================================================
Subject: Another one for Win2K and NT users
From: "]\\[][G}{T§TÖ®]v["
To:
Date: Tue 7 Aug 2001 13:03:42 -0400
================================================

Geez... makes me glad that I'm too damn stubborn to bother upgrading my version of Windows... thinking my next upgrade is going to be to a dual-boot system running Linux. Hardly ever see a virus warning for that OS.

-NightStorm

TAKEN FROM
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_POTOK.A

VBS_POTOK.A

Risk rating: L
Virus type: VBScript
Destructive: Y
Aliases: VBS_STREAM.A, New Generation of Drivers

Description:

This destructive mass-mailing worm affects Windows 2000 and Windows NT users only. It propagates via Microsoft Outlook by emailing a copy of itself to the first 50 addresses listed in an infected user's address book. It arrives in an email with the subject line: "New Generation of drivers" and the attachment DRIVER.DOC.VBS. It may also create a new account with Administrator privileges on your system, therefore compromising network security.

Solution:

Scan your system with Trend Micro antivirus and delete all files detected as VBS_POTOK.A. To do this Trend Micro customers must download the latest pattern file (http://www.antivirus.com/download/pattern.asp) and scan their system. Other email users may use HouseCall (http://housecall.antivirus.com/), Trend Micro's free online virus scanner.

Technical Details

In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Others (drops files, sends emails, compromises network security)
Detected by pattern file#: 920
Detected by scan engine#: 5.170
Language: English
Platform: Windows
Encrypted: No
Size of virus: 9,262 Bytes

Details:

Upon execution, the worm first creates a copy of itself as DRIVER.DOC.VBS in the Windows directory. It then checks whether the user is running Windows NT or Windows 2000. If not, it quits.
If the user is running Windows NT or Windows 2000, the worm adds four streams or virus codes to the ODBC.INI file:

    mail
    mail
    user
    group

Then it drops the file GO.VBS in the Windows System32 directory and waits 10 seconds before executing GO.VBS.

GO.VBS creates the file NOTEPAD.VBS inside the Windows System32\RAS folder. NOTEPAD.VBS is created from pieces of virus codes placed earlier in ODBC.INI. It then waits 10 seconds before executing NOTEPAD.VBS.

NOTEPAD.VBS uses Microsoft Outlook to send copies of itself to the first 50 addresses in the infected user's address book. The email contains the following:

Subject: New Generation of drivers.
Body: Microsoft has published new driver for all types Video Cards, compatible with Windows 95/98/NT/2000/XP. You can read about it in attachment document. Best wishes Microsoft.
Attachment: DRIVER.DOC.VBS

The worm then checks whether the user is running Windows NT or 2000. If so, it attempts to create a new user account. The Login Name of this new user account is "Lord_Nikon", with "password" as the password. If successful, it attempts to add the account "Lord_Nikon" to the list of Administrators. This will be successful if the current user is using an Administrator account.

The following text is found in the virus body:

'Lord Nikon
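
A mail-gateway style check for the e-mail indicators named in the advisory above (subject line and DRIVER.DOC.VBS attachment), as an added example that is not part of the original post or of Trend Micro's advisory. It also generalises to other decoy-document-plus-script double extensions; the extension lists, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators stated in the advisory (compared case-insensitively).
POTOK_SUBJECT = "new generation of drivers"
POTOK_ATTACHMENT = "driver.doc.vbs"
# Assumed lists for the generalised double-extension rule.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
DECOY_EXTS = {"doc", "txt", "xls", "pdf", "jpg"}


def check_message(msg):
    """Return a list of findings for one parsed message (empty if clean)."""
    findings = []
    # The advisory prints the subject both with and without a trailing period.
    subject = (msg.get("Subject") or "").strip().rstrip(".").lower()
    if subject == POTOK_SUBJECT:
        findings.append("subject matches VBS_POTOK.A")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name == POTOK_ATTACHMENT:
            findings.append("attachment name matches VBS_POTOK.A")
        pieces = name.rsplit(".", 2)
        if len(pieces) == 3 and pieces[2] in SCRIPT_EXTS and pieces[1] in DECOY_EXTS:
            findings.append("double extension hides script: " + name)
    return findings


def build_sample(subject, filename):
    """Build a constructed message and round-trip it through the parser."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg.set_content("constructed body text")
    msg.add_attachment(b"constructed placeholder bytes\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    for subj, fname in [("New Generation of drivers.", "DRIVER.DOC.VBS"),
                        ("Meeting notes", "notes.doc")]:
        print(fname, "->", check_message(build_sample(subj, fname)))
```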