[tri-wings] ADMIN: New Nasty
- From: "Karen Schuler" <karens@xxxxxxxxxxxxxxxx>
- To: "Tri-med" <Tri-Med@xxxxxxxxxxxxx>,"Tri-Family" <Tri-Family@xxxxxxxxxxxxx>,"Tri-Wings" <tri-wings@xxxxxxxxxxxxx>,"Tri-Mosaic" <tri-mosaic@xxxxxxxxxxxxx>
- Date: Tue, 29 Jan 2002 06:12:29 +1100
OK, it's bug season again. I am being inundated with worms and viruses. I don't
think it's anyone on these lists at this stage, but just so you can be aware,
here is one of the latest nasties that I am getting e-mails about: "My
Party".
The usual stuff goes without saying. Don't open attachments, even URLs now
apparently, and make sure you have an up-to-date virus program.
Theoretically you can't actually get anything through the list because I don't
allow attachments, but some mails come with headers that make it "look" like
a list mail when it's not.
Anyway, here is one of the latest ones:
This mass-mailing worm drops a BackDoor trojan (BackDoor-AAF) on
WindowsNT/2K/XP systems. The worm itself carries no destructive payloads. It
arrives in an email message containing the following information:
Subject: new photos from my party!
Body: Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com (29,696 byte PE file)
The attachment name may trick some users into thinking that if they click on
the file, they will be taken to a Yahoo website. This attachment is an
executable file with a .COM extension, not a URL. Running the attachment
infects the local machine. The virus copies itself to
C:\Recycled\regctrl.exe and executes that file. The user's default SMTP
server is retrieved from the registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
The virus uses this SMTP server to send itself out to all addresses found in
the Windows Address Book and addresses found within .DBX files.
This virus only attempts to mass-mail itself on January 25, 26, 27, 28 or 29,
2002.
Indications Of Infection:
Presence of C:\RECYCLED\REGCTRL.EXE (visible from a DOS prompt, not from
within Windows)
Presence of C:\REGCTRL.EXE
Presence of %userprofile%\Start Menu\Programs\Startup\msstask.exe
Method Of Infection:
Executing an infected attachment causes the worm to email itself to
addresses found on the system.
On WinNT/2K/XP:
If the date is not between January 25-29, 2002, the worm copies itself to
C:\Recycled as F-[random number]-[random number]-[random number] with no
extension.
If the date is between January 25-29, 2002, the worm copies itself to
C:\regctrl.exe and drops the file MSSTASK.EXE in the STARTUP folder.
MSSTASK.EXE is a BackDoor trojan. After the initial file is run, it is
deleted. If the executable's filename is ACCESS, the user is directed to the
www.disney.com website.
http://vil.mcafee.com/dispVirus.asp?virus_k=99332&
Building ___ooOOoo__ Rainbows
www.trisomyonline.org
Families Helping Families On-line
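The write-up above gives a mail administrator two things to work with: the shape of the carrier message (subject line, a 29,696-byte PE attachment whose name reads like a Yahoo address but is really a .COM executable) and the on-disk artifacts the worm leaves, which differ depending on whether it runs inside the January 25-29, 2002 window. The script below, an added example that is not part of the original post or McAfee's write-up, turns both into checks: `scan_raw` flags a message by those indicators, and `expected_artifacts` lists which paths to look for on a host given the date it was exposed. The sample message it builds is constructed from the values in the post and carries filler bytes, not the worm; the example mailbox addresses are placeholders.

```python
"""Defensive checks for the MyParty indicators described in the post (added example)."""
import email
import re
from datetime import date
from email import policy
from email.message import EmailMessage

# Indicator values as given in the post.
SUBJECT = "new photos from my party!"
ATTACHMENT_NAME = "www.myparty.yahoo.com"
ATTACHMENT_SIZE = 29_696
MASSMAIL_WINDOW = (date(2002, 1, 25), date(2002, 1, 29))

# The lure: a filename that looks like a web address but ends in an executable
# extension. The worm used .com; the other extensions are common variants.
URL_LIKE_EXECUTABLE = re.compile(r"^(www\.)?[\w.-]+\.(com|exe|scr|pif|bat)$", re.IGNORECASE)


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Return the reasons a parsed message matches the worm's profile ([] if none)."""
    reasons = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        reasons.append("subject matches known worm subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if URL_LIKE_EXECUTABLE.match(name):
            reasons.append(f"attachment {name!r} is a URL-looking executable")
        if name.lower() == ATTACHMENT_NAME and len(payload) == ATTACHMENT_SIZE:
            reasons.append("attachment name and size match the worm")
        # Windows PE files begin with the 'MZ' DOS header whatever the extension says.
        if payload[:2] == b"MZ":
            reasons.append(f"attachment {name!r} is a PE executable")
    return reasons


def scan_raw(raw: bytes) -> list[str]:
    """Gateway-style entry point: parse an RFC 822 message from bytes and check it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return attachment_findings(msg)


def expected_artifacts(run_date: date) -> list[str]:
    """Host paths to inspect on WinNT/2K/XP, following the post's date-dependent behaviour.

    The F-... name is returned as a regex because its numbers are random.
    """
    lo, hi = MASSMAIL_WINDOW
    if lo <= run_date <= hi:
        return [
            r"C:\regctrl.exe",
            r"C:\Recycled\regctrl.exe",
            r"%userprofile%\Start Menu\Programs\Startup\msstask.exe",
        ]
    return [r"C:\Recycled\F-\d+-\d+-\d+"]


def constructed_sample(size: int = ATTACHMENT_SIZE) -> EmailMessage:
    """Mock of the carrier e-mail (constructed; payload is an MZ header plus padding)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # placeholder address
    msg["To"] = "list@example.invalid"        # placeholder address
    msg["Subject"] = SUBJECT
    msg.set_content("Hello!\nMy party... It was absolutely amazing!\n")
    fake_pe = b"MZ" + b"\0" * (size - 2)
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename=ATTACHMENT_NAME)
    return msg


def constructed_benign() -> EmailMessage:
    """A harmless control message with a text attachment (constructed)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # placeholder address
    msg["To"] = "list@example.invalid"        # placeholder address
    msg["Subject"] = "lunch on friday"
    msg.set_content("Pizza?\n")
    msg.add_attachment(b"menu\n", maintype="text", subtype="plain", filename="menu.txt")
    return msg


if __name__ == "__main__":
    for reason in scan_raw(constructed_sample().as_bytes()):
        print("MATCH:", reason)
    print("benign:", scan_raw(constructed_benign().as_bytes()))
    print("in-window artifacts:", expected_artifacts(date(2002, 1, 27)))
    print("out-of-window artifacts:", expected_artifacts(date(2002, 2, 1)))
```

The name-and-size rule is the narrowest match and will miss any repacked variant, which is why the script also reports the two broader signals (a URL-looking filename with an executable extension, and an MZ header regardless of what the extension claims); a list that already strips attachments, as this one does, would treat any of the three as grounds to quarantine.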