-
December 24th, 2001, 10:30 AM
#1
W32.Reeezak.A@mm/W32.Zacker.C@mm/W32.Maldal.C@mm
Taken from TechRepublic
----------------------------------------------------------------------------------
Reeezak is yet another mass-mailing worm spreading through Microsoft Outlook address books and MSN Messenger. Unlike some other recent viruses, which didn’t cause too much damage, this worm poses a major threat. However, the worm can’t cause any damage unless people open the e-mail and the attachment propagated by this virus. But since this is the holiday season, the fake holiday greeting may trick a number of people into opening the attachment. Anyone who does open this worm risks having their computer completely disabled.
Read the rest of the article here.
-Matty_Cross
\"Isn\'t sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
But when you\'re good and crazy, hehe, the skies the limit!!\"
-
December 24th, 2001, 11:21 AM
#2
Senior Member
Great post Matty, always nice to have a heads up on those pesky viruses.
Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.
Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.
-
December 24th, 2001, 06:36 PM
#4
not to be redundant, but
Thanks Matty!!
-
December 25th, 2001, 02:57 AM
#5
It can never be stressed enough that you should not open e-mail attachments from people you don't know. Sometimes people you do know unwittingly unleash a worm on you. The best protection is to virus scan all incoming e-mail attachments. Not to sound bitter, but Microsoft has had this hole in Outlook for a very long time; one would think that this problem would be nonexistent by now, but it remains.
Wine maketh merry: but money answereth all things.
--Ecclesiastes 10:19
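As an added example (mine, not code from the thread, TechRepublic or NAI): a gateway-side check of the kind ThePreacher recommends, written in Python. It parses a message, flags attachments with directly executable extensions, checks the bytes for a PE "MZ" stub regardless of the declared MIME type (the NAI writeup quoted later in the thread notes that christmas.exe carries a Flash-style icon), and matches the specific lure from that writeup (subject "Happy New Year", attachment Christmas.exe, 37376 bytes). The sample messages are constructed here; the "payload" is a zero-filled dummy blob, not the worm.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click; any of these in mail deserves quarantine.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".wsh"}

# Lure details for W32/Maldal.c@MM (Reeezak/Zacker) as given in the NAI writeup.
LURE_SUBJECT = "happy new year"
LURE_ATTACHMENT = "christmas.exe"
LURE_SIZE = 37376


def is_pe_executable(data):
    """Win32 executables start with the DOS 'MZ' stub, whatever icon or MIME type they claim."""
    return data[:2] == b"MZ"


def triage_message(raw):
    """Return one finding per suspicious attachment in an RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension " + ext)
        if is_pe_executable(data):
            reasons.append("PE 'MZ' header despite declared type " + part.get_content_type())
        if name.lower() == LURE_ATTACHMENT and subject == LURE_SUBJECT:
            reasons.append("matches W32/Maldal.c@MM lure (subject + attachment name)")
        if name.lower() == LURE_ATTACHMENT and len(data) == LURE_SIZE:
            reasons.append("attachment size %d matches the published sample" % LURE_SIZE)
        if reasons:
            findings.append({"filename": name, "size": len(data), "reasons": reasons})
    return findings


def build_sample_message(malicious=True):
    """Constructed test message (not a real worm sample): the lure from the writeup with a dummy MZ blob."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    if malicious:
        msg["Subject"] = "Happy New Year"
        msg.set_content("Hii , I can't describe my feelings But all I can say is Happy new year :-) bye")
        blob = b"MZ" + b"\x00" * (LURE_SIZE - 2)   # dummy payload, same size as the real one
        # Declared as Flash to mirror the icon trick; the MZ check sees through the declared type.
        msg.add_attachment(blob, maintype="application", subtype="x-shockwave-flash",
                           filename="Christmas.exe")
    else:
        msg["Subject"] = "Season's greetings"
        msg.set_content("Happy holidays from the office.")
        msg.add_attachment("See you in January.", filename="greeting.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding["filename"], finding["size"], "; ".join(finding["reasons"]))
```

The extension list and the MZ check are the generic part and catch the next worm too; the lure match is only useful while this particular campaign is running, which is why it is kept separate from the other reasons.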
-
December 25th, 2001, 03:13 AM
#6
Originally posted by ThePreacher
but Microsoft has had this hole in Outlook for a very long time, one would think that this problem would be nonexistent by now, but it remains.
I've often wondered about this myself...is there something about Outlook that prevents it from being patched, by download or otherwise?...I don't use it, so I'm pretty safe on the 'spreading' end of the virus...but still...I update my VS every week, but have never even SEEN the opportunity to update/upgrade the Outlook program in my Windows OS, ever! Why?
Ouroboros
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
-Occam's Razor
-
December 26th, 2001, 11:32 PM
#8
Member
http://vil.nai.com/vil/virusSummary.asp?virus_k=99285
W32/Maldal.c@MM Low
Virus Information
Discovery Date: 12/19/2001
Origin: Unknown
Length: 37376 bytes
Type: Virus
SubType: worm
Minimum Dat: 4177
Minimum Engine: 4.0.70
DAT Release Date: 12/19/2001
Description Added: 12/19/2001
Virus Characteristics
W32/Maldal.c@MM was discovered on 19 December 2001; it is the third variant of the W32/Maldal@MM family.
The mass-mailing worm arrives as an e-mail file attachment called "christmas.exe" with a file size of 37376 bytes. It uses the MS Outlook address book to mass-mail itself. The worm might also be using entries from MS Messenger.
The worm sends rtf based e-mail messages with the following information:
Subject : Happy New Year
Body: Hii , I can't describe my feelings But all I can say is Happy new year :-) bye
Attachment: Christmas.exe
Sample display of the received e-mail:
Although the file has a Macromedia Flash-style icon, christmas.exe is written in Visual Basic. Running the file may result in multiple processes and multiple title bars being shown, which may be hard to combat as it tries to disable the keyboard.
The worm may change the computer name to "Zacker":
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\Zacker
It might also add a "zacker" entry under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Zacker
All files in the %system% directory are deleted upon execution of christmas.exe.
The worm also changes the Internet Explorer start page to a certain "zacker" HTM website. This HTML page contains JavaScript code that drops a VBScript virus and also installs a mIRC script. The HTM page is detected as VBS/Rols.dr with DAT 4156 and above. The dropped VBScript code may delete anti-virus and security software:
\Program Files\Zone Labs
\Program Files\AntiViral Toolkit Pro\*.*
\Program Files\Command Software\F-PROT95\*.*
\eSafe\Protect\*.*
\PC-Cillin 95\*.*
\PC-Cillin 97\*.*
\Program Files\Quick Heal\*.*
\Program Files\FWIN32\*.*
\Program Files\FindVirus\*.*
\Toolkit\FindVirus\*.*
\f-macro\*.*
\Program Files\McAfee\VirusScan95\*.*
\Program Files\Norton AntiVirus\*.*
\TBAVW95\*.*
\VS95\*.*
\rescue\*.*
\Program Files\Zone Labs\*.*
"Zacker's" MAIN htm page may drop a VBScript file called "outlook.vbs" in the %SYSTEM% directory, so for example c:\windows\system\outlook.vbs. This file attempts to send an e-mail to all the entries in your "contacts" with:
Subject: Very Important !!!
Body : See this page http://.................
So it's encouraging your contacts to click on the (omitted) malicious weblink.
The outlook.vbs code contains a payload routine to delete all files in the %SYSTEM% folder. A message box is displayed with anti-Jewish text, followed by a shutdown of the system.
Symptoms
-Mass Mailing, file attachment "christmas.exe"
-Trigger with dropped VBScript virus VBS/Rols
-Deleted anti-virus and security program files
-Disabled keyboard functionality
-Presence of "outlook.vbs" in the %system% folder
-Deletion of files in the %system% folder
-Annoying anti-Jewish and/or government message-boxes
-presence of a file called "zacker.vbs"
-presence of a file called "rol.vbs"
-presence of a file called "dalal.htm"
-presence of a file called "dallah.htm"
-presence of a file called "server.vbs"
Method Of Infection
Initial infection starts when user runs a malicious e-mail file attachment called christmas.exe
Removal Instructions
All Users:
Use current engine and DAT files for detection and removal.
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop, and choose Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.
Aliases
Name
W32/Keyluc@MM
W32/Reeezak.A-mm
W32/Zacker@MM
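As an added example (mine, not part of the NAI writeup or any poster's code), the host-side indicators from the description above turned into a small Python check: it looks for the dropped files in the system directory, for the "Zacker" Run entry, for the changed computer name and for the hijacked IE start page, and gives one verdict. The registry locations used by the live-collection helper (the standard ComputerName value and Internet Explorer's Start Page under HKCU\Software\Microsoft\Internet Explorer\Main) are assumptions from normal Windows layout, not something the writeup states. The demo snapshot is constructed, not taken from a real host.

```python
import sys
import tempfile
from pathlib import Path

# Host indicators from the NAI description: files the HTM/VBS stage drops, and the "zacker"
# marker the worm writes into the computer name, the Run key and the IE start page.
DROPPED_FILES = {"outlook.vbs", "zacker.vbs", "rol.vbs", "dalal.htm", "dallah.htm", "server.vbs"}
MARKER = "zacker"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Assumptions (standard Windows locations, not stated in the writeup):
COMPUTERNAME_KEY = r"System\CurrentControlSet\Control\ComputerName\ComputerName"
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"


def find_dropped_files(system_dir):
    """Names of known dropped files present in the system directory (case-insensitive)."""
    return sorted(p.name for p in Path(system_dir).iterdir()
                  if p.is_file() and p.name.lower() in DROPPED_FILES)


def suspicious_run_values(run_values):
    """Run entries named after the marker, or whose command mentions it or one of the dropped files."""
    hits = []
    for name, command in run_values.items():
        cmd = str(command).lower()
        if name.lower() == MARKER or MARKER in cmd or any(f in cmd for f in DROPPED_FILES):
            hits.append(name)
    return sorted(hits)


def assess(system_dir, run_values, computer_name, start_page):
    """Combine the indicators into one verdict; inputs may come from a live host or a snapshot."""
    findings = {
        "dropped_files": find_dropped_files(system_dir),
        "run_values": suspicious_run_values(run_values),
        "computer_name_changed": computer_name.strip().lower() == MARKER,
        "start_page_hijacked": MARKER in (start_page or "").lower(),
    }
    findings["infected"] = any(findings.values())
    return findings


def read_registry_values(root, path):
    """Windows only: every value under one key as {name: str(value)}; a missing key gives {}."""
    import winreg
    out = {}
    try:
        with winreg.OpenKey(root, path) as key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                out[name] = str(value)
                index += 1
    except OSError:
        pass
    return out


def assess_live_host(system_dir):
    # Pass the real system directory: C:\WINDOWS\SYSTEM on Windows 9x/ME,
    # %SystemRoot%\system32 on NT-based Windows.
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows (winreg)")
    import winreg
    run = read_registry_values(winreg.HKEY_LOCAL_MACHINE, RUN_KEY)
    run.update(read_registry_values(winreg.HKEY_CURRENT_USER, RUN_KEY))
    name = read_registry_values(winreg.HKEY_LOCAL_MACHINE, COMPUTERNAME_KEY).get("ComputerName", "")
    start = read_registry_values(winreg.HKEY_CURRENT_USER, IE_MAIN_KEY).get("Start Page", "")
    return assess(system_dir, run, name, start)


def demo(infected=True):
    """Constructed snapshot (not from a real host) of an infected or clean Windows 9x-style system."""
    with tempfile.TemporaryDirectory() as tmp:
        files = ["kernel32.dll"] + (["outlook.vbs", "Server.vbs"] if infected else [])
        for name in files:
            Path(tmp, name).write_text("constructed sample\n")
        run_values = {"ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}  # normal Win9x entry
        if infected:
            run_values["Zacker"] = r"C:\WINDOWS\SYSTEM\zacker.vbs"          # worm persistence
        computer = "Zacker" if infected else "WORKSTATION"
        start_page = "http://example.invalid/zacker.htm" if infected else "about:blank"
        return assess(tmp, run_values, computer, start_page)


if __name__ == "__main__":
    print(demo())
```

The verdict deliberately fires on any single indicator: by the time the Run entry or the computer name has been rewritten, the %SYSTEM% wipe may already have happened, so a partial match still means the host needs the DAT-based cleanup described above rather than a second look.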
-
December 26th, 2001, 11:46 PM
#9
now that was some detail...Thanxs...
Violence breeds violence
we need a world court
not a republican with his hands covered in oil and military hardware lecturing us on world security!