You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@xalan.apache.org by Anthony Dodd <An...@synergy-fs.com> on 2000/12/05 10:53:36 UTC
FW: Virus Alert this morning
-----Original Message-----
From: Phil Glover
Sent: 05 December 2000 09:46
To: Synergy Financial Systems
Subject: Virus Alert this morning
Hi all,
The virus alert this morning looks like there maybe some more side affects.
I'm currently attempting to get hold of the latest versions of the
anti-virus software which will fix the problems.
I will update you further when I have more news.
Phil
-----------------------------------------
Summary
Virus Name Risk Assessment
W32/ProLin@MM High
Virus Information
Discovery Date: 11/30/2000
Origin: Unknown
Length: 36,864
Type: Internet Worm
SubType: MAPI
Minimum Dat: 4109
Minimum Engine: 4.0.70
DAT Release Date: 12/01/2000
Description Added: 11/30/2000
Virus Characteristics
Update(2) December 1, 2000:
AVERT raised the risk assessment from Medium to High this afternoon for this
Internet worm based on samples received. This Internet worm is detected by
current DAT and ENGINE as "New BackDoor" when using heuristic scanning
methods.
Update(1) December 1, 2000:
AVERT raised the risk assessment from Low to Medium this morning for this
Internet worm based on samples received.
This is an Internet worm coded in Visual Basic 6 and compiled as an
executable named "CREATIVE.EXE". It carries the icon of a Shockwave Media
Player application however it is not.
This Internet worm may be received via email in this form:
Subject = A great Shockwave flash movie
Body =
Check out this new flash movie that I downloaded just now ... It's Great
Bye
Attachment = creative.exe
When run, this Internet worm will write a copy of itself to the local system
in these folders:
c:\creative.exe
c:\[WINDOWS folder]\TEMP\creative.exe
c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe
It then will send a copy of itself via MAPI email to all users in the
address book. As a final note, it sends a note to presumably the author:
Author = z14xym432@yahoo.com
Subject = Job complete
Body = Got yet another idiot
Symptoms
Creation of CREATIVE.EXE on the local file system after running the same
file name attached to an email message. Distribution of this file via MAPI
email after running the file CREATIVE.EXE.
Method Of Infection
After running the file CREATIVE.EXE, it will write a copy of itself to the
local system in these folders:
c:\creative.exe
c:\[WINDOWS folder]\TEMP\creative.exe
c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe
This worm will then seek files of .JPG and .ZIP on the local machine. These
files are moved to the root of C: and an additional extension is added to
them of "change atleast now to LINUX".
Example: "c:\Notebook.jpgchange at least now to LINUX"
A helpful note about this action however, this Internet worm logs the
changes to a file named "c:\messageforu.txt". Within this file is the
following text:
Hi, guess you have got the message. I have kept a list of files that I have
infected under this. If you are smart enough just reverse back the process.
i could have done far better damage, i could have even completely wiped your
harddisk. Remember this is a warning & get it sound and clear... - The
Penguin
Following the above paragraph is a listing of files from their original
location. The files are not damaged or "infected", only that they were moved
and the suffix added to the end.
Removal Instructions
Detection/Removal DAT Files
SUPERDAT Installer with EXTRA.DAT only:
98909b.exe
EXTRA.DAT for VirusScan, WebShield, GroupShield, NetShield products with
minimum 4.0.70 Engine:
98909b-4.ZIP
EXTRA.DRV for Dr. Solomon Toolkit 8.0:
98909b-8.zip
Use specified engine and DAT files for detection and removal. Delete any
file which contains this detection.
Using the c:\messageforu.txt file as a reference, restore moved/renamed
files to their original location/filename.
AVERT Recommended Updates:
* scriptlet.typelib/Eyedog vulnerability patch
* Malformed E-mail MIME Header vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch
corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ,
visit this link.
Additionally, Network Administrators can configure this update using an
available tool - visit this link for more information.
It is very common for macro viruses to disable options within Office
applications for example in Word, the macro protection warning commonly is
disabled. After cleaning macro viruses, ensure that your previously set
options are again enabled.
Variants
Name Type Sub Type Differences
no known variants
Aliases
Name
Creative.exe
I-Worm.Creative
Prolin-Shockwave
TROJ_SHOCKWAVE
W32.Prolin
More Information
Virus Information
Virus Characteristics
Symptoms
Method Of Infection
Removal Instructions
Variants / Aliases
Summary