Virus warning


From: 1232-553-1 (1232-553@onlinehome.de)
Date: 11/12/00-10:57:12 AM Z


Folks!

The win32/navidad.worm virus is around.

The virus uses the 'in box' of your e-mail client to distribute
itself to other computers.

It will change the system registry - so that all applications no
longer start - your system is blocked.

The virus has caused a lot of problems for a couple of days to
people and companies at least in Germany and Switzerland.

Find below detailed information from Computer Associates.
They offer a free virus scanner which detects the virus safely
and offers a free newsletter and updates.
(download at www.ca.com)

Cheers
Stefan

___________________________
2s.artificial image

http://www.2s-image.de
kontakt@2s-image.de

Domain is still under construction!

voice +49(0)69-954508-03 /-06
fax +49(0)69-954508-04
cellular phones +49(0)172-6130532 /-6123398
isdn eurofile +49(0)69-954508-05
isdn leonardo +49(0)69-954508-07

=============================================
E-News: InoculateIT Personal Edition AntiVirus
Newsletter from Computer Associates
Version 00.69 | November 8, 2000
via www: http://esupport.ca.com
=============================================

Table of Contents

- Win32/Navidad.Worm

- InoculateIT Personal Edition AntiVirus
  Update Number 490 available

- Internet Defense Summit

==============================================
Win32/Navidad.Worm
==============================================

Win32/Navidad.Worm

Win32/Navidad.Worm is an e-mail worm which,
despite having a major bug, is still able to
spread successfully.

It will arrive in an e-mail message, the
subject of which is variable. The worm replies
to messages so the subject will usually match
one that the recipient has previously sent.
The body of the message is empty except for
an attachment called:

"Navidad.exe".

When run, the worm immediately displays a
dialog box with the title "Error", the text
"UI", and an "OK" button.

When the "OK" button is pressed, the worm
immediately starts to send itself. It does this
by going through all of the messages in the
Inbox of the default MAPI mail client and
replying to each one. The replies have exactly
the same subject as the original message ("Re:"
is NOT added) and, in place of the message
body, the worm is attached. These messages are
sent using the default MAPI mail client, so
they may appear in the Outbox of Outlook or
Outlook Express before being sent, depending on
the user's settings.

The worm displays an icon (in the form of a
blue eye) on the system tray of the Windows
task bar. If the mouse cursor is placed over
the icon, the ToolTip message will display

"Lo estamos mirando...".
("We are watching it...")

If the icon is clicked, a window containing a
single button will be displayed. The text on
the button is

"Nunca presionar este boton".
("Never push this button")

When the button is clicked, another window with
the title

"Feliz Navidad"
("Merry Christmas")

will appear. This window contains the text

"Lamentablemente cayo en la tentacion y perdio su computadora"
("Unfortunately he/she did not resist the temptation and lost his/her
computer")

and an "OK" button.

The worm also attempts to install itself onto
the system and this is where the bug lies. The
worm makes a copy of itself, as "Winsvrc.vxd",
in the Windows System directory. It then
creates two registry keys which point to a
different filename, "Winsvrc.exe":

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
   \Run\Win32BaseServiceMOD = "C:\WINDOWS\SYSTEM\Winsvrc.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default) =
   "C:\WINDOWS\SYSTEM\Winsvrc.exe "%1" %"

As the "Winsvrc.exe" file does not exist, the
first registry change will have no effect. The
second change, however, will effectively stop
all .EXE files from being executed. Whenever
the user tries to execute a program, a message
will be displayed informing the user that
Windows cannot find winsvrc.exe and the
program will not run.

IPE signature release 490 includes
detection for the Navidad worm.

For a utility to fix the registry, please visit:

http://www.ca.com/virusinfo/encyclopedia/descriptions/navidad.htm

=============================================
VIRUS UPDATE 490
=============================================

AntiVirus Update number 490 has been uploaded
to the Computer Associates web site for you
to download.

To download the new signature files for IPE
without going through your Web browser, you can
use the new "Auto Download" feature inside
IPE (Tools, AutoDownload) or the AutoDownload
application to check for updated signatures,
download, and install them.

It is recommended that once you have downloaded
and installed an update that you do a virus
scan of all the files on your system and
create a new reference disk for your system.

Alternatively, the update file can be obtained
at the following URL:
http://antivirus.ca.com/cgi-bin/ipe/update.cgi

We recommend that you keep your anti-virus
protection up-to-date at all times by ensuring
you are running the most up-to-date anti-virus
software (Current IPE version 5.1) and the latest
update kit.

These update kits are cumulative: therefore the
latest update kit includes everything from all
previous update kits as well as the new virus
information.

These update kits are NOT complete versions of
IPE but an update which will allow version 5.x
to detect and clean the latest viruses.

Below is a list of all the viruses that have been
added to the update kit:

Bablas.AS
Class.FA
Confused.D:Tw
Opey.AL
Pri.W
Sevensix.A
Sugar.F
Thus.BG
Thus.BQ
Ump.C:Kit
VBS.Bebop
VBS.Gnut.C trojan
VBS.Scary.A
Win32.Ankara trojan
Win32.BusConquerer trojan
Win32.Delarm
Win32.FruitMachine
Win32.HLLO.Homer
Win32.Hybris
Win32.Hybris.A
Win32.Hybris.B
Win32.Infinite.1661
Win32.Kriz.3621
Win32.Navidad
Win32.SecretService.20 trojan
Win32.Sonic.55
Win32.Sonic.56
Win32.Sonic.60
Win32.Sonic.61
Win32.Sonic.B

=============================================
Internet Defense Summit
=============================================

Attend a FREE interactive seminar where you
can learn how to defend against Electronic
and Internet crime. Learn how to:

- Protect your eBusiness from today's most
  serious security threat - viruses.
- Safeguard systems connected to the internet
  from malicious code attacks.
- Provide authorized users with access to
  your networks while keeping unauthorized
  users out.
- Defend networks against the deployment and
  execution of Distributed Denial of Service
  attacks.
- Secure internet communications accessed by
  remote users and secure site to site
  communication over the internet.
- Learn how these technologies can improve
  your overall business performance.

For locations, dates, and registration
information, please visit:
http://www.ca.com/events/security_summit/.
Seating is limited.

=============================================

Additional information on viruses, worms, and
Trojan horses can be found at Computer Associates
Virus Information Center:
http://www.ca.com/virusinfo/

Carnegie Mellon Software Engineering Institute
(CERT® Coordination Center):
http://www.cert.org/advisories/

=============================================

To subscribe to this or other newsletters, go to
http://esupport.ca.com/ and click the E-News
button on the left panel.

You can unsubscribe from the same E-News page or
by sending an email to mailto:listserv@listserv.ca.com
with 'signoff enews_ipe' in the message
body.

This newsletter contains practical tech
support information about relevant issues
with our products.

=============================================

Feedback? Comments? Suggestions?
Send mailto:editor_ipe@ca.com. All submissions
become the property of the publisher and may
or may not be reprinted.

NOTE: This address should be used only for
feedback on this newsletter. Requests for
technical support should be submitted
through normal channels.



This archive was generated by hypermail 2b30 : 12/01/00-11:46:57 AM Z CST
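
The registry condition the newsletter describes can be checked offline from a registry export. The following is an added example, not part of the original post or of any Computer Associates tool: it parses a REGEDIT4 text export and flags a replaced .exe open handler and Run entries whose target file is missing. The function names, the constructed sample export and the caller-supplied list of existing files are assumptions; the expected handler value `"%1" %*` is the stock Windows default.

```python
import re

# Stock Windows handler for .exe files: run the clicked program with its arguments.
EXE_DEFAULT = '"%1" %*'
EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed REGEDIT4 export holding the two values quoted in the newsletter.
INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe \"%1\" %\""
'''

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash

def parse_reg(text):
    """Return {lowercased key: {value name: data}} for string values; "" is (Default)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def command_target(command):
    """Program path at the start of a command line (quoted, or up to the first space)."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""

def audit(text, existing_files):
    """Flag a replaced .exe handler and Run entries whose target file is absent."""
    keys, present = parse_reg(text), {p.lower() for p in existing_files}
    findings = []
    handler = keys.get(EXE_KEY, {}).get("")
    if handler is not None and handler.strip() != EXE_DEFAULT:
        findings.append(("exefile-handler-replaced", command_target(handler)))
    for name, data in keys.get(RUN_KEY, {}).items():
        if command_target(data).lower() not in present:
            findings.append(("run-target-missing", name))
    return findings

if __name__ == "__main__":
    # Only the .vxd copy exists on disk, as the newsletter describes.
    for finding in audit(INFECTED, [r"C:\WINDOWS\SYSTEM\Winsvrc.vxd"]):
        print(finding)
```

Both findings fire on the sample because the handler and the Run value name "Winsvrc.exe" while only "Winsvrc.vxd" was written to disk.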