Hi All,
For all of you who use insecure Windows machines/Outlook/Mirabilis ICQ/
Mirabilis IRC... This is what I've been able to work out from the
VB scripts of the virus.
Infected programs:
* MS Outlook
* Mirabilis IRC (MIRC32.EXE)
* Mirabilis ICQ
* (PIRCH98.EXE)
* REGEDIT.EXE
Spreads by:
* Email
* IRC
* ICQ (not sure)
* Via files on network drives
Email version:
--------------
The email which transmits the virus may have one of several subject lines:
1. Fw: Life Stages
2. Fw: Funny
3. Fw: Jokes
4. Fw: Life stages text
5. Fw: Funny text
6. Fw: Jokes text
There will be an attachment called "LIFE_STAGES.TXT.SHS" - this is the
actual virus program itself.
Do not run the file!
It appears to be similar to the ILOVEYOU virus - in that it:
1. Scans your address book and forwards itself on to each recipient
contained within.
2. Fiddles around with the registry (the database that tells the computer
about the hardware/software installed in your machine).
List of files/directories which may be touched by this virus:
LIFE_STAGES.TXT
MSINFO16.TLB
RECYCLED
MSRCYCLD.DAT
SCANREG.VBS
RCYCLDBN.DAT
DBINDEX.VBS
VBASET.OLB
WSCRIPT.EXE
REGEDIT.EXE
RECYCLED.VXD
\MyDocuments
\Programs
\MIRC
\MIRC32
\PIRCH
\PIRCH98
*** Note: The existence of any of the above is not proof of infection.
*** Some of the above are valid system files which may be modified by this
*** virus to disguise its presence.
It also appears to create a file in \MyDocuments and \Programs which
may be called one of:
IMPORTANT-xxx.TXT.SHS
IMPORTANT_xxx.TXT.SHS
IMPORTANT.TXT.SHS
INFO-xxx.TXT.SHS
INFO_xxx.TXT.SHS
INFO.TXT.SHS
REPORT-xxx.TXT.SHS
REPORT_xxx.TXT.SHS
REPORT.TXT.SHS
SECRET-xxx.TXT.SHS
SECRET_xxx.TXT.SHS
SECRET.TXT.SHS
UNKNOWN-xxx.TXT.SHS
UNKNOWN_xxx.TXT.SHS
UNKNOWN.TXT.SHS
If you have one of the above files, DO NOT RUN IT - it could be a copy
of the virus. Note that 'xxx' appears to be a 1 to 3 digit random number.
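The subject lines, the attachment name and the dropped-copy naming scheme above are the indicators a mail administrator or help desk can actually check for. The following script is an added example, not part of the original message: it matches a subject/attachment pair against the list, and matches bare file names against the IMPORTANT/INFO/REPORT/SECRET/UNKNOWN scheme with its optional 1 to 3 digit suffix. The sample inputs at the bottom are constructed. One caveat worth knowing when you look at a file listing: Windows hides the .SHS (scrap object) extension by default, so a dropped copy shows up in Explorer as if it were a plain .TXT file.

```python
import re
from pathlib import Path

# Subject lines listed in the advisory, compared case-insensitively.
KNOWN_SUBJECTS = {
    "fw: life stages", "fw: funny", "fw: jokes",
    "fw: life stages text", "fw: funny text", "fw: jokes text",
}

# Attachment name carried by the e-mail version.
MAIL_ATTACHMENT = "LIFE_STAGES.TXT.SHS"

# Copies dropped in \MyDocuments and \Programs: one of five stems, an optional
# -xxx or _xxx where xxx is a 1 to 3 digit number, then the .TXT.SHS double
# extension. Explorer hides the .SHS part, so the file looks like a .TXT.
DROPPED_COPY_RE = re.compile(
    r"^(?:IMPORTANT|INFO|REPORT|SECRET|UNKNOWN)(?:[-_]\d{1,3})?\.TXT\.SHS$",
    re.IGNORECASE,
)


def classify_mail(subject, attachment_names):
    """Return the indicators an e-mail matches: 'subject', 'attachment', or both.

    An empty list means nothing from the advisory matched. The attachment name
    is the strong indicator; the subject alone is only a hint, since forwarded
    jokes with exactly these subjects are common.
    """
    hits = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        hits.append("subject")
    if any(name.upper() == MAIL_ATTACHMENT for name in attachment_names):
        hits.append("attachment")
    return hits


def is_dropped_copy(filename):
    """True if a bare file name matches the dropped-copy naming scheme."""
    return DROPPED_COPY_RE.match(filename) is not None


def find_dropped_copies(filenames):
    """Filter an iterable of bare file names down to the suspicious ones."""
    return [name for name in filenames if is_dropped_copy(name)]


def scan_tree(root):
    """Walk a directory tree and return paths whose name matches the scheme.

    A matching name is not proof of infection (see the note in the advisory);
    the result is a list to review, not a list to delete blindly.
    """
    root = Path(root)
    return [p for p in root.rglob("*") if p.is_file() and is_dropped_copy(p.name)]


if __name__ == "__main__":
    # Constructed sample input, not real captured mail or a real directory listing.
    print("mail indicators:", classify_mail("Fw: Life Stages", ["life_stages.txt.shs"]))
    sample_listing = ["SECRET_42.TXT.SHS", "REPORT.TXT.SHS", "INFO-1234.TXT.SHS",
                      "notes.txt", "IMPORTANT-7.TXT"]
    print("dropped copies:", find_dropped_copies(sample_listing))
```

Run it against a mail gateway log or a directory listing of the two folders named above; `scan_tree(r"C:\My Documents")` does the walk on a live machine. The four-digit suffix is deliberately rejected because the advisory says the random number is 1 to 3 digits; widen the regex if you see a variant.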
The best advice is to delete the email as soon as you see it.
In general, it is a good idea to turn off the "preview" option in Outlook -
go to the "View" menu, and turn off "AutoPreview". This will prevent
infection by a good many viruses while you are browsing your Inbox.
IRC version
-----------
The virus is able to spread over the IRC network. Exactly how it is
received is unclear. Once the infected machine connects to the
IRC network, it appears to pick up on various messages
containing user nick names, and sends messages similar to:
"Hi. Check out this file, ok."
In addition, when other people join the same channel that an affected
machine is also connected to, you may receive "DCC send requests"
from the affected machine. Do not download the file!
The virus also replaces the following user commands with aliases
designed to imitate the true action of the command on screen, but
which do not actually carry out the function:
quiet
unload
remote
events
If you have been infected by this virus, then get a good virus scanner
and use it to disinfect your machine.
--
Russell King [EMAIL PROTECTED]
http://www.arm.linux.org.uk/
THE developer of ARM Linux