** NORTON ANTIVIRUS EMERGENCY NEWS BULLETIN - VIRUS ALERT! **
=============================================================
December 3, 1999
_____________________________

WARNING! New Y2K virus spreads through email!

W32.Mypics.Worm is a new, destructive Y2K worm virus. It comes into your system as an email attachment disguised as a picture. The worm propagates automatically on Windows 9x and Windows NT platforms and has a destructive payload that triggers in the year 2000. It also changes the Home page in Internet Explorer to a site containing adult content.

*** THIS VIRUS SHOULD BE CONSIDERED DANGEROUS! Do NOT open an email attachment named Pics4You.exe. ***

To ensure that your system is protected against this new virus, you must update your detection definitions.

*** Monitor the site http://www.symantec.com/techsupp/vURL.cgi/nav23 for notice when the virus definitions have been updated and for full details on this destructive virus. ***

W32/MYPICS.WORM Y2K VIRUS DESCRIPTION:

* A new, destructive Y2K virus has been discovered that disguises itself as a Y2K problem. W32/Mypics.worm is a computer worm that is received as an email attachment disguised as a picture.

* Once it infects the host computer, it attempts to send itself using Microsoft Outlook to up to 50 people in the user's Microsoft Outlook address book. It also changes the Home page in Internet Explorer to a site containing adult content.

* Additionally, on Jan. 1, 2000, the worm will overwrite the checksum data in the host computer's CMOS memory, so that when the system is rebooted the user will think that there may be a Y2K-related problem with the computer's BIOS. Once the computer is restarted, the virus will attempt to format the local hard drives and erase all data.

CHARACTERISTICS OF INFECTION:

* W32/Mypics.worm arrives in an e-mail with no subject line. The body of the message reads, "Here's some pictures for you!" The e-mail message contains a "Pics4You.exe" attachment that is approximately 34,304 bytes in size.

* Once the user opens the attachment, the worm loads itself into memory and executes by sending out copies of itself attached to e-mails addressed to up to 50 people in the user's address list.

* In addition, it modifies the system registry to load its dropped file "cbios.com" on system startup and also changes the user's home page in Internet Explorer to http://www.geocities.com/SiliconValley/Vista/8279/index.html, a site that contains some adult content.

* On Jan. 1, 2000, or on any day during the year 2000, the worm writes to the computer's CMOS memory to invalidate the system integrity or checksum data. The next time the system is rebooted, the user will be warned that the "CMOS checksum is invalid," making the user believe that it is a Y2K problem, not a computer worm. After validating the CMOS data, the computer will continue to boot, and if the file "cbios.com" is located in the root directory of the C drive, the virus will silently load itself and then completely reformat the D: and C: local hard drives.

VIRUS RATING: Medium/High Risk

RECOMMENDATIONS/PROTECTION:

* Do not attempt to open the attached document.

* Download the new definitions set. This will be available late December 3, 1999, through Symantec's LiveUpdate feature or from the Symantec Web site at www.symantec.com/avcenter/download.html. Update your anti-virus software to ensure protection against both variants.

========================================
Avenir Web's Computers Mailing List
List Modes, Subscription, and General Info: Go to http://avenir.dhs.org/mailing.html
List Archives: http://avenir.dhs.org/archives/
Administrative Contact: webmaster@xxxxxxxxxxxxxx
Get computer help: http://avenir.dhs.org
========================================
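
The message characteristics listed in the bulletin (no subject line, the quoted body text, a "Pics4You.exe" attachment of approximately 34,304 bytes) can be checked at a mail gateway. The following is an added example, not part of the bulletin or of any Symantec product; the function names and the 512-byte size tolerance are assumptions, and the sample messages are constructed with zero-filled attachments.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Indicators taken from the bulletin text.
ATTACHMENT_NAME = "pics4you.exe"         # compared case-insensitively
ATTACHMENT_SIZE = 34304                  # "approximately 34,304 bytes"
BODY_MARKER = "some pictures for you"    # avoids apostrophe encoding variants
SIZE_TOLERANCE = 512                     # assumption: slack for "approximately"

def mypics_indicators(raw: bytes) -> list[str]:
    """Return which of the bulletin's indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw)
    hits = []
    if not (msg.get("Subject") or "").strip():
        hits.append("no-subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
            if abs(len(payload) - ATTACHMENT_SIZE) <= SIZE_TOLERANCE:
                hits.append("attachment-size")
        elif part.get_content_type() == "text/plain":
            text = payload.decode(part.get_content_charset() or "latin-1", "replace")
            if BODY_MARKER in text.lower():
                hits.append("body-text")
    return hits

def should_quarantine(raw: bytes) -> bool:
    # The attachment name alone is decisive: the bulletin says never to open it.
    return "attachment-name" in mypics_indicators(raw)

def build_sample(subject: str, body: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment is zero bytes, not the worm."""
    m = EmailMessage()
    if subject:
        m["Subject"] = subject
    m["From"] = "a@example.test"
    m["To"] = "b@example.test"
    m.set_content(body)
    m.add_attachment(bytes(size), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

SUSPECT = build_sample("", "Here's some pictures for you!", "Pics4You.exe", 34304)
BENIGN = build_sample("Holiday photos", "See attached.", "beach.jpg", 2048)
```

The secondary indicators (subject, body text, size) are reported separately so that a renamed or resized copy still leaves a trail for review even when it does not trigger quarantine.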