
Thread: W32.Reeezak.A@mm/W32.Zacker.C@mm/W32.Maldal.C@mm

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    831

    W32.Reeezak.A@mm/W32.Zacker.C@mm/W32.Maldal.C@mm

    Taken from TechRepublic
    ----------------------------------------------------------------------------------

    Reeezak is yet another mass-mailing worm spreading through Microsoft Outlook address books and MSN Messenger. Unlike some other recent viruses, which didn’t cause too much damage, this worm poses a major threat. However, the worm can’t cause any damage unless people open the e-mail and the attachment propagated by this virus. But since this is the holiday season, the fake holiday greeting may trick a number of people into opening the attachment. Anyone who does open this worm risks having their computer completely disabled.

    Read the rest of the article here.
    -Matty_Cross
    "Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you're good and crazy, hehe, the sky's the limit!!"

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    185
    Great post Matty, always nice to have a heads up on those pesky virri.
    Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.

    Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.


  3. #3
    Banned
    Join Date
    Sep 2001
    Posts
    2,810
    Thanks Matty.

  4. #4
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    not to be redundant, but

    Thanks Matty!!

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    689

    It can never be stressed enough that you should not open e-mail attachments from people you don't know. Sometimes people you do know unwittingly unleash a worm on you. The best protection is to virus scan all incoming e-mail attachments. Not to sound bitter, but Microsoft has had this hole in Outlook for a very long time; one would think that this problem would be nonexistent by now, but it remains.
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  6. #6
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636
    Originally posted by ThePreacher
    but Microsoft has had this hole in Outlook for a very long time, one would think that this problem would be nonexistent by now, but it remains.
    I've often wondered about this myself...is there something about Outlook that prevents it from being patched, by download or otherwise?...I don't use it, so I'm pretty safe on the 'spreading' end of the virus...but still...I update my VS every week, but have never even SEEN the opportunity to update/upgrade the Outlook program in my Windows OS, ever! Why?

    Ouroboros
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    872

    Outlook Patch

    Hmmm, I was watching TechTV the other day. And a section of The Screen Savers came up talking about Microsoft's Outlook Express. Well...there's a patch, to stop yourself from opening attachments. Well... a recent survey went out on the Microsoft website...and it was found out that 1% of ALL Outlook Express users have downloaded the patch. I started laughing immediately just at the numbers that were coming up, but me not being an Outlook user just flipped the channel after that to a TV show more reasonable to my likings (can't remember what it was...it was just on the Sci-Fi Channel). So, I'm sorry to announce, I have no URL for the patch. All I know is that it CAN be found on the Microsoft site. Yet try looking at Tech TV for the patch too*. Just search for Outlook Patches.
    Hope it helps, and sorry for not listening to the whole story.

    * If that URL doesn't work, try this one for the main page of Tech TV
    ...This Space For Rent.

    -[WebCarnage]

  8. #8
    http://vil.nai.com/vil/virusSummary.asp?virus_k=99285


    W32/Maldal.c@MM Low



    Virus Information
    Discovery Date: 12/19/2001
    Origin: Unknown
    Length: 37376 bytes
    Type: Virus
    SubType: worm
    Minimum Dat: 4177
    Minimum Engine: 4.0.70
    DAT Release Date: 12/19/2001
    Description Added: 12/19/2001


    Virus Characteristics
    W32/Maldal.c@MM was discovered on 19 December 2001; it is the third variant of the W32/Maldal@MM family.

    The mass-mailing worm arrives in an e-mail file attachment called "christmas.exe"; the file size is 37376 bytes. It uses the MS Outlook address book to mass-mail itself. The worm might also be using entries from MS Messenger.

    The worm sends rtf based e-mail messages with the following information:
    Subject : Happy New Year
    Body: Hii , I can't describe my feelings But all I can say is Happy new year :-) bye

    Attachment: Christmas.exe
    Sample display of the received e-mail: (screenshot not reproduced)
    Although the file has a Macromedia Flash style icon, christmas.exe is written in Visual Basic. Running the file may result in multiple processes and multiple title bars being shown, which may be hard to combat as it tries to disable keyboard functionality.



    The worm may change the computer name to "Zacker":
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\Zacker
    It might also add a "zacker" entry under:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Zacker

    All files in the %system% directory are deleted upon execution of christmas.exe.

    The worm also changes the Internet Explorer startup page to a certain "zacker" htm website. This html page contains JavaScript code that drops a VBScript virus and also installs a mIRC script. The HTM page is triggered as VBS/Rols.dr with DAT-4156 and above. The dropped VBScript code may delete anti-virus and security software:

    \Program Files\Zone Labs
    \Program Files\AntiViral Toolkit Pro\*.*
    \Program Files\Command Software\F-PROT95\*.*
    \eSafe\Protect\*.*
    \PC-Cillin 95\*.*
    \PC-Cillin 97\*.*
    \Program Files\Quick Heal\*.*
    \Program Files\FWIN32\*.*
    \Program Files\FindVirus\*.*
    \Toolkit\FindVirus\*.*
    \f-macro\*.*
    \Program Files\McAfee\VirusScan95\*.*
    \Program Files\Norton AntiVirus\*.*
    \TBAVW95\*.*
    \VS95\*.*
    \rescue\*.*
    \Program Files\Zone Labs\*.*


    "Zacker's" MAIN htm page may drop a VBScript file called "outlook.vbs" in the %SYSTEM% directory, so for example c:\windows\system\outlook.vbs. This file attempts to send an e-mail to all the entries in your "contacts" with:
    Subject: Very Important !!!
    Body : See this page http://.................
    So it's encouraging your contacts to click on the (omitted) malicious weblink.

    The outlook.vbs code contains a payload routine to delete all files in the %SYSTEM% folder. A message box is displayed with anti-Jewish text, followed by a shutdown of the system.




    Symptoms
    - Mass mailing, file attachment "christmas.exe"
    - Trigger with dropped VBScript virus VBS/Rols
    - Deleted anti-virus and security program files
    - Disabled keyboard functionality
    - Presence of "outlook.vbs" in the %system% folder
    - Deletion of files in the %system% folder
    - Annoying anti-Jewish and/or government message boxes
    - Presence of a file called "zacker.vbs"
    - Presence of a file called "rol.vbs"
    - Presence of a file called "dalal.htm"
    - Presence of a file called "dallah.htm"
    - Presence of a file called "server.vbs"


    Method Of Infection
    Initial infection starts when user runs a malicious e-mail file attachment called christmas.exe


    Removal Instructions
    All Users:
    Use current engine and DAT files for detection and removal.
    Additional Windows ME Info:
    NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

    Disabling the Restore Utility

    1. Right click the My Computer icon on the Desktop, and choose Properties.
    2. Click on the Performance Tab.
    3. Click on the File System button.
    4. Click on the Troubleshooting Tab.
    5. Put a check mark next to "Disable System Restore".
    6. Click the Apply button.
    7. Click the Close button.
    8. Click the Close button again.
    9. You will be prompted to restart the computer. Click Yes.
    NOTE: The Restore Utility will now be disabled.
    10. Restart the computer in Safe Mode.
    11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
    12. After removing the desired files, restart the computer normally.
    NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.


    Aliases
    Name
    W32/Keyluc@MM
    W32/Reeezak.A-mm
    W32/Zacker@MM

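    As an added example (not part of the quoted NAI page or any poster's own code), a small Python triage script that matches an inbound message and a host inventory against the indicators the advisory lists above: the mail subject, attachment name and length, the dropped files from the Symptoms section, the Run\Zacker entry and the changed computer name. It assumes the Run\Zacker entry is a value named Zacker under the Run key, and the sample inventory at the bottom is constructed.

```python
from pathlib import PureWindowsPath

# Mail characteristics from the advisory: subject, attachment name, file size.
MAIL_SUBJECT = "happy new year"
MAIL_ATTACHMENT = "christmas.exe"
MAIL_LENGTH = 37376

# Host indicators from the Symptoms section and the registry notes.
DROPPED_FILES = {"outlook.vbs", "zacker.vbs", "rol.vbs",
                 "dalal.htm", "dallah.htm", "server.vbs"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ROGUE_NAME = "zacker"  # Run value name and the new computer name


def mail_indicators(subject, attachment_name, attachment_size):
    """Return which of the advisory's mail characteristics a message matches."""
    hits = []
    if subject.strip().lower() == MAIL_SUBJECT:
        hits.append("subject")
    if attachment_name.lower() == MAIL_ATTACHMENT:
        hits.append("attachment name")
    if attachment_size == MAIL_LENGTH:
        hits.append("attachment length")
    return hits


def host_indicators(file_paths, run_entries, computer_name):
    """Match a host inventory against the advisory's file and registry symptoms.

    file_paths: full Windows paths present on disk.
    run_entries: (key, value_name) pairs; the advisory's Run\\Zacker entry is
    assumed here to be a value named Zacker under the Run key.
    """
    findings = []
    for path in file_paths:
        if PureWindowsPath(path).name.lower() in DROPPED_FILES:
            findings.append("dropped file: " + path)
    for key, value_name in run_entries:
        if key.lower() == RUN_KEY and value_name.lower() == ROGUE_NAME:
            findings.append("Run entry: " + key + "\\" + value_name)
    if computer_name.lower() == ROGUE_NAME:
        findings.append("computer name set to Zacker")
    return findings


# Constructed sample inventory (not real data) for an offline run.
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\outlook.vbs",
                r"C:\WINDOWS\SYSTEM\kernel32.dll", r"C:\WINDOWS\dalal.htm"]
SAMPLE_RUN = [(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Zacker")]
```

    Calling host_indicators(SAMPLE_FILES, SAMPLE_RUN, "ZACKER") reports the two dropped files, the Run entry and the renamed computer; a clean inventory returns an empty list.
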
  9. #9
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    now that was some detail...Thanxs...
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!
