Please excuse duplication.

-L.

-----Original Message-----
From: eleanor lisney [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 5:18 PM
To: [EMAIL PROTECTED]
Subject: Fwd: Alert: very nasty new virus

Do not open attachments called WTC.exe. Delete, without opening:

An email message that appears to be a call for peace between America and Islam is actually a malicious and destructive Internet mass mailing worm. It was inevitable that a hacker would try to take advantage of the emotional climate following the horror of September 11.

The worm carries the Subject line "Peace between America and Islam!" and the message body "Hi. Is it a war against America or Islam!? Let's vote to live in peace!" Users who open the attachment entitled "WTC.exe" will receive a rude surprise.

The worm first mails copies of itself to everyone in the Outlook address book. It then replaces all .HTML and .HTM files with the message "America...few days will show you what we can do!!! It's our turn Zaker is so sorry for you." It attempts to delete files in the Windows directory and even attempts to format the C: drive. If opened, WTC.exe will render the computer inoperable. While W32/Vote@MM is destructive, it is, at present, not widely distributed.

IMPORTANT: Do not open any attachment that you are not expecting, even from an email correspondent you know.

-- Platform --
Windows

-- Detection --
** Email message with the subject "Peace between America and Islam!"
** Attachment entitled "WTC.exe"
** Overwritten .HTM and .HTML files

-- Damage --
** Files missing from Windows directory and subdirectories
** Erased C: drive
** Overwritten .HTM and .HTML files
** Deletes specific anti-virus application directories

Deleted and overwritten files must be reinstalled or restored from backup.

-- Information --
When the email attachment is run, it drops two Visual Basic 5 Script files. MixDaLaL.vbs is saved to the Windows directory and run immediately. It overwrites all .HTM and .HTML files on local drives and mapped network drives. ZaCker.vbs is saved to the Windows System directory and a registry key is created to run it at startup. This second VBScript file attempts to delete all files in the Windows directory, creates or replaces the Autoexec.bat file with 'echo Y | format C', and displays a message box with the text "I promiss We WiLL Rule The World Again...By The Way,You Are Captured By ZaCker !!!" ZaCker.vbs then tries to exit Windows. This last step is not likely to be successful because of the Windows files deleted earlier.

WTC.exe (55,808 bytes) attempts to delete certain anti-virus software directories and to download a backdoor trojan from a web site that is now blocked. The trojan, if it is installed, gives hackers an entry into the computer which they can use to control the computer. If the backdoor trojan was successfully installed on the computer, it is possible for unauthorized users to access the computer over the network. The backdoor makes it possible for an intruder to perform a number of severely compromising actions:

** steal passwords
** delete or modify files, including log files
** modify access privileges on files or user accounts
** install keystroke-logging programs
** modify security and anti-virus settings
** steal sensitive and confidential information such as banking and credit card information
** install other backdoor or rootkit programs
** set up hidden file stores or other online services
** use the computer to launch distributed denial of service or other illegal activities

The only way to restore security to your computer once it has been compromised by a backdoor or rootkit is to reformat the hard drive, reinstall applications from original media, and restore documents from backup.

-- Removal --
1. Run Regedit.exe and delete the registry subkey "Norton.Thar" from the path HKLM\Software\Microsoft\Windows\CurrentVersion\Run
2. Remove the instruction 'echo Y | format C' from the Autoexec.bat file using Notepad.exe, Sysedit.exe or any text editor.
3. Find all *.htm and *.html files of 100 bytes and replace them with backup copies.
4. Delete WTC.exe, MixDaLaL.vbs and ZaCker.vbs, which may have the system or hidden attributes set.

-- For More Information --
Network Associates (McAfee):
<http://vil.nai.com/vil/virusSummary.asp?virus_k=99212>
Symantec Antivirus Research Center:
<http:[EMAIL PROTECTED]>
Trend Micro:
<http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VOTE.A>
ZDNet:
<http://www.zdnet.com/zdnn/stories/news/0,4586,5097375,00.html?chkpt=zdhpnews01>
CNet:
<http://news.cnet.com/news/0-1003-200-7285953.html?tag=lh>

-jrl
--
Information Technology Services
mailto:[EMAIL PROTECTED]
Phone: (512) 475-9400
Fax: (512) 475-9302
Request On-Site Technical Support: <http://sos.cc.utexas.edu/>

~~~
---------------------------------------------
To unsubscribe, send to [EMAIL PROTECTED]
Include in body: unsubscribe ctls-l
For information on CTLS-L please visit: http://www.ctls.net/document/ctls-l.htm
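The removal steps in the forwarded advisory can be turned into an offline triage check. The script below is an added example and is not part of the advisory or of the mailing-list message: it walks a directory tree for the filesystem indicators the advisory names (the three dropped files, .htm/.html files of exactly 100 bytes, and an Autoexec.bat line that pipes "Y" into format) and can strip the format line. The registry Run entry is deliberately left as a manual step, since the script is meant to run from any OS against a mounted or copied drive. The sample tree it builds is constructed for the demonstration; the stand-in .vbs files contain a comment, not the worm, and the 100-byte size criterion is taken from the advisory rather than measured.

```python
"""Offline triage for the W32/Vote@MM filesystem indicators listed in the advisory.

Added example, not part of the ITS advisory. Point triage() at the root of a
mounted or copied drive; the registry Run key ("Norton.Thar") must still be
checked by hand with Regedit.exe as the advisory describes.
"""
import re
import tempfile
from pathlib import Path

# File names the advisory says the worm drops (compared case-insensitively,
# since Windows file systems are case-insensitive).
DROPPED_FILES = {"wtc.exe", "mixdalal.vbs", "zacker.vbs"}

# Size criterion from the advisory's removal step 3 (assumed, not measured here).
DEFACED_SIZE = 100

# Matches the Autoexec.bat payload 'echo Y | format C' with loose whitespace/case.
FORMAT_LINE = re.compile(r"echo\s+y\s*\|\s*format\s+c", re.IGNORECASE)


def find_dropped_files(root):
    """Return paths whose file name matches one of the dropped files."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower() in DROPPED_FILES)


def find_defaced_html(root, size=DEFACED_SIZE):
    """Return .htm/.html files whose size equals the advisory's criterion."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file()
                  and p.suffix.lower() in (".htm", ".html")
                  and p.stat().st_size == size)


def autoexec_has_format(autoexec_path):
    """Return the offending lines from Autoexec.bat (empty list if clean/missing)."""
    p = Path(autoexec_path)
    if not p.is_file():
        return []
    return [line for line in p.read_text(errors="replace").splitlines()
            if FORMAT_LINE.search(line)]


def clean_autoexec(autoexec_path):
    """Removal step 2: rewrite Autoexec.bat without the format line. Returns lines kept."""
    p = Path(autoexec_path)
    kept = [line for line in p.read_text(errors="replace").splitlines()
            if not FORMAT_LINE.search(line)]
    p.write_text("\n".join(kept) + ("\n" if kept else ""))
    return len(kept)


def triage(root):
    """Collect all filesystem indicators under root as paths relative to it."""
    root = Path(root)
    return {
        "dropped": [p.relative_to(root).as_posix() for p in find_dropped_files(root)],
        "defaced": [p.relative_to(root).as_posix() for p in find_defaced_html(root)],
        "autoexec": autoexec_has_format(root / "Autoexec.bat"),
    }


def build_sample_tree():
    """Constructed sample drive with every indicator present (stand-ins, not the worm)."""
    root = Path(tempfile.mkdtemp(prefix="vote_triage_"))
    (root / "WINDOWS" / "SYSTEM").mkdir(parents=True)
    (root / "WINDOWS" / "MixDaLaL.vbs").write_text("' constructed stand-in\n")
    (root / "WINDOWS" / "SYSTEM" / "ZaCker.vbs").write_text("' constructed stand-in\n")
    (root / "Autoexec.bat").write_text("@ECHO OFF\nSET PATH=C:\\WINDOWS\necho Y | format C\n")
    (root / "web").mkdir()
    (root / "web" / "index.htm").write_bytes(b"X" * DEFACED_SIZE)   # "defaced": 100 bytes
    (root / "web" / "about.html").write_bytes(b"<html>ok</html>\n")  # untouched page
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for name, hits in triage(sample).items():
        print(f"{name}: {hits}")
    clean_autoexec(sample / "Autoexec.bat")
    print("autoexec after clean:", autoexec_has_format(sample / "Autoexec.bat"))
```

The size test is only as good as the advisory's figure: a file that was already 100 bytes before infection will be flagged, and a defacement written with different line endings would not be, so treat the defaced list as candidates to diff against backups rather than as a final answer.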

