Guest guest
Posted May 16, 2001

=============================================
E-News: InoculateIT Personal Edition AntiVirus
Newsletter from Computer Associates
Version 01.14 | May 16, 2001
via www: http://esupport.ca.com
=============================================

Table of Contents

- VBS/Hard.A.Worm Outlook Express e-mail worm
- InoculateIT Personal Edition AntiVirus Update Number 1210 available

==============================================
VBS/Hard.A.Worm Outlook Express e-mail worm
==============================================

VBS/Hard.A.Worm

Hard.A is a worm spreading via the e-mail system using Microsoft Outlook Express. It arrives in a message with the Subject line: "FW: Symantec Anti-Virus Warning"

The entire message body reads:

    FW: Symantec Anti-Virus Warning

    Hello,

    There is a new worm on the Net. This worm is very fast-spreading and very dangerous! Symantec has first noticed it on April 04, 2001. The attached file is a description of the worm and how it replicates itself.

    With regards,
    F. Symantec senior developer

When the attachment is executed, the worm copies itself to the file: "c:\www.symantec.com.vbs". It then creates and displays an html page which is supposed to look like an official worm warning from Symantec. This file is called:

    c:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}

Next, Hard.A creates and executes the batch file:

    c:\switch.bat

As the result, the file "c:\www.symantec.com.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}" is copied to the file: "c:\www.symantec.com.hta".

Then the worm creates yet another file: "c:\www.symantec_send.vbs"; this program is responsible for mailing the worm out via Microsoft Outlook Express.

The last new file created by the worm is "c:\message.vbs"; on November 24th, this program displays a message: "Don't look surprised! It is only a warning about your stupidity Take care!"

Finally, Hard.A modifies the registry making sure that the worm will be executed at the next reboot and that the starting page for Internet Explorer is the local html file created by the worm earlier (the fake Symantec warning).

=============================================
VIRUS UPDATE 1210
=============================================

The latest AntiVirus Update has been uploaded to the Computer Associates web site for you to download.

To download the new signature files for IPE without going through your Web browser, you can use the new "Auto Download" feature inside IPE (Tools, AutoDownload) or the AutoDownload application to check for updated signatures, download, and install them.

Alternatively, the update file can be obtained at the following URL:

http://antivirus.ca.com/cgi-bin/ipe/update.cgi

It is recommended that once you have downloaded and installed an update that you do a virus scan of all the files on your system and create a new reference disk for your system.

We recommend that you keep your anti-virus protection up-to-date at all times by ensuring you are running the most up-to-date anti-virus software (Current IPE version 5.2) and the latest update kit. These update kits are cumulative: therefore the latest update kit includes everything from all previous update kits as well as the new virus information. These update kits are NOT complete versions of IPE but an update which will allow version 5.2 to detect and clean the latest viruses.

=============================================

Additional information on viruses, worms, and Trojans can be found at

Computer Associates Virus Information Center:
http://www.ca.com/virusinfo/

Carnegie Mellon Software Engineering Institute (CERT® Coordination Center):
http://www.cert.org/advisories/

=============================================

To subscribe to this or other newsletters, go to http://esupport.ca.com/index.html?ENews.

You can unsubscribe from the same E-News page or by sending an email to mailto:listserv@... with 'signoff enews_ipe' in the message body.

This newsletter contains practical tech support information about relevant issues with our products.

=============================================

Feedback? Comments? Suggestions? Send mailto:editor_ipe@.... All submissions become the property of the publisher and may or may not be reprinted.

NOTE: This address should be used only for feedback on this newsletter. Requests for technical support should be submitted through normal channels.