RE: Another F(*&^ virus!

2001-09-27 Thread RZorz
Title: Another F(*&^ virus!



thanks. Still don't see a virus-specific newsletter with alerts like 
other vendors seem to have.  And they were way, way behind in getting the 
Nimda and Vote defs out the door. 

  -Original Message-
  From: Lagerstrom, Lanette [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, September 26, 2001 4:44 PM
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus!

  Just FYI --
  * VIRUS CENTER
  Panda Software and the Windows 2000 Magazine Network have teamed to
  bring you the Center for Virus Control. Visit the site often to remain
  informed about the latest threats to your system security.
  http://www.secadministrator.com/panda

  Lanette Lagerstrom
  Northrop Grumman
  Information Technology
  Internal Information Services
  Network Administrator
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 6:51 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!
Actually one of my users sent that to me. I use Panda, which of 
course once again seems to be the last to know.

  -Original Message-
  From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:03 PM
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus!
  According to SARC, updating your definitions will detect this worm. 
  Although, the latest update I get is dated Sep. 20. What's the 
  scoop?
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com

W32.Vote.A@mm
Discovered on: September 24, 2001
Last Updated on: September 24, 2001 at 09:56:27 AM PDT

W32.Vote.A@mm is a mass-mailing worm that is written in Visual
Basic. When executed, it will email itself out to all email
addresses in the Microsoft Outlook address book. The worm will
insert two .vbs files on the system, and it will also attempt to
delete files from several antivirus products.

Type: Worm
Infection Length: 55,808 Bytes
Virus Definitions: September 24, 2001

Threat Assessment:
Wild: Low  Damage: High  Distribution: High

Wild:
Number of infections: 0 - 49
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Damage:
Payload:
Large scale e-mailing: Emails everyone in the Microsoft Outlook
addressbook
Deletes files: After reboot, the worm attempts to delete all
files in the Windows folder
Modifies files: All files with the extension "htm" or "html" will
be overwritten.
Compromises security settings: If the Backdoor.Trojan was
successfully downloaded and installed, anyone could gain full
access to the computer.

Distribution:
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Technical description:
W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
language. It requires the file Msvbvm50.dll to execute.

When executed, the worm will attempt to email itself to all
contacts in the Microsoft Outlook address book. The email will
appear as follows.

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
Attachment: WTC.EXE

Next, the worm will insert two .vbs files on the system:
\\ZaCker.vbs
\\MixDaLaL.vbs

In addition, the worm will attempt to download and execute a
file. This file is detected as Backdoor.Trojan by Norton
Antivirus.

Finally, the worm will attempt to delete all files from several
folders. These folders appear to be the default installation
folders for several antivirus products. For Norton AntiVirus,
this worm will only attempt to delete the files if Norton
Antivirus is located in C:\Program Files\Norton AntiVirus.

What the dropped files do

MixDaLaL.vbs
MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
\Windows\System folder. This file is executed by the worm. As the
file is executed, it will look through all folders on all fixed
drives and network drives for files with the extensions .htm or
.html. If such a

RE: Another F(*&^ virus!

2001-09-26 Thread Lagerstrom, Lanette
Title: Another F(*&^ virus!




Just FYI --
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
http://www.secadministrator.com/panda

Lanette Lagerstrom
Northrop Grumman
Information Technology
Internal Information Services
Network Administrator

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 6:51 AM
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus!
  Actually one of my users sent that to me. I use Panda, which of course 
  once again seems to be the last to know.
  
-Original Message-
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!
According to SARC, updating your definitions will detect this worm. 
Although, the latest update I get is dated Sep. 20. What's the 
scoop?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:37 PM
  To: NT System Admin Issues
  Subject: Another F(*&^ virus!

  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes

  Symantec Security Response
  http://securityresponse.symantec.com

  W32.Vote.A@mm
  Discovered on: September 24, 2001
  Last Updated on: September 24, 2001 at 09:56:27 AM PDT

  W32.Vote.A@mm is a mass-mailing worm that is written in Visual
  Basic. When executed, it will email itself out to all email
  addresses in the Microsoft Outlook address book. The worm will
  insert two .vbs files on the system, and it will also attempt to
  delete files from several antivirus products.

  Type: Worm
  Infection Length: 55,808 Bytes
  Virus Definitions: September 24, 2001

  Threat Assessment:
  Wild: Low  Damage: High  Distribution: High

  Wild:
  Number of infections: 0 - 49
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Moderate
  Removal: Moderate

  Damage:
  Payload:
  Large scale e-mailing: Emails everyone in the Microsoft Outlook
  addressbook
  Deletes files: After reboot, the worm attempts to delete all
  files in the Windows folder
  Modifies files: All files with the extension "htm" or "html" will
  be overwritten.
  Compromises security settings: If the Backdoor.Trojan was
  successfully downloaded and installed, anyone could gain full
  access to the computer.

  Distribution:
  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes

  Technical description:
  W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
  language. It requires the file Msvbvm50.dll to execute.

  When executed, the worm will attempt to email itself to all
  contacts in the Microsoft Outlook address book. The email will
  appear as follows.

  Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
  Attachment: WTC.EXE

  Next, the worm will insert two .vbs files on the system:
  \\ZaCker.vbs
  \\MixDaLaL.vbs

  In addition, the worm will attempt to download and execute a
  file. This file is detected as Backdoor.Trojan by Norton
  Antivirus.

  Finally, the worm will attempt to delete all files from several
  folders. These folders appear to be the default installation
  folders for several antivirus products. For Norton AntiVirus,
  this worm will only attempt to delete the files if Norton
  Antivirus is located in C:\Program Files\Norton AntiVirus.

  What the dropped files do

  MixDaLaL.vbs
  MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
  \Windows\System folder. This file is executed by the worm. As the
  file is executed, it will look through all folders on all fixed
  drives and network drives for files with the extensions .htm or
  .html. If such files are found, they are overwritten with the
  message:

  AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's
  Our Turn >>> ZaCkEr is So Sorry For You

  ZaCker.VBS
  This file is inserted in the \Windows\System folder. It is not
  executed by the worm. Instead, the value
  Norton.Thar \Windows\System\ZaCker.vbs
  is added to the registry key
  HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run
  so that the file is executed when you start Windows.
  When executed at the next restart, this file will att
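
As an added example (not part of the thread or of the Symantec advisory quoted in it), the mail-side indicators the advisory lists, that is the subject line, the attachment name and its 55808-byte size, can be checked at the gateway before a message reaches a desktop. The blocked-extension list, the verdict names and the sample addresses are assumptions of this sketch.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the Symantec advisory quoted in the thread.
VOTE_SUBJECT = "Fwd:Peace BeTweeN AmeriCa and IsLaM!"
VOTE_ATTACHMENT = "WTC.exe"
VOTE_SIZE = 55808  # bytes

# Assumed local policy (not from the thread): attachment types the gateway
# refuses whichever worm is current. The advisory itself involves .exe and .vbs.
BLOCKED_EXTENSIONS = (".exe", ".vbs", ".scr", ".pif", ".bat", ".com")


def _norm(text):
    """Case-fold and drop whitespace so re-casing or header folding cannot evade a match."""
    return "".join((text or "").split()).casefold()


def inspect_message(raw):
    """Return (verdict, findings) for one raw RFC 822 message.

    verdict is 'quarantine', 'flag' or 'deliver' (names are this example's own).
    findings is a list of (kind, detail) tuples explaining the verdict.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # Substring match, so "RE: Fwd:Peace ..." replies are caught as well.
    if _norm(VOTE_SUBJECT) in _norm(msg["Subject"]):
        findings.append(("vote-subject", str(msg["Subject"])))

    # walk() also reaches attachments nested inside forwarded messages.
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        folded = name.strip().casefold()
        # Matching on the final extension also catches "photo.jpg.vbs".
        if folded.endswith(BLOCKED_EXTENSIONS):
            findings.append(("blocked-extension", name))
        if folded == VOTE_ATTACHMENT.casefold() and len(data) == VOTE_SIZE:
            findings.append(("vote-attachment", name))

    kinds = {kind for kind, _ in findings}
    if kinds & {"blocked-extension", "vote-attachment"}:
        verdict = "quarantine"
    elif "vote-subject" in kinds:
        verdict = "flag"      # subject alone: hold for review, nothing executable attached
    else:
        verdict = "deliver"
    return verdict, findings


def build_sample(subject, filename=None, size=0):
    """Constructed test message; the attachment is zero-byte padding, not worm code."""
    m = EmailMessage()
    m["From"] = "user@example.com"
    m["To"] = "admin@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename is not None:
        m.add_attachment(b"\x00" * size, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "as described in the advisory": build_sample(VOTE_SUBJECT, "WTC.EXE", VOTE_SIZE),
        "reply quoting the subject": build_sample("RE: " + VOTE_SUBJECT),
        "double extension script": build_sample("hello", "holiday.jpg.vbs", 10),
        "ordinary document": build_sample("Quarterly report", "report.pdf", 1024),
    }
    for label, raw in samples.items():
        print(label, "->", inspect_message(raw))
```

The name-and-size match only identifies this one variant; the extension rule is what keeps working when the next attachment is renamed or resized.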

RE: Another F(*&^ virus! (OT)

2001-09-25 Thread RZorz
Title: RE: Another F(*&^ virus! (OT)





I finally got it to autoupdate for Exchange. But as I said earlier, I'm still not sure if they have Vote in their defs, their website doesn't get updated quick enough and they don't send alerts. 

-Original Message-
From: Hasan Dervish [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:19 AM
To: NT System Admin Issues
Subject: Re: Another F(*&^ virus! (OT)



I use panda on BackOffice and BackOffice SBS
the only problem I have seen its inability to fully autoupdate in sbs, and
autoupdate exchange server in BackOffice.
- Original Message -
From: "Miranda, Fausto" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 2:57 PM
Subject: RE: Another F(*&^ virus! (OT)



> dump it, I have never seen it work correctly.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 25, 2001 9:21 AM
> To: NT System Admin Issues
> Subject: RE: Another F(*&^ virus! (OT)
>
>
>
> A little off the topic here, but how do you find Panda?  We use Norton AV
> for desktop and server protection, but have Panda for Lotus Notes
> protection (I think it's a good idea to have a double layer sometimes).
> Panda was suggested by our Notes Admin guy, and it has not worked correctly
> since!  Currently it is only running on one of our 4 Notes servers, and I
> don't think it is doing too well there!  I'm about ready to dump it, and
> have put Norton on the other Notes servers to make sure they are covered.
> Anyone else out there use Panda, and would actually recommend it?
>
> G.
>
>
>
>
> RZorz@ScottsdaleChamber.com
> 25/09/2001 13:51
> Please respond to "NT System Admin Issues"
>
> To: "NT System Admin Issues" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: Another F(*&^ virus!
>
>
>
>
>
>
>
>
>
> Actually one of my users sent that to me. I use Panda, which of course once
> again seems to be the last to know.
>  -Original Message-
>  From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
>  Sent: Monday, September 24, 2001 4:03 PM
>  To: NT System Admin Issues
>  Subject: RE: Another F(*&^ virus!
>
>  According to SARC, updating your definitions will detect this worm.
>  Although, the latest update I get is dated Sep. 20. What's the scoop?
>   -Original Message-
>   From: [EMAIL PROTECTED]
>   [mailto:[EMAIL PROTECTED]]
>   Sent: Monday, September 24, 2001 4:37 PM
>   To: NT System Admin Issues
>   Subject: Another F(*&^ virus!
>
>
>
>
>   Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
>   Name of attachment: WTC.exe
>   Size of attachment: 55808 Bytes
>
>
>   Symantec Security Response
>   http://securityresponse.symantec.com
>
>   W32.Vote.A@mm
>   Discovered on: September 24, 2001
>   Last Updated on: September 24, 2001 at 09:56:27 AM PDT
>
>
>   W32.Vote.A@mm is a mass-mailing worm that is written in Visual
>   Basic. When executed, it will email itself out to all email
>   addresses in the Microsoft Outlook address book. The worm will
>   insert two .vbs files on the system, and it will also attempt to
>   delete files from several antivirus products.
>
>
>   Type: Worm
>
>
>   Infection Length: 55,808 Bytes
>
>
>   Virus Definitions: September 24, 2001
>
>
>   Threat Assessment:
>
>
>
>   Wild:
>   Low  Damage:
>   High  Distribution:
>   High
>
>
>
>   Wild:
>
>
>   Number of infections: 0 - 49
>   Number of sites: 3 - 9
>   Geographical distribution: Medium
>   Threat containment: Moderate
>   Removal: Moderate
>   Damage:
>
>
>   Payload:
>   Large scale e-mailing: Emails everyone in the Microsoft Outlook
>   addressbook
>   Deletes files: After reboot, the worm attempts to delete all
>   files in the Windows folder
>   Modifies files: All files with the extension "htm" or "html" will
>   be overwritten.
>   Compromises security settings: If the Backdoor.Trojan was
>   successfully downloaded 

RE: Another F(*&^ virus! (OT)

2001-09-25 Thread RZorz
Title: RE: Another F(*&^ virus! (OT)



Again, not a problem here. They all logout, and they all shutdown.  If they
don't for some reason, it shows up on the Panda Administrator screen, and I log
them off myself.  Hasn't been that big a problem here, but I've only got 50
users.

  -Original Message-
  From: Randal, Phil [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 7:45 AM
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus! (OT)
  Sorry to be pedantic, but a login script is a pull, not a push, and if
  your users habitually don't log out the login script ain't going to get
  run in a hurry.

  Phil
  -
  Phil Randal
  Network Engineer
  Herefordshire Council
  Hereford, UK

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 25 September 2001 15:01
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)
I haven't worked with any of the other packages, so I can't 
compare.  It seems to do ok, although they don't have any "ALERT" 
system, and always seem to be the last to get a definition out. I still 
don't know if they have the Vote virus covered.
They automatically create a logon script to push the defs to 
the desktop, so as long as you make sure the server gets updated before 
everyone logs on it works fine.  Our work hours make this a 
non-issue.  Remote users have a problem with the speed. 
I do know that I gave up on active desktop scanning.  
It slowed my workstations down too much.  I've been lucky that my folks 
get a lot of e-mail, but aren't big on downloading files.   So I'm 
scanning Exchange and Outlook.  Personally, I think way too many of the 
virii are being caught at the desktop rather than the Exchange server.  
They also have no filtering/blocking.
As soon as I can free up some money I'll most likely dump 
the Panda for Exchange and get Sybari.





Re: Another F(*&^ virus! (OT)

2001-09-25 Thread Hasan Dervish

I use panda on BackOffice and BackOffice SBS
the only problem I have seen its inability to fully autoupdate in sbs, and
autoupdate exchange server in BackOffice.
- Original Message -
From: "Miranda, Fausto" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 2:57 PM
Subject: RE: Another F(*&^ virus! (OT)


> dump it, I have never seen it work correctly.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 25, 2001 9:21 AM
> To: NT System Admin Issues
> Subject: RE: Another F(*&^ virus! (OT)
>
>
>
> A little off the topic here, but how do you find Panda?  We use Norton AV
> for desktop and server protection, but have Panda for Lotus Notes
> protection (I think it's a good idea to have a double layer sometimes).
> Panda was suggested by our Notes Admin guy, and it has not worked correctly
> since!  Currently it is only running on one of our 4 Notes servers, and I
> don't think it is doing too well there!  I'm about ready to dump it, and
> have put Norton on the other Notes servers to make sure they are covered.
> Anyone else out there use Panda, and would actually recommend it?
>
> G.
>
>
>
>
> RZorz@ScottsdaleChamber.com
> 25/09/2001 13:51
> Please respond to "NT System Admin Issues"
>
> To: "NT System Admin Issues" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: Another F(*&^ virus!
>
>
>
>
>
>
>
>
>
> Actually one of my users sent that to me. I use Panda, which of course once
> again seems to be the last to know.
>  -Original Message-
>  From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
>  Sent: Monday, September 24, 2001 4:03 PM
>  To: NT System Admin Issues
>  Subject: RE: Another F(*&^ virus!
>
>  According to SARC, updating your definitions will detect this worm.
>  Although, the latest update I get is dated Sep. 20. What's the scoop?
>   -Original Message-
>   From: [EMAIL PROTECTED]
>   [mailto:[EMAIL PROTECTED]]
>   Sent: Monday, September 24, 2001 4:37 PM
>   To: NT System Admin Issues
>   Subject: Another F(*&^ virus!
>
>
>
>
>   Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
>   Name of attachment: WTC.exe
>   Size of attachment: 55808 Bytes
>
>
>   Symantec Security Response
>   http://securityresponse.symantec.com
>
>   W32.Vote.A@mm
>   Discovered on: September 24, 2001
>   Last Updated on: September 24, 2001 at 09:56:27 AM PDT
>
>
>   W32.Vote.A@mm is a mass-mailing worm that is written in Visual
>   Basic. When executed, it will email itself out to all email
>   addresses in the Microsoft Outlook address book. The worm will
>   insert two .vbs files on the system, and it will also attempt to
>   delete files from several antivirus products.
>
>
>   Type: Worm
>
>
>   Infection Length: 55,808 Bytes
>
>
>   Virus Definitions: September 24, 2001
>
>
>   Threat Assessment:
>
>
>
>   Wild:
>   Low  Damage:
>   High  Distribution:
>   High
>
>
>
>   Wild:
>
>
>   Number of infections: 0 - 49
>   Number of sites: 3 - 9
>   Geographical distribution: Medium
>   Threat containment: Moderate
>   Removal: Moderate
>   Damage:
>
>
>   Payload:
>   Large scale e-mailing: Emails everyone in the Microsoft Outlook
>   addressbook
>   Deletes files: After reboot, the worm attempts to delete all
>   files in the Windows folder
>   Modifies files: All files with the extension "htm" or "html" will
>   be overwritten.
>   Compromises security settings: If the Backdoor.Trojan was
>   successfully downloaded and installed, anyone could gain full
>   access to the computer.
>
>
>   Distribution:
>
>
>   Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
>   Name of attachment: WTC.exe
>   Size of attachment: 55808 Bytes
>
>
>   Technical description:
>
>
>   W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
>

RE: Another F(*&^ virus! (OT)

2001-09-25 Thread Heavner, Charlie
Title: RE: Another F(*&^ virus! (OT)





As of 9:50am E.D.T. (that I know of and we're running them) NAV is offering sigs with a 9/24/01 date.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:21 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)




A little off the topic here, but how do you find Panda?  We use Norton AV
for desktop and server protection, but have Panda for Lotus Notes
protection (I think it's a good idea to have a double layer sometimes).
Panda was suggested by our Notes Admin guy, and it has not worked correctly
since!  Currently it is only running on one of our 4 Notes servers, and I
don't think it is doing too well there!  I'm about ready to dump it, and
have put Norton on the other Notes servers to make sure they are covered.
Anyone else out there use Panda, and would actually recommend it?


G.



    
RZorz@ScottsdaleChamber.com
25/09/2001 13:51
Please respond to "NT System Admin Issues"

To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: RE: Another F(*&^ virus!
    
    





Actually one of my users sent that to me. I use Panda, which of course once
again seems to be the last to know.
 -Original Message-
 From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
 Sent: Monday, September 24, 2001 4:03 PM
     To: NT System Admin Issues
 Subject: RE: Another F(*&^ virus!


 According to SARC, updating your definitions will detect this worm.
 Although, the latest update I get is dated Sep. 20. What's the scoop?
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:37 PM
  To: NT System Admin Issues
  Subject: Another F(*&^ virus!





  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes



  Symantec Security Response
  http://securityresponse.symantec.com


  W32.Vote.A@mm
  Discovered on: September 24, 2001
  Last Updated on: September 24, 2001 at 09:56:27 AM PDT



  W32.Vote.A@mm is a mass-mailing worm that is written in Visual
  Basic. When executed, it will email itself out to all email
  addresses in the Microsoft Outlook address book. The worm will
  insert two .vbs files on the system, and it will also attempt to
  delete files from several antivirus products.



  Type: Worm



  Infection Length: 55,808 Bytes



  Virus Definitions: September 24, 2001



  Threat Assessment:




  Wild:
  Low  Damage:
  High  Distribution:
  High




  Wild:



  Number of infections: 0 - 49
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Moderate
  Removal: Moderate
  Damage:



  Payload:
  Large scale e-mailing: Emails everyone in the Microsoft Outlook
  addressbook
  Deletes files: After reboot, the worm attempts to delete all
  files in the Windows folder
  Modifies files: All files with the extension "htm" or "html" will
  be overwritten.
  Compromises security settings: If the Backdoor.Trojan was
  successfully downloaded and installed, anyone could gain full
  access to the computer.



  Distribution:



  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes



  Technical description:



  W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
  language. It requires the file Msvbvm50.dll to execute.



  When executed, the worm will attempt to email itself to all
  contacts in the Microsoft Outlook address book. The email will
  appear 

RE: Another F(*&^ virus! (OT)

2001-09-25 Thread Randal, Phil
Title: RE: Another F(*&^ virus! (OT)



Sorry to be pedantic, but a login script is a pull, not a push, and if
your users habitually don't log out the login script ain't going to get
run in a hurry.

Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: 25 September 2001 15:01
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus! (OT)
  I haven't worked with any of the other packages, so I can't 
  compare.  It seems to do ok, although they don't have any "ALERT" system, 
  and always seem to be the last to get a definition out. I still don't know if 
  they have the Vote virus covered.
  They automatically create a logon script to push the defs to 
  the desktop, so as long as you make sure the server gets updated before 
  everyone logs on it works fine.  Our work hours make this a 
  non-issue.  Remote users have a problem with the speed. 
  I do know that I gave up on active desktop scanning.  It 
  slowed my workstations down too much.  I've been lucky that my folks get 
  a lot of e-mail, but aren't big on downloading files.   So I'm 
  scanning Exchange and Outlook.  Personally, I think way too many of the 
  virii are being caught at the desktop rather than the Exchange server.  
  They also have no filtering/blocking.
  As soon as I can free up some money I'll most likely dump the 
  Panda for Exchange and get Sybari. 





RE: Another F(*&^ virus! (OT)

2001-09-25 Thread Miranda, Fausto

dump it, I have never seen it work correctly.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:21 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)



A little off the topic here, but how do you find Panda?  We use Norton AV
for desktop and server protection, but have Panda for Lotus Notes
protection (I think it's a good idea to have a double layer sometimes).
Panda was suggested by our Notes Admin guy, and it has not worked correctly
since!  Currently it is only running on one of our 4 Notes servers, and I
don't think it is doing too well there!  I'm about ready to dump it, and
have put Norton on the other Notes servers to make sure they are covered.
Anyone else out there use Panda, and would actually recommend it?

G.


 

RZorz@ScottsdaleChamber.com
25/09/2001 13:51
Please respond to "NT System Admin Issues"

To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: RE: Another F(*&^ virus!

 

 





Actually one of my users sent that to me. I use Panda, which of course once
again seems to be the last to know.
 -Original Message-
 From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
 Sent: Monday, September 24, 2001 4:03 PM
 To: NT System Admin Issues
 Subject: RE: Another F(*&^ virus!

 According to SARC, updating your definitions will detect this worm.
 Although, the latest update I get is dated Sep. 20. What's the scoop?
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:37 PM
  To: NT System Admin Issues
  Subject: Another F(*&^ virus!




  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes


  Symantec Security Response
  http://securityresponse.symantec.com

  W32.Vote.A@mm
  Discovered on: September 24, 2001
  Last Updated on: September 24, 2001 at 09:56:27 AM PDT


  W32.Vote.A@mm is a mass-mailing worm that is written in Visual
  Basic. When executed, it will email itself out to all email
  addresses in the Microsoft Outlook address book. The worm will
  insert two .vbs files on the system, and it will also attempt to
  delete files from several antivirus products.


  Type: Worm


  Infection Length: 55,808 Bytes


  Virus Definitions: September 24, 2001


  Threat Assessment:



  Wild:
  Low  Damage:
  High  Distribution:
  High



  Wild:


  Number of infections: 0 - 49
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Moderate
  Removal: Moderate
  Damage:


  Payload:
  Large scale e-mailing: Emails everyone in the Microsoft Outlook
  addressbook
  Deletes files: After reboot, the worm attempts to delete all
  files in the Windows folder
  Modifies files: All files with the extension "htm" or "html" will
  be overwritten.
  Compromises security settings: If the Backdoor.Trojan was
  successfully downloaded and installed, anyone could gain full
  access to the computer.


  Distribution:


  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes


  Technical description:


  W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
  language. It requires the file Msvbvm50.dll to execute.


  When executed, the worm will attempt to email itself to all
  contacts in the Microsoft Outlook address book. The email will
  appear as follows.


  Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!


  Message:
  Hi
  iS iT A waR Against AmeriCa Or IsLaM !?
  Let's Vote To Live in Peace!


  Attachment: WTC.EXE


  Next, the worm will insert two .vbs files on the system:





  \\ZaCker.vbs
  \\MixDaLaL.vbs


  In addition, the worm will attempt to download and execute a
  file. This file is detected as Backdoor.Trojan by Norton
  Antivirus.


  Finally, the worm will attempt to delete all files from several
  folders. These folders appear to be the default installation
  folders for several antivirus products. For Norton AntiVirus,
  this worm will only attempt to delete the files if Norton
  

RE: Another F(*&^ virus! (OT)

2001-09-25 Thread RZorz
Title: RE: Another F(*&^ virus! (OT)





I haven't worked with any of the other packages, so I can't compare.  It seems to do ok, although they don't have any "ALERT" system, and always seem to be the last to get a definition out. I still don't know if they have the Vote virus covered.

They automatically create a logon script to push the defs to the desktop, so as long as you make sure the server gets updated before everyone logs on it works fine.  Our work hours make this a non-issue.  Remote users have a problem with the speed. 

I do know that I gave up on active desktop scanning.  It slowed my workstations down too much.  I've been lucky that my folks get a lot of e-mail, but aren't big on downloading files.   So I'm scanning Exchange and Outlook.  Personally, I think way too many of the virii are being caught at the desktop rather than the Exchange server.  They also have no filtering/blocking.

As soon as I can free up some money I'll most likely dump the Panda for Exchange and get Sybari.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 6:21 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)




A little off the topic here, but how do you find Panda?  We use Norton AV
for desktop and server protection, but have Panda for Lotus Notes
protection (I think it's a good idea to have a double layer sometimes).
Panda was suggested by our Notes Admin guy, and it has not worked correctly
since!  Currently it is only running on one of our 4 Notes servers, and I
don't think it is doing too well there!  I'm about ready to dump it, and
have put Norton on the other Notes servers to make sure they are covered.
Anyone else out there use Panda, and would actually recommend it?


G.



    
RZorz@ScottsdaleChamber.com
25/09/2001 13:51
Please respond to "NT System Admin Issues"

To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: RE: Another F(*&^ virus!
    
    





Actually one of my users sent that to me. I use Panda, which of course once
again seems to be the last to know.
 -Original Message-
 From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
     Sent: Monday, September 24, 2001 4:03 PM
 To: NT System Admin Issues
 Subject: RE: Another F(*&^ virus!


 According to SARC, updating your definitions will detect this worm.
 Although, the latest update I get is dated Sep. 20. What's the scoop?
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:37 PM
  To: NT System Admin Issues
  Subject: Another F(*&^ virus!





  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes



  Symantec Security Response
  http://securityresponse.symantec.com


  W32.Vote.A@mm
  Discovered on: September 24, 2001
  Last Updated on: September 24, 2001 at 09:56:27 AM PDT



  W32.Vote.A@mm is a mass-mailing worm that is written in Visual
  Basic. When executed, it will email itself out to all email
  addresses in the Microsoft Outlook address book. The worm will
  insert two .vbs files on the system, and it will also attempt to
  delete files from several antivirus products.



  Type: Worm



  Infection Length: 55,808 Bytes



  Virus Definitions: September 24, 2001



  Threat Assessment:




  Wild: Low  Damage: High  Distribution: High




  Wild:



  Number of infections: 0 - 49
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Moderate
  Removal: Moderate
  Damage:



  Payload:
  Large scale e-mailing: Emails everyone in the Microsoft Outlook
  addressbook
  D

RE: Another F(*&^ virus! (OT)

2001-09-25 Thread GMasters


A little off the topic here, but how do you find Panda?  We use Norton AV
for desktop and server protection, but have Panda for Lotus Notes
protection (I think it's a good idea to have a double layer sometimes).
Panda was suggested by our Notes Admin guy, and it has not worked correctly
since!  Currently it is only running on one of our 4 Notes servers, and I
don't think it is doing too well there!  I'm about ready to dump it, and
have put Norton on the other Notes servers to make sure they are covered.
Anyone else out there use Panda, and would actually recommend it?

G.


   
 
RZorz@ScottsdaleChamber.com
25/09/2001 13:51
Please respond to "NT System Admin Issues"

To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: RE: Another F(*&^ virus!
 
   
 
   
 




Actually one of my users sent that to me. I use Panda, which of course once
again seems to be the last to know.
 -Original Message-
 From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
 Sent: Monday, September 24, 2001 4:03 PM
 To: NT System Admin Issues
 Subject: RE: Another F(*&^ virus!

 According to SARC, updating your definitions will detect this worm.
 Although, the latest update I get is dated Sep. 20. What's the scoop?
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:37 PM
  To: NT System Admin Issues
  Subject: Another F(*&^ virus!




  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes


  Symantec Security Response
  http://securityresponse.symantec.com

  W32.Vote.A@mm
  Discovered on: September 24, 2001
  Last Updated on: September 24, 2001 at 09:56:27 AM PDT


  W32.Vote.A@mm is a mass-mailing worm that is written in Visual
  Basic. When executed, it will email itself out to all email
  addresses in the Microsoft Outlook address book. The worm will
  insert two .vbs files on the system, and it will also attempt to
  delete files from several antivirus products.


  Type: Worm


  Infection Length: 55,808 Bytes


  Virus Definitions: September 24, 2001


  Threat Assessment:



  Wild: Low  Damage: High  Distribution: High



  Wild:


  Number of infections: 0 - 49
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Moderate
  Removal: Moderate
  Damage:


  Payload:
  Large scale e-mailing: Emails everyone in the Microsoft Outlook
  addressbook
  Deletes files: After reboot, the worm attempts to delete all
  files in the Windows folder
  Modifies files: All files with the extension "htm" or "html" will
  be overwritten.
  Compromises security settings: If the Backdoor.Trojan was
  successfully downloaded and installed, anyone could gain full
  access to the computer.


  Distribution:


  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes


  Technical description:


  W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
  language. It requires the file Msvbvm50.dll to execute.


  When executed, the worm will attempt to email itself to all
  contacts in the Microsoft Outlook address book. The email will
  appear as follows.


  Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!


  Message:
  Hi
  iS iT A waR Against AmeriCa Or IsLaM !?
  Let's Vote To Live in Peace!


  Attachment: WTC.EXE


  Next, the worm will insert two .vbs files on the system:





  \\ZaCker.vbs
  \\MixDaLaL.vbs



RE: Another F(*&^ virus!

2001-09-25 Thread RZorz



Actually one of my users sent that to me. I use Panda, which of course 
once again seems to be the last to know.

  -Original Message-
  From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:03 PM
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus!

  According to SARC, updating your definitions will detect this worm.
  Although, the latest update I get is dated Sep. 20. What's the scoop?

    -Original Message-
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
    Sent: Monday, September 24, 2001 4:37 PM
    To: NT System Admin Issues
    Subject: Another F(*&^ virus!

    Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Name of attachment: WTC.exe
    Size of attachment: 55808 Bytes

    Symantec Security Response
    http://securityresponse.symantec.com

    W32.Vote.A@mm
    Discovered on: September 24, 2001
    Last Updated on: September 24, 2001 at 09:56:27 AM PDT

    W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic.
    When executed, it will email itself out to all email addresses in the
    Microsoft Outlook address book. The worm will insert two .vbs files on
    the system, and it will also attempt to delete files from several
    antivirus products.

    Type: Worm
    Infection Length: 55,808 Bytes
    Virus Definitions: September 24, 2001

    Threat Assessment:
    Wild: Low  Damage: High  Distribution: High

    Wild:
    Number of infections: 0 - 49
    Number of sites: 3 - 9
    Geographical distribution: Medium
    Threat containment: Moderate
    Removal: Moderate

    Damage:
    Payload:
    Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
    Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
    Modifies files: All files with the extension "htm" or "html" will be overwritten.
    Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

    Distribution:
    Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Name of attachment: WTC.exe
    Size of attachment: 55808 Bytes

    Technical description:
    W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
    language. It requires the file Msvbvm50.dll to execute.

    When executed, the worm will attempt to email itself to all contacts
    in the Microsoft Outlook address book. The email will appear as
    follows.

    Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Message:
    Hi
    iS iT A waR Against AmeriCa Or IsLaM !?
    Let's Vote To Live in Peace!
    Attachment: WTC.EXE

    Next, the worm will insert two .vbs files on the system:
    \\ZaCker.vbs
    \\MixDaLaL.vbs

    In addition, the worm will attempt to download and execute a file.
    This file is detected as Backdoor.Trojan by Norton Antivirus.

    Finally, the worm will attempt to delete all files from several
    folders. These folders appear to be the default installation folders
    for several antivirus products. For Norton AntiVirus, this worm will
    only attempt to delete the files if Norton Antivirus is located in
    C:\Program Files\Norton AntiVirus.

    What the dropped files do

    MixDaLaL.vbs
    MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
    \Windows\System folder. This file is executed by the worm. As the file
    is executed, it will look through all folders on all fixed drives and
    network drives for files with the extensions .htm or .html. If such
    files are found, they are overwritten with the message:

    AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You

    ZaCker.VBS
    This file is inserted in the \Windows\System folder. It is not
    executed by the worm. Instead, the value

    Norton.Thar \Windows\System\ZaCker.vbs

    is added to the registry key

    HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run

    so that the file is executed when you start Windows.

    When executed at the next restart, this file will attempt to delete
    all files in the \Windows folder. Next, the worm will create or
    overwrite the file C:\Autoexec.bat. Inside the file there will be a
    command that formats the C drive. The Autoexec.bat file is executed on
    Windows 95/98/Me and DOS systems when you start the computer.

    Finally, the worm will display the message

    The worm does attempt to shut down Windows after the message has been
    displayed. However, because the files required for this event to occur
    have been deleted from the \Windows folder, the computer probably will
    not shut down.

    Removal instructions:
    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and

Re: Another F(*&^ virus!

2001-09-24 Thread Richard Jones



I'm on the east coast and when I left at 5:30pm 
this evening our systems were at the 920 sigs.
Gotta love it you subscribe and pay annual fees and 
the fringing firms don't even email you that you need an emergency update 
between your systems scheduled updates.
 
This list has paid off handsomely over the past week ... pretty much the
early warnings system for latest and greatest viruses

  - Original Message -
  From: Allan Muchmore
  To: NT System Admin Issues
  Sent: Monday, September 24, 2001 7:44 PM
  Subject: RE: Another F(*&^ virus!

  Just now (4:40 pacific) when I hit LiveUpdate, I got the 9/20 updates.
  W32.Vote.A@mm was not included. When I downloaded from their web page,
  I got the 9/24 updates and W32.Vote.A@mm.

  I have not noticed this discrepancy before. Has anyone else? If so,
  that would argue against using the liveupdate button when hot new
  viruses are about.

    -Original Message-
    From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
    Sent: Monday, September 24, 2001 4:03 PM
    To: NT System Admin Issues
    Subject: RE: Another F(*&^ virus!

    According to SARC, updating your definitions will detect this worm.
    Although, the latest update I get is dated Sep. 20. What's the scoop?

      -Original Message-
      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
      Sent: Monday, September 24, 2001 4:37 PM
      To: NT System Admin Issues
      Subject: Another F(*&^ virus!

      Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
      Name of attachment: WTC.exe
      Size of attachment: 55808 Bytes

      Symantec Security Response
      http://securityresponse.symantec.com

      W32.Vote.A@mm
      Discovered on: September 24, 2001
      Last Updated on: September 24, 2001 at 09:56:27 AM PDT

      W32.Vote.A@mm is a mass-mailing worm that is written in Visual
      Basic. When executed, it will email itself out to all email
      addresses in the Microsoft Outlook address book. The worm will
      insert two .vbs files on the system, and it will also attempt to
      delete files from several antivirus products.

      Type: Worm
      Infection Length: 55,808 Bytes
      Virus Definitions: September 24, 2001

      Threat Assessment:
      Wild: Low  Damage: High  Distribution: High

      Wild:
      Number of infections: 0 - 49
      Number of sites: 3 - 9
      Geographical distribution: Medium
      Threat containment: Moderate
      Removal: Moderate

      Damage:
      Payload:
      Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
      Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
      Modifies files: All files with the extension "htm" or "html" will be overwritten.
      Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

      Distribution:
      Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
      Name of attachment: WTC.exe
      Size of attachment: 55808 Bytes

      Technical description:
      W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
      language. It requires the file Msvbvm50.dll to execute.

      When executed, the worm will attempt to email itself to all
      contacts in the Microsoft Outlook address book. The email will
      appear as follows.

      Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
      Message:
      Hi
      iS iT A waR Against AmeriCa Or IsLaM !?
      Let's Vote To Live in Peace!
      Attachment: WTC.EXE

      Next, the worm will insert two .vbs files on the system:
      \\ZaCker.vbs
      \\MixDaLaL.vbs

      In addition, the worm will attempt to download and execute a file.
      This file is detected as Backdoor.Trojan by Norton Antivirus.

      Finally, the worm will attempt to delete all files from several
      folders. These folders appear to be the default installation
      folders for several antivirus products. For Norton AntiVirus, this
      worm will only attempt to delete the files if Norton Antivirus is
      located in C:\Program Files\Norton AntiVirus.

      What the dropped files do

      MixDaLaL.vbs
      MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
      \Windows\System folder. This file is executed by the worm. As the
      file is executed, it will look through all folders on all fixed
      drives and network drives for files with the extensions .htm or
      .html. If such files are found, they are overwritten with the
      message:

      AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You

      ZaCker.VBS
      This file is inserted in the \Windows\System folder. It is not
      executed by the worm. Instead, the value

      Nor

RE: Another F(*&^ virus!

2001-09-24 Thread Gisler, Johnny



yes it is avail. auto DL, try again

  
  -Original Message-
  From: Clark, Steve [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 16:44
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus!

  Haven't seen anything at all from NAI - have you?

  Steve Clark
  Clark Systems Support, LLC
  AVIEN Charter Member
  "Who's watching your network?"
  www.clarksupport.com
  301-610-9584 voice
  240-465-0323 Efax

    -Original Message-
    From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
    Sent: Monday, September 24, 2001 5:41 PM
    To: NT System Admin Issues
    Subject: RE: Another F(*&^ virus!

    Trend has a def file for it.
    945
    It isn't available via automatic DL yet, but you can DL the ZIP file
    and manually put it in.

      -Original Message-
      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
      Sent: Monday, September 24, 2001 1:37 PM
      To: NT System Admin Issues
      Subject: Another F(*&^ virus!

      Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
      Name of attachment: WTC.exe
      Size of attachment: 55808 Bytes

      Symantec Security Response
      http://securityresponse.symantec.com

      W32.Vote.A@mm
      Discovered on: September 24, 2001
      Last Updated on: September 24, 2001 at 09:56:27 AM PDT

      W32.Vote.A@mm is a mass-mailing worm that is written in Visual
      Basic. When executed, it will email itself out to all email
      addresses in the Microsoft Outlook address book. The worm will
      insert two .vbs files on the system, and it will also attempt to
      delete files from several antivirus products.

      Type: Worm
      Infection Length: 55,808 Bytes
      Virus Definitions: September 24, 2001

      Threat Assessment:
      Wild: Low  Damage: High  Distribution: High

      Wild:
      Number of infections: 0 - 49
      Number of sites: 3 - 9
      Geographical distribution: Medium
      Threat containment: Moderate
      Removal: Moderate

      Damage:
      Payload:
      Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
      Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
      Modifies files: All files with the extension "htm" or "html" will be overwritten.
      Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

      Distribution:
      Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
      Name of attachment: WTC.exe
      Size of attachment: 55808 Bytes

      Technical description:
      W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
      language. It requires the file Msvbvm50.dll to execute.

      When executed, the worm will attempt to email itself to all
      contacts in the Microsoft Outlook address book. The email will
      appear as follows.

      Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
      Message:
      Hi
      iS iT A waR Against AmeriCa Or IsLaM !?
      Let's Vote To Live in Peace!
      Attachment: WTC.EXE

      Next, the worm will insert two .vbs files on the system:
      \\ZaCker.vbs
      \\MixDaLaL.vbs

      In addition, the worm will attempt to download and execute a file.
      This file is detected as Backdoor.Trojan by Norton Antivirus.

      Finally, the worm will attempt to delete all files from several
      folders. These folders appear to be the default installation
      folders for several antivirus products. For Norton AntiVirus, this
      worm will only attempt to delete the files if Norton Antivirus is
      located in C:\Program Files\Norton AntiVirus.

      What the dropped files do

      MixDaLaL.vbs
      MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
      \Windows\System folder. This file is executed by the worm. As the
      file is executed, it will look through all folders on all fixed
      drives and network drives for files with the extensions .htm or
      .html. If such files are found, they are overwritten with the
      message:

      AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You

      ZaCker.VBS
      This file is inserted in the \Windows\System folder. It is not
      executed by the worm. Instead, the value

      Norton.Thar \Windows\System\ZaCker.vbs

      is added to the registry key

      HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run

      so that the file is executed when you start Windows.

      When executed at the next restart, this file will attempt to
      delete all files in the \Windows folder. Next, the worm will
      create or overwrite the file C:\Autoexec.bat. Inside the file
      there will be a command that formats the C drive. The Autoexec.bat
      file is executed on Windows 95/98/Me and DOS systems when you
      start the computer.

      Finally, the worm will display the message

      The worm does attempt to shut down Windows afte

RE: Another F(*&^ virus!

2001-09-24 Thread Allan Muchmore



Just now (4:40 pacific) when I hit LiveUpdate, I got the 9/20 updates.
W32.Vote.A@mm was not included. When I downloaded from their web page,
I got the 9/24 updates and W32.Vote.A@mm.

I have not noticed this discrepancy before. Has anyone else? If so, that
would argue against using the liveupdate button when hot new viruses are
about.

  
  -Original Message-
  From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:03 PM
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus!

  According to SARC, updating your definitions will detect this worm.
  Although, the latest update I get is dated Sep. 20. What's the scoop?

    -Original Message-
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
    Sent: Monday, September 24, 2001 4:37 PM
    To: NT System Admin Issues
    Subject: Another F(*&^ virus!

    Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Name of attachment: WTC.exe
    Size of attachment: 55808 Bytes

    Symantec Security Response
    http://securityresponse.symantec.com

    W32.Vote.A@mm
    Discovered on: September 24, 2001
    Last Updated on: September 24, 2001 at 09:56:27 AM PDT

    W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic.
    When executed, it will email itself out to all email addresses in the
    Microsoft Outlook address book. The worm will insert two .vbs files on
    the system, and it will also attempt to delete files from several
    antivirus products.

    Type: Worm
    Infection Length: 55,808 Bytes
    Virus Definitions: September 24, 2001

    Threat Assessment:
    Wild: Low  Damage: High  Distribution: High

    Wild:
    Number of infections: 0 - 49
    Number of sites: 3 - 9
    Geographical distribution: Medium
    Threat containment: Moderate
    Removal: Moderate

    Damage:
    Payload:
    Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
    Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
    Modifies files: All files with the extension "htm" or "html" will be overwritten.
    Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

    Distribution:
    Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Name of attachment: WTC.exe
    Size of attachment: 55808 Bytes

    Technical description:
    W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
    language. It requires the file Msvbvm50.dll to execute.

    When executed, the worm will attempt to email itself to all contacts
    in the Microsoft Outlook address book. The email will appear as
    follows.

    Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Message:
    Hi
    iS iT A waR Against AmeriCa Or IsLaM !?
    Let's Vote To Live in Peace!
    Attachment: WTC.EXE

    Next, the worm will insert two .vbs files on the system:
    \\ZaCker.vbs
    \\MixDaLaL.vbs

    In addition, the worm will attempt to download and execute a file.
    This file is detected as Backdoor.Trojan by Norton Antivirus.

    Finally, the worm will attempt to delete all files from several
    folders. These folders appear to be the default installation folders
    for several antivirus products. For Norton AntiVirus, this worm will
    only attempt to delete the files if Norton Antivirus is located in
    C:\Program Files\Norton AntiVirus.

    What the dropped files do

    MixDaLaL.vbs
    MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
    \Windows\System folder. This file is executed by the worm. As the file
    is executed, it will look through all folders on all fixed drives and
    network drives for files with the extensions .htm or .html. If such
    files are found, they are overwritten with the message:

    AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You

    ZaCker.VBS
    This file is inserted in the \Windows\System folder. It is not
    executed by the worm. Instead, the value

    Norton.Thar \Windows\System\ZaCker.vbs

    is added to the registry key

    HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run

    so that the file is executed when you start Windows.

    When executed at the next restart, this file will attempt to delete
    all files in the \Windows folder. Next, the worm will create or
    overwrite the file C:\Autoexec.bat. Inside the file there will be a
    command that formats the C drive. The Autoexec.bat file is executed on
    Windows 95/98/Me and DOS systems when you start the computer.

    Finally, the worm will display the message

    The worm does attempt to shut down Windows after the message has been
    displayed. However, because the files required for this event to occur
    have been deleted

RE: Another F(*&^ virus!

2001-09-24 Thread Danny Iaconetti



It finally took in an update.

  -Original Message-
  From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 7:03 PM
  To: NT System Admin Issues
  Subject: RE: Another F(*&^ virus!

  According to SARC, updating your definitions will detect this worm.
  Although, the latest update I get is dated Sep. 20. What's the scoop?

    -Original Message-
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
    Sent: Monday, September 24, 2001 4:37 PM
    To: NT System Admin Issues
    Subject: Another F(*&^ virus!

    Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Name of attachment: WTC.exe
    Size of attachment: 55808 Bytes

    Symantec Security Response
    http://securityresponse.symantec.com

    W32.Vote.A@mm
    Discovered on: September 24, 2001
    Last Updated on: September 24, 2001 at 09:56:27 AM PDT

    W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic.
    When executed, it will email itself out to all email addresses in the
    Microsoft Outlook address book. The worm will insert two .vbs files on
    the system, and it will also attempt to delete files from several
    antivirus products.

    Type: Worm
    Infection Length: 55,808 Bytes
    Virus Definitions: September 24, 2001

    Threat Assessment:
    Wild: Low  Damage: High  Distribution: High

    Wild:
    Number of infections: 0 - 49
    Number of sites: 3 - 9
    Geographical distribution: Medium
    Threat containment: Moderate
    Removal: Moderate

    Damage:
    Payload:
    Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
    Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
    Modifies files: All files with the extension "htm" or "html" will be overwritten.
    Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

    Distribution:
    Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Name of attachment: WTC.exe
    Size of attachment: 55808 Bytes

    Technical description:
    W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic
    language. It requires the file Msvbvm50.dll to execute.

    When executed, the worm will attempt to email itself to all contacts
    in the Microsoft Outlook address book. The email will appear as
    follows.

    Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
    Message:
    Hi
    iS iT A waR Against AmeriCa Or IsLaM !?
    Let's Vote To Live in Peace!
    Attachment: WTC.EXE

    Next, the worm will insert two .vbs files on the system:
    \\ZaCker.vbs
    \\MixDaLaL.vbs

    In addition, the worm will attempt to download and execute a file.
    This file is detected as Backdoor.Trojan by Norton Antivirus.

    Finally, the worm will attempt to delete all files from several
    folders. These folders appear to be the default installation folders
    for several antivirus products. For Norton AntiVirus, this worm will
    only attempt to delete the files if Norton Antivirus is located in
    C:\Program Files\Norton AntiVirus.

    What the dropped files do

    MixDaLaL.vbs
    MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
    \Windows\System folder. This file is executed by the worm. As the file
    is executed, it will look through all folders on all fixed drives and
    network drives for files with the extensions .htm or .html. If such
    files are found, they are overwritten with the message:

    AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You

    ZaCker.VBS
    This file is inserted in the \Windows\System folder. It is not
    executed by the worm. Instead, the value

    Norton.Thar \Windows\System\ZaCker.vbs

    is added to the registry key

    HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run

    so that the file is executed when you start Windows.

    When executed at the next restart, this file will attempt to delete
    all files in the \Windows folder. Next, the worm will create or
    overwrite the file C:\Autoexec.bat. Inside the file there will be a
    command that formats the C drive. The Autoexec.bat file is executed on
    Windows 95/98/Me and DOS systems when you start the computer.

    Finally, the worm will display the message

    The worm does attempt to shut down Windows after the message has been
    displayed. However, because the files required for this event to occur
    have been deleted from the \Windows folder, the computer probably will
    not shut down.

    Removal instructions:
    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on
    h

RE: Another F(*&^ virus!

2001-09-24 Thread Clark, Steve









Haven’t seen anything at all from NAI – have you?

 

Steve Clark

Clark Systems Support, LLC

AVIEN Charter Member

“Who's watching your network?”

www.clarksupport.com

301-610-9584 voice

240-465-0323 Efax

 

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 5:41 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

Trend has a def file for it.

945

It isn't available via
automatic DL yet, but you can DL the ZIP file and manually put it in.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 24, 2001
1:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

 

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe 
Size of attachment: 55808 Bytes 

Symantec Security Response 
http://securityresponse.symantec.com

  
W32.Vote.A@mm 
Discovered on: September 24, 2001 
Last Updated on: September 24, 2001 at 09:56:27 AM PDT 

W32.Vote.A@mm is a mass-mailing worm that
is written in Visual Basic. When executed, it will email itself out to all
email addresses in the Microsoft Outlook address book. The worm will insert two
.vbs files on the system, and it will also attempt to delete files from several
antivirus products. 

Type: Worm 

Infection Length: 55,808 Bytes 

Virus Definitions: September 24, 2001 

Threat Assessment: 

   
Wild: Low  Damage: High  Distribution: High
  

Wild: 

Number of infections: 0 - 49 
Number of sites: 3 - 9 
Geographical distribution: Medium 
Threat containment: Moderate 
Removal: Moderate 
Damage: 

Payload: 
Large scale e-mailing: Emails everyone in the Microsoft Outlook
addressbook 
Deletes files: After reboot, the worm attempts to delete all files
in the Windows folder 
Modifies files: All files with the extension "htm" or
"html" will be overwritten. 
Compromises security settings: If the Backdoor.Trojan was
successfully downloaded and installed, anyone could gain full access to the
computer. 

Distribution: 

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe 
Size of attachment: 55808 Bytes 

Technical description: 

W32.Vote.A@mm is a mass-mailing worm
written in the Visual Basic language. It requires the file Msvbvm50.dll to
execute.

When executed, the worm will attempt to
email itself to all contacts in the Microsoft Outlook address book. The email
will appear as follows.

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!

Message: 
Hi 
iS iT A waR Against AmeriCa Or IsLaM !? 
Let's Vote To Live in Peace! 

Attachment: WTC.EXE 

Next, the worm will insert two .vbs files
on the system: 

 

\\ZaCker.vbs 
\\MixDaLaL.vbs 

In addition, the worm will attempt to
download and execute a file. This file is detected as Backdoor.Trojan by Norton
Antivirus.

Finally, the worm will attempt to delete
all files from several folders. These folders appear to be the default
installation folders for several antivirus products. For Norton AntiVirus, this
worm will only attempt to delete the files if Norton Antivirus is located in
C:\Program Files\Norton AntiVirus.

What the dropped files do 

MixDaLaL.vbs 
MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
\Windows\System folder. This file is executed by the worm. As the file is
executed, it will look through all folders on all fixed drives and network
drives for files with the extensions .htm or .html. If such files are found,
they are overwritten with the message:

AmeRiCa ...Few Days WiLL Show You What We
Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You 

ZaCker.VBS 
This file is inserted in the \Windows\System folder. It is not
executed by the worm. Instead, the value 

Norton.Thar \Windows\System\ZaCker.vbs 

is added to the registry key 

HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run

so that the file is executed when you
start Windows. 

When executed at the next restart, this
file will attempt to delete all files in the \Windows folder. Next, the worm
will create or overwrite the file C:\Autoexec.bat. Inside the file there will
be a command that formats the C drive. The Autoexec.bat file is executed on
Windows 95/98/Me and DOS systems when you start the computer.

Finally, the worm will display the message

 

The worm does attempt to shut down Windows
after the message has been displayed. However, because the files required for
this event to occur have been deleted from the \Windows folder, the computer
probably will not shut down.

 

Removal instructions: 

 

1. Run LiveUpdate to make sure that you
have the most recent virus definitions. 
2. Start Norton AntiVirus (NAV), and make sure that NAV is
configured to scan all files. For instructions on how to do this, read the
document How to configure Norton AntiVirus to scan all files.

3. Run a full system scan. 
4. Delete all files that are 
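
An added example, not part of the original thread or of Symantec's advisory: the indicators listed above (the two dropped scripts, the Norton.Thar Run value, the 55808-byte WTC.exe and a format command in Autoexec.bat) checked against evidence collected from a suspect machine. The REGEDIT4 export form, the full key path in the sample, the `format c:` pattern, the function names and the sample data are assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

DROPPED = {"zacker.vbs", "mixdalal.vbs"}  # dropped script names from the advisory
ATTACHMENT = ("wtc.exe", 55808)           # attachment name and size from the advisory
RUN_VALUE = "norton.thar"                 # Run value name from the advisory

def run_entries(reg_text):
    """Yield (name, data) for values in any ...\\CurrentVersion\\Run section."""
    in_run = False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
        elif in_run:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; un-escape the doubled backslashes
                yield m.group(1), m.group(2).replace("\\\\", "\\")

def triage(reg_text, files, autoexec_text):
    """files is an iterable of (path, size); returns sorted finding strings."""
    findings = set()
    for name, data in run_entries(reg_text):
        if name.lower() == RUN_VALUE or any(d in data.lower() for d in DROPPED):
            findings.add(f"run-key: {name} -> {data}")
    for path, size in files:
        p = PureWindowsPath(path)
        if p.name.lower() in DROPPED and p.parent.name.lower() == "system":
            findings.add(f"dropped-script: {path}")
        if (p.name.lower(), size) == ATTACHMENT:
            findings.add(f"attachment-copy: {path}")
    for line in map(str.strip, autoexec_text.splitlines()):
        if line.lower().startswith(("rem ", "::")):
            continue  # commented-out lines never run
        # Assumed pattern: the advisory does not quote the exact command.
        if re.search(r"\bformat(\.com)?\s+c:", line, re.I):
            findings.add(f"autoexec-format: {line}")
    return sorted(findings)

# Constructed sample evidence, not from a real host; the key path is assumed.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Norton.Thar"="C:\\WINDOWS\\SYSTEM\\ZaCker.vbs"
'''
SAMPLE_FILES = [(r"C:\WINDOWS\SYSTEM\MixDaLaL.vbs", 1024), (r"C:\TEMP\WTC.exe", 55808)]
SAMPLE_AUTOEXEC = "@echo off\nrem format c: (disabled)\nFORMAT C:\n"
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_AUTOEXEC)))
```

A finding in Autoexec.bat or the Run key before the next restart is the case that matters most, since the advisory places the destructive steps at the reboot.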

RE: Another F(*&^ virus!

2001-09-24 Thread Martin Blackstone
Title: Message



Trend has a def file for it.
945
It isn't available via automatic DL yet, but you can DL the ZIP file and manually
put it in.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 1:37 PM
  To: NT System Admin Issues
  Subject: Another F(*&^ virus!
  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes
  Symantec Security Response http://securityresponse.symantec.com
  W32.Vote.A@mm
  Discovered on: September 24, 2001
  Last Updated on: September 24, 2001 at 09:56:27 AM PDT
  W32.Vote.A@mm is a mass-mailing worm that is written in Visual 
  Basic. When executed, it will email itself out to all email addresses in the 
  Microsoft Outlook address book. The worm will insert two .vbs files on the 
  system, and it will also attempt to delete files from several antivirus 
  products. 
  Type: Worm 
  Infection Length: 55,808 Bytes 
  Virus Definitions: September 24, 2001 
  Threat Assessment:
  Wild: Low  Damage: High  Distribution: High
  Wild:
  Number of infections: 0 - 49
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Moderate
  Removal: Moderate
  Damage:
  Payload:
  Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
  Deletes files: After reboot, the worm attempts to delete all files in the
  Windows folder
  Modifies files: All files with the extension "htm" or "html" will be
  overwritten.
  Compromises security settings: If the Backdoor.Trojan was successfully
  downloaded and installed, anyone could gain full access to the computer.
  Distribution:
  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes
  Technical description: 
  W32.Vote.A@mm is a mass-mailing worm written in the Visual 
  Basic language. It requires the file Msvbvm50.dll to execute.
  When executed, the worm will attempt to email itself to all 
  contacts in the Microsoft Outlook address book. The email will appear as 
  follows.
  Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
  Attachment: WTC.EXE
  Next, the worm will insert two .vbs files on the system:
  \\ZaCker.vbs
  \\MixDaLaL.vbs
  In addition, the worm will attempt to download and execute a 
  file. This file is detected as Backdoor.Trojan by Norton Antivirus.
  Finally, the worm will attempt to delete all files from 
  several folders. These folders appear to be the default installation folders 
  for several antivirus products. For Norton AntiVirus, this worm will only 
  attempt to delete the files if Norton Antivirus is located in C:\Program 
  Files\Norton AntiVirus.
  What the dropped files do 
  MixDaLaL.vbs
  MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
  \Windows\System folder. This file is executed by the worm. As the file is
  executed, it will look through all folders on all fixed drives and network
  drives for files with the extensions .htm or .html. If such files are found,
  they are overwritten with the message:
  AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our
  Turn >>> ZaCkEr is So Sorry For You
  ZaCker.VBS
  This file is inserted in the \Windows\System folder. It is not executed by
  the worm. Instead, the value
  Norton.Thar \Windows\System\ZaCker.vbs
  is added to the registry key
  HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run
  so that the file is executed when you start Windows.
  
  When executed at the next restart, this file will attempt to 
  delete all files in the \Windows folder. Next, the worm will create or 
  overwrite the file C:\Autoexec.bat. Inside the file there will be a command 
  that formats the C drive. The Autoexec.bat file is executed on Windows 
  95/98/Me and DOS systems when you start the computer.
  Finally, the worm will display the message

  The worm does attempt to shut down Windows after the message 
  has been displayed. However, because the files required for this event to 
  occur have been deleted from the \Windows folder, the computer probably will 
  not shut down.
  Removal instructions: 
  1. Run LiveUpdate to make sure that you have the most recent
  virus definitions.
  2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
  scan all files. For instructions on how to do this, read the document
  How to configure Norton AntiVirus to scan all files.
  3. Run a full system scan.
  4. Delete all files that are detected as W32.Vote.A@mm. If the worm has run
  and Norton AntiVirus is installed in C:\Program Files\Norton AntiVirus, you
  should reinstall Norton Antivirus.
  5. If the computer has been rebooted after the infection, or 
  if the computer seems very unstable, it is recommended that you reinstall the 
  operating system.
  Addi

RE: Another F(*&^ virus!

2001-09-24 Thread Danny Iaconetti
Title: Another F(*&^ virus!



According to SARC, updating your definitions will detect this worm. 
Although, the latest update I get is dated Sep. 20. What's the 
scoop?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Monday, September 24, 2001 4:37 PM
  To: NT System Admin Issues
  Subject: Another F(*&^ virus!
  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes
  Symantec Security Response http://securityresponse.symantec.com
  W32.Vote.A@mm
  Discovered on: September 24, 2001
  Last Updated on: September 24, 2001 at 09:56:27 AM PDT
  W32.Vote.A@mm is a mass-mailing worm that is written in Visual 
  Basic. When executed, it will email itself out to all email addresses in the 
  Microsoft Outlook address book. The worm will insert two .vbs files on the 
  system, and it will also attempt to delete files from several antivirus 
  products. 
  Type: Worm 
  Infection Length: 55,808 Bytes 
  Virus Definitions: September 24, 2001 
  Threat Assessment:
  Wild: Low  Damage: High  Distribution: High
  Wild:
  Number of infections: 0 - 49
  Number of sites: 3 - 9
  Geographical distribution: Medium
  Threat containment: Moderate
  Removal: Moderate
  Damage:
  Payload:
  Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
  Deletes files: After reboot, the worm attempts to delete all files in the
  Windows folder
  Modifies files: All files with the extension "htm" or "html" will be
  overwritten.
  Compromises security settings: If the Backdoor.Trojan was successfully
  downloaded and installed, anyone could gain full access to the computer.
  Distribution:
  Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Name of attachment: WTC.exe
  Size of attachment: 55808 Bytes
  Technical description: 
  W32.Vote.A@mm is a mass-mailing worm written in the Visual 
  Basic language. It requires the file Msvbvm50.dll to execute.
  When executed, the worm will attempt to email itself to all 
  contacts in the Microsoft Outlook address book. The email will appear as 
  follows.
  Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
  Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
  Attachment: WTC.EXE
  Next, the worm will insert two .vbs files on the system:
  \\ZaCker.vbs
  \\MixDaLaL.vbs
  In addition, the worm will attempt to download and execute a 
  file. This file is detected as Backdoor.Trojan by Norton Antivirus.
  Finally, the worm will attempt to delete all files from 
  several folders. These folders appear to be the default installation folders 
  for several antivirus products. For Norton AntiVirus, this worm will only 
  attempt to delete the files if Norton Antivirus is located in C:\Program 
  Files\Norton AntiVirus.
  What the dropped files do 
  MixDaLaL.vbs
  MixDaLaL.vbs is a Visual Basic Script file that is inserted in the
  \Windows\System folder. This file is executed by the worm. As the file is
  executed, it will look through all folders on all fixed drives and network
  drives for files with the extensions .htm or .html. If such files are found,
  they are overwritten with the message:
  AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our
  Turn >>> ZaCkEr is So Sorry For You
  ZaCker.VBS
  This file is inserted in the \Windows\System folder. It is not executed by
  the worm. Instead, the value
  Norton.Thar \Windows\System\ZaCker.vbs
  is added to the registry key
  HKEY_LOCAL_MACHINE\Microsoft\ Windows\CurrentVersion\Run
  so that the file is executed when you start Windows.
  
  When executed at the next restart, this file will attempt to 
  delete all files in the \Windows folder. Next, the worm will create or 
  overwrite the file C:\Autoexec.bat. Inside the file there will be a command 
  that formats the C drive. The Autoexec.bat file is executed on Windows 
  95/98/Me and DOS systems when you start the computer.
  Finally, the worm will display the message

  The worm does attempt to shut down Windows after the message 
  has been displayed. However, because the files required for this event to 
  occur have been deleted from the \Windows folder, the computer probably will 
  not shut down.
  Removal instructions: 
  1. Run LiveUpdate to make sure that you have the most recent
  virus definitions.
  2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
  scan all files. For instructions on how to do this, read the document
  How to configure Norton AntiVirus to scan all files.
  3. Run a full system scan.
  4. Delete all files that are detected as W32.Vote.A@mm. If the worm has run
  and Norton AntiVirus is installed in C:\Program Files\Norton AntiVirus, you
  should reinstall Norton Antivirus.
  5. If the computer has been rebooted after the infection, or 
  if the computer seems very unstable, it is recommended that you reinstall the 
  oper