[windows2000] VIRUS ALERT: Winvar Worm

  • From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Wed, 27 Nov 2002 08:51:23 -0500

Trend has elevated this one to Medium Risk. It is VERY destructive and
deletes every file on the user's drive. Watch out. Turn OFF the preview pane
in Outlook and Outlook Express and delete all suspicious messages that have
attachments. This could be a nasty one as it has its own SMTP engine.
Regards,
Jim Kenzig
http://thethin.net

WORM_WINEVAR.A
Virus type: Worm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WINEVAR.A
Destructive: Yes

Aliases: Win32/Winevar.A, I-Worm.Winevar, W32/Korvar, W32/Winevar@mm,
W32.HLLW.Winevar

Pattern file needed: 397

Scan engine needed: 5.200

Overall risk rating:  Medium

Reported Infections:  Medium

Damage Potential:  High

Distribution Potential:  High

Description:

This destructive Internet worm runs on all Windows platforms. This worm
propagates using its own SMTP or Simple Mail Transfer Protocol engine and
sends email to addresses it gathers from HTML files on the infected system.
It sends email with the following details:

Subject: N`4_<Registered Organization>
Message Body: <Registered Owner> - <Registered Organization>
Attachments:
  WIN<random numeric value>.GIF (120 bytes)
  WIN<random numeric value>.TXT (12.6 KB)
  MUSIC_2.CEO
  MUSIC_1.HTM

*<Registered Owner> is the registered owner of the machine and <Registered
Organization> is the organization of the owner.

This worm sends email using a known exploit that causes the attachment to
automatically execute when the message is viewed or previewed on Internet
Explorer-based email clients, such as Microsoft Outlook and Outlook Express.
This exploit is known as Automatic Execution of Embedded MIME type.

It is capable of terminating certain monitoring programs and antivirus
products from memory.

Upon restart, this worm deletes all files from local drives, except files
that are currently running on the system.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

For Users of Trend Micro Products

Download the Trend Micro System Cleaner Patch to effectively remove this
malware from your system using your Trend Micro product.
You must replace the file TSC.EXE in your product folder with the same file
contained in this download.
For OfficeScan 5.02 users, the default folder is C:\OfficeScanNT.
For PC-cillin 2002 users, the default folder is
C:\Program Files\Trend Micro\PC-cillin 2002.

For Non-users of Trend Micro Products

Download and run the Trend Micro System Cleaner Package. If you have an MD5
signature checker, you may check the MD5 hash value of this tool.
Trend Micro advises users to consult the readme file, readme_sysclean.txt,
which contains the description and features of this package.
NOTE: Non-users of Trend Micro products must download and use the latest
pattern file for the TSC package to be effective.

MANUAL REMOVAL INSTRUCTIONS

WARNING: If you suspect that your computer is infected with WORM_WINEVAR.A,
do not restart your system before completing the removal procedure.

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware
program.

Scan your system with Trend Micro antivirus and NOTE all files detected as
WORM_WINEVAR.A. To do this, Trend Micro customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
Trend Micro's free online virus scanner.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing
during startup. You will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then
   press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries whose data
   value (in the rightmost column) is the malware file(s) detected earlier.
4. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry or entries whose data
   value (in the rightmost column) is the malware file(s) detected earlier.
6. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
7. In the right panel, locate and delete the entry or entries whose data
   value (in the rightmost column) is the malware file(s) detected earlier.
8. Close Registry Editor.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as
WORM_WINEVAR.A. To do this, Trend Micro customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
Trend Micro's free online virus scanner.

Applying Patches

This malware exploits a known vulnerability in Internet Explorer 5.01 and
5.5. Download and install the security update from Microsoft. Refrain from
using this product until the appropriate patch has been installed.
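The message characteristics listed in the advisory above (subject prefix, attachment names) can be turned into a mail-gateway quarantine check. The following Python is an added example written for this post, not Trend Micro's or the list author's code; the sample message is constructed, and the rule of "subject marker plus at least one named attachment" is this example's own threshold, not one the advisory states.

```python
import re
from email import message_from_string

# Indicators taken from the advisory text: subject "N`4_<Registered Organization>"
# and attachments WIN<digits>.GIF, WIN<digits>.TXT, MUSIC_2.CEO, MUSIC_1.HTM.
SUBJECT_RE = re.compile(r"^N`4_")
ATTACHMENT_RE = re.compile(r"^(WIN\d+\.(GIF|TXT)|MUSIC_2\.CEO|MUSIC_1\.HTM)$", re.I)


def attachment_names(msg) -> list[str]:
    """Collect filenames from every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def winevar_indicators(raw: str) -> list[str]:
    """Return the indicators matched in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    hits += [f"attachment:{n}" for n in attachment_names(msg) if ATTACHMENT_RE.match(n)]
    return hits


def is_suspected_winevar(raw: str) -> bool:
    """Quarantine rule (this example's own): subject marker plus a named attachment."""
    hits = winevar_indicators(raw)
    return "subject" in hits and any(h.startswith("attachment:") for h in hits)


# Constructed sample message (not a real capture) shaped like the advisory's description.
SAMPLE_SUSPECT = """\
From: sender@example.invalid
Subject: N`4_Example Org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/gif; name="WIN4821.GIF"
Content-Disposition: attachment; filename="WIN4821.GIF"

GIF89a
--b1
Content-Type: application/octet-stream; name="MUSIC_2.CEO"
Content-Disposition: attachment; filename="MUSIC_2.CEO"

data
--b1--
"""
```

Pair this with the preview-pane advice above: the check keys on names the worm uses, so a gateway rule is a stopgap until the Internet Explorer patch is installed.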
