================================================
Subject: Re: Another one for Win2K and NT users
From: "Kevin L. Brown"
To:
Date: Wed 8 Aug 2001 15:59:17 -0700
================================================

The "patch" for these is to not open attachments you don't know. Or upgrade to Outlook 2002 in Office XP as it won't let you open an attachment with a VBS extension.

----- Original Message -----
From: "Creed - 7M3 - Live"
To:
Sent: Wednesday, August 08, 2001 3:30 PM
Subject: Re: Another one for Win2K and NT users

> The greatest thing about it is that there are quickly developed patches
> for ones like denial of service or memory overflow attacks.
>
> If there are certain protocols that are at danger. They will let you
> know. The FTP protocol was at danger and recommendations of not allowing
> FTP access to your machine was suggested. I believe that the last patch
> to their kernel cleared up the vulnerability.
>
> If you have a CD burner and a quick connection. You can get the ISO
> images for free. There are several sites that you can get images from.
>
> I like the ability to use either one at will.
>
> Later,
>
> Jim
>
>
> ]\\[][G}{T§TÖ®]v[ wrote:
>
> > Geez... makes me glad that I'm too damn stubborn to bother upgrading my
> > version of Windows... thinking my next upgrade is going to be to a dual-boot
> > system running Linux. Hardly ever see a virus warning for that OS.
> > -NightStorm
> >
> > TAKEN FROM
> > http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_POTOK.A
> > VBS_POTOK.A
> >
> > Risk rating: L
> > Virus type: VBScript
> > Destructive: Y
> > Aliases: VBS_STREAM.A, New Generation of Drivers
> >
> > Description:
> > This destructive mass-mailing worm affects Windows 2000 and Windows NT users
> > only. It propagates via Microsoft Outlook by emailing a copy of itself to
> > the first 50 addresses listed in an infected user's address book.
> > It arrives in an email with the subject line: "New Generation of drivers" and the
> > attachment DRIVER.DOC.VBS. It may also create a new account with
> > Administrator privileges on your system, therefore compromising network
> > security.
> >
> > Solution:
> > Scan your system with Trend Micro antivirus and delete all files detected as
> > VBS_POTOK.A. To do this Trend Micro customers must download the latest
> > pattern file (http://www.antivirus.com/download/pattern.asp) and scan their
> > system. Other email users may use HouseCall
> > (http://housecall.antivirus.com/), Trend Micro's free online virus scanner.
> >
> > Technical Details
> > In the wild: Yes
> > Trigger condition 1: Upon execution
> > Payload 1: Others (drops files, sends emails, compromises network security)
> > Detected by pattern file#: 920
> > Detected by scan engine#: 5.170
> > Language: English
> > Platform: Windows
> > Encrypted: No
> > Size of virus: 9,262 Bytes
> >
> > Details:
> > Upon execution, the worm first creates a copy of itself as DRIVER.DOC.VBS in
> > the Windows directory. It then checks whether the user is running Windows NT
> > or Windows 2000. If not, it quits.
> > If the user is running Windows NT or Windows 2000, the worm adds four
> > streams or virus codes to the ODBC.INI file:
> >
> > mail
> > mail
> > user
> > group
> >
> > Then it drops the file GO.VBS in the Windows System32 directory and waits 10
> > seconds before executing GO.VBS.
> > GO.VBS creates the file NOTEPAD.VBS inside the Windows System32\RAS folder.
> > NOTEPAD.VBS is created from pieces of virus codes placed earlier in
> > ODBC.INI. It then waits 10 seconds before executing NOTEPAD.VBS.
> > NOTEPAD.VBS uses Microsoft Outlook to send copies of itself to the first 50
> > addresses in the infected user's address book. The email contains the
> > following:
> >
> > Subject: New Generation of drivers.
> > Body: Microsoft has published new driver for all types Video Cards,
> > compatible with Windows 95/98/NT/2000/XP. You can read about it in
> > attachment document. Best wishes Microsoft.
> > Attachment: DRIVER.DOC.VBS
> >
> > The worm then checks whether the user is running Windows NT or 2000. If so,
> > it attempts to create a new user account. The Login Name of this new user
> > account is "Lord_Nikon" and "password" as the password. If successful, it
> > attempts to add the account "Lord_Nikon" to the list of Administrators. This
> > will be successful if the current user is using an Administrator account.
> > The following text is found in the virus body:
> >
> > 'Lord Nikon
> >
> > To unsubscribe or change your preferences for the Creed-Discuss list, visit:
> > http://www.winduplist.com/ls/discuss/form.asp
> >
>
> --
> Old age is always fifteen years older than I am.
> -- B. Baruch
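
The attachment name in the quoted advisory (DRIVER.DOC.VBS, a script extension behind a document extension) and the VBS blocking mentioned in the reply can be checked for when mail is filtered. The following is an added example, not part of the original thread; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
"""Flag e-mail attachments whose script extension hides behind a decoy one."""
from email.message import EmailMessage

# Assumed lists for illustration; extend them to match local policy.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta"}
DECOY_EXTS = {"doc", "txt", "jpg", "gif", "xls", "pdf"}


def classify_attachment(filename):
    """Return 'double-extension', 'script' or 'ok' for one filename."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "script"


def scan_message(msg):
    """Return [(filename, verdict)] for every risky attachment in msg."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        verdict = classify_attachment(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def build_sample():
    """Constructed message using the subject and attachment name quoted above."""
    msg = EmailMessage()
    msg["Subject"] = "New Generation of drivers"
    msg.set_content("You can read about it in attachment document.")
    msg.add_attachment(b"' placeholder bytes, not worm code",
                       maintype="application", subtype="octet-stream",
                       filename="DRIVER.DOC.VBS")
    msg.add_attachment("notes", filename="readme.txt")
    return msg


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```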