RE: Another F(*&^ virus!
thanks. Still don't see a virus-specific newsletter with alerts like other vendors seem to have. And they were way, way behind in getting the Nimda and Vote defs out the door.

-----Original Message-----
From: Lagerstrom, Lanette [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 4:44 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

Just FYI --

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

Lanette Lagerstrom
Northrop Grumman Information Technology
Internal Information Services
Network Administrator

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 6:51 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

Actually one of my users sent that to me. I use Panda, which of course once again seems to be the last to know.

-----Original Message-----
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com

W32.Vote.A@mm
Discovered on: September 24, 2001
Last Updated on: September 24, 2001 at 09:56:27 AM PDT

W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic. When executed, it will email itself out to all email addresses in the Microsoft Outlook address book. The worm will insert two .vbs files on the system, and it will also attempt to delete files from several antivirus products.

Type: Worm
Infection Length: 55,808 Bytes
Virus Definitions: September 24, 2001

Threat Assessment:
Wild: Low
Damage: High
Distribution: High

Wild:
Number of infections: 0 - 49
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Damage:
Payload:
Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
Modifies files: All files with the extension "htm" or "html" will be overwritten.
Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

Distribution:
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Technical description:

W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic language. It requires the file Msvbvm50.dll to execute.

When executed, the worm will attempt to email itself to all contacts in the Microsoft Outlook address book. The email will appear as follows.

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
Attachment: WTC.EXE

Next, the worm will insert two .vbs files on the system:
\\ZaCker.vbs
\\MixDaLaL.vbs

In addition, the worm will attempt to download and execute a file. This file is detected as Backdoor.Trojan by Norton Antivirus.

Finally, the worm will attempt to delete all files from several folders. These folders appear to be the default installation folders for several antivirus products. For Norton AntiVirus, this worm will only attempt to delete the files if Norton Antivirus is located in C:\Program Files\Norton AntiVirus.

What the dropped files do

MixDaLaL.vbs
MixDaLaL.vbs is a Visual Basic Script file that is inserted in the \Windows\System folder. This file is executed by the worm. As the file is executed, it will look through all folders on all fixed drives and network drives for files with the extensions .htm or .html. If such a
RE: Another F(*&^ virus!
Just FYI --

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

Lanette Lagerstrom
Northrop Grumman Information Technology
Internal Information Services
Network Administrator

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 6:51 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

Actually one of my users sent that to me. I use Panda, which of course once again seems to be the last to know.

-----Original Message-----
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com

W32.Vote.A@mm
Discovered on: September 24, 2001
Last Updated on: September 24, 2001 at 09:56:27 AM PDT

W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic. When executed, it will email itself out to all email addresses in the Microsoft Outlook address book. The worm will insert two .vbs files on the system, and it will also attempt to delete files from several antivirus products.

Type: Worm
Infection Length: 55,808 Bytes
Virus Definitions: September 24, 2001

Threat Assessment:
Wild: Low
Damage: High
Distribution: High

Wild:
Number of infections: 0 - 49
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Damage:
Payload:
Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
Modifies files: All files with the extension "htm" or "html" will be overwritten.
Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

Distribution:
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Technical description:

W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic language. It requires the file Msvbvm50.dll to execute.

When executed, the worm will attempt to email itself to all contacts in the Microsoft Outlook address book. The email will appear as follows.

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
Attachment: WTC.EXE

Next, the worm will insert two .vbs files on the system:
\\ZaCker.vbs
\\MixDaLaL.vbs

In addition, the worm will attempt to download and execute a file. This file is detected as Backdoor.Trojan by Norton Antivirus.

Finally, the worm will attempt to delete all files from several folders. These folders appear to be the default installation folders for several antivirus products. For Norton AntiVirus, this worm will only attempt to delete the files if Norton Antivirus is located in C:\Program Files\Norton AntiVirus.

What the dropped files do

MixDaLaL.vbs
MixDaLaL.vbs is a Visual Basic Script file that is inserted in the \Windows\System folder. This file is executed by the worm. As the file is executed, it will look through all folders on all fixed drives and network drives for files with the extensions .htm or .html. If such files are found, they are overwritten with the message:

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You

ZaCker.VBS
This file is inserted in the \Windows\System folder. It is not executed by the worm. Instead, the value

Norton.Thar \Windows\System\ZaCker.vbs

is added to the registry key

HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run

so that the file is executed when you start Windows. When executed at the next restart, this file will att
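The advisory quoted above gives three message-level indicators (subject, attachment name, attachment size), so a mail server can flag the message before any desktop scanner sees it. The following is an added example, not part of the original thread or of any vendor's product; the blocked-extension list, the function names, the verdict labels and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as given in the Symantec advisory quoted in the thread.
VOTE_SUBJECT = "fwd:peace between america and islam!"
VOTE_ATTACHMENT = "wtc.exe"
VOTE_SIZE = 55808  # bytes

# Assumption: extensions this hypothetical gateway refuses regardless of
# whether a signature exists yet.
BLOCKED_EXTENSIONS = (".exe", ".vbs", ".scr", ".pif", ".bat", ".com")


def normalise(text):
    """Lower-case and collapse whitespace so odd capitalisation still matches."""
    return " ".join((text or "").split()).lower()


def find_indicators(raw):
    """Return the set of indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    if normalise(msg["Subject"]) == VOTE_SUBJECT:
        found.add("vote-subject")
    # walk() visits nested parts too, so a forwarded copy is still inspected.
    for part in msg.walk():
        name = normalise(part.get_filename())
        if not name:
            continue
        body = part.get_payload(decode=True) or b""
        if name == VOTE_ATTACHMENT:
            found.add("vote-attachment-name")
            # Size is checked on the decoded attachment, not the base64 text.
            if len(body) == VOTE_SIZE:
                found.add("vote-attachment-size")
        if name.endswith(BLOCKED_EXTENSIONS):
            found.add("blocked-extension")
    return found


def classify(raw):
    """Two or more advisory indicators quarantine the whole message;
    any blocked extension alone only strips the attachment."""
    found = find_indicators(raw)
    vote_hits = sum(1 for f in found if f.startswith("vote-"))
    if vote_hits >= 2:
        return "quarantine"
    if "blocked-extension" in found:
        return "strip-attachment"
    return "deliver"


def make_sample(subject, filename, size):
    """Constructed test message; the payload is zero bytes, not a real sample."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "list@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("Fwd:Peace BeTweeN AmeriCa and IsLaM!", "WTC.EXE", 55808),
        ("hello", "wtc.exe", 100),
        ("Re: update", "setup.vbs", 10),
        ("notes", "report.txt", 10),
    ]
    for subject, filename, size in samples:
        raw = make_sample(subject, filename, size)
        print(filename, size, sorted(find_indicators(raw)), classify(raw))
```

The extension rule is what covers the gap the thread complains about: it acts on the attachment type alone, so it does not depend on a definitions update having arrived.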
RE: Another F(*&^ virus! (OT)
I finally got it to autoupdate for Exchange. But as I said earlier, I'm still not sure if they have Vote in their defs, their website doesn't get updated quick enough and they don't send alerts.

-----Original Message-----
From: Hasan Dervish [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:19 AM
To: NT System Admin Issues
Subject: Re: Another F(*&^ virus! (OT)

I use Panda on BackOffice and BackOffice SBS; the only problem I have seen is its inability to fully autoupdate in SBS, and autoupdate Exchange Server in BackOffice.

----- Original Message -----
From: "Miranda, Fausto" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 2:57 PM
Subject: RE: Another F(*&^ virus! (OT)

> dump it, I have never seen it work correctly.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 25, 2001 9:21 AM
> To: NT System Admin Issues
> Subject: RE: Another F(*&^ virus! (OT)
>
> A little off the topic here, but how do you find Panda? We use Norton AV
> for desktop and server protection, but have Panda for Lotus Notes
> protection (I think it's a good idea to have a double layer sometimes).
> Panda was suggested by our Notes Admin guy, and it has not worked correctly
> since! Currently it is only running on one of our 4 Notes servers, and I
> don't think it is doing too well there! I'm about ready to dump it, and
> have put Norton on the other Notes servers to make sure they are covered.
> Anyone else out there use Panda, and would actually recommend it?
>
> G.
>
> RZorz@ScottsdaleChamber.com
> 25/09/2001 13:51
> Please respond to "NT System Admin Issues"
>
> To: "NT System Admin Issues" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: Another F(*&^ virus!
>
> Actually one of my users sent that to me. I use Panda, which of course once
> again seems to be the last to know.
RE: Another F(*&^ virus! (OT)
Again, not a problem here. They all logout, and they all shutdown. If they don't for some reason, it shows up on the Panda Administrator screen, and I log them off myself. Hasn't been that big a problem here, but I've only got 50 users.

-----Original Message-----
From: Randal, Phil [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 7:45 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)

Sorry to be pedantic, but a login script is a pull, not a push, and if your users habitually don't log out the login script ain't going to get run in a hurry.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 25 September 2001 15:01
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)

I haven't worked with any of the other packages, so I can't compare. It seems to do ok, although they don't have any "ALERT" system, and always seem to be the last to get a definition out. I still don't know if they have the Vote virus covered.

They automatically create a logon script to push the defs to the desktop, so as long as you make sure the server gets updated before everyone logs on it works fine. Our work hours make this a non-issue. Remote users have a problem with the speed.

I do know that I gave up on active desktop scanning. It slowed my workstations down too much. I've been lucky that my folks get a lot of e-mail, but aren't big on downloading files. So I'm scanning Exchange and Outlook. Personally, I think way too many of the virii are being caught at the desktop rather than the Exchange server. They also have no filtering/blocking. As soon as I can free up some money I'll most likely dump the Panda for Exchange and get Sybari.

Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Re: Another F(*&^ virus! (OT)
I use Panda on BackOffice and BackOffice SBS; the only problem I have seen is its inability to fully autoupdate in SBS, and autoupdate Exchange Server in BackOffice.

----- Original Message -----
From: "Miranda, Fausto" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 2:57 PM
Subject: RE: Another F(*&^ virus! (OT)

> dump it, I have never seen it work correctly.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 25, 2001 9:21 AM
> To: NT System Admin Issues
> Subject: RE: Another F(*&^ virus! (OT)
>
> A little off the topic here, but how do you find Panda? We use Norton AV
> for desktop and server protection, but have Panda for Lotus Notes
> protection (I think it's a good idea to have a double layer sometimes).
> Panda was suggested by our Notes Admin guy, and it has not worked correctly
> since! Currently it is only running on one of our 4 Notes servers, and I
> don't think it is doing too well there! I'm about ready to dump it, and
> have put Norton on the other Notes servers to make sure they are covered.
> Anyone else out there use Panda, and would actually recommend it?
>
> G.
>
> RZorz@ScottsdaleChamber.com
> 25/09/2001 13:51
> Please respond to "NT System Admin Issues"
>
> To: "NT System Admin Issues" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: Another F(*&^ virus!
>
> Actually one of my users sent that to me. I use Panda, which of course once
> again seems to be the last to know.
>
> -----Original Message-----
> From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 24, 2001 4:03 PM
> To: NT System Admin Issues
> Subject: RE: Another F(*&^ virus!
>
> According to SARC, updating your definitions will detect this worm.
> Although, the latest update I get is dated Sep. 20. What's the scoop?
RE: Another F(*&^ virus! (OT)
As of 9:50am E.D.T. (that I know of and we're running them) NAV is offering sigs with a 9/24/01 date.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:21 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)

A little off the topic here, but how do you find Panda? We use Norton AV for desktop and server protection, but have Panda for Lotus Notes protection (I think it's a good idea to have a double layer sometimes). Panda was suggested by our Notes Admin guy, and it has not worked correctly since! Currently it is only running on one of our 4 Notes servers, and I don't think it is doing too well there! I'm about ready to dump it, and have put Norton on the other Notes servers to make sure they are covered. Anyone else out there use Panda, and would actually recommend it?

G.

RZorz@ScottsdaleChamber.com
25/09/2001 13:51
Please respond to "NT System Admin Issues"

To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: RE: Another F(*&^ virus!

Actually one of my users sent that to me. I use Panda, which of course once again seems to be the last to know.

-----Original Message-----
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
RE: Another F(*&^ virus! (OT)
Sorry to be pedantic, but a login script is a pull, not a push, and if your users habitually don't log out the login script ain't going to get run in a hurry.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 25 September 2001 15:01
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)

I haven't worked with any of the other packages, so I can't compare. It seems to do ok, although they don't have any "ALERT" system, and always seem to be the last to get a definition out. I still don't know if they have the Vote virus covered.

They automatically create a logon script to push the defs to the desktop, so as long as you make sure the server gets updated before everyone logs on it works fine. Our work hours make this a non-issue. Remote users have a problem with the speed.

I do know that I gave up on active desktop scanning. It slowed my workstations down too much. I've been lucky that my folks get a lot of e-mail, but aren't big on downloading files. So I'm scanning Exchange and Outlook. Personally, I think way too many of the virii are being caught at the desktop rather than the Exchange server. They also have no filtering/blocking. As soon as I can free up some money I'll most likely dump the Panda for Exchange and get Sybari.
RE: Another F(*&^ virus! (OT)
dump it, I have never seen it work correctly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 9:21 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)

A little off the topic here, but how do you find Panda? We use Norton AV for desktop and server protection, but have Panda for Lotus Notes protection (I think it's a good idea to have a double layer sometimes). Panda was suggested by our Notes Admin guy, and it has not worked correctly since! Currently it is only running on one of our 4 Notes servers, and I don't think it is doing too well there! I'm about ready to dump it, and have put Norton on the other Notes servers to make sure they are covered. Anyone else out there use Panda, and would actually recommend it?

G.

RZorz@ScottsdaleChamber.com
25/09/2001 13:51
Please respond to "NT System Admin Issues"

To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: RE: Another F(*&^ virus!

Actually one of my users sent that to me. I use Panda, which of course once again seems to be the last to know.

-----Original Message-----
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com

W32.Vote.A@mm
Discovered on: September 24, 2001
Last Updated on: September 24, 2001 at 09:56:27 AM PDT

W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic.
RE: Another F(*&^ virus! (OT)
I haven't worked with any of the other packages, so I can't compare. It seems to do ok, although they don't have any "ALERT" system, and always seem to be the last to get a definition out. I still don't know if they have the Vote virus covered.

They automatically create a logon script to push the defs to the desktop, so as long as you make sure the server gets updated before everyone logs on it works fine. Our work hours make this a non-issue. Remote users have a problem with the speed.

I do know that I gave up on active desktop scanning. It slowed my workstations down too much. I've been lucky that my folks get a lot of e-mail, but aren't big on downloading files. So I'm scanning Exchange and Outlook. Personally, I think way too many of the virii are being caught at the desktop rather than the Exchange server. They also have no filtering/blocking. As soon as I can free up some money I'll most likely dump the Panda for Exchange and get Sybari.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 6:21 AM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus! (OT)

A little off the topic here, but how do you find Panda? We use Norton AV for desktop and server protection, but have Panda for Lotus Notes protection (I think it's a good idea to have a double layer sometimes). Panda was suggested by our Notes Admin guy, and it has not worked correctly since! Currently it is only running on one of our 4 Notes servers, and I don't think it is doing too well there! I'm about ready to dump it, and have put Norton on the other Notes servers to make sure they are covered. Anyone else out there use Panda, and would actually recommend it?

G.

RZorz@ScottsdaleChamber.com
25/09/2001 13:51
Please respond to "NT System Admin Issues"

To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: RE: Another F(*&^ virus!

Actually one of my users sent that to me.
I use Panda, which of course once again seems to be the last to know.
RE: Another F(*&^ virus! (OT)
A little off the topic here, but how do you find Panda? We use Norton AV for desktop and server protection, but have Panda for Lotus Notes protection (I think it's a good idea to have a double layer sometimes). Panda was suggested by our Notes Admin guy, and it has not worked correctly since! Currently it is only running on one of our 4 Notes servers, and I don't think it is doing too well there! I'm about ready to dump it, and have put Norton on the other Notes servers to make sure they are covered. Anyone else out there use Panda, and would actually recommend it?

G.

RZorz@ScottsdaleChamber.com
25/09/2001 13:51
Please respond to "NT System Admin Issues"

To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject: RE: Another F(*&^ virus!

Actually one of my users sent that to me. I use Panda, which of course once again seems to be the last to know.

-----Original Message-----
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com

W32.Vote.A@mm
Discovered on: September 24, 2001
Last Updated on: September 24, 2001 at 09:56:27 AM PDT

W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic. When executed, it will email itself out to all email addresses in the Microsoft Outlook address book. The worm will insert two .vbs files on the system, and it will also attempt to delete files from several antivirus products.
Type: Worm Infection Length: 55,808 Bytes Virus Definitions: September 24, 2001 Threat Assessment: Wild: Low Damage: High Distribution: High Wild: Number of infections: 0 - 49 Number of sites: 3 - 9 Geographical distribution: Medium Threat containment: Moderate Removal: Moderate Damage: Payload: Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook Deletes files: After reboot, the worm attempts to delete all files in the Windows folder Modifies files: All files with the extension "htm" or "html" will be overwritten. Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer. Distribution: Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM! Name of attachment: WTC.exe Size of attachment: 55808 Bytes Technical description: W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic language. It requires the file Msvbvm50.dll to execute. When executed, the worm will attempt to email itself to all contacts in the Microsoft Outlook address book. The email will appear as follows. Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM! Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace! Attachment: WTC.EXE Next, the worm will insert two .vbs files on the system: \\ZaCker.vbs \\MixDaLaL.vbs
RE: Another F(*&^ virus!
Actually one of my users sent that to me. I use Panda, which of course once again seems to be the last to know.

-Original Message-
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com
W32.Vote.A@mm
Re: Another F(*&^ virus!
I'm on the east coast and when I left at 5:30pm this evening our systems were at the 920 sigs. Gotta love it you subscribe and pay annual fees and the fringing firms don't even email you that you need an emergency update between your systems scheduled updates. This list has paid off handsomely over the past week ... pretty much the early warnings system for latest and greatest viruses

- Original Message -
From: Allan Muchmore
To: NT System Admin Issues
Sent: Monday, September 24, 2001 7:44 PM
Subject: RE: Another F(*&^ virus!

Just now (4:40 pacific) when I hit LiveUpdate, I got the 9/20 updates. W32.Vote.A@mm was not included. When I downloaded from their web page, I got the 9/24 updates and W32.Vote.A@mm. I have not noticed this discrepancy before. Has anyone else? If so, that would argue against using the liveupdate button when hot new viruses are about.

-Original Message-
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com
W32.Vote.A@mm
RE: Another F(*&^ virus!
yes it is avail. auto DL, try again

-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 16:44
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

Haven't seen anything at all from NAI - have you?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
"Who's watching your network?"
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 5:41 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

Trend has a def file for it. 945
It isn't available via automatic DL yet, but you can DL the ZIP file and manually put it in.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 1:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com
W32.Vote.A@mm
RE: Another F(*&^ virus!
Just now (4:40 pacific) when I hit LiveUpdate, I got the 9/20 updates. W32.Vote.A@mm was not included. When I downloaded from their web page, I got the 9/24 updates and W32.Vote.A@mm. I have not noticed this discrepancy before. Has anyone else? If so, that would argue against using the liveupdate button when hot new viruses are about.

-Original Message-
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com
W32.Vote.A@mm
RE: Another F(*&^ virus!
It finally took in an update.

-Original Message-
From: Danny Iaconetti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 7:03 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com
W32.Vote.A@mm
RE: Another F(*&^ virus!
Haven’t seen anything at all from NAI – have you?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
“Who's watching your network?”
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 5:41 PM
To: NT System Admin Issues
Subject: RE: Another F(*&^ virus!

Trend has a def file for it. 945
It isn't available via automatic DL yet, but you can DL the ZIP file and manually put it in.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 1:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com
W32.Vote.A@mm
RE: Another F(*&^ virus!
Title: Message

Trend has a def file for it. 945 It isn't available via automatic DL yet, but you can DL the ZIP file and manually put it in.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 1:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Symantec Security Response
http://securityresponse.symantec.com

W32.Vote.A@mm
Discovered on: September 24, 2001
Last Updated on: September 24, 2001 at 09:56:27 AM PDT

W32.Vote.A@mm is a mass-mailing worm that is written in Visual Basic. When executed, it will email itself out to all email addresses in the Microsoft Outlook address book. The worm will insert two .vbs files on the system, and it will also attempt to delete files from several antivirus products.

Type: Worm
Infection Length: 55,808 Bytes
Virus Definitions: September 24, 2001

Threat Assessment:
Wild: Low
Damage: High
Distribution: High

Wild:
Number of infections: 0 - 49
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Damage:
Payload:
Large scale e-mailing: Emails everyone in the Microsoft Outlook addressbook
Deletes files: After reboot, the worm attempts to delete all files in the Windows folder
Modifies files: All files with the extension "htm" or "html" will be overwritten.
Compromises security settings: If the Backdoor.Trojan was successfully downloaded and installed, anyone could gain full access to the computer.

Distribution:
Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes

Technical description:

W32.Vote.A@mm is a mass-mailing worm written in the Visual Basic language. It requires the file Msvbvm50.dll to execute. When executed, the worm will attempt to email itself to all contacts in the Microsoft Outlook address book. The email will appear as follows.

Subject: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Message: Hi iS iT A waR Against AmeriCa Or IsLaM !? Let's Vote To Live in Peace!
Attachment: WTC.EXE

Next, the worm will insert two .vbs files on the system:

\\ZaCker.vbs
\\MixDaLaL.vbs

In addition, the worm will attempt to download and execute a file. This file is detected as Backdoor.Trojan by Norton Antivirus.

Finally, the worm will attempt to delete all files from several folders. These folders appear to be the default installation folders for several antivirus products. For Norton AntiVirus, this worm will only attempt to delete the files if Norton Antivirus is located in C:\Program Files\Norton AntiVirus.

What the dropped files do

MixDaLaL.vbs

MixDaLaL.vbs is a Visual Basic Script file that is inserted in the \Windows\System folder. This file is executed by the worm. As the file is executed, it will look through all folders on all fixed drives and network drives for files with the extensions .htm or .html. If such files are found, they are overwritten with the message:

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You

ZaCker.VBS

This file is inserted in the \Windows\System folder. It is not executed by the worm. Instead, the value

Norton.Thar \Windows\System\ZaCker.vbs

is added to the registry key

HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run

so that the file is executed when you start Windows.

When executed at the next restart, this file will attempt to delete all files in the \Windows folder. Next, the worm will create or overwrite the file C:\Autoexec.bat. Inside the file there will be a command that formats the C drive. The Autoexec.bat file is executed on Windows 95/98/Me and DOS systems when you start the computer.

Finally, the worm will display the message

The worm does attempt to shut down Windows after the message has been displayed. However, because the files required for this event to occur have been deleted from the \Windows folder, the computer probably will not shut down.

Removal instructions:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Vote.A@mm. If the worm has run and Norton AntiVirus is installed in C:\Program Files\Norton AntiVirus, you should reinstall Norton Antivirus.
5. If the computer has been rebooted after the infection, or if the computer seems very unstable, it is recommended that you reinstall the operating system.

Addi
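A read-only triage sketch for the file-system indicators the advisory above lists, run against a mounted disk image or restored tree. It is an added example, not part of the original thread or of Symantec's advisory; the matching rules, the indicator labels and the sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the advisory; the matching rules are assumptions.
DROPPED = {"zacker.vbs", "mixdalal.vbs"}   # scripts placed in \Windows\System
DEFACE = "zacker is so sorry for you"      # compared lower-cased, whitespace collapsed
FORMAT_C = re.compile(r"^\s*@?\s*format(\.com)?\s+c:", re.I | re.M)

def _text(path):
    return " ".join(path.read_text(errors="replace").lower().split())

def triage(root):
    """Scan a mounted image or restored tree; return sorted (indicator, path)."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel, name = p.relative_to(root).as_posix(), p.name.lower()
        if name in DROPPED:
            hits.append(("dropped-script", rel))
        elif name == "autoexec.bat" and p.parent == root:
            if FORMAT_C.search(p.read_text(errors="replace")):
                hits.append(("autoexec-format", rel))
        elif p.suffix.lower() in (".htm", ".html") and DEFACE in _text(p):
            hits.append(("overwritten-html", rel))
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree (not real malware): inert marker files only."""
    files = {
        "WINDOWS/SYSTEM/ZaCker.vbs": "' placeholder",
        "WINDOWS/SYSTEM/MixDaLaL.vbs": "' placeholder",
        "AUTOEXEC.BAT": "@echo off\r\nformat c:\r\n",
        "web/index.html": "It's Our Turn >>>\nZaCkEr is So Sorry For You",
        "web/clean.htm": "<html><body>intranet home</body></html>",
        "data/autoexec.bat": "format c:",  # not in the drive root: ignored
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for indicator, rel in triage(build_sample(tmp)):
            print(f"{indicator:18} {rel}")
```

The Run-key value the advisory describes lives in the registry hive, so it needs a separate check with a hive parser or an exported key.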
RE: Another F(*&^ virus!
Title: Another F(*&^ virus!

According to SARC, updating your definitions will detect this worm. Although, the latest update I get is dated Sep. 20. What's the scoop?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 4:37 PM
To: NT System Admin Issues
Subject: Another F(*&^ virus!

Subject of email: Fwd:Peace BeTweeN AmeriCa and IsLaM!
Name of attachment: WTC.exe
Size of attachment: 55808 Bytes