================================================
Subject: Re: Another one for Win2K and NT users
From: "Creed - 7M3 - Live"
To:
Date: Wed 8 Aug 2001 18:30:47 -0400
================================================

The greatest thing about it is that there are quickly developed patches for ones like denial of service or memory overflow attacks. If there are certain protocols that are at danger, they will let you know. The FTP protocol was at danger and recommendations of not allowing FTP access to your machine were suggested. I believe that the last patch to their kernel cleared up the vulnerability.

If you have a CD burner and a quick connection, you can get the ISO images for free. There are several sites that you can get images from. I like the ability to use either one at will.

Later,
Jim

]\\[][G}{T§TÖ®]v[ wrote:

> Geez... makes me glad that I'm too damn stubborn to bother upgrading my
> version of Windows... thinking my next upgrade is going to be to a dual-boot
> system running Linux. Hardly ever see a virus warning for that OS.
> -NightStorm
>
> TAKEN FROM
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_POTOK.A
>
> VBS_POTOK.A
>
> Risk rating: L
> Virus type: VBScript
> Destructive: Y
> Aliases: VBS_STREAM.A, New Generation of Drivers
>
> Description:
> This destructive mass-mailing worm affects Windows 2000 and Windows NT users
> only. It propagates via Microsoft Outlook by emailing a copy of itself to
> the first 50 addresses listed in an infected user's address book. It arrives
> in an email with the subject line: "New Generation of drivers" and the
> attachment DRIVER.DOC.VBS. It may also create a new account with
> Administrator privileges on your system, therefore compromising network
> security.
>
> Solution:
> Scan your system with Trend Micro antivirus and delete all files detected as
> VBS_POTOK.A. To do this Trend Micro customers must download the latest
> pattern file (http://www.antivirus.com/download/pattern.asp) and scan their
> system. Other email users may use HouseCall
> (http://housecall.antivirus.com/), Trend Micro's free online virus scanner.
>
> Technical Details
> In the wild: Yes
> Trigger condition 1: Upon execution
> Payload 1: Others (drops files, sends emails, compromises network security)
> Detected by pattern file#: 920
> Detected by scan engine#: 5.170
> Language: English
> Platform: Windows
> Encrypted: No
> Size of virus: 9,262 Bytes
>
> Details:
> Upon execution, the worm first creates a copy of itself as DRIVER.DOC.VBS in
> the Windows directory. It then checks whether the user is running Windows NT
> or Windows 2000. If not, it quits.
>
> If the user is running Windows NT or Windows 2000, the worm adds four
> streams or virus codes to the ODBC.INI file:
>
> mail
> mail
> user
> group
>
> Then it drops the file GO.VBS in the Windows System32 directory and waits 10
> seconds before executing GO.VBS.
>
> GO.VBS creates the file NOTEPAD.VBS inside the Windows System32\RAS folder.
> NOTEPAD.VBS is created from pieces of virus codes placed earlier in
> ODBC.INI. It then waits 10 seconds before executing NOTEPAD.VBS.
>
> NOTEPAD.VBS uses Microsoft Outlook to send copies of itself to the first 50
> addresses in the infected user's address book. The email contains the
> following:
>
> Subject: New Generation of drivers.
> Body: Microsoft has published new driver for all types Video Cards,
> compatible with Windows 95/98/NT/2000/XP. You can read about it in
> attachment document. Best wishes Microsoft.
> Attachment: DRIVER.DOC.VBS
>
> The worm then checks whether the user is running Windows NT or 2000. If so,
> it attempts to create a new user account. The Login Name of this new user
> account is "Lord_Nikon" and "password" as the password. If successful, it
> attempts to add the account "Lord_Nikon" to the list of Administrators. This
> will be successful if the current user is using an Administrator account.
>
> The following text is found in the virus body:
>
> 'Lord Nikon
>
> To unsubscribe or change your preferences for the Creed-Discuss list, visit:
> http://www.winduplist.com/ls/discuss/form.asp

--
Old age is always fifteen years older than I am. -- B. Baruch
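The Trend Micro write-up quoted above lists the worm's host artefacts: the dropped .VBS files, the extra named streams on ODBC.INI, and the Lord_Nikon account. The script below is an added example for checking a machine for those indicators; it is not from the list post or from Trend Micro. It assumes a modern Windows PowerShell (5.1 or later, for Get-Item -Stream and the LocalAccounts cmdlets, which did not exist on NT/2000) and assumes ODBC.INI lives in the Windows directory, which the write-up does not state.

```powershell
# Added example: look for the VBS_POTOK.A indicators described in the
# quoted write-up. Read-only; run from an elevated prompt so the
# System32 paths and the local group membership can be read.
$findings = @()

# 1. Files the worm drops (paths relative to the Windows directory).
$droppedFiles = @(
    (Join-Path $env:SystemRoot 'DRIVER.DOC.VBS'),
    (Join-Path $env:SystemRoot 'System32\GO.VBS'),
    (Join-Path $env:SystemRoot 'System32\RAS\NOTEPAD.VBS')
)
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 2. Named alternate data streams on ODBC.INI. The write-up names the
#    streams mail, user and group; ':$DATA' is the normal main stream.
#    Location of ODBC.INI is an assumption (Windows directory).
$odbcIni = Join-Path $env:SystemRoot 'ODBC.INI'
if (Test-Path -LiteralPath $odbcIni) {
    $streams = Get-Item -LiteralPath $odbcIni -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        $flag = if ($s.Stream -in @('mail', 'user', 'group')) { 'MATCHES WRITE-UP' } else { 'unexpected' }
        $findings += "Named stream on ODBC.INI: $($s.Stream) ($($s.Length) bytes) - $flag"
    }
}

# 3. The backdoor account and whether it made it into Administrators.
$user = Get-LocalUser -Name 'Lord_Nikon' -ErrorAction SilentlyContinue
if ($user) {
    $findings += "Local account Lord_Nikon exists (enabled: $($user.Enabled))"
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -match '\\Lord_Nikon$' }) {
        $findings += 'Lord_Nikon is a member of the local Administrators group'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No VBS_POTOK.A indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Anything reported should be followed by a scan with a current pattern file, as the write-up recommends, rather than by deleting files by hand; a named stream on ODBC.INI that is not one of the three listed names is still worth a look.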