detect and repair infected files.
By: Wason Han
SARC, USA
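The repair advice above (boot clean, then scan) works because a clean system gives you a reference point. The following is an added example, not SARC's or Norton AntiVirus code, of the same idea expressed as a file-integrity baseline: record size and SHA-256 of each executable while the system is known clean, then compare later and flag files that changed, singling out the 3030-byte growth the description attributes to W95.K32. The extension filter, the dummy files and the appended bytes are constructed for the demonstration.

```python
"""File-integrity baseline for executables, added here as an example.
W95.K32 is described as appending itself to executed programs so that each
infected file grows by exactly 3030 bytes; a baseline taken from a clean system
exposes that change. Not SARC's or NAV's code; filters and demo data are assumed."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

K32_GROWTH = 3030                    # size increase the newsletter reports for W95.K32
EXECUTABLE_EXTS = (".exe", ".dll")   # assumption: which files are worth baselining


def build_baseline(root: str) -> Dict[str, Tuple[int, str]]:
    """Map each executable under root (path relative to root) to (size, sha256)."""
    baseline: Dict[str, Tuple[int, str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(EXECUTABLE_EXTS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root)
            baseline[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare_baselines(before: Dict[str, Tuple[int, str]],
                      after: Dict[str, Tuple[int, str]]) -> List[dict]:
    """Report executables that changed, appeared or vanished between two baselines.
    A modified file whose size grew by exactly K32_GROWTH bytes is marked as
    matching the K32 pattern; any other change still deserves a look."""
    findings: List[dict] = []
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            findings.append({"file": rel, "status": "missing"})
        elif rel not in before:
            findings.append({"file": rel, "status": "new"})
        elif before[rel] != after[rel]:
            delta = after[rel][0] - before[rel][0]
            findings.append({"file": rel, "status": "modified", "delta": delta,
                             "k32_pattern": delta == K32_GROWTH})
    return findings


def demo() -> List[dict]:
    """Constructed scenario: two dummy executables, one of which later grows by 3030 bytes."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("calc.exe", b"MZ-dummy-calc"), ("notepad.exe", b"MZ-dummy-notepad")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        clean = build_baseline(root)
        # Simulate the appended-code growth the description mentions (constructed bytes)
        with open(os.path.join(root, "notepad.exe"), "ab") as fh:
            fh.write(b"\x90" * K32_GROWTH)
        return compare_baselines(clean, build_baseline(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline would be taken from the clean-boot state and stored off the machine, since a resident virus that hooks file creation can also tamper with a baseline kept on the infected disk.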





MS Outlook Attachment Patch

Microsoft made available an update to Outlook 97, 98 and 2000 mid June that makes it harder for users to inadvertently launch potentially harmful attachments from email. A warning message is displayed and the user has then to save the attachment before running or opening it. At this point a virus scan would be the prudent thing to do. The following link takes you to the download page for Outlook 2000.

http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm

Subscribe and Unsubscribe

SARC AntiVirus News Update is published periodically by Symantec Corporation. Copyright © 1996-1999 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.

To be added to the subscription mailing list, please fill out the form available on the SARC website at:
http://www.symantec.com/avcenter/newsletter.html

If you want to be removed from this mailing list, simply send an e-mail to

listserv@lserver.symantec.com

with the following on a line by itself in the body of the message:

SIGNOFF SARC-L
 
Worms in the News

Worm.ExploreZip is a worm that contains a malicious payload. The worm uses Microsoft Outlook, Outlook Express or Exchange to mail itself out by replying to unread messages in your Inbox. The worm will also search mapped drives and networked machines for Windows installations, copy itself to the Windows directory of the remote machine and modify its WIN.INI accordingly.

The payload of the worm will destroy any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard drives, any mapped drives, and any network machines that are accessible each time it is executed. This continues to occur until the worm is removed.

You may receive the worm as an attachment called zipped_files.exe. When run, this executable will copy itself to your Windows System directory with the filename Explore.exe or to your Windows directory with the filename _setup.exe. The worm modifies your WIN.INI or registry such that the file Explore.exe is executed each time you start Windows.

The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center on June 6, 1999.

By: Eric Chien
SARC, Europe
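Because the worm persists through the WIN.INI startup entries, an administrator can check that file on each machine for the names the description gives. The following is an added example, not SARC's or Symantec's code: a small WIN.INI parser that reads the load= and run= values of the [windows] section (the two keys Windows uses to start programs at login) and reports entries whose file name is Explore.exe or _setup.exe. The sample INI contents are constructed; treating space or comma as the separator between programs in those values is an assumption, and so is matching the names case-insensitively.

```python
"""Check WIN.INI startup entries for the file names Worm.ExploreZip is described
as installing (Explore.exe, _setup.exe). Added example, not SARC's code; the
sample WIN.INI text below is constructed rather than captured from a real system."""
import re
from typing import Dict, List, Tuple

# Names the newsletter attributes to the worm; matched case-insensitively (assumption)
SUSPECT_NAMES = {"explore.exe", "_setup.exe"}


def parse_win_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}} with sections and keys lower-cased.
    Comment lines start with ';'; lines outside any section are ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def startup_programs(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key, program) pairs from the [windows] load= and run= values.
    Several programs may be listed, separated by spaces or commas (assumption)."""
    win = sections.get("windows", {})
    programs: List[Tuple[str, str]] = []
    for key in ("load", "run"):
        for entry in re.split(r"[,\s]+", win.get(key, "")):
            if entry:
                programs.append((key, entry))
    return programs


def suspicious_startup_entries(text: str) -> List[dict]:
    """Flag startup entries whose base file name is one the worm is known to use."""
    hits: List[dict] = []
    for key, entry in startup_programs(parse_win_ini(text)):
        base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SUSPECT_NAMES:
            hits.append({"key": key, "entry": entry})
    return hits


# Constructed sample files: one clean, one carrying the worm's startup entries
SAMPLE_CLEAN = """[windows]
load=
run=
[Desktop]
Wallpaper=(None)
"""

SAMPLE_INFECTED = """; constructed sample, not a real capture
[windows]
load=C:\\WINDOWS\\_setup.exe
run=C:\\WINDOWS\\SYSTEM\\Explore.exe notepad.exe
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print("clean:", suspicious_startup_entries(SAMPLE_CLEAN))
    print("infected:", suspicious_startup_entries(SAMPLE_INFECTED))
```

A name match is only a lead: the same check should be paired with a definition-based scan of the referenced file, and the registry Run keys the description also mentions need a separate look.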


W97M.Ethan.A

W97M.Ethan.A is a macro virus. This MS Word 97 macro virus inserts its viral code at the beginning of the "ThisDocument" VBA module. "ThisDocument" is a default module in an MS Word 97 template that is not listed in the Tools-Macro macro list.

While infecting a document or the global template, this macro virus uses a temporary text file, "C:\ETHAN.___". The virus marks this temporary text file as a hidden system file.

The first report of this macro virus from the field came to Symantec AntiVirus Research Center on January 12, 1999 through Norton Anti-Virus Scan-and-Deliver system.
By: Raul K. Elnitiarta
SARC, USA



W97M.JulyKiller

W97M.JulyKiller is an MS Word 97 macro virus that was first discovered in Taiwan. Although the virus has received media attention, Symantec AntiVirus Research Center does not believe it presents any serious threat. There have been only a couple of reports of W97M.JulyKiller infections in the region as of the date of publication of this newsletter.

This macro virus infects the global template (NORMAL.DOT) and opened documents, and adds a new start-up template, "C:\AUTOEXEC.DOT". The payload is triggered on opening or closing a document, creating a new document, or loading MS Word during the month of July. As described in detail below, the payload may replace "C:\AUTOEXEC.BAT" with one that includes a command to delete all files from the C: drive. It has been confirmed that the virus can infect non-Chinese versions of MS Word 97.
By: Raul K. Elnitiarta and Peter Pak
SARC, USA



Contacts

Address all correspondence by email to: sarc.avnews@symantec.com or in writing to

Symantec Corporation
AntiVirus Research Center
attn.: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404, USA

Archives of these newsletters are available for reading on the SARC WWW site at:
http://www.symantec.com/avcenter/refa.html

All information contained in this newsletter is accurate and valid as of the date of issue.

SARC Virus Hotline
sarc.avnews@symantec.com