*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
{ Please visit the Hizbi-Net site - http://www.hizbi.net }
{ Send your messages to: [EMAIL PROTECTED] }
{ Advertising goods? Send to [EMAIL PROTECTED] }
*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
PAS : TOWARDS A JUST ISLAMIC GOVERNMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-------- Original Message --------
Subject: [NEWS] New VBS Virus disguises as a JPG file
Date: Wed, 14 Feb 2001 00:59:30 +0800
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

New VBS Virus disguises as a JPG file
------------------------------------------------------------------------

SUMMARY

A new VBS virus is spreading by e-mail, using the simple technique of a VB Script disguised as a JPEG picture (we described a similar method in our past article: <http://www.securiteam.com/windowsntfocus/HTML_dropper_vulnerability_allows_creation_of_emails_that_contain_hidden_attachments.html> HTML.dropper vulnerability allows creation of emails that contain hidden attachments). The actual virus is a script, but since the filename ends with a .jpg.vbs double extension, some operating systems (Windows with "Hide file extensions for known file types" enabled) hide the final .vbs, display the file name as ending in '.jpg' and show the JPEG icon, making the user think it is a harmless picture.

DETAILS

This virus, dubbed AnnaKournikova, spreads via e-mails with the following subject line:

Here you have, ;o)

and an attachment called AnnaKournikova.jpg.vbs. When the user opens the file (mistakenly thinking it is a JPEG file), the script runs. This is not a new technique, but this virus seems to be propagating faster than similar viruses. It also spreads by sending itself to the people in the victim's address book.

Removal:

This virus can be removed manually.
To do that, stop any instance of wscript.exe, search for and remove any AnnaKournikova.jpg.vbs files (those will generally be in C:\Windows and C:\Windows\tmp), and remove the OnTheFly key from the registry (under HKEY_CURRENT_USER\SOFTWARE).

Temporary solution:

With Outlook 2000, you can establish a rule that will likely prevent this from getting to your users' eyes. I'm not familiar myself as to how to push a new rule out to all of your users, so maybe an email explaining how they can do this themselves would help mitigate this (and other such) worms:

1. Create a new rule.
2. Choose "Check messages when they arrive", click Next.
3. Choose "with <specific words> in the message header" and place ".jpg.vbs" in the <specific words>.
4. Choose "which has an attachment" to minimize false positives, click Next.
5. Choose "move it to a <specified> folder", and create a Public Folder in which you can store all such messages (or choose "permanently delete" if you simply don't want to even know they ever arrived). If you establish a Public Folder, set its permissions appropriately (possibly denying read rights to your users).
6. Choose "Stop processing more rules", click Finish.

This rule will be a server-side rule, preventing your users from seeing the message at all, and allowing the messages to be processed whether the client is connected and running or not. If it's not a server-side rule, it's because the folder you specified is local and not on their server.

Searching for .jpg.vbs in the message "body" isn't going to work, since the only place the file name exists is in the MIME header. This means that this type of rule filtering is only available with Outlook 2000 (since it's the first version that can scan the header during rules processing).

Solution:

Update your antivirus program to the latest version.

ADDITIONAL INFORMATION

The information has been provided by <mailto:[EMAIL PROTECTED]> Chris Schuerger and <mailto:[EMAIL PROTECTED]> Russ.
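The two technical points in the advisory, that a file manager which hides known extensions turns AnnaKournikova.jpg.vbs into an apparent JPEG, and that the attachment name lives only in the MIME part headers (so a body search misses it while a header rule catches it), can be checked with a small mail filter. The block below is an added example and is not part of the SecuriTeam advisory or the Outlook rule it describes; it uses only the Python standard library. The sample message, the extension lists, and the function names (displayed_name, is_disguised_script, disguised_attachments, body_text, build_sample_message) are constructed for illustration, and the attachment payload is a harmless placeholder, not the worm's script.

```python
"""Flag e-mail attachments that hide a script behind a decoy extension
(picture.jpg.vbs) by inspecting MIME part headers rather than the body.

Added example; not code from the SecuriTeam advisory.  All names,
extension lists and the sample message below are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host or the shell executes on double-click.
# Assumption: a short illustrative set, not an exhaustive one.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                     "exe", "scr", "pif", "bat", "cmd"}

# Harmless-looking extensions typically used as the visible decoy.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}


def displayed_name(filename: str) -> str:
    """Name as shown when the last known extension is hidden.

    Models the "Hide file extensions for known file types" behaviour:
    only the final extension disappears, so 'AnnaKournikova.jpg.vbs'
    is displayed as 'AnnaKournikova.jpg'.  The set of "known" types is
    an assumption; Windows uses its registered file types.
    """
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in SCRIPT_EXTENSIONS | DECOY_EXTENSIONS:
        return stem
    return filename


def is_disguised_script(filename: str) -> bool:
    """True when the real (last) extension is executable and the
    extension the user will see (second to last) is a decoy."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    real, decoy = parts[-1], parts[-2]
    return real in SCRIPT_EXTENSIONS and decoy in DECOY_EXTENSIONS


def attachment_names(raw_message: bytes) -> list[str]:
    """Filenames carried in Content-Disposition/Content-Type headers of
    each MIME part; this is the "message header" the Outlook rule scans."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def disguised_attachments(raw_message: bytes) -> list[str]:
    """Server-side style check: attachments with a decoy double extension."""
    return [n for n in attachment_names(raw_message) if is_disguised_script(n)]


def body_text(raw_message: bytes) -> str:
    """Text of the plain body only, to show the filename is not in it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def build_sample_message() -> bytes:
    """Constructed sample resembling the worm's mail.  The attachment
    content is a placeholder comment line, not the worm."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("Hi:\nCheck This!\n")
    msg.add_attachment(b"' placeholder, not the worm\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    return bytes(msg)


if __name__ == "__main__":
    raw = build_sample_message()
    for name in attachment_names(raw):
        print(f"user sees {displayed_name(name)!r}, real name {name!r}, "
              f"disguised={is_disguised_script(name)}")
    print("filename in body text:", ".jpg.vbs" in body_text(raw))
    print("filename in MIME headers:", b".jpg.vbs" in raw)
```

Run stand-alone, the script shows the attachment displayed as AnnaKournikova.jpg, flags it, and reports that ".jpg.vbs" is absent from the body text but present in the raw message, which is exactly why the advisory's rule keys on the header rather than the body. The decoy/script lists are deliberately small; a production filter would key on the executable extension alone and not require a recognised decoy.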
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [EMAIL PROTECTED]
In order to subscribe to the mailing list, simply forward this email to: [EMAIL PROTECTED]
========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Subscribe?   To: [EMAIL PROTECTED]  in the body: SUBSCRIBE HIZB )
( Unsubscribe? To: [EMAIL PROTECTED]  in the body: UNSUBSCRIBE HIZB )
( Opinions expressed do not reflect the official view of, and are not )
( the responsibility of, HIZBI-Net )
( Problems? Please contact [EMAIL PROTECTED] )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sender: "Harisfazillah Jamel" <[EMAIL PROTECTED]>