
NFC: Re: Fw: It is a biggie Worm ...



Would my flu shot cover that one too?  ~(;>)) JiM C.
-----Original Message-----
From: dakota <dakota at startext_com>
To: NFC <nfc at actwin_com>
Cc: Breeder's <nfcbreeders at actwin_com>
Date: Wednesday, December 22, 1999 5:55 PM
Subject: NFC: Fw: It is a biggie Worm ...


>Hello...sorry for the intrusion with non-Native stuff but there seems to be
>another Melissa-type virus around and wanted all to know about it.........
>Have a Nice and Safe Christmas all !!!
>Charles Anderton
>----- Original Message -----
>From: dakota at startext_com
>To: <NFC at actwin_com>
>Sent: Wednesday, December 22, 1999 4:01 PM
>Subject: It is a biggie Worm ...
>
>
>> Okay folks  here it is ...
>>
>> I just received this from Dr. Solomons
>>
>>
>> Long explanation:
>>
>> Profile
>>
>> Name
>> W32/NewApt.worm
>>
>> Aliases
>> I-Worm/MesMate, TROJ_NEWAPT.WORM, W32.NewApt.worm, W32/NewApt.worm
>>
>> Variants
>> None
>>
>> Date Added
>> 12/15/99
>>
>> Information
>>   Discovery Date: 12/14/99
>>   Type: Virus
>>   SubType: worm
>>   Risk Assessment: High
>>   Minimum DAT: 4058
>>   Minimum Engine: 4.0.25
>>
>>
>> Characteristics
>> This worm has been reported to AVERT in several countries during the week
>> of December 13, 1999. The file may be received by email with a size of
>> 69,632 bytes. The worm arrives by email and, depending on whether the email
>> application supports HTML email body content or not, one of two messages
>> is displayed. If HTML is supported, the message content looks like this:
>>
>> ---------------------------------------------------------------
>>
>>
>> http://stuart.messagemates.com/index.html
>>
>>
>>
>> Hypercool Happy New Year 2000 funny programs and animations...
>>
>> We attached our recent animation from this site in our mail ! Check it out
>>
>> ---------------------------------------------------------------
>>
>> If the email client does not support HTML, the email message will have
>> this content:
>>
>> ---------------------------------------------------------------
>>
>> he, your lame client cant read HTML, haha. click attachment to see some
>> stunningly HOT stuff
>>
>> ---------------------------------------------------------------
>>
>> The email contains an attachment of a randomly selected name from the
>> following list:
>> baby.exe
>> bboy.exe
>> boss.exe
>> casper.exe
>> chestburst.exe
>> cooler1.exe
>> cooler3.exe
>> copier.exe
>> cupid2.exe
>> farter.exe
>> fborfw.exe
>> goal.exe
>> goal1.exe
>> g-zilla.exe
>> irngiant.exe
>> hog.exe
>> monica.exe
>> panther.exe
>> panthr.exe
>> party.exe
>> pirate.exe
>> s.exe
>> saddam.exe
>> theobbq.exe
>> video.exe
>>
>> Please note that the file is not a "messagemates" game program and is not
>> related to the web site listed in the email message! Messagemates.com has
>> issued a notice about this also on their web site at this location:
>> http://stuart.messagemates.com/notice.htm There is no icon associated
>> with this 32 bit file other than the one associated with command line
>> executables such as COMMAND.COM. If this worm is run, a "dummy" error
>> message is displayed with the text-
>>
>> The dinamic link library giface.dll could not be found in the specified
>> path (list of directory names)
>>
>> The list of directory names is taken from the system environment
>> variable "path" which is set in AUTOEXEC.BAT in Windows 9x and also
>> configurable in Windows NT through the control panel. Note the
>> misspelling of the word "dinamic".
>>
>> The machine is then checked for the installation of MS Outlook Express.
>> If found, two files are written in the c:\windows folder
>>
>> mma. - contains a listing of email addresses
>> mmail. - contains the directory of MS Outlook Express
>>
>> The list of email addresses is captured by checking all folders in
>> Outlook Express for email messages received!
>>
>> A file is then saved to the Windows folder and the registry is modified
>> to load the file at the next Windows startup with a command line option
>> of "/x". For example, if the executable "chestburst.exe" is run, the
>> registry entry would look like this on a Windows 95 system:
>>
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tpawen =
>> c:\windows\chestburst.exe /x
>>
>> On the next Windows startup, the file is loaded. When the worm loads into
>> memory, it waits for an unspecified amount of time and then sends an
>> email message to one of the listed entries from the file "mma." with the
>> format mentioned at the beginning of this description.
>>
>> While the worm is active on a Windows 9x system, the following DLLs are
>> implemented:
>>
>> C:\WINDOWS\SYSTEM\WSOCK32.DLL
>> C:\WINDOWS\SYSTEM\WININET.DLL
>> C:\WINDOWS\SYSTEM\SHLWAPI.DLL
>> C:\WINDOWS\SYSTEM\USER32.DLL
>> C:\WINDOWS\SYSTEM\GDI32.DLL
>> C:\WINDOWS\SYSTEM\ADVAPI32.DLL
>> C:\WINDOWS\SYSTEM\KERNEL32.DLL
>>
>> When an email application such as MS Outlook is in use, the additional
>> DLL loaded is TAPI32.DLL.
>>
>> At this time, AVERT is analyzing the distribution method for this worm.
>> Strings within the executable suggest that it uses information stored in
>> the file "prefs.js" which is a reference to Netscape.
>>
>>
>> Symptoms
>> Existence of this file on the local system - modifications to the system
>> registry as mentioned above - email mailings as mentioned above.
>>
>>
>> Method Of Infection
>> Running the executable will directly copy itself and run the mailing
>> routine.
>>
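The advisory quoted above gives enough concrete indicators for a simple host-side check: the list of attachment names, the "tpawen" value under the Run key pointing at one of those executables with "/x", the "mma." and "mmail." files dropped in the Windows folder, and the fake DLL error with its tell-tale "dinamic" misspelling. The script below is an added example, not code from the original post, from the list members or from AVERT. The indicator values come from the advisory; the .reg-export parsing, the function names, and the sample registry export, directory listing and attachment names are constructed for the demonstration.

```python
"""Indicator checks derived from the W32/NewApt.worm advisory (added example)."""
import re

# Attachment names the advisory lists (compared case-insensitively).
ATTACHMENT_NAMES = frozenset({
    "baby.exe", "bboy.exe", "boss.exe", "casper.exe", "chestburst.exe",
    "cooler1.exe", "cooler3.exe", "copier.exe", "cupid2.exe", "farter.exe",
    "fborfw.exe", "goal.exe", "goal1.exe", "g-zilla.exe", "irngiant.exe",
    "hog.exe", "monica.exe", "panther.exe", "panthr.exe", "party.exe",
    "pirate.exe", "s.exe", "saddam.exe", "theobbq.exe", "video.exe",
})

# Files the advisory says are written to c:\windows. It writes them as
# "mma." and "mmail." (no extension); a directory listing may omit the dot.
DROPPED_FILES = frozenset({"mma", "mmail"})

# Registry key named in the advisory for the startup entry.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a REGEDIT4-style export. The RunOnce entry is a
# decoy to show that only the key the advisory names is considered.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"tpawen"="c:\\windows\\chestburst.exe /x"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="c:\\windows\\video.exe /x"
'''

# Constructed sample listing of c:\windows.
SAMPLE_WINDOWS_LISTING = ["command.com", "mma", "mmail.", "win.ini", "chestburst.exe"]

_REG_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def suspicious_attachment(filename: str) -> bool:
    """True when the attachment name is one the advisory lists."""
    return filename.lower() in ATTACHMENT_NAMES


def find_run_persistence(reg_export: str) -> list:
    """Return (value name, data) pairs under the Run key whose data is a
    listed worm executable started with the "/x" option."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        sec = _REG_SECTION.match(line)
        if sec:
            current_key = sec.group("key")
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        val = _REG_VALUE.match(line)
        if not val:
            continue
        data = val.group("data").replace("\\\\", "\\")  # .reg escapes backslashes
        if not data.lower().endswith(" /x"):
            continue
        exe_path = data[:-3].strip()
        basename = exe_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in ATTACHMENT_NAMES:
            hits.append((val.group("name"), data))
    return hits


def find_dropped_files(windows_listing) -> list:
    """Names in a Windows-folder listing that match the advisory's dropped files."""
    return sorted(n for n in windows_listing if n.lower().rstrip(".") in DROPPED_FILES)


def is_dummy_error(text: str) -> bool:
    """Match the worm's fake DLL error, keyed on the misspelling the advisory notes."""
    return "dinamic link library giface.dll" in text.lower()


def assess(attachments, reg_export, windows_listing, error_text="") -> dict:
    """Combine the checks. Persistence or dropped files mean the worm has run;
    a matching attachment alone means it was received."""
    run_entries = find_run_persistence(reg_export)
    dropped = find_dropped_files(windows_listing)
    return {
        "attachments": [a for a in attachments if suspicious_attachment(a)],
        "run_entries": run_entries,
        "dropped_files": dropped,
        "dummy_error_seen": is_dummy_error(error_text),
        "likely_infected": bool(run_entries or dropped),
    }


if __name__ == "__main__":
    report = assess(
        attachments=["holiday.jpg", "ChestBurst.EXE"],
        reg_export=SAMPLE_REG,
        windows_listing=SAMPLE_WINDOWS_LISTING,
        error_text="The dinamic link library giface.dll could not be found "
                   "in the specified path c:\\windows;c:\\windows\\command",
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Attachment-name matching is the weakest of the four checks, since the names are ordinary words and the advisory's 69,632-byte size is the only other mail-side clue; the Run value and the dropped files are the indicators worth alerting on, and the key-scoped parser deliberately ignores entries under other keys so the check stays tied to what the advisory actually reports.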