================================================
Subject: Re: DEADLY VIRUS JUST BEEN DISCOVERED ( NOT A HOAX!!! )
From: "creed -7m3 - live"
To:
Date: Mon 24 Sep 2001 19:08:03 -0400
================================================

Thanks Scott,

With the list activity and knowing of two other people that were infected by viruses it sounds like a great time to be cautious.

Jim

--------------------

On Mon, 2001-09-24 at 18:24, ]\[][G}{T§TÖ®]v[ wrote:
> You all think that NIMDA is bad... this one will quite literally wipe your
> computer clean the next time you reboot... BE ON GUARD!!! Basically, if
> someone sends you a mail with the subject line " Fwd: Peace BeTween AmeriCa
> And IsLam ! " and/or contains the attachment WTC.exe, consider that person
> starting from scratch (e-mail or phone them if you can and tell them they
> have a deadly virus, and MUST NOT reboot)... but do NOT open the e-mail
> yourself.
> -NightStorm
>
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VOTE.A
>
> TROJ_VOTE.A
> Risk rating: Medium
> Virus type: Trojan
> Destructive: Yes
>
> Aliases:
> W32.Vote.a@mm
>
> Description:
> TROJ_VOTE.A is currently spreading in-the-wild. This destructive,
> mass-mailing Trojan was created using Visual Basic 5. It propagates via
> Microsoft Outlook by sending emails to all addresses listed in an infected
> user's address book. It arrives in an email with the following:
>
> Subject: Fwd: Peace BeTween AmeriCa And IsLam !
>
> Message Body: Hi! iS iT A waR Against AmeriCa Or IsLam! Let's Vote To Live
> in Peace!
>
> Attachment: WTC.EXE
>
> TROJ_VOTE.A deletes certain antivirus products installed in a system, drops
> the files WTC.exe, MixDaLaL.vbs, and Zacker.vbs. It also modifies the
> infected user's Internet Explorer startup page, and formats the infected
> user's drive c:\.
>
> It parses drives and directories in search of HTM and HTML files and
> overwrites them with the following string:
> AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>>
> ZaCkEr is So Sorry For You.
>
> This program requires that the Visual Basic Runtime Library MSVBVM50.DLL is
> installed in order to execute.
>
> Solution:
> Run REGEDIT.EXE and delete the registry subkey "Norton.Thar" in the registry
> path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Using NOTEPAD or any text editor, please remove the instruction "echo Y |
> format C".
> Using Windows Find utility, please search for *.htm and *.html files which
> the Trojan may have overwritten. Delete all files found of 100 Bytes (or 1KB
> as it is displayed).
> Scan your system with Trend Micro antivirus and delete all files detected as
> TROJ_VOTE.A. To do this Trend Micro customers must download the latest
> pattern file and scan their system. Other email users may use HouseCall,
> Trend Micro's free online virus scanner.
>
> TECHNICAL DETAILS:
> Related to: VBS_VOTE.A
> In the wild: Yes
> Payload 1: Others (sends emails via Microsoft Outlook)
> Trigger condition 1: upon execution
> Payload 2: Others (modifies Internet Explorer startup page)
> Trigger condition 2: upon execution
> Payload 3: Formats Hard Disk (deletes contents of infected user's drive c:\,
> restarts system)
> Trigger condition 3: Upon next system startup
> Payload 4: Displays Message
> Trigger condition 4: upon next system startup
> Payload 5: Modifies Files (overwrites HTM & HTML files, deletes AV
> directories)
> Trigger condition 5: Upon execution
> Discovered: 14 hours 57 minutes ago
> (September 24, 2001 12:00:00 AM GMT -0800)
> Detected by pattern file#: 945
> Detected by scan engine#: 5.200
> Language: English
> Platform: Windows
> Encrypted: No
> Size of virus: 55,808 Bytes
>
> Details:
>
> Upon execution, this worm opens the following sites:
> http://us.f1..com/users/da36d538/bc/TimeUpdate.exe?bcaVq97ATaW0yAxk
> http://love135.cjb.net/
> http://.cjb.net/
>
> The first site seems to contain an executable that the worm attempts to
> download and execute. This may be a virus or another Trojan.
>
> It drops the following files:
> C:\WTC.exe
> C:\MixDaLaL.vbs
> C:\Zacker.vbs
>
> Trend Micro detects both files, Zacker.vbs and MixDaLaL.vbs, as VBS_VOTE.A.
>
> It deletes the contents of the following directories used by antivirus
> products:
> C:\Program Files\Antiviral Toolkit Pro
> C:\eSafe\Protect
> C:\Program Files\Command Software\F-PROT95
> C:\PC-Cillin 95
> C:\PC-Cillin 97
> C:\Program Files\Quick Heal
> C:\Program Files\FWIN32
> C:\Program Files\Find Virus
> C:\Toolkit\FindVirus
> C:\f-macro
> C:\Program Files\McAfee\VirusScan95
> C:\TBAVW95
> C:\VS95
>
> It then modifies the infected user's Internet Explorer startup page using
> the registry keys below:
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
> Start Page=http://us.f1.yahoofs.com/users/da36d538/bc/TimeUpdate.exe?bcaVq97ATaW0yAxk
>
> It then executes the dropped file MixDaLaL.vbs. This script parses drives and
> directories in search of HTM and HTML files, and overwrites them with the
> following string:
> AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>>
> ZaCkEr is So Sorry For You .
>
> It also sets the attributes of the files found, to either system or hidden.
> It creates an auto start registry key below for the dropped file Zacker.vbs
> so that it executes at every subsequent Windows reboot:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Norton.Thar="C:\WINDOWS\SYSTEM\ZaCker.vbs"
>
> It propagates via Microsoft Outlook by sending emails to all users listed in
> the infected user's address book. The email arrives with the attachment
> "WTC.EXE". Upon next reboot, the dropped file Zacker.vbs is executed. It
> appends an instruction to autoexec.bat to format drive C:\. It then deletes
> every file it finds in the Windows directory.
>
> It displays a message box with the following:
> I promiss We WiLL Rule The World Again...By The Way,You Are Captured By
> ZaCker !!!"
> and reboots the machine. Since the autoexec.bat has been modified, drive C:\
> will be formatted on the next reboot.
>
> To unsubscribe or change your preferences for the Creed-Discuss list, visit:
> http://www.winduplist.com/ls/discuss/form.asp

-- 
Good government never depends upon laws, but upon the personal qualities of those who govern. The machinery of government is always subordinate to the will of those who administer that machinery. The most important element of government, therefore, is the method of choosing leaders.
-- Frank Herbert, "Children of Dune"
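As an added illustration (not part of Jim's or NightStorm's posts, and not Trend Micro's code), the Python script below turns the three manual clean-up steps in the quoted "Solution" into offline checks: it parses a regedit export of the Run key for the `Norton.Thar` value, strips the `echo Y | format C` line from autoexec.bat, and walks a directory for .htm/.html files overwritten with the defacement string. The indicators come from the quoted write-up; the .reg export, the autoexec.bat content and the temporary web root are constructed sample inputs so the script runs on any machine.

```python
"""Offline triage for the TROJ_VOTE.A clean-up steps quoted in the post.

Added example, not from the mailing-list thread or Trend Micro. Indicators
(Run value name, dropped script, format line, defacement string) are taken
from the quoted write-up; all sample inputs are constructed for the demo.
"""
import os
import re
import tempfile

# Indicators quoted in the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Norton.Thar"
DROPPED_SCRIPT = "ZaCker.vbs"
DEFACEMENT_MARKER = "ZaCkEr is So Sorry For You"
# "echo Y | format C", tolerating case and spacing differences.
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c\b", re.IGNORECASE)

# Constructed sample: a regedit (.reg) export of the Run key on an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Norton.Thar"="C:\\WINDOWS\\SYSTEM\\ZaCker.vbs"
"""

# Constructed sample: autoexec.bat after Zacker.vbs appended its line.
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\necho Y | format C\r\n"


def parse_run_values(reg_export):
    """Return {value_name: data} for the Run key in a regedit (.reg) export."""
    values = {}
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if in_run_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files double every backslash; undo that for comparison.
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def suspicious_run_values(reg_export):
    """Run values matching the persistence entry the write-up describes."""
    hits = {}
    for name, data in parse_run_values(reg_export).items():
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith(DROPPED_SCRIPT.lower()):
            hits[name] = data
    return hits


def clean_autoexec(text):
    """Return (cleaned_text, removed_lines) with any 'echo Y | format C' line removed."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        (removed if FORMAT_LINE.match(line) else kept).append(line)
    return "".join(kept), removed


def find_defaced_html(root):
    """Walk root and return .htm/.html files whose content carries the defacement marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4096)
            except OSError:
                continue
            if DEFACEMENT_MARKER.encode() in data:
                hits.append(path)
    return sorted(hits)


def demo():
    """Build a constructed web root, run all three checks and return a summary."""
    with tempfile.TemporaryDirectory() as root:
        # The full string plus CRLF is 100 bytes, which is why the write-up's
        # "delete all files found of 100 Bytes" heuristic works.
        marker = ("AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> "
                  "ZaCkEr is So Sorry For You.\r\n")
        os.makedirs(os.path.join(root, "site"))
        with open(os.path.join(root, "site", "index.htm"), "w", newline="") as fh:
            fh.write(marker)  # constructed: overwritten page
        with open(os.path.join(root, "site", "about.html"), "w") as fh:
            fh.write("<html><body>Hello</body></html>\n")  # constructed: intact page
        defaced = [os.path.basename(p) for p in find_defaced_html(root)]
    cleaned, removed = clean_autoexec(SAMPLE_AUTOEXEC)
    return {
        "run_values": suspicious_run_values(SAMPLE_REG_EXPORT),
        "autoexec_removed": [l.strip() for l in removed],
        "autoexec_clean": "format" not in cleaned.lower(),
        "defaced_html": defaced,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The checks only report and rewrite in memory; on a real host the operator would export the Run key with regedit, feed the exported text to `suspicious_run_values`, and write `clean_autoexec`'s first return value back only after reviewing the removed lines, which mirrors the order of the quoted manual steps.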