================================================
Subject: DEADLY VIRUS JUST BEEN DISCOVERED ( NOT A HOAX!!! )
From: "]\\[][G}{T§TÖ®]v["
To:
Date: Mon 24 Sep 2001 18:24:46 -0400
================================================

You all think that NIMDA is bad... this one will quite literally wipe your computer clean the next time you reboot... BE ON GUARD!!!

Basically, if someone sends you a mail with the subject line "Fwd: Peace BeTween AmeriCa And IsLam !" and/or contains the attachment WTC.exe, consider that person starting from scratch (e-mail or phone them if you can and tell them they have a deadly virus, and MUST NOT reboot)... but do NOT open the e-mail yourself.

-NightStorm

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VOTE.A

TROJ_VOTE.A
Risk rating: Medium
Virus type: Trojan
Destructive: Yes
Aliases: W32.Vote.a@mm

Description:
TROJ_VOTE.A is currently spreading in-the-wild. This destructive, mass-mailing Trojan was created using Visual Basic 5. It propagates via Microsoft Outlook by sending emails to all addresses listed in an infected user's address book. It arrives in an email with the following:

Subject: Fwd: Peace BeTween AmeriCa And IsLam !
Message Body: Hi! iS iT A waR Against AmeriCa Or IsLam! Let's Vote To Live in Peace!
Attachment: WTC.EXE

TROJ_VOTE.A deletes certain antivirus products installed in a system, and drops the files WTC.exe, MixDaLaL.vbs, and Zacker.vbs. It also modifies the infected user's Internet Explorer startup page, and formats the infected user's drive C:\. It parses drives and directories in search of HTM and HTML files and overwrites them with the following string:

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You.

This program requires that the Visual Basic Runtime Library MSVBVM50.DLL is installed in order to execute.
Solution:
1. Run REGEDIT.EXE and delete the registry subkey "Norton.Thar" in the registry path:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
2. Using NOTEPAD or any text editor, remove the instruction "echo Y | format C" from autoexec.bat.
3. Using the Windows Find utility, search for *.htm and *.html files which the Trojan may have overwritten. Delete all files found of 100 Bytes (or 1KB, as it is displayed).
4. Scan your system with Trend Micro antivirus and delete all files detected as TROJ_VOTE.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.

TECHNICAL DETAILS:
Related to: VBS_VOTE.A
In the wild: Yes
Payload 1: Others (sends emails via Microsoft Outlook)
Trigger condition 1: upon execution
Payload 2: Others (modifies Internet Explorer startup page)
Trigger condition 2: upon execution
Payload 3: Formats Hard Disk (deletes contents of infected user's drive C:\, restarts system)
Trigger condition 3: upon next system startup
Payload 4: Displays Message
Trigger condition 4: upon next system startup
Payload 5: Modifies Files (overwrites HTM & HTML files, deletes AV directories)
Trigger condition 5: upon execution
Discovered: September 24, 2001 12:00:00 AM GMT -0800
Detected by pattern file #: 945
Detected by scan engine #: 5.200
Language: English
Platform: Windows
Encrypted: No
Size of virus: 55,808 Bytes

Details:
Upon execution, this worm opens the following sites:

http://us.f1..com/users/da36d538/bc/TimeUpdate.exe?bcaVq97ATaW0yAxk
http://love135.cjb.net/
http://.cjb.net/

The first site seems to contain an executable that the worm attempts to download and execute. This may be a virus or another Trojan.

It drops the following files:

C:\WTC.exe
C:\MixDaLaL.vbs
C:\Zacker.vbs

Trend Micro detects both files, Zacker.vbs and MixDaLaL.vbs, as VBS_VOTE.A.
It deletes the contents of the following directories used by antivirus products:

C:\Program Files\Antiviral Toolkit Pro
C:\eSafe\Protect
C:\Program Files\Command Software\F-PROT95
C:\PC-Cillin 95
C:\PC-Cillin 97
C:\Program Files\Quick Heal
C:\Program Files\FWIN32
C:\Program Files\Find Virus
C:\Toolkit\FindVirus
C:\f-macro
C:\Program Files\McAfee\VirusScan95
C:\TBAVW95
C:\VS95

It then modifies the infected user's Internet Explorer start up page using the registry key below:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page=http://us.f1.yahoofs.com/users/da36d538/bc/TimeUpdate.exe?bcaVq97ATaW0yAxk

It then executes the dropped file MixDaLaL.vbs. This script parses drives and directories in search of HTM and HTML files, and overwrites them with the following string:

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You .

It also sets the attributes of the files found to either system or hidden.

It creates the auto start registry key below for the dropped file Zacker.vbs so that it executes at every subsequent Windows reboot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Norton.Thar="C:\WINDOWS\SYSTEM\ZaCker.vbs"

It propagates via Microsoft Outlook by sending emails to all users listed in the infected user's address book. The email arrives with the attachment "WTC.EXE".

Upon next reboot, the dropped file Zacker.vbs is executed. It appends an instruction to autoexec.bat to format drive C:\. It then deletes every file it finds in the Windows directory. It displays a message box with the following:

I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!"

and reboots the machine. Since the autoexec.bat has been modified, drive C:\ will be formatted on the next reboot.

To unsubscribe or change your preferences for the Creed-Discuss list, visit: http://www.winduplist.com/ls/discuss/form.asp
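Two of the cleanup steps from the Solution section (locating HTM/HTML files overwritten with the defacement string, and stripping the appended "echo Y | format C" line from autoexec.bat) as an added Python example; this is not part of the original post or of Trend Micro's write-up, and the directory tree it scans is constructed in the demo. The registry-key removal is left out because it only runs on Windows; matching on file content rather than the 100-byte size alone avoids deleting legitimately small pages.

```python
import os
import tempfile

# Defacement string TROJ_VOTE.A's MixDaLaL.vbs writes into every HTM/HTML file it finds
DEFACEMENT = ("AmeRiCa ...Few Days WiLL Show You What We Can Do !!! "
              "It's Our Turn >>> ZaCkEr is So Sorry For You")
# Instruction the dropped Zacker.vbs appends to autoexec.bat
FORMAT_LINE = "echo Y | format C"


def find_overwritten_html(root):
    """Return sorted paths of .htm/.html files under root whose content is the defacement."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(256)  # overwritten files are only ~100 bytes
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if head.lstrip().startswith(DEFACEMENT.encode("ascii")):
                hits.append(path)
    return sorted(hits)


def clean_autoexec(path):
    """Drop every line carrying the format instruction; return how many were removed."""
    with open(path, "r", encoding="latin-1") as fh:
        lines = fh.readlines()
    kept = [ln for ln in lines if FORMAT_LINE.lower() not in ln.lower()]
    removed = len(lines) - len(kept)
    if removed:  # rewrite only when something was actually stripped
        with open(path, "w", encoding="latin-1") as fh:
            fh.writelines(kept)
    return removed


def demo():
    """Build a constructed sample tree (one defaced page, one intact, a tampered autoexec.bat)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "www"))
    with open(os.path.join(root, "www", "index.html"), "w") as fh:
        fh.write(DEFACEMENT + " .")                     # overwritten page
    with open(os.path.join(root, "www", "about.htm"), "w") as fh:
        fh.write("<html><body>ok</body></html>")        # intact page
    autoexec = os.path.join(root, "autoexec.bat")
    with open(autoexec, "w") as fh:
        fh.write("@echo off\r\nPATH=C:\\WINDOWS\r\necho Y | format C\r\n")
    return find_overwritten_html(root), clean_autoexec(autoexec), autoexec
```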