From: Peter Fredrik (pete@fotem.demon.co.uk)
Date: 11/21/00-05:54:52 AM Z
1232-553-1 wrote:
> Folks!
>
> The win32/navidad.worm virus is around.
>
> The virus uses the 'in box' of your e-mail client to distribute
> itself to other computers.
>
> It will change the system registry - so that all applications no
> longer start - your system is blocked.
>
> The virus has been causing a lot of problems for a couple of days to
> people and companies, at least in Germany and Switzerland.
>
> Find below detailed information from Computer Associates.
> They offer a free Virus-scanner which detects the virus safely
> and offers free newsletter and updates.
> (download at www.ca.com)
>
> Cheers
> Stefan
>
> ___________________________
> 2s.artificial image
>
> http://www.2s-image.de
> kontakt@2s-image.de
>
> Domain is still under construction!
>
> voice +49(0)69-954508-03 /-06
> fax +49(0)69-954508-04
> cellular phones +49(0)172-6130532 /-6123398
> isdn eurofile +49(0)69-954508-05
> isdn leonardo +49(0)69-954508-07
>
> =============================================
> E-News: InoculateIT Personal Edition AntiVirus
> Newsletter from Computer Associates
> Version 00.69 | November 8, 2000
> via www: http://esupport.ca.com
> =============================================
>
> Table of Contents
>
> - Win32/Navidad.Worm
>
> - InoculateIT Personal Edition AntiVirus
> Update Number 490 available
>
> - Internet Defense Summit
>
> ==============================================
> Win32/Navidad.Worm
> ==============================================
>
> Win32/Navidad.Worm
>
> Win32/Navidad.Worm is an e-mail worm which,
> despite having a major bug, is still able to
> spread successfully.
>
> It will arrive in an e-mail message, the
> subject of which is variable. The worm replies
> to messages so the subject will usually match
> one that the recipient has previously sent.
> The body of the message is empty except for
> an attachment called:
>
> "Navidad.exe".
>
> When run, the worm immediately displays a
> dialog box with the title "Error", the text
> "UI", and an "OK" button.
>
> When the "OK" button is pressed, the worm
> immediately starts to send itself. It does this
> by going through all of the messages in the
> Inbox of the default MAPI mail client and
> replying to each one. The replies have exactly
> the same subject as the original message ("Re:"
> is NOT added) and, in place of the message
> body, the worm is attached. These messages are
> sent using the default MAPI mail client, so
> they may appear in the Outbox of Outlook or
> Outlook Express before being sent, depending on
> the user's settings.
>
> The worm displays an icon (in the form of a
> blue eye) on the system tray of the Windows
> task bar. If the mouse cursor is placed over
> the icon, the ToolTip message will display
>
> "Lo estamos mirando...".
> ("We are watching it...")
>
> If the icon is clicked, a window containing a
> single button will be displayed. The text on
> the button is
>
> "Nunca presionar este boton".
> ("Never push this button")
>
> When the button is clicked, another window with
> the title
>
> "Feliz Navidad"
> ("Merry Christmas")
>
> will appear. This window contains the text
>
> "Lamentablemente cayo en la tentacion y perdio su computadora"
> ("Unfortunately he/she did not resist the temptation and lost his/her
> computer")
>
> and an "OK" button.
>
> The worm also attempts to install itself onto
> the system and this is where the bug lies. The
> worm makes a copy of itself, as "Winsvrc.vxd",
> in the Windows System directory. It then
> creates two registry keys which point to a
> different filename, "Winsvrc.exe":
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
> \Run\Win32BaseServiceMOD = "C:\WINDOWS\SYSTEM\Winsvrc.exe"
> HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default) =
> "C:\WINDOWS\SYSTEM\Winsvrc.exe "%1" %"
>
> As the "Winsvrc.exe" file does not exist, the
> first registry change will have no effect. The
> second change, however, will effectively stop
> all .EXE files from being executed. Whenever
> the user tries to execute a program, a message
> will be displayed informing the user that
> Windows cannot find winsvrc.exe and the
> program will not run.
>
> IPE signature release 490 includes
> detection for the Navidad worm.
>
> For a utility to fix the registry, please visit:
>
> http://www.ca.com/virusinfo/encyclopedia/descriptions/navidad.htm
>
> =============================================
> VIRUS UPDATE 490
> =============================================
>
> AntiVirus Update number 490 has been uploaded
> to the Computer Associates web site for you
> to download.
>
> To download the new signature files for IPE
> without going through your Web browser, you can
> use the new "Auto Download" feature inside
> IPE (Tools, AutoDownload) or the AutoDownload
> application to check for updated signatures,
> download, and install them.
>
> It is recommended that once you have downloaded
> and installed an update that you do a virus
> scan of all the files on your system and
> create a new reference disk for your system.
>
> Alternatively, the update file can be obtained
> at the following URL:
> http://antivirus.ca.com/cgi-bin/ipe/update.cgi
>
> We recommend that you keep your anti-virus
> protection up-to-date at all times by ensuring
> you are running the most up-to-date anti-virus
> software (Current IPE version 5.1) and that latest
> update kit.
>
> These update kits are cumulative: therefore the
> latest update kit includes everything from all
> previous update kits as well as the new virus
> information.
>
> These update kits are NOT complete versions of
> IPE but an update which will allow version 5.x
> to detect and clean the latest viruses.
>
> Below is a list of all the viruses that have been
> added to the update kit:
>
> Bablas.AS
> Class.FA
> Confused.D:Tw
> Opey.AL
> Pri.W
> Sevensix.A
> Sugar.F
> Thus.BG
> Thus.BQ
> Ump.C:Kit
> VBS.Bebop
> VBS.Gnut.C trojan
> VBS.Scary.A
> Win32.Ankara trojan
> Win32.BusConquerer trojan
> Win32.Delarm
> Win32.FruitMachine
> Win32.HLLO.Homer
> Win32.Hybris
> Win32.Hybris.A
> Win32.Hybris.B
> Win32.Infinite.1661
> Win32.Kriz.3621
> Win32.Navidad
> Win32.SecretService.20 trojan
> Win32.Sonic.55
> Win32.Sonic.56
> Win32.Sonic.60
> Win32.Sonic.61
> Win32.Sonic.B
>
> =============================================
> Internet Defense Summit
> =============================================
>
> Attend a FREE interactive seminar where you
> can learn how to defend against Electronic
> and Internet crime. Learn how to:
>
> - Protect your eBusiness from today's most
> serious security threat - viruses.
> - Safeguard systems connected to the internet
> from malicious code attacks.
> - Provide authorized users with access to
> your networks while keeping unauthorized
> users out.
> - Defend networks against the deployment and
> execution of Distributed Denial of Service
> attacks.
> - Secure internet communications accessed by
> remote users and secure site to site
> communication over the internet.
> - Learn how these technologies can improve
> your overall business performance.
>
> For locations, dates, and registration
> information, please visit:
> http://www.ca.com/events/security_summit/.
> Seating is limited.
>
> =============================================
>
> Additional information on viruses, worms, and
> Trojan horses can be found at Computer Associates
> Virus Information Center:
> http://www.ca.com/virusinfo/
>
> Carnegie Mellon Software Engineering Institute
> (CERT® Coordination Center):
> http://www.cert.org/advisories/
>
> =============================================
>
> To subscribe to this or other newsletters, go to
> http://esupport.ca.com/ and click the E-News
> button on the left panel.
>
> You can unsubscribe from the same E-News page or
> by sending an email to mailto:listserv@listserv.ca.com
> with 'signoff enews_ipe' in the message
> body.
>
> This newsletter contains practical tech
> support information about relevant issues
> with our products.
>
> =============================================
>
> Feedback? Comments? Suggestions?
> Send mailto:editor_ipe@ca.com. All submissions
> become the property of the publisher and may
> or may not be reprinted.
>
> NOTE: This address should be used only for
> feedback on this newsletter. Requests for
> technical support should be submitted
> through normal channels.
This archive was generated by hypermail 2b30 : 12/01/00-11:46:57 AM Z CST
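As an added illustration (not part of the original post or of the CA newsletter), a small offline check for the two registry changes the newsletter describes: it parses a .reg-style export, flags a non-stock exefile handler and any Run entry whose target file is missing (the worm's own bug), and emits the fragment that restores the stock handler. The sample export is constructed from the newsletter's values; the trailing `%*` in the handler is assumed, and the file-existence check is injected so the code runs without a Windows machine.

```python
import re

RUN_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
CLEAN_EXEFILE_CMD = '"%1" %*'   # stock handler: run the .exe itself with its arguments

# Constructed sample: a .reg-style export of the two keys the newsletter says the
# worm rewrites (paths and value name from the newsletter; trailing %* assumed).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe \"%1\" %*"'''

def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: string_data}}; '@' is the (Default) value."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            result[key] = {}
        elif key and '=' in line:
            name, data = line.split('=', 1)
            name = '(Default)' if name == '@' else name.strip('"')
            # undo .reg escaping: \" -> " and \\ -> \
            result[key][name] = data.strip('"').replace('\\"', '"').replace('\\\\', '\\')
    return result

def first_exe(command):
    """Executable at the head of a shell command line, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ''

def audit(reg, exists):
    """Flag a non-stock .exe handler and Run entries whose target file is missing."""
    findings = []
    cmd = reg.get(EXEFILE_KEY, {}).get('(Default)', CLEAN_EXEFILE_CMD)
    if cmd != CLEAN_EXEFILE_CMD:
        exe = first_exe(cmd)
        findings.append(('exefile_hijack', exe, exists(exe)))   # False = every .exe is blocked
    for name, data in reg.get(RUN_KEY, {}).items():
        exe = first_exe(data)
        if not exists(exe):
            findings.append(('run_missing_target', name, exe))
    return findings

def repair_reg():
    """A .reg fragment that restores the stock handler and deletes the worm's Run value."""
    return ('Windows Registry Editor Version 5.00\r\n\r\n'
            f'[{EXEFILE_KEY}]\r\n@="\\"%1\\" %*"\r\n\r\n'
            f'[{RUN_KEY}]\r\n"Win32BaseServiceMOD"=-\r\n')
```

Because the hijacked handler blocks every .exe launch, regedit.exe will not start normally on an affected machine, so the fragment has to be imported from a clean environment or through a copy of regedit run under a different extension.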