Guest guest
Posted May 15, 2001

> ... sent me a note today, with information on yet another new LEVEL 4 virus that appears to be very similar to the one everyone has been worrying about for the past week.
>
> This one is particularly deceptive as it arrives as an email with the subject line:
>
> FW: Symantec Anti-Virus Warning
>
> And it contains an attachment that claims to contain all the information about a new virus and how to get rid of it. The attachment is called:
>
> www.symantec.com.vbs
>
> IF YOU RECEIVE THE EMAIL WITH THAT SUBJECT LINE AND ATTACHMENT, DELETE IT IMMEDIATELY AND DO NOT OPEN THE ATTACHMENT.
>
> Further information about this new virus is below, taken from the www.symantec.com website, where I get all of my virus information. The virus is called VBS.Hard.A@mm, and has several other (and similar) names. Please read through the info below and pass on to any of your friends and associates who might be affected and/or interested. Full info is available at www.symantec.com
>
> INFO FROM SYMANTEC.COM WEBSITE
>
> VBS.Hard.A@mm
> Discovered on: May 12, 2001
> Last Updated on: May 14, 2001 at 10:15:31 AM PDT
>
> VBS.Hard.A@mm is a Visual Basic Script (VBS) worm that uses Microsoft Outlook Express. It arrives with an attachment named "www.symantec.com.vbs" and a subject line of "FW: Symantec Anti-Virus Warning". This email was not distributed by Symantec. If you receive this email, delete it immediately.
>
> Also Known As: VBS/Hard-A, VBS/Hard@mm
> Category: Worm
> Infection Length: 23,268
> Virus Definitions: May 12, 2001
>
> Threat Assessment:
> Wild: Low
> Damage: Low
> Distribution: High
>
> Wild:
> Number of infections: 0 - 49
> Number of sites: 0 - 2
> Geographical distribution: Low
> Threat containment: Easy
> Removal: Easy
>
> Distribution:
> Subject of email: FW: Symantec Anti-Virus Warning
> Name of attachment: www.symantec.com.vbs
> Size of attachment: 23,268
>
> Technical description:
>
> VBS.Hard.A@mm tries to disguise itself as a virus warning from Symantec. It arrives as:
>
> Subject: FW: Symantec Anti-Virus Warning.
> Attachment: www.symantec.com.vbs
> Message:
>
> FW: Symantec Anti-Virus Warning
>
> Hello,
>
> There is a new worm on the Net.
> This worm is very fast-spreading and very dangerous!
>
> Symantec has first noticed it on April 04, 2001.
>
> The attached file is a description of the worm and how it replicates itself.
>
> With regards,
> F.
> Symantec senior developer
>
> When www.symantec.com.vbs is executed, the VBS.Hard.A@mm worm does the following:
>
> 1. It copies itself as the C:\www.symantec.com.vbs file.
>
> 2. Then it tries to create a fake Symantec virus information page for a non-existent threat, VBS.AmericanHistoryX_IImm (DOT) This fake web page is created as C:\www.symantec.com.hta. In creating this fake web page, it uses the helper files:
>
> C:\Switch.bat
> C:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
>
> The latter will be created if the .hta file type is not registered as the hex-ID shown above. In this case, the worm runs the C:\Switch.bat to rename the second file to C:\www.symantec.com.hta.
>
> 3. Then, the worm creates the C:\www.symantec_send.vbs file, which contains the instruction to use Microsoft Outlook Express to send the file C:\www.symantec.com.vbs to everyone in your Microsoft Outlook Express address book. This script also creates a marking key in the Windows registry
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB\OE Done
>
> that is set to the value
>
> Hardhead_SatanikChild.
>
> 4. Next, VBS.Hard.A@mm creates the C:\Message.vbs file, which contains a message-displaying payload. The payload is triggered every November 24th. It displays the message:
>
> 5. The worm then sets or creates several registry keys:
>
> To the registry key
>
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> it adds the following three values:
>
> Outlook C:\www.symantec_send.vbs
>
> This launches the VBS file that sends out the email message.
>
> Symantec C:\infected with Virus.vbs
>
> Since there is no such file being dropped, this registry key modification does not affect the system.
>
> Message C:\message.vbs
>
> This launches the message-displaying script, which will only display the message on November 24th.
>
> In the registry key
>
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
>
> it changes the value data of
>
> Start Page
>
> to
>
> C:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
>
> This sets the start page of Internet Explorer to the fake virus information web page.
>
> Removal instructions:
>
> To remove this worm, delete files detected as VBS.Hard.A@mm, undo the changes that it made to the registry, and reset the Internet Explorer Start Page.
>
> To remove the worm files:
>
> 1. Run LiveUpdate to make sure that you have the most recent virus definitions.
> 2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
> 3. Delete any files detected as VBS.Hard.A@mm
>
> To edit the registry:
>
> CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call , select option 2, and then request document 927002.
>
> 1. Click Start, and click Run. The Run dialog box appears.
> 2. Type regedit and then click OK. The Registry Editor opens.
> 3. In the left pane, navigate to the following key:
>
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> 4. In the right pane, delete the following values:
>
> Outlook
> Symantec
> Message
>
> 5. Click Registry, and then click Exit.
>
> NOTE: It is not necessary to remove the marking key that was added by the worm.
>
> To reset the Start Page:
>
> 1. Start Microsoft Internet Explorer.
> 2. Connect to the Internet and go to the page that you want to set as your start page.
> 3. Click Tools and then click Internet Options.
> 4. On the General tab, click Use Current, and then click OK.
>
> Additional information:
>
> There are some additional precautions that you can take to prevent this type of threat:
>
> If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
> For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.
>
> Write-up by: Elnitiarta

=====
Rhonda Dominguez
http://www.geocities.com/iloverecess/RockbridgeRoadrunners.html
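The write-up quoted above gives a concrete indicator set for VBS.Hard.A@mm: three values under the HKCU Run key, a marking entry under HKLM\SOFTWARE\Microsoft\WAB, a hijacked Internet Explorer Start Page, and the lure's subject line and attachment name. The following is an added example, not code from the forum post or from Symantec, that turns those indicators into an offline check: it parses the text of a `.reg` export (as produced by `reg export` or regedit) and flags each indicator found, and it checks a raw RFC 822 message for the subject/attachment pair. The write-up does not say whether "OE Done" is a value under the WAB key or a subkey whose default value is set, so the example checks both forms; the `.reg` and e-mail samples are constructed for the example and contain no worm code.

```python
"""Offline indicator check for the VBS.Hard.A@mm write-up (added example).

Indicators are taken from the write-up; sample inputs are constructed.
"""
import re
from email import message_from_string

# Indicators as listed in the write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {
    "Outlook": r"C:\www.symantec_send.vbs",
    "Symantec": r"C:\infected with Virus.vbs",   # file never dropped, value still set
    "Message": r"C:\message.vbs",
}
WAB_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB"
MARKER_NAME = "OE Done"
MARKER_DATA = "Hardhead_SatanikChild"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
FAKE_START_PAGE = r"C:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"
LURE_SUBJECT = "FW: Symantec Anti-Virus Warning"
LURE_ATTACHMENT = "www.symantec.com.vbs"

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and quotes inside string data as \\ and \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Only REG_SZ ("...") data is unescaped; other types are kept as raw text.
    The default value of a key is stored under the empty name ''.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_indicators(reg_text):
    """Return a list of findings (strings) for the write-up's registry indicators."""
    # Registry key and value names are case-insensitive; normalise for lookup.
    norm = {k.lower(): {n.lower(): d for n, d in v.items()}
            for k, v in parse_reg_export(reg_text).items()}
    findings = []
    run = norm.get(RUN_KEY.lower(), {})
    for name, path in RUN_VALUES.items():
        data = run.get(name.lower())
        if data is not None and data.lower() == path.lower():
            findings.append(f"Run value '{name}' -> {data}")
    # Marker: value "OE Done" under WAB, or default value of subkey "WAB\OE Done".
    wab = norm.get(WAB_KEY.lower(), {})
    sub = norm.get((WAB_KEY + "\\" + MARKER_NAME).lower(), {})
    if MARKER_DATA in (wab.get(MARKER_NAME.lower()), sub.get("")):
        findings.append(f"Marker '{MARKER_NAME}' = {MARKER_DATA}")
    ie = norm.get(IE_MAIN_KEY.lower(), {})
    if (ie.get("start page") or "").lower() == FAKE_START_PAGE.lower():
        findings.append("IE Start Page points at fake .hta page")
    return findings


def is_lure_message(raw_message):
    """True if a raw message carries the lure subject and the spoofed .vbs attachment."""
    msg = message_from_string(raw_message)
    if (msg.get("Subject") or "").strip() != LURE_SUBJECT:
        return False
    return any(part.get_filename() == LURE_ATTACHMENT for part in msg.walk())


# Constructed sample .reg export reflecting the write-up's changes plus one benign value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outlook"="C:\\www.symantec_send.vbs"
"Symantec"="C:\\infected with Virus.vbs"
"Message"="C:\\message.vbs"
"SomeUpdater"="C:\\Program Files\\Example\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB]
"OE Done"="Hardhead_SatanikChild"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"
'''

# Constructed sample message with the lure's headers; attachment body omitted.
SAMPLE_EMAIL = """\
From: someone@example.invalid
To: you@example.invalid
Subject: FW: Symantec Anti-Virus Warning
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello,
There is a new worm on the Net.
--b1
Content-Type: application/octet-stream; name="www.symantec.com.vbs"
Content-Disposition: attachment; filename="www.symantec.com.vbs"

(attachment body omitted in this constructed sample)
--b1--
"""

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_REG):
        print("FOUND:", f)
    print("lure message:", is_lure_message(SAMPLE_EMAIL))
```

On a real host, export the two hives with `reg export HKCU hkcu.reg` and `reg export HKLM\SOFTWARE\Microsoft\WAB wab.reg`, read them with `open(path, encoding="utf-16")` (reg export writes UTF-16 with a BOM), and pass the text to `find_indicators`. The three Run value names it reports are exactly the ones the write-up's regedit steps say to delete; the marker and the Start Page are reported so they can be noted, since the write-up says the marker need not be removed and the Start Page is reset through Internet Options.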