Greetings, [EMAIL PROTECTED] I thought you would be interested in knowing about this computer virus... Virus Name: W32/NewApt.worm Virus Characteristics: This worm has been reported to AVERT in several countries during the week of December 13, 1999. The file may be received by email with a size of 69,632 bytes. The worm arrives by email and depending on if the email application supports HTML email body content or not, one of two messages is displayed. If HTML is supported, the message content looks like this: -------------------------------------------------------------- A href="http://stuart.messagemates.com/index.html"></A></P><SPAN class=200122622-17121999><FONT color=#000000 face=Verdana size=2><A href="http://stuart.messagemates.com/index.htmlHypercool Happy New Year 2000 funny programs and animations...We attached our recent animation from this site in our mail ! Check it out "><B><I><U> <P align=center><FONT color=#0000ff face="" size=4>http://stuart.messagemates.com/index.html</U></I></B></FONT></P> <P align=center></P> <P align=center></P><FONT color=#ff0000 size=2> <P align=center>Hypercool Happy New Year 2000 funny programs and animations...</P> <P align=center>We attached our recent animation from this site in our mail ! Check it out </P></FONT></A></FONT></SPAN> -------------------------------------------------------------- If the email client does not support HTML, the email message will have this content: --------------------------------------------------------------- he, your lame client cant read HTML, haha. click attachment to see some stunningly HOT stuff --------------------------------------------------------------- he email contains an attachment of a randomly selected name from the following list: <BR>baby.exe <BR>bboy.exe <BR>boss.exe <BR>casper.exe <BR>chestburst.exe <br>cooler1.exe <BR>cooler3.exe <BR>copier.exe <BR>cupid2.exe <BR>farter.exe <BR>fborfw.exe <BR>goal.exe <BR>goal1.exe <BR>g-zilla.exe <br>irngiant.exe <br>hog.exe <br>monica.exe <br>panther.exe <BR>panthr.exe <BR>party.exe <BR>pirate.exe <BR>s.exe <BR>saddam.exe <BR>theobbq.exe <BR>video.exe Please note that the file is not a "messagemates" game program and is not related to the web site listed in the email message! Messagemates.com has issued a notice about this also on their web site at this location: http://stuart.messagemates.com/notice.htm There is no icon associated with this 32 bit file other than the one associated with command line executables such as COMMAND.COM. If this worm is run, a "dummy" error message is displayed with the text- B>The dinamic link library giface.dll could not be found in the specified path (list of directory names) </b> he list of directory names are taken from they system environment variable "path" which is set in AUTOEXEC.BAT in Windows 9x and also configurable in Windows NT through the control panel. Note the misspelling of the word "dynamic". he machine is then checked for the installation of MS Outlook Express. If found, two files are written in the c:\windows folder ma. - contains a listing of email addresses <BR>mmail. - contains the directory of MS Outlook Express he list of email addresses is captured by checking all folders in Outlook Express for email messages received! file is then saved to the Windows folder and the registry is modified to load the file at the next Windows startup with a command line option of "/x". For example, if the executable "chestburst.exe" is run, the registry entry would look like this on a Windows 95 system: KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tpawen = c:\windows\chestburst.exe /x n the next Windows startup, the file is loaded. When the worm loads into memory, it waits for an unspecified amount of time and then sends an email message to one of the listed entries from the file "mma." with the format mentioned at the beginning of this description. hile the worm is active on Windows 9x system, the following DLLs are implemented: :\WINDOWS\SYSTEM\WSOCK32.DLL <BR>C:\WINDOWS\SYSTEM\WININET.DLL <BR>C:\WINDOWS\SYSTEM\SHLWAPI.DLL <BR>C:\WINDOWS\SYSTEM\USER32.DLL <BR>C:\WINDOWS\SYSTEM\GDI32.DLL <BR>C:\WINDOWS\SYSTEM\ADVAPI32.DLL <BR>C:\WINDOWS\SYSTEM\KERNEL32.DLL hen an email application such as MS Outlook is in use, the additional DLL loaded is TAPI32.DLL. t this time, AVERT is analyzing the distribution method for this worm. Strings within the executable suggest that it uses information stored in the file "prefs.js" which is a reference to Netscape. To check your system for this virus, and to learn how to protect yourself from computer viruses, visit the McAfee PC Clinic at http://clinic.mcafee.com. This email was sent to you by Michael =========================================================================== To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff JAVA3D-INTEREST". For general help, send email to [EMAIL PROTECTED] and include in the body of the message "help".
