August 12th, 2003, 11:01 PM
As per my usual Heads up.. only Higher risk Threats are listed here.. ie Symantec's Cat 2 or higher..
Symantec Info Page
Neither MS nor the AV companies have come up with a patch to protect our computers from the id10T.
This one's entry is due to its damage capability and distribution capability.
Summary of Threat
Large scale e-mailing: Emails itself to all the contacts in the Outlook address book.
Causes system instability: Disables the system through registry modifications.
Subject of email: ½ñÍíÄãÀ´Âð£¿
Name of attachment: Win32system.vbs or Winsystem32.vbs
Size of attachment: 3-4k
VBS.DDV.B is a Visual Basic Script (VBS) worm that attempts to spread to all the contacts in the Microsoft Outlook address book.
The worm is similar to VBS.DDV, but makes additional destructive modifications to the registry.
NOTE: Virus definitions dated prior to August 8th may detect this worm as VBS.DDV.
Infection Length: 3-4K
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
I have seen comments regarding the installation of windows into another folder other than "Windows" or "WinNT" to prevent these virii from infecting.. BUT as you can see from this virii and many others they look to the registry for the install folder of the os or the system folder.. So that idea is a crock of shite.. like the dummy address in your address book..
Copies itself as Win32system.vbs or Winsystem32.vbs to the following locations:
%Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
%System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Keep your MS patches up to date
Keep your antivirus defs up to date
Have your firewall block ALL un-needed ports
Check out registry monitoring software (I am not 100% on some of these yet)
Be Aware of Social Engineering approaches..
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
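A check for the dropped copies described in the post above, as an added example that is not part of the original post or of Symantec's write-up. It resolves the Windows and System folders from the environment instead of assuming C:\Windows, for the reason the post gives; the function names and the reading of "3-4K" as 3072 to 4096 bytes are assumptions made for this sketch.

```python
import os

# File names the advisory lists for the worm's attachment and dropped copies.
DROPPED_NAMES = {"win32system.vbs", "winsystem32.vbs"}

# Assumption: the advisory's "3-4K" is read as 3072..4096 bytes.
SIZE_MIN, SIZE_MAX = 3 * 1024, 4 * 1024


def candidate_dirs(env=os.environ):
    """Return the %Windir% and %System% folders for this machine.

    The folders are resolved from the environment, so a Windows install
    in a non-default folder is still covered.
    """
    windir = env.get("SystemRoot") or env.get("windir")
    if not windir:
        return []
    return [
        windir,
        os.path.join(windir, "System"),    # Windows 95/98/Me
        os.path.join(windir, "System32"),  # Windows NT/2000/XP
    ]


def find_dropped_copies(dirs):
    """Return (path, size, size_in_advisory_range) for each name match."""
    hits = []
    for folder in dirs:
        try:
            entries = os.listdir(folder)
        except OSError:
            continue  # folder does not exist on this Windows version
        for name in entries:
            # Windows file names are case-insensitive, so compare lowercased.
            if name.lower() not in DROPPED_NAMES:
                continue
            path = os.path.join(folder, name)
            if os.path.isfile(path):
                size = os.path.getsize(path)
                hits.append((path, size, SIZE_MIN <= size <= SIZE_MAX))
    return hits


if __name__ == "__main__":
    for path, size, in_range in find_dropped_copies(candidate_dirs()):
        note = "matches advisory size" if in_range else "size differs"
        print(f"{path} ({size} bytes, {note})")
```

A name match is reported whatever the size, since the size range is only a hint.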
August 12th, 2003, 11:50 PM
Good advice as usual, I particularly liked the comment about the ID10T....................hey what sane person is going to open an e-mail with the subject:
As the saying goes "some of them won't never learn"
It amazes me that these .vbs and other straightforward scripting viruses are still so prevalent. OK it doesn't help that M$ ships its OSes with the default to hide known file extensions (hint: reset to display all extensions, AND hidden files), but people do seem to be their own worst enemies?
I am still in favour of complementary software such as Scrip Trap, and AnalogX's Script Defender......At least they give you a final warning that you are going to run a script...
I remember about 4 years ago writing a little 4 line .reg file that made VB scripts open in Notepad.............not so long after the "loveletter" virus hit the scene............I was amazed at the number of ID10Ts that rang up and asked what the "funny e-mail" they had just opened was all about [Please don't mess with the Registry unless you are sure of what you are doing............and make a backup]
We have mentioned the claims of modern AVs to intercept hostile scripts, but I still haven't seen hard evidence of their effectiveness.............if they are that good, how come this stuff is still a threat?................they should be as obsolete as floppy disk borne stuff?
Be Safe...Stay Safe