
[IP] (Fwd) Computer Virus Alert!

To all IP Members, especially those running Win9? and NT,

A new computer virus/worm has been circulating among some 
members.  Please read the information below or go to the site 
listed at the bottom of this page for information and help.  Please 
help stop viruses, check your system now and run an anti-virus 
update program regularly.

Virus Name: W32/NewApt.worm

Virus Characteristics:
This worm has been reported to AVERT in several countries during the week
of December 13, 1999. The file may be received by email with a size of
69,632 bytes. The worm arrives by email and depending on if the email
application supports HTML email body content or not, one of two messages
is displayed. If HTML is supported, the message content looks like this:


(HTML body; it contains a link to http://stuart.messagemates.com/index.html)

Hypercool Happy New Year 2000 funny programs and animations...
We attached our recent animation from this site in our mail ! Check it out


If the email client does not support HTML, the email message will have
this content:


he, your lame client cant read HTML, haha.
click attachment to see some stunningly HOT stuff

The email contains an attachment of a randomly selected name from the
following list:
baby.exe

Please note that the file is not a "messagemates" game program and is not
related to the web site listed in the email message! Messagemates.com has
issued a notice about this also on their web site at this location:

There is no icon associated with this 32 bit file other than the one
associated with command line executables such as COMMAND.COM. If this worm
is run, a "dummy" error message is displayed with the text-

The dinamic link library giface.dll could not be found in the specified
path (list of directory names) 

The list of directory names is taken from the system 
environment variable "path" which is set in AUTOEXEC.BAT in 
Windows 9x and also configurable in Windows NT through the 
control panel. Note the misspelling of the word "dinamic".  

The machine is then checked for the installation of MS Outlook 
Express. If found, two files are written in the c:\windows folder  

ma.    - contains a listing of email addresses
mmail.  - contains the directory of MS Outlook Express

The list of email addresses is captured by checking all folders in 
Outlook Express for email messages received!  

A file is then saved to the Windows folder and the registry is 
modified to load the file at the next Windows startup with a 
command line option of "/x". For example, if the executable 
"chestburst.exe" is run, the registry entry would look like this on a 
Windows 95 system:  

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tpawen =
c:\windows\chestburst.exe /x

On the next Windows startup, the file is loaded. When the worm 
loads into memory, it waits for an unspecified amount of time and 
then sends an email message to one of the listed entries from the 
file "mma." with the format mentioned at the beginning of this 

While the worm is active on Windows 9x system, the following 
DLLs are implemented:  


When an email application such as MS Outlook is in use, the 
additional DLL loaded is TAPI32.DLL.  

At this time, AVERT is analyzing the distribution method for this 
worm. Strings within the executable suggest that it uses 
information stored in the file "prefs.js" which is a reference to 

To check your system for this virus, and to learn how to protect yourself
from computer viruses, visit http://vil.mcafee.com/vil/wm10475.asp

Thank you,

George Lovelace
IP Admin
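Added example, not part of the original alert or of the AVERT description: a Python check that reads a regedit text export and flags Run entries matching the startup pattern described above (an .exe directly in the Windows folder, launched with "/x"). The function names, the sample export and the assumption that the saved copy keeps the 69,632-byte attachment size are illustrative and do not come from the alert.

```python
import ntpath
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_SIZE = 69632  # attachment size from the alert; same size on disk is an assumption
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # regedit exports write \\ for a backslash and \" for a quote
    return re.sub(r"\\(.)", r"\1", s)

def run_entries(reg_text):
    """Yield (name, command) for string values under the Run key."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            yield _unescape(m.group(1)), _unescape(m.group(2))

def suspicious(command, windows_dir=r"c:\windows"):
    """True for an .exe directly in windows_dir that is started with /x."""
    parts = command.strip().rsplit(None, 1)
    if len(parts) != 2 or parts[1].lower() != "/x":
        return False
    folder, name = ntpath.split(parts[0].strip('"').lower())
    return folder == windows_dir.lower() and name.endswith(".exe")

def find_hits(reg_text, file_sizes=None):
    """Return (value name, command, size_matches) per suspicious Run entry."""
    file_sizes = file_sizes or {}
    hits = []
    for name, command in run_entries(reg_text):
        if suspicious(command):
            path = command.rsplit(None, 1)[0].strip('"').lower()
            hits.append((name, command, file_sizes.get(path) == WORM_SIZE))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tpawen"="c:\\windows\\chestburst.exe /x"
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Other"="c:\\windows\\other.exe /x"
'''
```

The match is on the command pattern rather than the value name, so a hit is a lead to check against the anti-virus vendor's description, not a confirmed infection.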