InoculateIT Personal Edition AntiVirus Newsletter from Computer Associates, Version 01.08 March 19, 2001

=============================================
E-News: InoculateIT Personal Edition AntiVirus
Newsletter from Computer Associates
Version 01.08 | March 19, 2001
via www: http://esupport.ca.com
=============================================

Table of Contents

- VBS/Postcard.Worm
- InoculateIT Personal Edition AntiVirus Update Number 1164 available

=============================================

VBS/Postcard.Worm
=============================================

VBS/Postcard is a new virus/worm. Computer Associates did not receive client reports of this virus, but is issuing a signature release due to client inquiries.

VBS/Postcard exists in three parts. The main script is an embedded script inside an HTML page. Its worm part, which exists as a WSF file, and its payload portion, a VBE file, are dropped onto the local system. The virus infects certain web files in the Windows, Windows\Temp, and Windows system directories. It will also spread through mapped network drives.

Certain configurations may not have Windows Scripting Host associated with WSF and VBE files, thereby limiting its propagation.

Depending on settings, Internet Explorer, upon startup, will prompt a user to run ActiveX objects. If rejected, the virus will issue a warning that ActiveX needs to be activated in order to see its postcard and reload its code until accepted or Internet Explorer is forcibly shut down.

If accepted, this HTML is displayed after the virus' code has executed:

    Happy new Millenium
    Happy new year (2001).
    Best wishes from:
    your dear ...

The virus will first modify the registry, allowing scripts marked as unsafe to be run from the local machine without being prompted, and sets the Internet Explorer home page to the infected HTML file:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201=0
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201=0
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page=C:\WINDOWS\TEMP\millenium.{3050F3D9-98B5-11CF-BB82-0AA00BDCE0B}

Next, the virus will drop itself (html) to:

    C:\WINDOWS\SYSTEM\postcard.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}

and copy this file to:

    C:\WINDOWS\2001.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
    C:\WINDOWS\SYSTEM\dragonball.GT(dan kokoro hikareteku).{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
    C:\WINDOWS\TEMP\millenium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}

The virus will also copy its code to:

    C:\WINDOWS\TEMP\post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}

Next, the virus will drop its worm portion into:

    C:\WINDOWS\SYSTEM\[db.GT].wsf

The worm will propagate through Microsoft's Outlook by sending one email per address book to every address contained within that address book, with the subject chosen at random using the current system time from the following:

    Happy new Millenium (read the postcard (attached file))
    Postcard for you is waiting (in attachment)
    Happy 2001 (for more action check attached file)
    Stroke of luck? in 2001? (happy 2001 -read attachment)
    Goodies
    You have got a postcard (attached file)
    Someone sent you a postcard (in attachment)

with attachment:

    " C:\WINDOWS\TEMP\post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B} "

The following registry modifications are then made:

    HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner\Lord YuP - [C]apsule [C]orp
    HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization\Dragon Ball GT

Next, the virus will set out to infect all HTML, SHTML, HTM, and ASP files in the Windows, temp, and system directories by appending its code to the end of the files.

The virus will enumerate all network drives and copy itself from:

    C:\WINDOWS\TEMP\millenium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}

to:

    networkdrive:\\docs.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}

The virus will drop a payload file onto the local system:

    C:\WINDOWS\SYSTEM\payl0ad.vbe

Finally, both the worm portion and the payload files are executed. The payload code is meant to disable the mouse and the keyboard. It will then open up WordPad and display:

    DB FaMiLy sTrIkEz oNe MoRe Time wiTh: DB.GT
    today we infected you but tommorow we will
    infect rest of the ANIME WORLD. YuP
    [C]apsule[C]orp

If it is Monday 4am or 4pm at 32, 37, 38 minutes, this payload will execute. If it is Thursday 2pm or 4am, the virus will loop indefinitely until the minute strikes 40, 42, 43, or 45.

IPE signature update 1164 provides detection for VBS/PostCard.
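The description above lists the registry changes and dropped files a responder would look for on a suspect host. The following is an added example, not part of the newsletter or any Computer Associates tool: it parses a Regedit-style .reg export and a list of file paths and reports the indicators the newsletter names (Zone 0 value 1201 set to 0, the Start Page change, the dropped files, and any CLSID-suffixed HTML file such as the docs.{...} copy placed on network drives). The sample snapshot at the end is constructed.

```python
# Indicators below are the ones the newsletter lists; only SAMPLE_* at the end is constructed.
HTML_CLSID = "{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"
DROPPED_FILES = {p.lower() for p in (
    r"C:\WINDOWS\SYSTEM\postcard.tif." + HTML_CLSID, r"C:\WINDOWS\2001." + HTML_CLSID,
    r"C:\WINDOWS\TEMP\millenium." + HTML_CLSID, r"C:\WINDOWS\TEMP\post-card.tif." + HTML_CLSID,
    r"C:\WINDOWS\SYSTEM\[db.GT].wsf", r"C:\WINDOWS\SYSTEM\payl0ad.vbe")}
ZONE0 = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

def parse_reg_export(text):
    """Parse a Regedit .reg export into {key: {name: value}}; dword -> int, strings unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                current[name] = raw[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return keys

def check_snapshot(reg_text, file_paths):
    """Return one finding string per VBS/Postcard indicator present in the snapshot."""
    findings, reg = [], parse_reg_export(reg_text)
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        if reg.get(hive + ZONE0, {}).get("1201") == 0:   # unsafe scripts run unprompted
            findings.append(f"{hive}{ZONE0}\\1201 = 0")
    if HTML_CLSID.lower() in reg.get(IE_MAIN, {}).get("Start Page", "").lower():
        findings.append("IE Start Page points at a CLSID-suffixed HTML file")
    for path in file_paths:
        low = path.lower()
        if low in DROPPED_FILES:
            findings.append(f"known dropped file: {path}")
        elif low.endswith("." + HTML_CLSID.lower()):  # covers docs.{...} on network drives
            findings.append(f"CLSID-suffixed HTML file: {path}")
    return findings

# Constructed sample snapshot of an infected host (not taken from the newsletter).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\WINDOWS\\TEMP\\millenium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"
"""
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\payl0ad.vbe", r"C:\WINDOWS\notepad.exe",
                r"\\FILESRV\share\docs.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"]
```

Calling check_snapshot(SAMPLE_REG, SAMPLE_FILES) returns four findings for the constructed snapshot; a real export from `reg export` and a directory listing can be fed in the same way.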

=============================================
VIRUS UPDATE - 1164
=============================================

The latest AntiVirus Update has been uploaded to the Computer Associates web site for you to download.

To download the new signature files for IPE without going through your Web browser, you can use the new " Auto Download " feature inside IPE (Tools, AutoDownload) or the AutoDownload application to check for updated signatures, download, and install them.

Alternatively, the update file can be obtained at the following URL:

http://antivirus.ca.com/cgi-bin/ipe/update.cgi

It is recommended that once you have downloaded and installed an update that you do a virus scan of all the files on your system and create a new reference disk for your system.

We recommend that you keep your anti-virus protection up-to-date at all times by ensuring you are running the most up-to-date anti-virus software (Current IPE version 5.2) and the latest update kit.

These update kits are cumulative: therefore the latest update kit includes everything from all previous update kits as well as the new virus information.

These update kits are NOT complete versions of IPE but an update which will allow version 5.2 to detect and clean the latest viruses.

=============================================

Additional information on viruses, worms, and Trojans can be found at Computer Associates Virus Information Center:

http://www.ca.com/virusinfo/

Carnegie Mellon Software Engineering Institute (CERT® Coordination Center):

http://www.cert.org/advisories/

=============================================

To subscribe to this or other newsletters, go to http://esupport.ca.com/index.html?ENews. You can unsubscribe from the same E-News page or by sending an email to mailto:listserv@... with 'signoff enews_ipe' in the message body.

This newsletter contains practical tech support information about relevant issues with our products.

=============================================

Feedback? Comments? Suggestions?

Send mailto:editor_ipe@.... All submissions become the property of the publisher and may or may not be reprinted.

NOTE: This address should be used only for feedback on this newsletter. Requests for technical support should be submitted through normal channels.
