Read about other viruses:
- W32.Badtrans.B@mm
- Low-risk WTC.exe virus spreads
- W32.Nimda.A@mm Removal Tool
- W32.Sircam.Worm@mm
- Code Red running on NT or Windows 2000 with IIS
1. W32.Badtrans.B@mm
Download the Removal Tool from Symantec (J. Blanton sent the link. Thank you.)
a. Download the 121 kb file.
b. Run the file.
c. Windows ME users, note the special instructions: go into safe mode, disable System Restore, reboot, and rerun the removal tool. It seems to me that you need to disable System Restore while in safe mode.
d. The program seems to check EVERY file on the hard drive.
e. The program appears to be completely automatic. It may pay to run the program periodically.
Manual REMOVAL INSTRUCTIONS
SNIP from SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 3, Number 48
November 28, 2001
TOP OF THE NEWS
--26 November 2001 Badtrans.b Worm Spreading Rapidly
Badtrans.B exploits an Outlook and Outlook Express vulnerability to execute its infected attachment automatically when the e-mail is opened. The worm's subject line appears to be a reply to a previously sent message. Badtrans.B self-propagates, then installs a back door on the computer, sends the machine's IP address to the worm's author, and runs a key logging program.
http://www.infoworld.com/articles/hn/xml/01/11/26/011126hnbadtrans.xml?1126alert
http://www.cnn.com/2001/TECH/internet/11/26/badtrans.worm/index.html
http://news.cnet.com/news/0-1003-200-7979449.html
End Sans Newsbites
Snip from Symantec
W32.Badtrans.B@mm is a MAPI worm that emails itself out as a file with one of several different names. This worm also creates a .dll in the \Windows\System directory as Kdll.dll. It uses functions from this .dll to log keystrokes. Virus definitions dated November 24, 2001 will detect this worm. For additional information, point your Web browser to:
REMOVAL INSTRUCTIONS
http://www.symantec.com/techsupp/vURL.cgi/nav108
_____________________________
2. W32.Aliz.Worm
W32.Aliz.Worm is a very simple SMTP mass-mailer worm. The worm currently only replicates on Windows 9x computers. It does not seem to spread on Windows NT platforms. The worm spreads by obtaining email addresses from the Windows address book and sending itself to those addresses. Virus definitions dated May 22, 2001 will detect this worm.
When the worm arrives by email, the worm uses a MIME exploit that allows the virus to be run just by reading or previewing the email. Information on and a patch for this exploit can be found at
http://www.symantec.com/techsupp/vURL.cgi/nav110
For additional information, point your Web browser to:
http://www.symantec.com/techsupp/vURL.cgi/nav109
End of Email from Symantec
11/27/2001
Good articles from TECWEB.COM
2. DANGEROUS NEW VIRUS, SAME OLD HOLE
The latest worm -- W32/BadTrans.B-mm -- takes advantage of an Internet Explorer flaw and is spreading rapidly.
New, Slower Version Of Nimda Worm Spreads
http://update.techweb.com/cgi-bin4/flo?y=eFE70CKlax0H30Zgm0AX
Virus Definition Update Rings False Alarm On Nimda
http://update.techweb.com/cgi-bin4/flo?y=eFE70CKlax0H30aAT0Ab
Microsoft Leads Vulnerability-Disclosure Initiative
http://update.techweb.com/cgi-bin4/flo?y=eFE70CKlax0H30Zyn0Aq
End of Tecweb.com snip
Begin MSNBC Article
New low-risk WTC.exe virus spreads
Program claims to let recipients vote for peace after attacks
Sept. 24 — Antivirus researchers have discovered a new computer virus with a tempting attachment called WTC.exe. The virus masquerades as an attempt to “vote” for peace between “America and Islam.” The virus is nasty — it attempts a mass deletion of data on the victim’s computer. But it hasn’t spread widely, according to most antivirus firms, so it’s not yet clear how severe a risk the virus will be.
End snip from MSNBC article
Read entire article > http://msnbc.com/news/633320.asp
The Nimda virus appears to be a SERIOUS THREAT and a DANGER NOW!!
September 21, 2001
W32.Nimda.A
THE FOLLOWING IS PART OF A PAGE FROM SYMANTEC
Last Updated on: September 21, 2001 at 08:07:52 AM PDT
Symantec has provided a fixtool to remove infections of W32.Nimda.A
NOTE: Once a computer has been attacked by W32.Nimda.A@mm, it is very difficult to determine what security settings have been compromised. Unless, by reading the logs, you can be absolutely sure that nothing else malicious has been done to the computer, it may be best to backup all data files, reformat the hard drive, and then completely reinstall the operating system and all programs. This is the only way that you can be 100 percent certain that the computer is clean.
To obtain and run the tool:
--End of snip--
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
W32.Sircam.Worm@mm
I have personally received this virus over 14 times. The Chamber of Commerce has received it multiple times. And at least one computer in Beeville that I know about is infected. So far, Norton has protected my computer.
July 25, 2001 10:27 pm
OPEN ATTACHMENTS FROM FRIENDS, FAMILY, AND OTHERS CAREFULLY!!!
If you are infected PLEASE, take the time to read the resources on removing it.
Email Header info may look like this:
Subject: Document file name (without extension)
From: [[email protected]]
To: [[email protected]]
The body of the email may read something like this:
Hi! How are you?
I send you this file in order to have your advice
See you later! Thanks
If you receive an email like the one described above (even from a family member)
Resources
Check these sites! Update your virus scripts NOW!!!
One possible way to help prevent this virus from infecting your computer is to delete it on your mail server before you download it to your computer.
In Internet Explorer: Tools | Message Rules | Mail | Mail Rules | New
1. In "Select the Conditions for your rule"
2. In "Select the actions for your rule"
3. In "Rule Description"
4. In "Name of the Rule"
Click OK
If you have successfully created this rule, the next time you access your email the rule should delete the infected email from the mail server before it is downloaded to your computer.
In Netscape
I do not know how to do this in Netscape. If you do please contact me with the correct information.
You should consider your own particular situation before using the above suggestion. No one method of protection is 100% effective. I have implemented the above procedure on my computer and it "appears" to be working. But, as with everything in computers/internet, there is no guarantee that this will prevent infection.
The following is a copy of an email from CERT that I received today, July 25, 2001. The CERT® Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is operated by Carnegie Mellon University for the Department of Defense.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-22 W32/Sircam Malicious Code
Original release date: July 25, 2001
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Microsoft Windows (all versions)
Overview
"W32/Sircam" is malicious code that spreads through email and potentially through unprotected network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information.
As of 10:00EST(GMT-4) Jul 25, 2001 the CERT/CC has received reports of W32/Sircam from over 300 individual sites.
I. Description
W32/Sircam can infect a machine in one of two ways:
* When executed by opening an email attachment containing the malicious code
* By copying itself into unprotected network shares
Propagation Via Email
The virus can appear in an email message written in either English or Spanish with a seemingly random subject line. All known versions of W32/Sircam use the following format in the body of the message:
English
Hi! How are you?
[middle line]
See you later. Thanks
Spanish
Hola como estas ?
[middle line]
Nos vemos pronto, gracias.
Where [middle line] is one of the following:
English
I send you this file in order to have your advice
I hope you like the file that I sendo you
I hope you can help me with this file that I send
This is the file with the information you ask for
Spanish
Te mando este archivo para que me des tu punto de vista
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
Este es el archivo con la informacion que me pediste
Users who receive copies of the malicious code through electronic mail might recognize the sender. We encourage users to avoid opening attachments received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the file or a valid digital signature.
The email message will contain an attachment whose name matches the subject line and has a double file extension (e.g. subject.ZIP.BAT or subject.DOC.EXE). The CERT/CC has confirmed reports that the first extension may be .DOC, .XLS, or .ZIP. Anti-virus vendors have referred to additional extensions, including .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, and .PS. The second extension will be .EXE, .COM, .BAT, .PIF, or .LNK. The attached file contains both the malicious code and the contents of a file copied from an infected system.
When the attachment is opened, the copied file is extracted to both the %TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the affected system. The original file is then opened using the appropriate default viewer while the infection process continues in the background.
It is possible for the recipient to be tricked into opening this malicious attachment since the file will appear without the .EXE, .BAT, .COM, .LNK, or .PIF extensions if the "Hide file extensions for known file types" is enabled in Windows. See IN-2000-07 for additional information on the exploitation of hidden file extensions.
W32/Sircam includes its own SMTP client capabilities, which it uses to propagate via email. It determines its recipient list by recursively searching for email addresses contained in all *.wab (Windows Address Book) files in the %SYSTEM% folder. Additionally, it searches the folders referred to by
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
for files containing email addresses. All addresses found are stored in SC??.DLL or S??.DLL files hidden in the %SYSTEM% folder.
W32/Sircam first attempts to send messages using the default email settings for the current user. If the default settings are not present, it appears to use one of the following SMTP relays:
* prodigy.net.mx
* NetBIOS name for 'MAIL'
* mail.<defaultdomain> (e.g., mail.example.org)
* dobleclick.com.mx
* enlace.net
* goeke.net
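Detection logic for the email indicators the advisory describes above (and for the header/body sample earlier on this page): an added example, not part of the original page or of CERT's advisory, written in Python with the standard library only. The two messages it checks are constructed samples, and the names sircam_indicators, looks_like_sircam and build_sample are the example's own.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the advisory: CERT-confirmed (.DOC/.XLS/.ZIP) plus vendor-reported ones.
DOC_EXTS = {"doc", "xls", "zip", "gif", "jpg", "jpeg", "mpeg", "mov", "mpg", "pdf", "png", "ps"}
EXEC_EXTS = {"exe", "com", "bat", "pif", "lnk"}

# Fixed body lines from the advisory (compared case-insensitively after stripping).
GREETINGS = {"hi! how are you?", "hola como estas ?"}
CLOSINGS = {"see you later. thanks", "see you later! thanks", "nos vemos pronto, gracias."}
MIDDLE_LINES = {
    "i send you this file in order to have your advice",
    "i hope you like the file that i sendo you",
    "i hope you can help me with this file that i send",
    "this is the file with the information you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero te guste este archivo que te mando",
    "espero me puedas ayudar con el archivo que te mando",
    "este es el archivo con la informacion que me pediste",
}

def split_double_extension(filename):
    """Return (base, doc_ext, exec_ext) for names like report.DOC.EXE, else None."""
    parts = filename.rsplit(".", 2)
    if len(parts) == 3 and parts[1].lower() in DOC_EXTS and parts[2].lower() in EXEC_EXTS:
        return parts[0], parts[1].lower(), parts[2].lower()
    return None

def sircam_indicators(raw):
    """Return the advisory indicators matched by a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    subject = (msg["Subject"] or "").strip().lower()
    for part in msg.iter_attachments():
        split = split_double_extension(part.get_filename() or "")
        if split:
            found.append("double-extension attachment: " + part.get_filename())
            if split[0].lower() == subject:  # subject is the file name minus both extensions
                found.append("subject matches attachment base name")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        lines = [l.strip().lower() for l in body.get_content().splitlines() if l.strip()]
        if lines and lines[0] in GREETINGS and lines[-1] in CLOSINGS:
            found.append("fixed Sircam greeting and closing")
            if any(l in MIDDLE_LINES for l in lines[1:-1]):
                found.append("known Sircam middle line")
    return found

def looks_like_sircam(raw):
    """Flag when the double-extension attachment is joined by the subject or body pattern."""
    found = sircam_indicators(raw)
    return any(f.startswith("double-extension") for f in found) and len(found) >= 2

def build_sample(subject, body, attachment_name):
    """Construct a small test message; a constructed sample, not a captured Sircam mail."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.org", "you@example.org", subject
    m.set_content(body)
    m.add_attachment(b"CONSTRUCTED PLACEHOLDER BYTES", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()

SAMPLE_SIRCAM = build_sample("Budget2001", "Hi! How are you?\n\nI send you this file in "
                             "order to have your advice\n\nSee you later. Thanks\n",
                             "Budget2001.XLS.BAT")
SAMPLE_CLEAN = build_sample("Budget 2001", "Attached is the Q3 budget.\n", "Budget2001.xls")
```

A mail-server filter built on looks_like_sircam catches the worm regardless of which random subject it chose, which a subject-line blocklist alone cannot.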
Propagation Via Network Shares
In addition to email-based propagation, analysis by anti-virus vendors suggests that W32/Sircam can spread through unprotected network shares. Unlike the email propagation method, which requires a user to open an attachment to infect the machine, propagation of W32/Sircam via network shares requires no human intervention.
If W32/Sircam detects Windows networking shares with write access, it
1. copies itself to \\[share]\Recycled\SirC32.EXE
2. appends "@ win\Recycled\SirC32.exe" to AUTOEXEC.BAT
If the share contains a Windows folder, it also
3. copies \\[share]\Windows\rundll32.exe to \\[share]\Windows\run32.exe
4. copies itself to \\[share]\Windows\rundll32.exe
5. when virus is executed from rundll32.exe, it calls run32.exe
Infection process
1. When installed on a victim machine, W32/Sircam installs a copy of itself in two hidden files:
+ %SYSTEM%\SCam32.exe
+ Recycled\SirC32.exe
Installing in Recycled may hide it from anti-virus software since some do not check this folder by default.
Based on external analyses, there is also a probability that W32/Sircam will copy itself to the %SYSTEM% folder as ScMx32.exe. In that case, another copy is created in the folder referred to by HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup (the current user's personal startup folder). The copy created in that location is named Microsoft Internet Office.exe. When the affected user next logs in, this copy of W32/Sircam will be started automatically.
2. The registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32 is set to %SYSTEM%\SCam32.exe so that W32/Sircam will run automatically at system startup.
3. The registry entry HKEY_CLASSES_ROOT\exefile\shell\open\command is set to "C:\Recycled\SirC32.exe" "%1" %*", causing W32/Sircam to execute whenever another executable is run.
4. A new registry entry, HKEY_LOCAL_MACHINE\Software\SirCam, is created to store data required by W32/Sircam during execution.
5. W32/Sircam searches for filenames with .DOC, .XLS, .ZIP extensions in the folders referred to by
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
While the personal folder may vary with configuration, it is often set to \My Documents or \Windows\Profiles\%username%\Personal. A list of these files is stored in %SYSTEM%\scd.dll.
6. W32/Sircam attaches its own binary to selected files it finds and stores the combined file in the Recycled folder.
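A defender's audit of the persistence indicators in the infection process above, as an added example that is not part of the original page or of CERT's advisory. It runs over a constructed registry/file snapshot rather than a live host, and its exefile open-command check is written to catch any interposed program, not only Sircam's file name.

```python
# Registry locations named in the advisory (written as raw strings for the backslashes).
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"

# File names the advisory associates with the worm (SCam32.exe, SirC32.exe, ScMx32.exe,
# Microsoft Internet Office.exe, scd.dll, sircam.sys), compared case-insensitively.
SIRCAM_FILES = {"scam32.exe", "sirc32.exe", "scmx32.exe", "scd.dll", "sircam.sys",
                "microsoft internet office.exe"}

def exefile_hijack(command):
    """Return the program interposed before "%1" in an exefile open command, or None.

    The clean value is '"%1" %*'. Any command that runs something else first (Sircam uses
    C:\\Recycled\\SirC32.exe) gets control every time an .exe is launched, so the check is
    general rather than tied to one file name.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        first = cmd[1:cmd.find('"', 1)]
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
    return None if first == "%1" else first

def audit(registry, files):
    """registry: {key or value path: data (None for a bare key)}; files: iterable of paths."""
    findings = []
    hijack = exefile_hijack(registry.get(EXEFILE_CMD, '"%1" %*'))
    if hijack:
        findings.append("exefile open command hijacked by " + hijack)
    driver = registry.get(RUNSERVICES) or ""
    if driver.lower().endswith("scam32.exe"):
        findings.append("RunServices\\Driver32 launches " + driver)
    if SIRCAM_KEY in registry:
        findings.append("worm data key present: " + SIRCAM_KEY)
    for path in files:
        if path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SIRCAM_FILES:
            findings.append("worm file present: " + path)
    return findings

# Constructed snapshot of an infected host, following the advisory's description;
# on a real Windows machine the same dictionary would be filled from winreg and os.
INFECTED_REGISTRY = {
    EXEFILE_CMD: '"C:\\Recycled\\SirC32.exe" "%1" %*',
    RUNSERVICES: r"C:\WINDOWS\SYSTEM\SCam32.exe",
    SIRCAM_KEY: None,
}
INFECTED_FILES = [r"C:\WINDOWS\SYSTEM\SCam32.exe", r"C:\Recycled\SirC32.exe",
                  r"C:\WINDOWS\SYSTEM\scd.dll", r"C:\My Documents\report.doc"]
CLEAN_REGISTRY = {EXEFILE_CMD: '"%1" %*'}
CLEAN_FILES = [r"C:\WINDOWS\SYSTEM\rundll32.exe", r"C:\My Documents\report.doc"]
```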
II. Impact
W32/Sircam can have a direct impact on both the computer which was infected as well as those with which it communicates over email.
* Breaches of confidentiality: The malicious code will at a minimum search through select folders and mail potentially sensitive files. This form of attack is extremely serious since it is one from which it is impossible to recover. Once a file has been publicly distributed, any potentially sensitive information in it cannot be retracted.
* Limit Availability (Denial of Service)
+ Fill entire hard drive: Based on external analyses, on any given day, there is a probability that it will create a file named C:\Recycled\sircam.sys which consumes all free space on the C: drive. A full disk will prevent users from saving files to that drive, and in certain configurations impede system-level tasks (e.g., swapping, printing).
+ Propagation via mass emailing: W32/Sircam will attempt to propagate by sending itself through email to addresses obtained as described above. This propagation can lead to congestion in mail servers that may prevent them from functioning as expected.
NOTE: Since W32/Sircam uses native SMTP routines connecting to pre-defined mail servers, propagation is independent of the mail client software used.
* Loss of Integrity: Published reports indicate that on October 16 there is a reasonable probability that W32/Sircam will attempt to recursively delete all files from the drive on which Windows is installed (typically C:).
III. Solution
Run and Maintain an Anti-Virus Product
It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
Exercise Caution When Opening Attachments
Exercise caution when receiving email with attachments. Users should never open attachments from an untrusted origin, or ones that appear suspicious in any way. Finally, cryptographic checksums should also be used to validate the integrity of the file.
The effects of this class of malicious code are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. The best advice with regard to malicious files is to avoid executing them in the first place. The following tech tip offers suggestions as to how to avoid them:
Protecting yourself from Email-borne Viruses and Other Malicious Code During Y2K and Beyond
Filter the Email or use a Firewall
Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments.
Likewise, a firewall or border router can be used to stop the W32/Sircam outbound SMTP connections to mail servers outside of the local network. This filtering strategy will prevent further propagation of the worm from a particular host when the local mail configuration is not used.
Appendix A. - Vendor Information
Aladdin Knowledge Systems
http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10068
Central Command, Inc.
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010
Command Software Systems
http://www.commandsoftware.com/virus/sircam.html
Computer Associates
http://www.cai.com/virusinfo/encyclopedia/descriptions/s/sircam137216.htm
Data Fellows Corp
http://www.datafellows.com/v-descs/sircam.shtml
McAfee
http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
Norman Data Defense Systems
http://www.norman.com/virus_info/w32_sircam.shtml
Panda Software
http://www.pandasoftware.es/vernoticia.asp?noticia=987
Proland Software
http://www.pspl.com/virus_info/worms/sircam.htm
Sophos
http://www.sophos.com/virusinfo/analyses/w32sircama.html
Symantec
http://www.symantec.com/avcenter/venc/data/[email protected]
tml
Trend Micro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
You may wish to visit the CERT/CC's Computer Virus Resources Page located at:
http://www.cert.org/other_sources/viruses.html
______________________________________________________________________
Authors: Roman Danyliw, Chad Dougherty, Allen Householder
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2001-22.html
______________________________________________________________________
CERT/CC Contact Information
Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send email to [email protected]. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Revision History
July 25, 2001: Initial release
Do you have a firewall? You need one.
Check out our old The Internet and You (TIY)
Code Red running on NT or Windows 2000 with IIS
MESSAGE COPIED from email from SANS and CERT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SANS Security Alert. Code Red Is Set to Come Storming Back!
SANS, Microsoft, the NIPC, CERT/CC and four other leading security
organizations released the following alert today (Sunday, January 29)
at 4 pm. EDT.
A Very Real and Present Threat to the Internet: July 31 Deadline
For Action
Summary: The Code Red Worm and mutations of the worm pose a continued
and serious threat to Internet users. Immediate action is required
to combat this threat. Users who have deployed software that is
vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must
install, if they have not done so already, a vital security patch.
How Big Is The Problem? On July 19, the Code Red worm infected more
than 250,000 systems in just 9 hours. The worm scans the Internet,
identifies vulnerable systems, and infects these systems by installing
itself. Each newly installed worm joins all the others causing
the rate of scanning to grow rapidly. This uncontrolled growth in
scanning directly decreases the speed of the Internet and can cause
sporadic but widespread outages among all types of systems. Code Red
is likely to start spreading again on July 31st, 2001 8:00 PM EDT and
has mutated so that it may be even more dangerous. This spread has
the potential to disrupt business and personal use of the Internet
for applications such as electronic commerce, email and entertainment.
Who Must Act? Every organization or person who has Windows NT or
Windows 2000 systems AND the IIS web server software may be vulnerable.
IIS is installed automatically for many applications. If you are not
certain, follow the instructions attached to determine whether you
are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98,
or Windows Me, there is no action that you need to take in response
to this alert.
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection: Install Microsoft's
patch for the Code Red vulnerability problem:
Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Step-by-step instructions for these actions are posted at
www.digitalisland.net/codered
Microsoft's description of the patch and its installation, and the
vulnerability it addresses is posted at:
http://www.microsoft.com/technet/treeview/default.asp?url=
/technet/security/bulletin/MS01-033.asp
Because of the importance of this threat, this alert is being made
jointly by:
Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance