-----Original Message----- From: Phil Glover Sent: 05 December 2000 09:46 To: Synergy Financial Systems Subject: Virus Alert this morning
Hi all, The virus alert this morning looks like there maybe some more side affects. I'm currently attempting to get hold of the latest versions of the anti-virus software which will fix the problems. I will update you further when I have more news. Phil ----------------------------------------- Summary Virus Name Risk Assessment W32/[EMAIL PROTECTED] High Virus Information Discovery Date: 11/30/2000 Origin: Unknown Length: 36,864 Type: Internet Worm SubType: MAPI Minimum Dat: 4109 Minimum Engine: 4.0.70 DAT Release Date: 12/01/2000 Description Added: 11/30/2000 Virus Characteristics Update(2) December 1, 2000: AVERT raised the risk assessment from Medium to High this afternoon for this Internet worm based on samples received. This Internet worm is detected by current DAT and ENGINE as "New BackDoor" when using heuristic scanning methods. Update(1) December 1, 2000: AVERT raised the risk assessment from Low to Medium this morning for this Internet worm based on samples received. This is an Internet worm coded in Visual Basic 6 and compiled as an executable named "CREATIVE.EXE". It carries the icon of a Shockwave Media Player application however it is not. This Internet worm may be received via email in this form: Subject = A great Shockwave flash movie Body = Check out this new flash movie that I downloaded just now ... It's Great Bye Attachment = creative.exe When run, this Internet worm will write a copy of itself to the local system in these folders: c:\creative.exe c:\[WINDOWS folder]\TEMP\creative.exe c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe It then will send a copy of itself via MAPI email to all users in the address book. As a final note, it sends a note to presumably the author: Author = [EMAIL PROTECTED] Subject = Job complete Body = Got yet another idiot Symptoms Creation of CREATIVE.EXE on the local file system after running the same file name attached to an email message. Distribution of this file via MAPI email after running the file CREATIVE.EXE. Method Of Infection After running the file CREATIVE.EXE, it will write a copy of itself to the local system in these folders: c:\creative.exe c:\[WINDOWS folder]\TEMP\creative.exe c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe This worm will then seek files of .JPG and .ZIP on the local machine. These files are moved to the root of C: and an additional extension is added to them of "change atleast now to LINUX". Example: "c:\Notebook.jpgchange at least now to LINUX" A helpful note about this action however, this Internet worm logs the changes to a file named "c:\messageforu.txt". Within this file is the following text: Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin Following the above paragraph is a listing of files from their original location. The files are not damaged or "infected", only that they were moved and the suffix added to the end. Removal Instructions Detection/Removal DAT Files SUPERDAT Installer with EXTRA.DAT only: 98909b.exe EXTRA.DAT for VirusScan, WebShield, GroupShield, NetShield products with minimum 4.0.70 Engine: 98909b-4.ZIP EXTRA.DRV for Dr. Solomon Toolkit 8.0: 98909b-8.zip Use specified engine and DAT files for detection and removal. Delete any file which contains this detection. Using the c:\messageforu.txt file as a reference, restore moved/renamed files to their original location/filename. AVERT Recommended Updates: * scriptlet.typelib/Eyedog vulnerability patch * Malformed E-mail MIME Header vulnerability patch * Outlook as an email attachment security update * Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link. Additionally, Network Administrators can configure this update using an available tool - visit this link for more information. It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled. Variants Name Type Sub Type Differences no known variants Aliases Name Creative.exe I-Worm.Creative Prolin-Shockwave TROJ_SHOCKWAVE W32.Prolin More Information Virus Information Virus Characteristics Symptoms Method Of Infection Removal Instructions Variants / Aliases Summary
