FW: Virus Alert this morning

[Anthony Dodd <An...@synergy-fs.com>]

-----Original Message-----
From: Phil Glover 
Sent: 05 December 2000 09:46
To: Synergy Financial Systems
Subject: Virus Alert this morning


Hi all,

The virus alert this morning looks like there maybe some more side affects.

I'm currently attempting to get hold of the latest versions of the
anti-virus software which will fix the problems.

I will update you further when I have more news.

Phil


-----------------------------------------


Summary  
Virus Name  Risk Assessment  
W32/ProLin@MM  High  
 


Virus Information  
Discovery Date:  11/30/2000  
Origin:  Unknown  
Length:  36,864  
Type:  Internet Worm  
SubType:  MAPI  
Minimum Dat:  4109  
Minimum Engine:  4.0.70  
DAT Release Date:  12/01/2000  
Description Added:  11/30/2000  
 


Virus Characteristics  
Update(2) December 1, 2000:
AVERT raised the risk assessment from Medium to High this afternoon for this
Internet worm based on samples received. This Internet worm is detected by
current DAT and ENGINE as "New BackDoor" when using heuristic scanning
methods. 
Update(1) December 1, 2000:
AVERT raised the risk assessment from Low to Medium this morning for this
Internet worm based on samples received. 

This is an Internet worm coded in Visual Basic 6 and compiled as an
executable named "CREATIVE.EXE". It carries the icon of a Shockwave Media
Player application however it is not. 

This Internet worm may be received via email in this form: 

Subject = A great Shockwave flash movie
Body = 
Check out this new flash movie that I downloaded just now ... It's Great
Bye
Attachment = creative.exe 

When run, this Internet worm will write a copy of itself to the local system
in these folders: 

c:\creative.exe
c:\[WINDOWS folder]\TEMP\creative.exe
c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe 

It then will send a copy of itself via MAPI email to all users in the
address book. As a final note, it sends a note to presumably the author: 

Author = z14xym432@yahoo.com
Subject = Job complete
Body = Got yet another idiot 

 
 


Symptoms  
Creation of CREATIVE.EXE on the local file system after running the same
file name attached to an email message. Distribution of this file via MAPI
email after running the file CREATIVE.EXE. 
 
 


Method Of Infection  
After running the file CREATIVE.EXE, it will write a copy of itself to the
local system in these folders: 
c:\creative.exe
c:\[WINDOWS folder]\TEMP\creative.exe
c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe

This worm will then seek files of .JPG and .ZIP on the local machine. These
files are moved to the root of C: and an additional extension is added to
them of "change atleast now to LINUX". 

Example: "c:\Notebook.jpgchange at least now to LINUX" 

A helpful note about this action however, this Internet worm logs the
changes to a file named "c:\messageforu.txt". Within this file is the
following text: 

Hi, guess you have got the message. I have kept a list of files that I have
infected under this. If you are smart enough just reverse back the process.
i could have done far better damage, i could have even completely wiped your
harddisk. Remember this is a warning & get it sound and clear... - The
Penguin 

Following the above paragraph is a listing of files from their original
location. The files are not damaged or "infected", only that they were moved
and the suffix added to the end. 
 
 


Removal Instructions  
Detection/Removal DAT Files
SUPERDAT Installer with EXTRA.DAT only:
98909b.exe

EXTRA.DAT for VirusScan, WebShield, GroupShield, NetShield products with
minimum 4.0.70 Engine:
98909b-4.ZIP

EXTRA.DRV for Dr. Solomon Toolkit 8.0:
98909b-8.zip

Use specified engine and DAT files for detection and removal. Delete any
file which contains this detection.

Using the c:\messageforu.txt file as a reference, restore moved/renamed
files to their original location/filename. 


AVERT Recommended Updates:

* scriptlet.typelib/Eyedog vulnerability patch 

* Malformed E-mail MIME Header vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch
corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ,
visit this link. 
Additionally, Network Administrators can configure this update using an
available tool - visit this link for more information. 

It is very common for macro viruses to disable options within Office
applications for example in Word, the macro protection warning commonly is
disabled. After cleaning macro viruses, ensure that your previously set
options are again enabled.

 
 


Variants  
Name  Type  Sub Type  Differences  
no known variants 
 


Aliases  
Name  
Creative.exe  
I-Worm.Creative  
Prolin-Shockwave  
TROJ_SHOCKWAVE  
W32.Prolin  
 
 More Information  
Virus Information  
Virus Characteristics  
Symptoms  
Method Of Infection  
Removal Instructions  
Variants / Aliases  
Summary