scotter
02-02-2001, 11:49 PM
this thing is nasty
Indications Of Infection
Mail recipients claiming they received an attachment from you when one was never sent. Depending on plugins installed, spiral graphic on the screen, inability to access antivirus sites.
Method Of Infection
The format of the newsgroup-posted message is as follows:
anon.lcs.mit.edu!nym.alias.net!mail2news
Message-ID: 20001113080521.28781.qmail@nym.alias.net
From: [USE-AUTHOR-ADDRESS-HEADER@[127.1]]
Author-Address: anonymous [AT]anon [DOT]lcs [DOT]mit [DOT] edu
Subject: http [code containing upper- and lower-case letters]
Mail-To-News-Contact: postmaster@nym.alias.net
Organization: mail2news@nym.alias.net
Newsgroups: alt.comp.virus
Lines: 46
KUWJGJWCVICGIWIWCZIWHCFXCHB [continues]....
[more coded lines]
[terminated by four asterisks]
****
The plugins are saved to the WINDOWS\SYSTEM directory with a random name consisting of eight random letters and an extension consisting of three random letters. The plugins are signed using public-key cryptography. That means that all the copies of the worm carry a public key which will only accept plugins digitally signed by the private key. Only the virus author has the private key, so only plugins that he approves will be accepted by the virus. Some of the current plugins are:
@@@@ or SPIRALE - This creates a file which displays a graphic of a "spiral" that cannot be closed or stopped. The file has a name consisting of eight random letters, and is loaded using the run= line of the [windows] section of win.ini. This spiral graphic is launched by this Internet worm on September 24th, or when the number of minutes are equal to 59 in the year 2001.
I_RZ - Adds a copy of the worm to ZIP and RAR archives containing EXE files. The original EXE file is renamed to an EX$ extension, and a copy of the virus takes the place of the original EXE file.
AVIP or AVINET.DAT - Blocks the infected computer from visiting certain antivirus websites by IP address, similar to the W95/MTX virus.
SUB7 - Searches for computers infected with the BackDoor-G trojan, and copies and executes itself on infected machines.
ENCR or POLY - Encrypts the virus with a polymorphic routine. Note that in spite of the polymorphic routine, VirusScan detects all of the permutations of the virus when using updated engine and DAT files.
TEXT or PR0N - This creates the message that the virus is sent with, depending on the language installed on the infected system:
English:
From: Hahaha [hahaha@sexyfun.net]
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs
always where very educated and polite with Snowhite.
When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the
door open, and the Seven Dwarfs enter...
Attachment: sexy virgin.scr or joke.exe or midgets.scr
or dwarf4you.exe
and that's just part of what this thing does. Looks like it's time to run wipe and do a reinstall again.
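The write-up quoted above lists two concrete things a defender can check for: the lure message (sender, subject, attachment names) and the win.ini run= entry that loads an eight-letter, three-letter-extension file. The following is an added triage helper, not code from the forum post or from the antivirus write-up it quotes; it assumes nothing beyond the indicators listed on the page, and the sample message and win.ini fragment embedded in it are constructed for the demonstration. The eight-letter pattern is a heuristic: legitimate programs with eight-letter names match it too, so a hit is a lead to review, not a verdict.

```python
"""Offline triage of the indicators listed in the quoted worm write-up.
Added example; not part of the original post or the AV description."""
import re
from email import message_from_string
from email.message import Message

# Lure indicators taken from the quoted write-up.
LURE_SENDER = "hahaha@sexyfun.net"
LURE_SUBJECT = "snowhite and the seven dwarfs"          # matched case-insensitively
LURE_ATTACHMENTS = {"sexy virgin.scr", "joke.exe", "midgets.scr", "dwarf4you.exe"}

# <eight letters>.<three letters>, the naming scheme the write-up gives for the
# plugin files and the spiral graphic loaded from win.ini. Heuristic only.
RANDOM_NAME_RE = re.compile(r"(?i)(?:^|[\\/])([a-z]{8})\.([a-z]{3})$")


def mail_indicators(raw: str) -> list:
    """Return the lure indicators found in one raw RFC 822 message."""
    msg: Message = message_from_string(raw)
    hits = []
    if LURE_SENDER in (msg.get("From") or "").lower():
        hits.append("sender")
    if LURE_SUBJECT in (msg.get("Subject") or "").lower():
        hits.append("subject")
    for part in msg.walk():                     # every MIME part, including nested ones
        name = part.get_filename()
        if name and name.lower() in LURE_ATTACHMENTS:
            hits.append("attachment:" + name.lower())
    return hits


def suspicious_run_entries(win_ini: str) -> list:
    """Return (target, matches_random_name) for each program listed on the
    run= line of the [windows] section of a win.ini file."""
    section = None
    found = []
    for line in win_ini.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "run":
            continue
        for target in value.split():            # run= may list several programs
            found.append((target, RANDOM_NAME_RE.search(target) is not None))
    return found


# Constructed sample message shaped like the English lure quoted above.
SAMPLE_MAIL = """From: Hahaha <hahaha@sexyfun.net>
To: victim@example.invalid
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Today, Snowhite was turning 18. The 7 Dwarfs ...
--BOUNDARY
Content-Type: application/octet-stream; name="joke.exe"
Content-Disposition: attachment; filename="joke.exe"
Content-Transfer-Encoding: base64

AAAA
--BOUNDARY--
"""

# Constructed win.ini fragment; the file name is an invented placeholder.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\QJXRTPLW.NMK
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print("mail indicators:", mail_indicators(SAMPLE_MAIL))
    print("run= entries:", suspicious_run_entries(SAMPLE_WIN_INI))
```

Feed `mail_indicators` the raw text of a message pulled from a mail spool or gateway quarantine, and `suspicious_run_entries` the contents of the machine's win.ini; an empty result from both does not rule out infection, since the write-up says the TEXT plugin varies the lure by installed language and the plugin set is updated by the author.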