
Worm masquerades as "windows update"


zigar
February 27th, 2002, 08:24 PM
you might want to notify your well meaning but (DON'T OPEN ATTACHMENTS!) less than (DON'T OPEN ATTACHMENTS!) well informed (DON'T OPEN ATTACHMENTS!) users...

W32.HLLP.Sharpei@mm
Discovered on: February 26, 2002
Last Updated on: February 27, 2002 at 09:57:35 AM PST

W32.HLLP.Sharpei@mm is a virus that targets .exe files under the Microsoft .NET Framework. The replication code of the virus is written in C# and compiled to MSIL. The virus also mass emails itself to all contacts in the Microsoft Outlook address book by using a VBS component. The attachment is MS02-010.exe.

Type: Virus, Worm
Infection Length: 12288
(LiveUpdateTM): February 27, 2002

Threat Assessment:

Wild: Low
Damage: Low
Distribution: Medium

Payload:
Large scale e-mailing: Yes
Modifies files: Yes

Distribution:
Subject of email: Important: Windows update
Name of attachment: MS02-010.exe
Size of attachment: 12,288

Technical description:

The virus arrives as an email message that has the following characteristics:

Subject : Important: Windows update

Message: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.

Attachment: Ms02-010.exe

When the attachment is executed, the virus does the following:

It makes a copy of itself as C:\Ms02-010.exe.

It drops the file Sharp.vbs, which then performs the mass-mailing routine, sending the previously described message. Sharp.vbs then deletes itself.

3ntropy
February 27th, 2002, 08:30 PM
Damn outlook,
Why people continue to use OE is way beyond me.
But thanks Zigar for the info on it.
It seems there is a new virus, bug, exploit, etc. arriving in those inboxes every week. Or is it just me?

KorpDeath
February 27th, 2002, 08:33 PM
It's just you.

zigar
February 27th, 2002, 08:43 PM
oops...forgot the link

http://sarc.com/avcenter/venc/data/w32.hllp.sharpei@mm.html

TechieChick
February 27th, 2002, 08:45 PM
Thanks zigar, I have a newly infected system on my bench today, as a matter of fact.

This particular client is fantastic. I maintain his small network (home and biz under one roof), and after looking at the business computers then moving on to the kids' systems, I seriously began to wonder if it's easier supporting 500 users in a corp environment or keeping these teenagers up and running. :mad:

uraloony
February 27th, 2002, 08:54 PM
Good heads up! :)

Conf1rm3d_K1ll
February 27th, 2002, 11:15 PM
Thanks, Zigar.....it brings a tear to my eye seeing virus/worm alerts at AO....Sure beats the stuff that's been showing up here lately....



R_A_.....that conspiracy planet signature was mine I tells ya! Mine!!

sumdumguy
March 5th, 2002, 08:19 PM
I got this from my corporate IT folks today

A new worm -- W32/Gibe@MM -- is circulating via an e-mail attachment: q216309.exe disguised as a security alert from Microsoft.

---------------------------------------------------------------------
Method of infection: Email worm

Attachment name: q216309.exe.

Subject line: Internet Security Update

Message body:

Microsoft Customer,

This is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
----------------------------------------------------------------------

If you receive this message, DELETE IT IMMEDIATELY! Do NOT attempt to open it!

Detailed information on the W32/Gibe@mm worm can be found at:

http://www.sophos.com/virusinfo/analyses/w32gibea.html

If you inadvertently opened the message or have difficulties deleting the e-mail, please immediately contact your local IT support or call sumdumguy
(oops.. just had to slip one in there :D )

(excerpt from the link above)
If q216309.exe is run it will display the message "This will install Microsoft Security Update. Do you wish to continue ? ". It then copies itself to q216309.exe in the Windows folder and vtnmsccd.dll in the Windows system folder. It also drops and executes bctool.exe, winnetw.exe and gfxacc.exe in the Windows folder and creates the file 02_n803.dat in which it stores information about email recipients.

Bctool.exe and winnetw.exe attempt to send out the emails as described above. Gfxacc.exe runs as a background process and opens port 12387, which could allow an intruder to gain remote access and control over the machine.

The worm sets the following registry keys:

HKLM\Software\AVTech\Settings\Default Address = <default address>
HKLM\Software\AVTech\Settings\DefaultServer = <default server>
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = <path to gfxacc.exe>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = <path to bctool.exe>
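Both write-ups quoted in this thread (Symantec's for Sharpei, Sophos's for Gibe) give the same kind of mail-level indicators: a fixed subject line, a fixed attachment name, and for Sharpei a fixed attachment size. The script below is an added example, not code from the thread or either vendor, that turns those indicators into a gateway-style check over raw RFC 822 messages; it also goes one step beyond the two lures with a generic rule (an assumption, not from the thread) that flags any .exe attachment named like a Microsoft bulletin or KB article. The sample messages are constructed for the demo.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the thread: (subject, attachment name, attachment size).
# Size is None where the quoted write-up does not give one (Gibe).
LURES = {
    "W32.HLLP.Sharpei@mm": ("important: windows update", "ms02-010.exe", 12288),
    "W32/Gibe@MM": ("internet security update", "q216309.exe", None),
}
# Generalisation (assumption, not from the thread): an .exe named like a
# Microsoft bulletin (MS02-010) or KB article (Q216309) is a patch-lure pattern.
PATCH_NAME = re.compile(r"^(ms\d{2}-\d{3}|q\d{6})\.exe$")


def classify(raw: bytes) -> list:
    """Return the lure names a raw message matches (plus the generic tag)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        for worm, (subj, fname, fsize) in LURES.items():
            # Exact indicator match; size only checked where the write-up gave one.
            if subject == subj and name == fname and fsize in (None, size):
                hits.append(worm)
        if PATCH_NAME.match(name):
            hits.append("exe named like a Microsoft patch")
    return hits


def build(subject: str, body: str, filename: str, size: int) -> bytes:
    """Construct a sample message carrying one attachment of `size` bytes."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # constructed sender
    msg["To"] = "you@example.com"        # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: the two lures from the thread and a benign message.
SHARPEI = build("Important: Windows update", "Hey, at work we are applying this update...",
                "Ms02-010.exe", 12288)
GIBE = build("Internet Security Update", "Microsoft Customer, ...", "q216309.exe", 4096)
CLEAN = build("Lunch?", "Noon at the usual place", "menu.txt", 40)

if __name__ == "__main__":
    for label, raw in (("sharpei", SHARPEI), ("gibe", GIBE), ("clean", CLEAN)):
        print(label, classify(raw))
```

A message that reuses the Sharpei subject and file name but not the 12288-byte size still trips the generic rule, which is the point of keeping it alongside the exact indicators.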