RemedySpot.com

NEW VIRUS INFO

Guest guest


> ... sent me a note today, with information on yet another new LEVEL 4 virus that appears to be very similar to the one everyone has been worrying about for the past week.
>
> This one is particularly deceptive as it arrives as an email with the subject line:
>
> FW: Symantec Anti-Virus Warning
>
> And it contains an attachment that claims to contain all the information about a new virus and how to get rid of it. The attachment is called:
>
> www.symantec.com.vbs
>
> IF YOU RECEIVE THE EMAIL WITH THAT SUBJECT LINE AND ATTACHMENT, DELETE IT IMMEDIATELY AND DO NOT OPEN THE ATTACHMENT.
>
> Further information about this new virus is below, taken from the www.symantec.com website, where I get all of my virus information. The virus is called VBS.Hard.A@mm, and has several other (and similar) names. Please read through the info below and pass on to any of your friends and associates who might be affected and/or interested. Full info is available at www.symantec.com

> INFO FROM SYMANTEC.COM WEBSITE
>
> VBS.Hard.A@mm
> Discovered on: May 12, 2001
> Last Updated on: May 14, 2001 at 10:15:31 AM PDT
>
> VBS.Hard.A@mm is a Visual Basic Script (VBS) worm that uses Microsoft Outlook Express. It arrives with an attachment named "www.symantec.com.vbs" and a subject line of "FW: Symantec Anti-Virus Warning". This email was not distributed by Symantec. If you receive this email, delete it immediately.
>
> Also Known As: VBS/Hard-A, VBS/Hard@mm
> Category: Worm
> Infection Length: 23,268
> Virus Definitions: May 12, 2001
>
> Threat Assessment:
> Wild: Low
> Damage: Low
> Distribution: High
>
> Wild:
> Number of infections: 0 - 49
> Number of sites: 0 - 2
> Geographical distribution: Low
> Threat containment: Easy
> Removal: Easy
>
> Distribution:
> Subject of email: FW: Symantec Anti-Virus Warning
> Name of attachment: www.symantec.com.vbs
> Size of attachment: 23,268

> Technical description:
>
> VBS.Hard.A@mm tries to disguise itself as a virus warning from Symantec. It arrives as:
>
> Subject: FW: Symantec Anti-Virus Warning.
> Attachment: www.symantec.com.vbs
> Message:
>
> FW: Symantec Anti-Virus Warning
>
> Hello,
>
> There is a new worm on the Net. This worm is very fast-spreading and very dangerous!
>
> Symantec has first noticed it on April 04, 2001.
>
> The attached file is a description of the worm and how it replicates itself.
>
> With regards,
> F.
> Symantec senior developer
>
> When www.symantec.com.vbs is executed, the VBS.Hard.A@mm worm does the following:
>

> 1. It copies itself as the C:\www.symantec.com.vbs file.
>
> 2. Then it tries to create a fake Symantec virus information page for a non-existent threat, VBS.AmericanHistoryX_IImm (DOT) This fake web page is created as C:\www.symantec.com.hta. In creating this fake web page, it uses the helper files:
>
> C:\Switch.bat
> C:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
>
> The latter will be created if the .hta file type is not registered as the hex-ID shown above. In this case, the worm runs the C:\Switch.bat to rename the second file to C:\www.symantec.com.hta.
>
> 3. Then, the worm creates the C:\www.symantec_send.vbs file, which contains the instruction to use Microsoft Outlook Express to send the file C:\www.symantec.com.vbs to everyone in your Microsoft Outlook Express address book. This script also creates a marking key in the Windows registry
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB\OE Done
>
> that is set to the value
>
> Hardhead_SatanikChild.
>
> 4. Next, VBS.Hard.A@mm creates the C:\Message.vbs file, which contains a message-displaying payload. The payload is triggered every November 24th. It displays the message:
>
>

> 5. The worm then sets or creates several registry keys:
>
> To the registry key
>
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> it adds the following three values:
>
> Outlook C:\www.symantec_send.vbs
>
> This launches the VBS file that sends out the email message.
>
> Symantec C:\infected with Virus.vbs
>
> Since there is no such file being dropped, this registry key modification does not affect the system.
>
> Message C:\message.vbs
>
> This launches the message-displaying script, which will only display the message on November 24th.
>
> In the registry key
>
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
>
> it changes the value data of
>
> Start Page
>
> to
>
> C:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
>
> This sets the start page of Internet Explorer to the fake virus information web page.

> Removal instructions:
>
> To remove this worm, delete files detected as VBS.Hard.A@mm, undo the changes that it made to the registry, and reset the Internet Explorer Start Page.
>
> To remove the worm files:
>
> 1. Run LiveUpdate to make sure that you have the most recent virus definitions.
> 2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
> 3. Delete any files detected as VBS.Hard.A@mm.
>
> To edit the registry:
>
> CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call , select option 2, and then request document 927002.
>
> 1. Click Start, and click Run. The Run dialog box appears.
> 2. Type regedit and then click OK. The Registry Editor opens.
> 3. In the left pane, navigate to the following key:
>
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> 4. In the right pane, delete the following values:
>
> Outlook
> Symantec
> Message
>
> 5. Click Registry, and then click Exit.
>
> NOTE: It is not necessary to remove the marking key that was added by the worm.
>
> To reset the Start Page:
>
> 1. Start Microsoft Internet Explorer.
> 2. Connect to the Internet and go to the page that you want to set as your start page.
> 3. Click Tools and then click Internet Options.
> 4. On the General tab, click Use Current, and then click OK.
>
> Additional information:
>
> There are some additional precautions that you can take to prevent this type of threat:
>
> If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this. For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.
>
> Write-up by: Elnitiarta
>

=====

Rhonda Dominguez

http://www.geocities.com/iloverecess/RockbridgeRoadrunners.html

__________________________________________________
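As an added example (not part of the forwarded advisory and not Symantec's tooling), the following PowerShell script audits a Windows host for the VBS.Hard.A@mm artifacts the write-up lists (dropped files, the three Run values, the hijacked Internet Explorer Start Page and the marker key) and, with a -Remove switch of its own, performs the file and registry cleanup the removal instructions describe. The -Remove switch, the $findings report and resetting Start Page to about:blank (in place of the "Use Current" step) are this script's assumptions; every path and value name comes from the advisory.

```powershell
# Audit/cleanup for the VBS.Hard.A@mm artifacts described in the advisory.
# Run from an elevated PowerShell prompt; report only unless -Remove is given.
[CmdletBinding()]
param([switch]$Remove)

$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$marker   = 'HKLM:\SOFTWARE\Microsoft\WAB\OE Done'      # marking key set by the worm
$files    = @('C:\www.symantec.com.vbs', 'C:\www.symantec.com.hta', 'C:\Switch.bat',
              'C:\www.symantec_send.vbs', 'C:\Message.vbs',
              'C:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}')
$runValues = @('Outlook', 'Symantec', 'Message')       # values the worm adds under Run

$findings = @()

# 1. Dropped files on the root of C:
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# 2. Persistence: Run values pointing at the dropped scripts
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in $runValues) {
    if ($run -and $run.PSObject.Properties[$v]) {
        $findings += "run value: $v = $($run.$v)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $v }
    }
}

# 3. Hijacked IE start page (points at the fake .hta / CLSID-named file)
$start = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($start -like 'C:\www.symantec.com.*') {
    $findings += "IE start page: $start"
    # Assumption: about:blank instead of the user's own chosen page
    if ($Remove) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank' }
}

# 4. Infection marker: the advisory says it need not be removed, so report only
if (Test-Path -Path $marker) { $findings += "marker key present: $marker" }

if ($findings.Count -eq 0) { 'No VBS.Hard.A@mm artifacts found.' } else { $findings }
```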
