
NFC: Fw: It is a biggie Worm ...



Hello...sorry for the intrusion with non-Native stuff but there seems to be
another Melissa-type virus around and wanted all to know about it.........
Have a Nice and Safe Christmas all !!!
Charles Anderton
----- Original Message -----
From: dakota at startext_com
To: <NFC at actwin_com
Sent: Wednesday, December 22, 1999 4:01 PM
Subject: It is a biggie Worm ...


> Okay folks, here it is ...
>
> I just received this from Dr. Solomons
>
>
> Long explanation:
>
> Profile
>
> Name
> W32/NewApt.worm
>
> Aliases
> I-Worm/MesMate, TROJ_NEWAPT.WORM, W32.NewApt.worm, W32/NewApt.worm
>
> Variants
> None
>
> Date Added
> 12/15/99
>
> Information
>   Discovery Date: 12/14/99
>   Type: Virus
>   SubType: worm
>   Risk Assessment: High
>   Minimum DAT: 4058
>   Minimum Engine: 4.0.25
>
>
> Characteristics
> This worm has been reported to AVERT in several countries during the week of
> December 13, 1999. The file may be received by email with a size of 69,632
> bytes. The worm arrives by email and, depending on whether the email application
> supports HTML email body content, one of two messages is displayed.
> If HTML is supported, the message content looks like this:
>
> ---------------------------------------------------------------
>
>
> http://stuart.messagemates.com/index.html
>
>
>
> Hypercool Happy New Year 2000 funny programs and animations...
>
> We attached our recent animation from this site in our mail ! Check it out
>
> ---------------------------------------------------------------
>
> If the email client does not support HTML, the email message will have this
> content:
>
> ---------------------------------------------------------------
>
> he, your lame client cant read HTML, haha. click attachment to see some
> stunningly HOT stuff
>
> ---------------------------------------------------------------
>
> The email contains an attachment of a randomly selected name from the
> following list:
> baby.exe
> bboy.exe
> boss.exe
> casper.exe
> chestburst.exe
> cooler1.exe
> cooler3.exe
> copier.exe
> cupid2.exe
> farter.exe
> fborfw.exe
> goal.exe
> goal1.exe
> g-zilla.exe
> irngiant.exe
> hog.exe
> monica.exe
> panther.exe
> panthr.exe
> party.exe
> pirate.exe
> s.exe
> saddam.exe
> theobbq.exe
> video.exe
>
> Please note that the file is not a "messagemates" game program and is not
> related to the web site listed in the email message! Messagemates.com has
> issued a notice about this also on their web site at this location:
> http://stuart.messagemates.com/notice.htm
>
> There is no icon associated with this 32 bit file other than the one
> associated with command line executables such as COMMAND.COM. If this worm
> is run, a "dummy" error message is
> displayed with the text-
>
> The dinamic link library giface.dll could not be found in the specified path
> (list of directory names)
>
> The list of directory names is taken from the system environment variable
> "path" which is set in AUTOEXEC.BAT in Windows 9x and also configurable in
> Windows NT through the control panel. Note the misspelling of the word
> "dinamic".
>
> The machine is then checked for the installation of MS Outlook Express. If
> found, two files are written in the c:\windows folder
>
> mma. - contains a listing of email addresses
> mmail. - contains the directory of MS Outlook Express
>
> The list of email addresses is captured by checking all folders in Outlook
> Express for email messages received!
>
> A file is then saved to the Windows folder and the registry is modified to
> load the file at the next Windows startup with a command line option of
> "/x". For example, if the executable "chestburst.exe" is run, the registry
> entry would look like this on a Windows 95 system:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tpawen =
> c:\windows\chestburst.exe /x
>
> On the next Windows startup, the file is loaded. When the worm loads into
> memory, it waits for an unspecified amount of time and then sends an email
> message to one of the listed entries from the file "mma." with the format
> mentioned at the beginning of this description.
>
> While the worm is active on a Windows 9x system, the following DLLs are
> implemented:
>
> C:\WINDOWS\SYSTEM\WSOCK32.DLL
> C:\WINDOWS\SYSTEM\WININET.DLL
> C:\WINDOWS\SYSTEM\SHLWAPI.DLL
> C:\WINDOWS\SYSTEM\USER32.DLL
> C:\WINDOWS\SYSTEM\GDI32.DLL
> C:\WINDOWS\SYSTEM\ADVAPI32.DLL
> C:\WINDOWS\SYSTEM\KERNEL32.DLL
>
> When an email application such as MS Outlook is in use, the additional DLL
> loaded is TAPI32.DLL.
>
> At this time, AVERT is analyzing the distribution method for this worm.
> Strings within the executable suggest that it uses information stored in the
> file "prefs.js" which is a reference to Netscape.
>
>
> Symptoms
> Existence of this file on the local system - modifications to the system
> registry as mentioned above - email mailings as mentioned above.
>
>
> Method Of Infection
> Running the executable will directly copy itself and run the mailing
> routine.
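
Added example, not part of the forwarded advisory or the list post: a small Python check for the host indicators the advisory describes (a Run entry pointing at one of the listed attachment names with the "/x" switch, and the "mma." / "mmail." files in the Windows folder). The Run entries and the directory listing are constructed sample strings written in the advisory's own "name = command line" notation, not read from a live registry.

```python
import re

# Attachment names listed in the advisory, lowercased for comparison.
NEWAPT_NAMES = {
    "baby.exe", "bboy.exe", "boss.exe", "casper.exe", "chestburst.exe",
    "cooler1.exe", "cooler3.exe", "copier.exe", "cupid2.exe", "farter.exe",
    "fborfw.exe", "goal.exe", "goal1.exe", "g-zilla.exe", "irngiant.exe",
    "hog.exe", "monica.exe", "panther.exe", "panthr.exe", "party.exe",
    "pirate.exe", "s.exe", "saddam.exe", "theobbq.exe", "video.exe",
}
# Files the advisory says the worm writes to the Windows folder.
NEWAPT_DROP_FILES = {"mma.", "mmail."}

# One Run-key entry rendered as "ValueName = command line" (the advisory's notation).
RUN_LINE = re.compile(r"^\s*(?P<name>[^=]+?)\s*=\s*(?P<cmd>.+?)\s*$")

def split_command(cmd):
    """Split a Run value into (executable path, argument string); handles a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def check_run_entries(entries):
    """Return (value name, path) for Run entries matching the worm's persistence pattern."""
    hits = []
    for line in entries:
        m = RUN_LINE.match(line)
        if not m:
            continue
        path, args = split_command(m.group("cmd"))
        exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in NEWAPT_NAMES and "/x" in args.lower().split():
            hits.append((m.group("name"), path))
    return hits

def check_dropped_files(windows_listing):
    """Return which of the advisory's dropped files appear in a Windows-folder listing."""
    return sorted(NEWAPT_DROP_FILES & {n.lower() for n in windows_listing})

# Constructed sample input (two Run entries and a directory listing), not real data.
SAMPLE_RUN = ["SystemTray = SysTray.Exe", "tpawen = c:\\windows\\chestburst.exe /x"]
SAMPLE_LISTING = ["win.ini", "MMA.", "mmail.", "chestburst.exe"]

if __name__ == "__main__":
    print(check_run_entries(SAMPLE_RUN), check_dropped_files(SAMPLE_LISTING))
```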

