Virus Info Page

September 18-01 (4:00 PM CST)

Subject: Nimda Virus Attacks

The virus causing this attack on the internet today is being called W32.Nimda.A@mm. The virus attaches a file called readme.eml to web pages served from infected web servers. Internet Explorer version 5.x will automatically open this file and infect the user's computer.

If you access ANY web site that prompts you to download or open an unexpected file, especially if that file's name contains README.EXE, DO NOT download or open that file. Leave that web site immediately and close your web browser.

Mia.Net is filtering all .exe and .eml attachments now and forever. If you need to send a .exe attachment, use WinZip to zip the file. Again, we are filtering and rejecting any and all .exe's. There will be no exceptions to this policy ever.

For more information on W32/Nimda@MM (the "Nimda" virus), please visit the following links:

http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html

http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

http://www.cnn.com/2001/TECH/internet/09/18/internet.attack.ap/index.html


5/19/2000

NAME:

VBS/NewLove-A - (See ILOVEU Virus - 5/4/00)

Aliases:
VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER,
VBS.Loveletter.FW.A, NEWLOVE.A, VBS/Spammer.A,
VBS.Loveletter.FW, Spammer, Newlove

Type: Visual Basic Script worm

Date: 19 May 2000

Sophos has issued an alert about a new polymorphic email-aware worm which has been reported in the wild. The worm, called VBS/NewLove-A is a Visual Basic Script virus that mutates its appearance in an attempt to avoid detection by anti-virus products.

If you are infected by the virus it will do the following:

The virus chooses a random filename and attempts to forward a mutated version of itself to everybody in your Microsoft Outlook address book. The name of the file it forwards is determined by randomly choosing one of the filenames in your Windows\Recent folder, appended with ".Vbs" (for instance, EXPENSES.XLS becomes EXPENSES.XLS.Vbs).

The filename attached will have one of the following extensions:
Doc.Vbs
Xls.Vbs
Mdb.Vbs
Bmp.Vbs
Mp3.Vbs
Txt.Vbs
Jpg.Vbs
Gif.Vbs
Mov.Vbs
Url.Vbs
Htm.Vbs

The message has the subject line: "FW: <filename>" where filename is the name of the file it is forwarding, with the extension ".Vbs" removed. So, if the attached infected file is README.DOC.Vbs then the subject line will be "FW: README.DOC".

Because of this, VBS/NewLove-A does not use the same filename or subject line on different infections. The email message has no message text. The virus attempts to reduce all files on local and remote drives to zero length. This means that Windows may stop working correctly, and that your system will not start up properly upon reboot. Users who have disabled Windows Scripting Host (WSH) on their computers will not be infected by this virus. Details on how to disable WSH are published at: http://www.sophos.com/support/faqs/wsh.html

Users who are blocking any Visual Basic Script filename (the infected message always arrives with a filename ending in ".Vbs") will not be affected.

Due to the way in which the virus mutates, it rapidly increases in size on each infection. This means that your mail server may be slowed down more and more by ever-larger volumes of email.

Sophos researchers are working on a method of detecting this virus, and will be issuing an update later today.

Mia.Net blocks all ".vbs" attachments, so this virus cannot be propagated on our network.
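The two notices above describe a gateway rule (reject .exe, .eml and .vbs attachments outright) and a message pattern (NewLove-A: empty body, one "<file>.<ext>.Vbs" attachment, subject "FW: <file>.<ext>"; LoveLetter: subject ILOVEYOU with LOVE-LETTER-FOR-YOU.TXT.vbs). The following is an added example, not Mia.Net's own filter, showing how a mail gateway could apply both checks; the Message class and the verdict strings are assumptions for illustration, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Final attachment extensions the notices say Mia.Net rejects (case-insensitive).
BLOCKED_EXTENSIONS = {".exe", ".eml", ".vbs"}
# Inner extensions NewLove-A copies from the victim's Windows\Recent folder.
NEWLOVE_INNER_EXTS = ("doc", "xls", "mdb", "bmp", "mp3", "txt", "jpg", "gif", "mov", "url", "htm")
NEWLOVE_NAME = re.compile(r"(.+\.(%s))\.vbs" % "|".join(NEWLOVE_INNER_EXTS), re.IGNORECASE)

@dataclass
class Message:          # minimal stand-in for a parsed mail (assumption, not a real API)
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def final_extension(name: str) -> str:
    """Last dotted suffix, lower-cased: 'EXPENSES.XLS.Vbs' -> '.vbs'; no dot -> ''."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def looks_like_newlove(msg: Message) -> bool:
    """Empty body, exactly one <file>.<ext>.Vbs attachment, subject 'FW: <file>.<ext>'."""
    if msg.body.strip() or len(msg.attachments) != 1:
        return False
    m = NEWLOVE_NAME.fullmatch(msg.attachments[0])
    return bool(m) and msg.subject.strip().lower() == ("FW: " + m.group(1)).lower()

def looks_like_loveletter(msg: Message) -> bool:
    """Subject ILOVEYOU and the fixed LoveLetter attachment name."""
    return (msg.subject.strip().upper() == "ILOVEYOU"
            and any(a.lower() == "love-letter-for-you.txt.vbs" for a in msg.attachments))

def classify(msg: Message) -> str:
    """Worm-specific patterns first, then the blanket extension policy."""
    if looks_like_newlove(msg):
        return "reject:newlove"
    if looks_like_loveletter(msg):
        return "reject:loveletter"
    if any(final_extension(a) in BLOCKED_EXTENSIONS for a in msg.attachments):
        return "reject:policy"
    return "accept"

# Constructed sample traffic: two NewLove-style forwards, one LoveLetter, one .eml, one clean zip.
SAMPLES = [
    Message("FW: EXPENSES.XLS", "", ["EXPENSES.XLS.Vbs"]),
    Message("FW: README.DOC", "", ["README.DOC.Vbs"]),
    Message("ILOVEYOU", "kindly check the attached LOVELETTER coming from me.", ["LOVE-LETTER-FOR-YOU.TXT.vbs"]),
    Message("readme", "see attached", ["readme.eml"]),
    Message("Q3 report", "attached", ["report.zip"]),
]

def scan(messages):
    return [(m.subject, classify(m)) for m in messages]
```

Running scan(SAMPLES) rejects the first four messages and accepts only the zip, which is also how the notice says a legitimate .exe should travel.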

5/4/2000

NAME:

LoveLetter

VBS/LoveLetter is a VBScript worm. It spreads through email as a chain letter.

The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using the mIRC client as well.

When it is executed, it first copies itself to Windows System directory as:

    - MSKernel32.vbs
    - LOVE-LETTER-FOR-YOU.TXT.vbs

and to Windows directory:

    - Win32DLL.vbs

Then it adds itself to registry, so it will be executed when the system is restarted. The registry keys that it adds are:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

Next the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to the registry as well, so that the program is executed when the system is restarted.

After that, the worm creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel.

Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows:

    Subject:    ILOVEYOU
    Body:       kindly check the attached LOVELETTER coming from me.
    Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

 

LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more.

The virus then searches for certain file types in all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have either the "vbs" or the "vbe" extension.

For the files with the following extensions: ".js", ".jse", ".css", ".wsh", ".sct" and ".hta", the virus will create a new file with the same name, but using the extension ".vbs". The original file will be deleted.

Next the virus locates files with ".jpg", ".jpeg", ".mp3" or ".mp2" extensions, adds a new file next to each one and deletes the original file. For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created.

LoveLetter was found globally in the wild on May 4th, 2000. It looks like the virus is of Philippine origin. At the beginning of the code, the virus contains the following text:

    rem  barok -loveletter(vbe) <i hate go to school>
    rem 			by: spyder  /  ispyder@mail.com  /  @GRAMMERSoft Group  /  Manila,Philippines

[Analysis: Katrin Tocheva, Mikko Hypponen and Sami Rautiainen, F-Secure]  

For more information visit: http://www.datafellows.com/v-descs/love.htm


12/14/1999 W32.NewApt.Worm

Detected as:

W32.NewApt.Worm

Aliases:

Worm.NewApt

Infection Length:

69,632 bytes

Likelihood:

Common

Region Reported:

US, Europe

Characteristics:

Worm

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the Download Virus Definition Updates page.

Description

W32.NewApt.Worm was discovered on December 14, 1999 in Italy. This worm will email itself out when receiving email via Microsoft Outlook or Netscape Navigator. When activated, the worm will display an error dialog and modify the registry so the worm is reloaded each time the computer is restarted. The error message box will appear as:

When received by email (and if you do not have an HTML capable email client), the message body will be:

he, your lame client cant read HTML, haha.
click attachment to see some stunningly HOT stuff

Otherwise, the text will include a reference to a website and the following message:

Hypercool Happy Year 2000 funny programs and 
animations….
We attached our recent animation from this 
site in our mail ! Check it out!

Attached to the message will be one of the following file names: g-zilla.exe, cooler3.exe, cooler1.exe, copier.exe, video.exe, pirate.exe, goal1.exe, hog.exe, party.exe, saddam.exe, monica.exe, boss.exe, farter.exe, cheeseburst.exe, panther.exe, theobbq.exe, goal.exe, baby.exe, bboy.exe, cupid2.exe, fborfw.exe, casper.exe, irnglant.exe, or gadget.exe

The worm will add the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tpanew

To remove the worm from memory, remove the above registry key and then restart. Delete all infected files.


Write-up by: Eric Chien
Dec 14, 1999


12/13/1999 W97M.Thus.A Virus

Aliases:

W97.Thursday, W97M.Automat.K

Area of Infection:

Word 97 Documents

Likelihood:

Common

Trigger Date:

December 13th

Detection Added:

August 16, 1999

Description:

W97M.Thus.A is a simple macro virus that infects Word 97 documents. It has a payload that triggers on December 13th which will try to delete all files and subdirectories from the root of the C: drive. This virus will also disable the macro virus protection in Word 97.

At the top of the viral macro code, it has a comment line "Thus_001". The virus checks for this comment line to determine whether the document is already infected, so as to avoid infecting it more than once. This is where the virus gets its name.

Detection and repair for this macro virus was created automatically by SARA (Symantec AntiVirus Research Automation) on Aug 16, 1999 under the auto-generated name W97M.Automat.K. The virus has recently been renamed W97M.Thus.A.

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following web page:

http://www.symantec.com/avcenter/download.html

Write-up by: Motoaki Yamamura
September 2, 1999


6/9/1999 Worm.ExploreZip

Virus Name: Worm.ExploreZip
Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: C:\Windows\System\, Email Attachments
Likelihood: Common
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse

Description:

Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes MAPI commands and Microsoft Outlook on Windows systems to propagate itself. Worm.ExploreZip was first discovered in Israel and submitted to the Symantec AntiVirus Research Center on June 6, 1999.

For full information and details on this virus please visit: http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

(Data obtained from Symantec Corp. http://www.symantec.com) For more information about this and other viruses, as well as how to detect and cure viruses visit: http://www.symantec.com

4/23/1999 Chernobyl Anniversary Virus

Sophos, the anti-virus and security company, has issued a warning about a dangerous new virus that triggers on Apr. 26 to apparently "celebrate" the 13th anniversary of the Chernobyl nuclear power plant accident.

The virus, called Network Nuke, will automatically trash a user's PC hard disk, Sophos said. According to company officials, the virus, which was first identified last summer and is also known as the CIH virus, has dominated the firm's "top 10" virus table.

When Network Nuke is triggered on Apr. 26, it starts its campaign of terror by wiping out the user's hard disk. Then it overwrites the re-writable elements of the PC's BIOS chipset, making the infected PC unusable in the process.

More Information:

Vendor Information

Below is a list of anti-virus vendors that have further information and tools relating to the CIH virus.

Computer Associates InoculateIT

http://www.cai.com/virusinfo/melissa_virus.htm#cih

Current virus signature versions that detect and cure the CIH virus are as follows:
  • Any version of the InoculateIT signature file later than 4.15 will detect and cure CIH.
  • The current version of the InoculateIT signature file is 4.20.

Any of the above virus signature files can be downloaded at www.support.cai.com

Network Associates/McAfee

http://www.avertlabs.com/public/datafiles/valerts/vinfo/spacefiller411.asp

ProLand Software

http://www.pspl.com/faqs/cihfaq.htm
http://www.pspl.com/download/cleancih.htm

Sophos

http://www.sophos.de/companyinfo/pressrel/uk/19990310chernobyl.html

Symantec/Norton AntiVirus

http://www.symantec.com/avcenter/venc/data/cih.html
http://www.symantec.com/avcenter/kill_cih.html

TrendMicro

http://216.33.21.51/vinfo/virusencyclo/default3.asp?VCode=EN001344


3/26/1999 Melissa

MailGoGoGo can now detect W97M_Melissa and stop it!
Download MailGoGoGo and the 'Melissa method' now!

The new e-mail virus, W97M_Melissa, is spreading rapidly.
Using Microsoft Word macros and the Outlook address book, it automatically sends out spam to the user's friends.
Mail servers could be overwhelmed by the virus.


For more information on the W97M_Melissa virus, go to:


http://www.news.com/News/Item/0,4,34334,00.html?feed.cnetbriefs

Cert Advisory: http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html


Download Melissa method for Windows (zip archive 1.2 kb)

Download Melissa method for Macintosh (stuffit archive 1.2 kb)


2/01/1999 Happy99.exe

What is Win32/Ska.A?

Happy99.exe is a Win32-based e-mail and newsgroup worm. It alters a file that your computer uses whenever you send out an email message or newsgroup posting so that every message that goes out has the virus attached to it. It does not corrupt any data on your hard drive or make your computer crash. It just attaches itself to your email and newsgroup messages.

How do I get it?

Happy99.exe arrives as an email attachment or news message attachment. Double clicking the Happy99.exe program infects your computer. You know that you're infected when you see a window named "Happy New Year 1999 !!" that contains a display of moving fireworks. Don't run the program and you won't get infected. Visit the following link for more information: http://pubweb.nwu.edu/~cds653/Happy99Cleaner.exe

Download the Happy99Cleaner program (717kb) Freeware



For information or comments please mail us
or call us at 262-248-6759.
Our business address is:
Bella Mia, Inc.
401 Host Drive
Lake Geneva, WI 53147
Copyright © 1997-00

Last updated 5/19/00 Web Page Design by: Kingbloom Design and Bella Mia, Inc. Copyright 1997-00