December 24th, 2001, 09:30 AM
Taken from TechRepublic
Reeezak is yet another mass-mailing worm spreading through Microsoft Outlook address books and MSN Messenger. Unlike some other recent viruses, which didn't cause too much damage, this worm poses a major threat. However, the worm can't cause any damage unless people open the e-mail and the attachment propagated by this virus. But since this is the holiday season, the fake holiday greeting may trick a number of people into opening the attachment. Anyone who does open this worm risks having their computer completely disabled.
Read the rest of the article
"Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
But when you're good and crazy, hehe, the skies the limit!!"
December 24th, 2001, 10:21 AM
Great post Matty, always nice to have a heads up on those pesky virri.
Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.
Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
December 24th, 2001, 03:14 PM
December 24th, 2001, 05:36 PM
not to be redundant, but
December 25th, 2001, 01:57 AM
It can never be stressed enough that you should not open e-mail attachments from people you don't know. Sometimes people you do know unwittingly unleash a worm on you. The best protection is to virus scan all incoming e-mail attachments. Not to sound bitter, but Microsoft has had this hole in Outlook for a very long time; one would think that this problem would be nonexistent by now, but it remains.
Wine maketh merry: but money answereth all things.
December 25th, 2001, 02:13 AM
I've often wondered about this myself...is there something about Outlook that prevents it from being patched, by download or otherwise?...I don't use it, so I'm pretty safe on the 'spreading' end of the virus...but still...I update my VS every week, but have never even SEEN the opportunity to update/upgrade the Outlook program in my Windows OS, ever! Why?
Originally posted by ThePreacher
but Microsoft has had this hole in Outlook for a very long time; one would think that this problem would be nonexistent by now, but it remains.
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
December 26th, 2001, 10:24 PM
December 26th, 2001, 10:32 PM
Discovery Date: 12/19/2001
Length: 37376 bytes
Minimum Dat: 4177
Minimum Engine: 4.0.70
DAT Release Date: 12/19/2001
Description Added: 12/19/2001
W32/Maldal.c@MM was discovered on 19 December 2001; it's the third variant of the W32/Maldal@MM family.
The mass-mailing worm arrives in an e-mail file attachment called "christmas.exe"; the file size is 37376 bytes. It uses the MS-Outlook address book to mass-mail itself. The worm might also be using entries from MS-Messenger.
The worm sends RTF-based e-mail messages with the following information:
Subject : Happy New Year
Body: Hii , I can't describe my feelings But all I can say is Happy new year :-) bye
Sample display of the received e-mail:
Although the file has a Macromedia Flash-style icon, christmas.exe is written in Visual Basic. Running the file may result in multiple processes and multiple title bars being shown, which may be hard to combat as it tries to disable the keyboard functionality.
The worm may change the computer name to "Zacker":
It might also add a "zacker" entry under:
All files in the %system% directory are deleted upon execution of christmas.exe.
\Program Files\Zone Labs
\Program Files\AntiViral Toolkit Pro\*.*
\Program Files\Command Software\F-PROT95\*.*
\Program Files\Quick Heal\*.*
\Program Files\Norton AntiVirus\*.*
\Program Files\Zone Labs\*.*
"Zacker's" MAIN htm page may drop a VBScript file called "outlook.vbs" in the %SYSTEM% directory, so for example c:\windows\system\outlook.vbs. This file attempts to send an e-mail to all the entries in your "contacts" with:
Subject: Very Important !!!
Body : See this page http://.................
So it's encouraging your contacts to click on the (omitted) malicious weblink.
The outlook.vbs code contains a payload routine to delete all files in the %SYSTEM% folder. A message box is displayed with anti-Jewish text, followed by a shutdown of the system.
-Mass Mailing, file attachment "christmas.exe"
-Trigger with dropped VBScript virus VBS/Rols
-Deleted anti-virus and security program files
-Disabled keyboard functionality
-Presence of "outlook.vbs" in the %system% folder
-Deletion of files in the %system% folder
-Annoying anti-Jewish and/or government message-boxes
-Presence of a file called "zacker.vbs"
-Presence of a file called "rol.vbs"
-Presence of a file called "dalal.htm"
-Presence of a file called "dallah.htm"
-Presence of a file called "server.vbs"
Method Of Infection
Initial infection starts when user runs a malicious e-mail file attachment called christmas.exe
Use current engine and DAT files for detection and removal.
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop, and choose Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.
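ThePreacher's advice above (scan every incoming attachment) and the symptom list in the pasted description both boil down to a handful of checkable indicators: the "Happy New Year" / "Very Important !!!" subjects, a christmas.exe attachment of 37376 bytes, and the dropped outlook.vbs / zacker.vbs / rol.vbs / dalal.htm / dallah.htm / server.vbs files. The script below is an added example written for this thread, not code from TechRepublic, McAfee, or anyone in the thread; it parses a mail message with Python's standard `email` module and reports which of those indicators it matches, and it checks a directory for the dropped file names. The sample message it builds is constructed here (zero-filled attachment of the advisory's size, example.invalid addresses); the `inspect_message`, `find_dropped_files` and `build_sample_message` names are this example's own.

```python
"""Indicator checks for the W32/Maldal.c@MM (Reeezak) description quoted above."""
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators as given in the pasted description (names compared case-insensitively).
MAIL_SUBJECTS = {"happy new year", "very important !!!"}
ATTACHMENT_NAME = "christmas.exe"
ATTACHMENT_SIZE = 37376
DROPPED_FILES = {"outlook.vbs", "zacker.vbs", "rol.vbs",
                 "dalal.htm", "dallah.htm", "server.vbs"}


def inspect_message(raw: bytes) -> list:
    """Return the indicators matched by one RFC 822 message (empty list = nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in MAIL_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment:" + name)
            payload = part.get_payload(decode=True) or b""
            # The description gives an exact size; a match strengthens the verdict.
            if len(payload) == ATTACHMENT_SIZE:
                hits.append("attachment-size-match")
        elif name.endswith(".exe"):
            # Not this worm's name, but still worth flagging in holiday mail.
            hits.append("executable-attachment:" + name)
    return hits


def find_dropped_files(system_dir: str) -> list:
    """Return which of the dropped-file names from the description exist in system_dir."""
    try:
        present = {n.lower() for n in os.listdir(system_dir)}
    except FileNotFoundError:
        return []
    return sorted(DROPPED_FILES & present)


def build_sample_message(subject: str = "Happy New Year",
                         with_attachment: bool = True) -> bytes:
    """Construct a sample message shaped like the one described (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "me@example.invalid"
    m["Subject"] = subject
    m.set_content("Hii , I can't describe my feelings But all I can say is Happy new year :-) bye")
    if with_attachment:
        # Zero-filled stand-in of the advertised size; it is not the worm.
        m.add_attachment(b"\x00" * ATTACHMENT_SIZE, maintype="application",
                         subtype="octet-stream", filename=ATTACHMENT_NAME)
    return m.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample_message()))
    print(find_dropped_files(os.path.join(os.environ.get("SystemRoot", "C:\\windows"), "system")))
```

Run it against a mailbox by feeding each message's bytes to `inspect_message`; any non-empty result is worth quarantining before the user ever sees the attachment, which is the whole point of scanning at the gateway rather than on the desktop.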
December 26th, 2001, 10:46 PM
now that was some detail...Thanxs...
Violence breeds violence
we need a world court
not a republican with his hands covered in oil and military hardware lecturing us on world security!