-------- Original Message --------
Subject: [NEWS] New VBS Virus disguises as a JPG file
Date: Wed, 14 Feb 2001 00:59:30 +0800
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com


  New VBS Virus disguises as a JPG file
------------------------------------------------------------------------


SUMMARY

A new VBS Virus is spreading by e-mail, using the simple technique of a
VB Script disguised as a JPEG picture (we described a similar method in
our past article: "HTML.dropper vulnerability allows creation of emails
that contain hidden attachments",
<http://www.securiteam.com/windowsntfocus/HTML_dropper_vulnerability_allows_creation_of_emails_that_contain_hidden_attachments.html>).

The actual Virus is a script, but since the filename ends with a
.jpg.vbs extension, some operating systems display the file name as
'.jpg' and show the jpg icon, making the user think it's a harmless
picture.

DETAILS

This Virus, dubbed AnnaKournikova, spreads via e-mails with the
following subject line:
Here you have, ;o)
and an attachment called AnnaKournikova.jpg.vbs. When the user opens the
file (mistakenly thinking it's a jpeg file), the script runs. This is
not a new technique, but this Virus seems to be propagating quicker than
similar Viruses.

This new Virus also spreads by sending itself to the people on the 
victim's address book.

Removal:
This Virus can be removed manually. To do that, stop any instance of
wscript.exe, search for and remove any AnnaKournikova.jpg.vbs files
(those will generally be in C:\Windows, and C:\Windows\tmp), and remove
the OnTheFly key from the registry (under HKEY_CURRENT_USER\SOFTWARE).

Temporary solution:
With Outlook 2000, you can establish a rule that will likely prevent
this from getting to your users' eyes. I'm not familiar myself as to how
to push a new rule out to all of your users, so maybe an email
explaining how they can do this themselves would help mitigate this (and
other such) worm(s):

1. Create a new rule.

2. Choose "Check messages when they arrive", click Next.

3. Choose "with <specific words> in the message header" and place 
".jpg.vbs" in the <specific words>.

4. Choose "which has an attachment" to minimize false positives, click 
Next.

5. Choose "move it to a <specified> folder", and create a Public Folder
which you can store all such messages in (or choose "permanently delete"
if you simply don't want to even know they ever arrived). If you
establish a Public Folder, set its permissions appropriately (possibly
denying read rights to your users).

6. Choose "Stop processing more rules", click Finish.

This rule will be a server-side rule, preventing your users from seeing
the message at all, and allowing messages to be processed whether the
client is connected and running or not. If it's not a server-side rule,
it's because the folder you specified is local and not on their server.

Searching for .jpg.vbs in the message "body" isn't going to work since
the only place the file name exists is in the MIME header. This means
that this type of rule filtering is only available with Outlook 2000
(since it's the first version that can scan the header during rules
processing).
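
An added example, not part of the original advisory: a Python check for
the same condition the Outlook rule matches, reading the attachment name
from the MIME part headers rather than the body. The extension lists,
function names and the sample message are assumptions constructed for
illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Illustrative lists, not exhaustive: types Windows runs on double-click,
# and types a user reads as harmless content.
EXECUTABLE_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe", ".scr", ".pif", ".bat", ".cmd"}
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".pdf"}


def is_disguised(filename: str) -> bool:
    """True for names shaped <name>.<decoy>.<executable>, e.g. x.jpg.vbs."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    cleaned = filename.strip().rstrip(". ")
    suffixes = [s.strip().lower() for s in PurePosixPath(cleaned).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXT and suffixes[-2] in DECOY_EXT


def disguised_attachments(raw_message: bytes) -> list[str]:
    """Return attachment filenames in a raw RFC 822 message that look disguised."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename= and falls back to
        # Content-Type name=. Both are MIME part headers, never body text.
        name = part.get_filename()
        if name and is_disguised(name):
            hits.append(name)
    return hits


def body_text(raw_message: bytes) -> str:
    """Plain-text body, to show the filename is absent from it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return msg.get_body(preferencelist=("plain",)).get_content()


def build_sample(filename: str) -> bytes:
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = "Here you have, ;o)"
    m.set_content("constructed body text")
    m.add_attachment(b"REM placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(disguised_attachments(build_sample("AnnaKournikova.jpg.vbs")))
```

A mail gateway or mailbox audit script can call disguised_attachments()
on each raw message and quarantine anything it returns.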

Solution:
Update your antivirus program to the latest version.


ADDITIONAL INFORMATION

The information has been provided by Chris Schuerger and Russ.

Sender: "Harisfazillah Jamel" <[EMAIL PROTECTED]>