VIRUS - NOT A JOKE
Guest
Posts: n/a
VIRUS - NOT A JOKE
This is serious and not a joke
I've just received another series of emails which are viruses on the lines of ILOVEYOU. They are prolifierating though our company and are headed as follows
Jokes
Life Stages Man / Woman
If you receive any of these - delete immediately. They are similar in nature to the ILOVEYOU virus
I've just received another series of emails which are viruses on the lines of ILOVEYOU. They are prolifierating though our company and are headed as follows
Jokes
Life Stages Man / Woman
If you receive any of these - delete immediately. They are similar in nature to the ILOVEYOU virus
Guest
Posts: n/a
From local IT-News http://www.itweb.co.za/sections/comp...0006191237.asp
------------------
Feline
(I Sit, I Watch, I Smile)
New worm crawls into SA
BY JASON NORWOOD-YOUNG, ITWEB TECHNOLOGY EDITOR
[Johannesburg, 19 June 2000] - Another Love Letter clone has started doing the rounds in SA, but the VBS.Stages worm has a little twist. The attachment looks very similar to a text file, lulling users into a false sense of security.
According to Symantec's anti-virus research centre (SARC), the virus appears as an attachment LIFE_STAGES.TXT.SHS. Running the attachment opens a text file describing the male and female stages of life in Notepad, while in the background the virus infects your machine. The virus spreads itself with Outlook, ICQ, mIRC and PIRCH.
The SHS file format is a Microsoft Scrap Object file, which are executable and can contain a variety of objects. The icon conveniently looks similar to that of a text file. The subject line is polymorphic, and is randomly generated from one of 12 strings. A
“Funny”, “Life stages”, or “Jokes” subject line all can be appended with “text”, while the “FW:” is also variable.
According to a report from SecureData, distributor of anti-virus software Trend Micro, four incidents of the virus had been reported by major US corporations on both the east and west coasts by late Friday afternoon. Over the weekend, additional customer sites in India, Australia and the US reported infections. For this reason, the risk assessment was increased from medium to high on Sunday. The virus has the potential to spread very rapidly via Outlook e-mail and
overwhelm e-mail servers.
If you have been infected, follow these steps to clean it off your machine (care of SARC):
Delete all .txt.shs files from your system. Also delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory. You will need to restore the registry using regedit. To do this, first open a command prompt and change to the \RECYCLED directory. Using the attrib command, modify the settings of the files
that the worm creates there. The command would be attrib -hsr recycled.vxd and so on for each of these files. Copy RECYCLED.VXD as \WINDOWS\REGEDIT.EXE and then delete the four files you modified.
Using regedit make the following modifications to the registry:
Delete the value HKLM/Software/Microsoft/Windows/RunServices/Scanreg.
Delete the values Enable, Parameters, Path and StartUp in the key HKEY_USERS/.Default/Software/Mirabilis/ICQ/Agent/Apps/ICQ.
Delete the value HHKLM/Software/Microsoft/Windows/CurrentVersion/OSName.
Modify the value for HKCR/regfile/DefaultIcon by replacing C
RECYCLED\RECYCLED.VXD with CWINDOWS\REGEDIT.EXE.
Modify the value for HKCR/regfile/shell/open/command by replacing CRECYCLED\RECYCLED.VXD with CWINDOWS\REGEDIT.EXE.
Modify the value for HKLM/Software/CLASSES/regfile/shell/open/command by replacing CRECYCLED\RECYCLED.VXD with CWINDOWS\REGEDIT.EXE.
Modify the value for HKLM/Software/CLASSES/regfile/DefaultIcon by replacing CRECYCLED\RECYCLED.VXD with CWINDOWS\REGEDIT.EXE. <
BY JASON NORWOOD-YOUNG, ITWEB TECHNOLOGY EDITOR
[Johannesburg, 19 June 2000] - Another Love Letter clone has started doing the rounds in SA, but the VBS.Stages worm has a little twist. The attachment looks very similar to a text file, lulling users into a false sense of security.
According to Symantec's anti-virus research centre (SARC), the virus appears as an attachment LIFE_STAGES.TXT.SHS. Running the attachment opens a text file describing the male and female stages of life in Notepad, while in the background the virus infects your machine. The virus spreads itself with Outlook, ICQ, mIRC and PIRCH.
The SHS file format is a Microsoft Scrap Object file, which are executable and can contain a variety of objects. The icon conveniently looks similar to that of a text file. The subject line is polymorphic, and is randomly generated from one of 12 strings. A
“Funny”, “Life stages”, or “Jokes” subject line all can be appended with “text”, while the “FW:” is also variable.
According to a report from SecureData, distributor of anti-virus software Trend Micro, four incidents of the virus had been reported by major US corporations on both the east and west coasts by late Friday afternoon. Over the weekend, additional customer sites in India, Australia and the US reported infections. For this reason, the risk assessment was increased from medium to high on Sunday. The virus has the potential to spread very rapidly via Outlook e-mail and
overwhelm e-mail servers.
If you have been infected, follow these steps to clean it off your machine (care of SARC):
Delete all .txt.shs files from your system. Also delete SCANREG.VBS, VBASET.OLB and MSINFO16.TLB from the \WINDOWS\SYSTEM directory. You will need to restore the registry using regedit. To do this, first open a command prompt and change to the \RECYCLED directory. Using the attrib command, modify the settings of the files
that the worm creates there. The command would be attrib -hsr recycled.vxd and so on for each of these files. Copy RECYCLED.VXD as \WINDOWS\REGEDIT.EXE and then delete the four files you modified.
Using regedit make the following modifications to the registry:
Delete the value HKLM/Software/Microsoft/Windows/RunServices/Scanreg.
Delete the values Enable, Parameters, Path and StartUp in the key HKEY_USERS/.Default/Software/Mirabilis/ICQ/Agent/Apps/ICQ.
Delete the value HHKLM/Software/Microsoft/Windows/CurrentVersion/OSName.
Modify the value for HKCR/regfile/DefaultIcon by replacing C
RECYCLED\RECYCLED.VXD with CWINDOWS\REGEDIT.EXE. Modify the value for HKCR/regfile/shell/open/command by replacing C
RECYCLED\RECYCLED.VXD with CWINDOWS\REGEDIT.EXE. Modify the value for HKLM/Software/CLASSES/regfile/shell/open/command by replacing C
RECYCLED\RECYCLED.VXD with CWINDOWS\REGEDIT.EXE. Modify the value for HKLM/Software/CLASSES/regfile/DefaultIcon by replacing C
RECYCLED\RECYCLED.VXD with CWINDOWS\REGEDIT.EXE. <
Feline
(I Sit, I Watch, I Smile)
Guest
Posts: n/a
(This is partially to push this thread back up to the top - BA didn't read before he posted!)
There are known weaknesses in MS Outlook & Express which allow viruses to propagate themselves to everyone in the address books. Use of Eudora (or Netscape Communicator?) prevents this happening, but it does not insulate you from the effects of the virus on your own system (I know, I use Eudora but the LoveBug still clobbered me but GOOD!)
------------------
Feline
(I Sit, I Watch, I Smile)
There are known weaknesses in MS Outlook & Express which allow viruses to propagate themselves to everyone in the address books. Use of Eudora (or Netscape Communicator?) prevents this happening, but it does not insulate you from the effects of the virus on your own system (I know, I use Eudora but the LoveBug still clobbered me but GOOD!)
------------------
Feline
(I Sit, I Watch, I Smile)
