Colext/Macondo
Virtual cantina for COLombians living abroad (en el EXTerior)
--------------------------------------------------

- W32/Nimda@MM -

Dear Peter:

McAfee.com has seen a large and growing number of systems infected with the
W32/Nimda@MM. This is a HIGH RISK virus that is spread via email.
W32/Nimda@MM also spreads via open shares, the Microsoft Web Folder
Transversal vulnerability (also used by W32/CodeBlue), and a Microsoft
content-type spoofing vulnerability.

The email attachment name VARIES and may use the icon for an Internet
Explorer HTML document.

It will also attempt to spread itself as follows:
The email messages created by the worm include content that allows the worm
to execute the attachment even if the user does not open it.
It modifies HTML documents, so that when this infected window is accessed
(locally or remotely), the machine viewing the page is then infected.
Once infected, your system is used to seek out others to infect over the
Web.

AVERT is currently analyzing this threat and will post more details online
shortly.

====================================================
W32/Nimda@MM Help Center

Description - What virus is this?

This threat can infect all unprotected users of Win9x/NT/2000/ME.

This is a HIGH RISK virus that is spread via email. The infected email can
come from addresses that you recognize. W32/Nimda@MM also spreads via open
shares, the Microsoft Web Folder Transversal vulnerability (also used by
W32/CodeBlue), and a Microsoft content-type spoofing vulnerability. The
email attachment name varies and may use the icon for an Internet Explorer
HTML document.

Customizing the program file extension list using VirusScan 4.5 (and higher)
may result in a lack of protection against this Trojan. As always, AVERT
recommends that users configure VirusScan to scan all files. If this is not
an option in your environment, the default extension list should be used.

Payload - What can this virus do?

It attempts to create a share (c:), and checks for the presence of the
Trojan dropped by the W32/CodeRed.c worm. It will attempt to spread itself
as follows:
The email messages created by the worm specify a content-type of audio/x-wav
with an executable attachment type. Thus when a message is accessed, the
attachment can be executed even if the user does not open it and without the
user's knowledge.

It adds JavaScript code to HTML documents, which opens a new browser window
containing the infectious email message itself (taken from the dropped file
README.EML). When this infected window is accessed (locally or remotely),
the machine viewing the page is then infected.

Once infected, your system is used to seek out others to infect over the
web. As this creates a lot of port scanning, this can cause a network
traffic jam.

It creates a SYSTEM.INI entry to load the worm at startup:
Shell=explorer.exe load.exe -dontrunold

A MIME encoded version of the worm is created in each folder on the drive
(often as README.EML, can also be .NWS files).
Certain executable files are selected by the worm and altered.

The virus contains the string: Concept Virus (CV) V.5, Copyright (C) 2001
R.P.China
==========================================================
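Two of the indicators the alert describes can be checked mechanically: a MIME part declared as audio/x-wav that actually carries an executable attachment name, and a SYSTEM.INI Shell= line that loads something besides explorer.exe. The script below is an added example, not part of the original alert or of any McAfee tool; the message and INI text it scans are constructed samples.

```python
import email
from email import policy

# Attachment extensions that have no business inside a part declared as audio/x-wav
# (the content-type spoofing trick the alert describes). Extend as needed.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".eml", ".nws"}

def find_spoofed_parts(raw_message: str) -> list:
    """Return (declared content type, filename) for every MIME part whose declared
    type is audio/x-wav but whose attachment name carries an executable extension."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "audio/x-wav":
            continue
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append((part.get_content_type(), name))
    return hits

def system_ini_persistence(system_ini_text: str) -> bool:
    """True if the Shell= line loads anything beyond explorer.exe,
    e.g. the 'load.exe -dontrunold' entry described in the alert."""
    for line in system_ini_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "shell":
            return value.strip().lower() != "explorer.exe"
    return False

# Constructed sample message (not captured from a real infection).
SAMPLE_MESSAGE = """\
From: someone@example.test
To: you@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html

<html><body>see attachment</body></html>
--BOUND
Content-Type: audio/x-wav; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"

placeholder attachment body
--BOUND--
"""

# Constructed SYSTEM.INI fragment using the Shell= entry quoted in the alert.
SAMPLE_SYSTEM_INI = "[boot]\nShell=explorer.exe load.exe -dontrunold\n"
```

Running `find_spoofed_parts(SAMPLE_MESSAGE)` flags the readme.exe part, and `system_ini_persistence(SAMPLE_SYSTEM_INI)` returns True for the modified Shell= line.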
--------------------------------------------------------------
    To unsubscribe send an email to:  [EMAIL PROTECTED]
    with UNSUBSCRIBE COLEXT as the BODY of the message.

    An archive of colext can be found at:
    http://www.mail-archive.com/[email protected]/
    courtesy of Anibal Monsalve Salazar