
[IP] Computer Virus Information from a Friend!



Greetings, email @ redacted

I thought you would be interested in knowing about this computer Virus...

Name: W32/email @ redacted

Characteristics:
This mass mailing worm attempts to send itself using Microsoft Outlook to
all entries found in the Outlook Address book. It tries to delete security
software, can spread via ICQ, and an IRC bot script. It arrives in an
email message containing the following information:
Subject: Hi
Body: How are you ? When I saw this screen saver, I immediately thought
about you I am in a harry, I promise you will love it!
Attachment: GONE.SCR
Running this attachment infects the local system.

When run, the worm displays a message box entitled "About".
After a short time, another window entitled "Error" is displayed.
The worm copies itself into the WINDOWS SYSTEM folder and adds the
following registry key to load itself at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR%\SYSTEM\gone.scr

Under Windows 9x/ME, the worm looks for the following processes in memory:
_AVP32.EXE _AVPCC.EXE _AVPM.EXE APLICA32.EXE AVP.EXE AVP32.EXE AVPCC.EXE
AVPM.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE ESAFE.EXE FRW.EXE
ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE
LOCKDOWN2000.EXE NAVW32.EXE PCFWallICON.EXE SAFEWEB.EXE TDS2-98.EXE
TDS2-NT.EXE VSHWIN32.EXE ZONEALARM.EXE

If present, the process is terminated and all files in the directory
containing that executable are deleted, as well as all files within any
subdirectories. If this action fails, the worm may create a WININIT.INI
file to delete the files upon restart.
The worm attempts to copy ICQMAPI.DLL to the WINDOWS SYSTEM directory to
send itself to ICQ users. DLL calls are made which send the worm to ICQ
contacts which are on-line.  The worm also creates the file REMOTE32.INI
and modifies the mIRC SCRIPT.INI file to use it.  This causes the mIRC
client to become an IRC bot, accepting instructions to initiate a Denial
of Service attack from remote IRC users who are connected to the same
channel.

To check your system for this Virus, and to learn how to protect yourself
from computer viruses, visit the McAfee.com Clinic at
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103.

For complete information on this Virus, view McAfee.com's Virus
Information Library listing at
http://vil.mcafee.com/dispVirus.asp?virus_k=99272.

This email was sent to you by Sean Hamblin
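
The artifacts named in the description above (the gone.scr Run entry, a WININIT.INI that queues deletions, and a mIRC SCRIPT.INI that refers to REMOTE32.INI) can be checked together on a host snapshot. The following is an added example, not part of the original message or of McAfee's listing; the function names and sample data are constructed, and the `[rename]` / `NUL=<path>` delete-on-restart convention is standard Windows 9x WININIT.INI behaviour assumed here rather than stated in the message.

```python
# Added example: indicator triage for the artifacts named in the advisory above.
WORM_FILE = "gone.scr"
IRC_DROP = "remote32.ini"
SECURITY_EXES = set("""
_AVP32.EXE _AVPCC.EXE _AVPM.EXE APLICA32.EXE AVP.EXE AVP32.EXE AVPCC.EXE
AVPM.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET32.EXE ESAFE.EXE FRW.EXE
ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE
LOCKDOWN2000.EXE NAVW32.EXE PCFWallICON.EXE SAFEWEB.EXE TDS2-98.EXE
TDS2-NT.EXE VSHWIN32.EXE ZONEALARM.EXE
""".lower().split())

def pending_deletes(wininit_text):
    """Paths queued for deletion at next boot: NUL=<path> under [rename]."""
    # Parsed by hand because the NUL key repeats, which strict INI parsers reject.
    section, paths = None, []
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "rename" and "=" in line and not line.startswith(";"):
            dest, src = (part.strip() for part in line.split("=", 1))
            if dest.lower() == "nul" and src:
                paths.append(src)
    return paths

def triage(run_values, wininit_text="", script_ini_text=""):
    """Return (indicator, detail) pairs for one host snapshot."""
    findings = []
    for name, data in run_values.items():
        if WORM_FILE in name.lower() or WORM_FILE in data.lower():
            findings.append(("run-key", name))
    for path in pending_deletes(wininit_text):
        # Flag queued deletions whose file name is one of the targeted executables.
        if path.lower().replace("/", "\\").rsplit("\\", 1)[-1] in SECURITY_EXES:
            findings.append(("wininit-delete", path))
    if IRC_DROP in script_ini_text.lower():
        findings.append(("mirc-script", IRC_DROP))
    return findings

# Constructed sample snapshot (not taken from a real host).
SAMPLE_RUN = {r"C:\WINDOWS\SYSTEM\gone.scr": r"C:\WINDOWS\SYSTEM\gone.scr",
              "SystemTray": "SysTray.Exe"}
SAMPLE_WININIT = "[rename]\nNUL=C:\\PROGRA~1\\AV\\NAVW32.EXE\nNUL=C:\\TEMP\\OLD.TMP\n"
SAMPLE_SCRIPT_INI = "[script]\n; constructed line naming the dropped file\nn0=REMOTE32.INI\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_WININIT, SAMPLE_SCRIPT_INI):
        print(finding)
```

The SCRIPT.INI check only looks for the REMOTE32.INI file name, since the message does not say how the worm's modification is written.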