Here we go again :-( FW: eTrust EZ Virus Alert for Win32.Vote.A Worm
- To: "UKHA Discussion (E-mail)" <ukha_d@xxxxxxx>
- Subject: Here we go again :-( FW: eTrust EZ Virus Alert for Win32.Vote.A Worm
- From: Keith Doxey <ukha@xxxxxxx>
- Date: Tue, 25 Sep 2001 09:12:46 +0100
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
Looks like there is another one about guys...and gals
Bugger :-(
Keith
-----Original Message-----
From: support@xxxxxxx [mailto:support@xxxxxxx]
Sent: 25 September 2001 03:30
To: keith@xxxxxxx
Subject: eTrust EZ Virus Alert for Win32.Vote.A Worm
=============================================
eTrust EZ Virus Alert for Win32.Vote.A Worm
=============================================
Win32.Vote.A worm (also known as W32.Vote.A@mm)
Win32.Vote.A is a worm that erases files in the Windows and other directories
and overwrites HTM and HTML files, spreading via the Internet by email using
MAPI and Microsoft Outlook.
The worm appears attached to an email with the following subject:
Fwd:Peace BeTweeN AmeriCa And IsLaM !
and body text:
Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!
with the attachment:
WTC.exe
The worm launches two browser windows, one to a download site which
contained the Win32.PSW.Barrio.50 trojan, and one to another site that is no
longer available. The explorer home page is set to point to the download
site.
The worm drops two trojans in the windows system directory: VBS.VoteMix.A
and VBS.VoteZak.A.
The VBS.VoteMix.A trojan is then executed, which searches local and network
drives for HTM and HTML files, replacing them with the line:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is So Sorry For You .
The worm also creates a registry value:
HKLM\software\microsoft\windows\currentversion\run\Norton.Thar = <windows system>\ZaCker.vbs
so that on next reboot, the VBS.VoteZak.A trojan is executed. This first
deletes all files in the windows directory, then attempts to modify
C:\AUTOEXEC.BAT with an instruction to format drive C when the computer next
reboots. This fails however, and the following message box pops up:
I promiss We WiLL Rule The World Again...By The Way, You Are Captured By ZaCker!!!
An attempt is then made to force windows to reboot, but this also fails
because the trojan has already deleted RUNDLL32.EXE from the windows
directory.
This worm also appears to make attempts at disabling particular Antivirus
Scanners by deleting files found in the following directories:
C:\Program Files\AntiViral Toolkit Pro\*.*
C:\eSafe\Protect\*.*
C:\Program Files\Command Software\F-PROT95\*.*
C:\PC-Cillin 95\*.*
C:\PC-Cillin 97\*.*
C:\Program Files\Quick Heal\*.*
C:\Program Files\FWIN32\*.*
C:\Program Files\FindVirus\*.*
C:\Toolkit\FindVirus\*.*
C:\f-macro\*.*
C:\Program Files\McAfee\VirusScan95\*.*
C:\Program Files\Norton AntiVirus\*.*
C:\TBAVW95\*.*
C:\VS95\*.*
Users with eTrust EZ Antivirus signature files 1517
and up are protected against this worm.
A few simple rules to remember:
==========================
- Prevent viruses from spreading by updating your antivirus
software on a regular basis.
- Do not open attachments received from somebody
you don’t know.
- Be careful when receiving attachments from your friends. In most
cases they are not aware of infection and will not know if the
virus email was sent from their own PCs.
=============================================
The simplest way to check if you have the most
current signatures, or to update your signatures
in the case that you do not, is to use the following
procedure:
1) Start the eTrust EZ Antivirus gui
2) From the menu bar, select Tools
3) From the list that is displayed, select Autodownload
4) The product will automatically guide you through the process from this
point forward.
To manually download the updates, go to:
http://www.my-etrust.com/products/subscriptions/AntiVirus/
Virus signature update files are cumulative,
therefore the latest signature file update
includes everything from all previous file updates as well as
new virus information. A list of newly detected viruses since
the last update is available at:
http://my-etrust.com/products/encyclopedia/virusinfo/encyclopedia
=============================================
Additional information on viruses, worms, and
Trojan horses can be found at the Computer
Associates Virus Information Center:
http://www.ca.com/virusinfo/
For more detailed virus information and
specialized removal instructions, visit:
http://www.ca.com/virusinfo/virusalert.htm
Carnegie Mellon Software Engineering Institute
(CERT® Coordination Center):
http://www.cert.org/advisories/
=============================================
You can unsubscribe from this newsletter by going to
http://www.my-etrust.com/maintenance/optin/
=============================================
Feedback? Comments? Suggestions?
Send mailto:webmaster@xxxxxxx. All submissions
become the property of the publisher and may or may not be
reprinted.
NOTE: This address should be used only for feedback on
this newsletter. Requests for technical support should be
submitted through normal channels.
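
Added example (not part of the original alert or of any eTrust product): a small Python triage helper that checks a mail message, a text export of the Run key and an HTM/HTML file body against the indicators the alert lists. The function names, the sample message, the sample registry export and its C:\WINDOWS\SYSTEM path are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Indicators copied from the alert text; everything else here is an assumption.
SUBJECT = "Fwd:Peace BeTweeN AmeriCa And IsLaM !"
ATTACHMENT = "wtc.exe"
RUN_NAME, RUN_TARGET = "norton.thar", "zacker.vbs"
DEFACE = ("few days will show you what we can do", "zacker is so sorry for you")

def squash(s):
    """Lower-case and drop whitespace so spacing/case variants still match."""
    return re.sub(r"\s+", "", str(s or "")).lower()

def check_message(msg):
    """Return which mail indicators (subject, attachment name) a message matches."""
    hits = []
    if squash(msg["Subject"]) == squash(SUBJECT):
        hits.append("subject")
    if any((p.get_filename() or "").lower() == ATTACHMENT for p in msg.iter_attachments()):
        hits.append("attachment")
    return hits

def check_run_export(text):
    """Scan a text export of the Run key for the persistence value."""
    hits = []
    for name, data in re.findall(r'^"([^"]+)"="(.*)"\s*$', text, re.M):
        if name.lower() == RUN_NAME or data.lower().endswith(RUN_TARGET):
            hits.append(name)
    return hits

def is_defaced(html):
    """True if an HTM/HTML file body carries the replacement line."""
    flat = re.sub(r"\s+", " ", html).lower()
    return any(marker in flat for marker in DEFACE)

# Constructed samples (not real captures).
SAMPLE_MAIL = EmailMessage()
SAMPLE_MAIL["Subject"] = SUBJECT
SAMPLE_MAIL.set_content("Hi\nLet's Vote To Live in Peace!")
SAMPLE_MAIL.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename="WTC.exe")
SAMPLE_REG = ('[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
              '"Norton.Thar"="C:\\\\WINDOWS\\\\SYSTEM\\\\ZaCker.vbs"\n'
              '"SystemTray"="SysTray.Exe"\n')

if __name__ == "__main__":
    print(check_message(SAMPLE_MAIL), check_run_export(SAMPLE_REG))
```

Decode the registry export to text before passing it in; newer Windows versions write these exports as UTF-16.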