InoculateIT Virus Information Center

If you are looking for information on a specific virus and cannot find it here, try CA's Virus Encyclopedia, which has information on many known viruses and their characteristics.

Virus Alert Information On:

VBS-Love Letter.A Worm
VBS-Love Letter.B Worm (also known as Very Funny)
Bat/Firkin.Worm (also known as 911)
VBS/Irok.Trojan.Worm
W97M/Melissa.AO
Win32/PrettyPark.Trojan (aka W32/Pretty.worm.unp)
Win32/Funtime.Trojan
WM97/Myna.C
Win32/Haiku.Worm
Win32/Plage2000.Worm
Win32/NewApt.73728.Worm.D (aka NewApt.D)
Win32/H4.1852
Feliz.Trojan
W97M/Armagidon.A (aka W97M/Armagid.A)
Wscript.Kak.A (aka Kak.worm)
Zelu.Trojan
VBS/Lucky.2000
Kill_Inst98.Trojan
Win32/Crypto
W97M/Marker.BN
Win95/LoveSong.998
VBS.Tune.A

ExploreZip Trojan (aka Worm.ExploreZip)



VBS/LoveLetter.A worm

LoveLetter is a Visual Basic Script (VBS) based e-mail worm. It arrives as an attachment to an e-mail with the subject line

ILOVEYOU

The e-mail body reads:

kindly check the attached LOVELETTER coming from me.

And the e-mail has an attachment called

LOVE-LETTER-FOR-YOU.TXT.vbs

Depending on the system configuration the extension .VBS might be displayed or not displayed.

If you receive an e-mail that fits the above description do not open the attachment. Delete the e-mail right away.

The worm spreads itself by generating an e-mail as described above, attaching itself and sending that e-mail to all recipients in all Outlook address books. In big organizations the volume of e-mail generated has the potential to overload e-mail servers.

The worm spreads on Windows 98 and Windows 2000 by default, and on Windows NT 4.0 and Windows 95 if the Windows Scripting Host (WSH) engine is installed. The worm copies itself to multiple subdirectories using different names.

In the Windows directory the name is Win32DLL.vbs, in the Windows system directory the names are MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs.

The worm modifies the registry information to make itself run during next boot-up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs

Also, it sets the default page of Internet Explorer to download a copy of WIN_BUGFIX.exe, which appears to be a backdoor server. The Web location of the file has since been shut down.

The executable will be renamed and installed to run on start-up as well:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=C:\WINDOWS\SYSTEM\WinFAT32

It searches through all subdirectories and overwrites all files with the extensions JPG, VBS, JS, JSE, CSS, WSH, SCT, HTA, MP3 and MP2 with its own copy, appending the extension VBS. A file called Satisfaction.MP3 would become Satisfaction.MP3.VBS. The next time the affected file is clicked or activated the worm will start.

If the Internet Relay Chat (IRC) client is present in the system the worm will generate an HTML file to send itself over the IRC channels.

InoculateIT signature update 11.16 detects all components of the VBS/LoveLetter.A worm. To guarantee protection, ensure that VBS files are included in the list of files to be scanned. To clean an infected system, run the scanner with the action set to delete "infected" files (all detected files have to be deleted) and remove the registry keys mentioned above.

To remove the registry key automatically, click here. Then select "Open this file from its current location" and click OK.

This action will delete registry keys, kill the backdoor program's process if it is running, and delete files dropped by the worm.

It should only be used for automated deletion of the registry keys and, if necessary, killing the process. It should be used after a full system scan with infected files set to delete.
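Before the cleanup described above, a read-only sweep can list what the worm left behind: the dropped script names and the overwritten files that now carry a double extension such as Satisfaction.MP3.VBS. The Python script below is an added example, not CA's removal tool; it builds a constructed directory tree of placeholder files (no worm code) and reports which names match the advisory's indicators, deleting nothing.

```python
"""Read-only sweep for VBS/LoveLetter.A artifacts described in the advisory above."""
import os
import tempfile

# Extensions the worm overwrites with its own body before appending .VBS
OVERWRITTEN_EXTENSIONS = {
    "jpg", "vbs", "js", "jse", "css", "wsh", "sct", "hta", "mp3", "mp2",
}

# File names dropped by the worm (locations differ per system, so match on name)
DROPPED_NAMES = {
    "mskernel32.vbs",
    "win32dll.vbs",
    "love-letter-for-you.txt.vbs",
    "win_bugfix.exe",
}


def classify(name):
    """Classify one file name.

    Returns ("dropped", name) for a known worm file, ("overwritten", original)
    for a file the worm overwrote and renamed (Satisfaction.MP3 -> Satisfaction.MP3.VBS),
    or None when the name looks clean. A plain single-extension .vbs script is not flagged.
    """
    lower = name.lower()
    if lower in DROPPED_NAMES:
        return ("dropped", name)
    parts = lower.rsplit(".", 2)  # "satisfaction.mp3.vbs" -> [stem, inner, outer]
    if len(parts) == 3 and parts[2] == "vbs" and parts[1] in OVERWRITTEN_EXTENSIONS:
        # The original content was replaced by the worm body, so the inner
        # name only tells the user which file was lost; it cannot be restored.
        return ("overwritten", name[: -len(".vbs")])
    return None


def sweep(root):
    """Walk root and return {"dropped": [...], "overwritten": [...]} as sorted relative paths."""
    findings = {"dropped": [], "overwritten": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit is not None:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings[hit[0]].append(rel)
    for kind in findings:
        findings[kind].sort()
    return findings


def build_sample_tree():
    """Create a constructed directory layout with placeholder files (sample data, no worm code)."""
    root = tempfile.mkdtemp(prefix="loveletter_sweep_")
    layout = [
        "WINDOWS/Win32DLL.vbs",                       # dropped
        "WINDOWS/SYSTEM/MSKernel32.vbs",              # dropped
        "WINDOWS/SYSTEM/LOVE-LETTER-FOR-YOU.TXT.vbs", # dropped
        "Music/Satisfaction.MP3.VBS",                 # overwritten MP3
        "Pictures/holiday.jpg.vbs",                   # overwritten JPG
        "Web/style.css.vbs",                          # overwritten CSS
        "Web/login.hta",                              # untouched targeted extension
        "Scripts/backup.vbs",                         # legitimate script, must not be flagged
        "Docs/notes.txt",                             # not a targeted extension
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


def demo():
    """Build the sample tree, sweep it and return the findings."""
    return sweep(build_sample_tree())


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind)
        for p in paths:
            print("  ", p)
```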

VBS/LoveLetter.B (also known as Very Funny)

VBS/LoveLetter.B is a variant of the VBS/LoveLetter.A worm. The only two differences are the subject of the arriving e-mail and the name of the attachment. The subject used by VBS/LoveLetter.B is

fwd: Joke

instead of the original "ILOVEYOU" subject line. The name of the attachment is

Very Funny.vbs

instead of LOVE-LETTER-FOR-YOU.TXT.vbs, and the HTML file sent through IRC is called

Very Funny.HTM

Bat/Firkin.Worm (also known as 911)

The NIPC (U.S. National Infrastructure Protection Center - formed by the FBI) issued an advisory on the weekend concerning a family of batch worms that can propagate through Windows networks, erase hard drives and dial the 911 emergency line, possibly overloading the emergency response system. The advisory can be found at

http://www.nipc.gov/nipc/advis00-038.htm

The Firkin family consists of several files and there are three family members known right now.

Variants of the worm contain code to wait for the 19th day of a month and then delete the following directories:

"c:\windows\*.*"

"c:\windows\system\*.*"

"c:\windows\command\*.*"

"c:\*.*"

and afterwards display the messages:

"You Have Been Infected By Chode"

"You may now turn this piece of shit off!"

The worm may change the Autoexec.bat file to call the emergency number 911 on each system start using an attached modem.

Additionally it contains code to ping various servers on a random basis in a loop until an error occurs (.c variant).

The spreading function first searches for a suitable target and tries to map the "c" drive of the attacked computer to the local drive name "j". In order to propagate, the worm has to find a writeable C share that is not protected by a password. Computer Associates recommends not sharing any drives or directories without assigning a password. During the spreading process the worm prints information about the currently attacked system, which is probably just a debugging remnant. These messages are kept hidden from the user.

If the attacked system does not have special files or directories (e.g. the .c version is looking for the file "c:\windows\win.com") the worm quits the replication process.

The worm checks for signs of infection by other worms or family members and acts accordingly.

If all spreading conditions are fulfilled, then the virus copies itself using the ordinary copy operation.

Additionally, some variants overwrite the "autoexec.bat" file with a random chance (e.g. 1/6, based on a random value, for the .c version) and insert code which, among other operations, formats the following hard drives:

C, D, E, F, G, H

InoculateIT signature 10.18 contains detection for the Firkin family worms. To cure an infected system all detected files must be deleted.

VBS/Irok.Trojan.Worm

Irok is a Microsoft Outlook e-mail spreading worm that also exhibits destructive viral behavior.

The worm arrives in an e-mail with an executable file called Irok.exe attached, but with no icon displayed.

When the attached file is run, it displays a flying star field simulation. In the background, it copies itself to the C:\Windows\System directory. The worm also creates an 862-byte file called Irokrun.vbs in C:\Windows\Start Menu\Startup and another file called WinRDE.DLL in C:\Windows\System.

The worm tries to delete signature or checksum files of various anti-virus products in an effort to stop detection and removal, and infects other executable files. The viral component of the worm is a 16-bit DOS virus, but it will infect all executable files regardless of their platform, corrupting them in many cases and making a cure impossible.

In order to execute, the worm requires Windows Scripting Host (WSH) to be installed. This means a Windows 98 machine is susceptible to the virus, but Windows 95 users would have to install WSH. The worm relies on the fact that the operating system has been installed to C:\Windows and therefore will not work under a default Windows 2000 or Windows NT installation.

If WSH is installed, the Irokrun.vbs script will be executed on the next system start. The script will try to send the previously described mail to the first 60 entries of each Outlook address book and delete itself after execution.

The worm also tries to send itself through Internet Relay Chat (IRC).

CA anti-virus researchers are still looking at the viral characteristics of Irok.exe that can strike independent of the presence of Windows Scripting host. According to user reports the worm will display an Armageddon message and corrupt the entire hard drive rendering it unusable.

InoculateIT signature update 10.08 includes detection for VBS/Irok.Trojan.Worm.

W97M/Melissa.AO

This e-mail spreading Microsoft Word 97/2000 macro virus / worm uses the same infection routine as Melissa.A but has a different payload.

When the infected document is opened, the virus disables four Word options - Tools\Macro command bar, Virus Protection, SaveNormalPrompt and ConfirmConversions. It will also set the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level = 1

and disable the menu item called Macros/Security.

Melissa.AO then checks the registry value:

HKEY_LOCAL_MACHINE\Security\ActiveWorm

and if it is not set to "Worm Empire", the virus assumes that the computer has not been infected and executes the infection payload.

The infection payload uses the Microsoft Outlook address book to send a copy of the infected email to the first 50 individuals or groups listed in the address book.

The email will have the subject line:

"Extremely URGENT: To All E-Mail User - " and Date.

The body will contain a copy of the infected document and the message:

"This announcement is for all E-MAIL user.
Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.".

If the recipient opens the document they can become infected with the worm, and it will attempt to spread to other users if they use Microsoft Outlook. The infected document contains only one macro: Document_Open in infected documents and Document_Close in infected Normal templates. If these macros already exist, the virus copies the code to a module named Worm_Empire and then overwrites Document_Open/Close with its own source code.

During infection the worm will create the registry value

HKEY_LOCAL_MACHINE\Security\ActiveWorm

and set it to "Worm Empire".

The virus payload triggers at 10 AM on the 10th day of any month. The file being worked on can be saved five times in the current directory, with file names made up of the current date, month, year and second followed by a number from 1 to 5, e.g. 103200011(1-5).doc. The virus then inserts the following message into each of the documents:

This virus has been seen in the field.

The variant analyzer of InoculateIT signature release 9.20 detects and cures W97M/Melissa.AO as W97M/MailWorm.Variant. Detection under the correct name will be provided with the next regular signature release.

Win32/PrettyPark.Trojan (aka W32/Pretty.worm.unp)

PrettyPark originally appeared in May/June 1999. The original version of PrettyPark was a compressed executable. In late February it reappeared in the field as a decompressed executable. Because the decompression changes the signature, most virus scanners require a signature update to detect the new decompressed version. InoculateIT signature update 9.20 detects both the old compressed and the new decompressed version under the name Win32/PrettyPark.Trojan. Their behavior is identical.

PrettyPark is a worm that propagates by sending copies of itself through the Internet by e-mail. The worm usually arrives in the mailbox as an attachment to a message with the following subject:

C:\CoolProgs\Pretty Park.exe

The attached program, PrettyPark.exe, uses an icon picturing one of the characters from the South Park movie. When a user runs the attached file, PrettyPark copies itself to the Windows System directory under the name FILES32.VXD. Next the worm modifies the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

changing it to FILES32.VXD "%1" %*. When PrettyPark is executed, a user may see a screensaver activated (from the files sspipes.scr or canalisation3d.scr). Every half an hour the worm will try to send itself (as an e-mail attachment) to Internet addresses listed in the user's Windows Address Book. Much more often, every half a minute, PrettyPark will try to connect to selected IRC channels. It appears that the use of the IRC channels is intended to inform the worm's author of another successful installation. Through the use of IRC, PrettyPark can potentially transfer a lot of sensitive data from an affected system to the outside world.

Manual removal of the worm from an infected system is relatively easy. After deleting the original PrettyPark.exe attachment, a user should change the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command back to "%1" %*, or delete HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command. Then the file FILES32.VXD must be deleted and the machine restarted.
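The two kinds of registry persistence described on this page, PrettyPark's change to the EXE open command here and VBS/LoveLetter.A's Run and RunServices values above, can both be checked against a registry export (regedit /e). The Python script below is an added example, not a CA tool; it parses a .reg text export (the two samples are constructed, not captured from real infections), reports any exefile open command that differs from the default "%1" %*, and lists Run entries that match the worm's value names or point at a .vbs file.

```python
"""Audit a Windows .reg export for the persistence changes described on this page."""
import re

# Default EXE open command; anything prepended to it runs before every program.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# regedit may export either spelling of the same key
EXEFILE_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command",
)

# Value names VBS/LoveLetter.A writes, taken from the advisory above
LOVELETTER_RUN_VALUES = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {"MSKernel32", "WinFAT32"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {"Win32DLL"},
}

# A value line: @=... for the default value, or "name"=...
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_lowercase: {value_name: data}}; '@' is the default value."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry key names are case-insensitive
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; hex:/dword: data is kept raw
            reg[current][name] = data
    return reg


def check_exefile_command(reg):
    """Return a finding when the EXE open command is not the default (PrettyPark sets FILES32.VXD)."""
    for key in EXEFILE_KEYS:
        data = reg.get(key.lower(), {}).get("@")
        if data is not None and data != EXPECTED_EXEFILE_COMMAND:
            return f"{key} = {data!r} (expected {EXPECTED_EXEFILE_COMMAND!r})"
    return None


def check_loveletter_run_values(reg):
    """Return Run/RunServices entries matching the worm's value names or pointing at a .vbs file."""
    findings = []
    for key, names in LOVELETTER_RUN_VALUES.items():
        for name, data in reg.get(key.lower(), {}).items():
            if name in names or data.lower().endswith(".vbs"):
                findings.append(f"{key}\\{name} = {data}")
    return findings


def audit(text):
    """Run both checks over a .reg export and return the findings."""
    reg = parse_reg(text)
    return {"exefile": check_exefile_command(reg), "run": check_loveletter_run_values(reg)}


# Constructed sample export showing both advisories' changes (not a real capture)
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
'''

# Constructed clean export for comparison
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''

if __name__ == "__main__":
    print(audit(INFECTED_EXPORT))
    print(audit(CLEAN_EXPORT))
```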

Win32/Funtime.Trojan

Distributed Denial-of-Service attacks generate traffic from multiple points on the Internet, targeting a specific system and flooding it with an inordinate number of requests, which quickly halt operations. This is achieved by either a group of hackers working together or a single hacker leveraging multiple computers.

Funtime is a very simple distributed denial of service (DDoS) attack tool for Windows 95, 98, 2000 and NT. After being planted on a victim computer it can be configured to start bombarding a specific port on a server at a given date and time.

In order to install the tool on a victim computer a hacker has to have physical access to the computer or use a backdoor tool to control the computer without the user's knowledge.

The tool can be activated in various ways. The common way is that an HTA (HTML application) file (called funtime95.hta or funtimeNT.hta) is dropped and registered in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\=%SystemRoot%\System32\funtimeNT.hta

This in turn runs a batch file (Timer98.bat or TimerNT.bat) that checks the time and calls the Funtime tool when the preset time is matched. Funtime will then start sending packets to the configured server and port.

Funtime does not cause immediate damage on the victim PC, but inflicts its damage on the server targeted by the attack. However it is bad security practice to tolerate any hacker tools.

InoculateIT signature update 9.13 detects the Funtime executable. To disinfect a system the identified executable has to be deleted.

Your eBusiness site might become the target of a distributed denial of service attack as well. To protect your eBusiness site from DDoS attacks, check Computer Associates eTrust Intrusion Detection (SessionWall) that uses the InoculateIT AntiVirus technology. For more information on eTrust Intrusion Detection (SessionWall), please visit:

http://www.sessionwall.com/

A free trial version of eTrust Intrusion Detection (SessionWall) is available at:

http://www.sessionwall.com/cgi-bin/downloadreg.pl

WM97/Myna.C

A simple Word 97 and later macro virus with no overtly malicious payload. Myna.C intercepts two of the three default document event handlers in both its normal template and user file forms. The macros for the Document_New and Document_Open events are functionally equivalent, although there are trivial code differences between them.

When run, the macros set some internal variables and disable Word's 'macro virus protection' option, which should be re-enabled following disinfection. Next, the virus checks the 'ThisDocument' component of each open document for a line of source code containing the string 'MYNAMEISVIRUS' - the virus' name is derived from the first few characters of this self-check string. Documents whose 'ThisDocument' component does not contain such a line are infected by copying the first 150 lines of code from the 'ThisDocument' object of the currently running project to the target via the VBA 'InsertLines' method. Once each open document has been checked, and infected if found clean, the same infection check is made of the 'ThisDocument' component of the normal template. If the string 'MYNAMEISVIRUS' is not found, the normal template is infected by copying the virus' source from the currently running macro via the 'InsertLines' method.

The 'InsertLines' infection procedure is liable to both hybridization with other viruses and corruption of such a hybrid. Further, the virus will only be able to infect Word documents with VBA components named 'ThisDocument', which is the default name for the document object class module of documents created under English language versions of Word. Most other language versions of Word have their own localized default names for that object, so few documents in those environments would be susceptible to infection. Note however, that this is not the same as other, perhaps better-known, language version dependencies. In this case, a user of a non-English version of Word who regularly exchanges documents with a user of an English version would infect any open documents that contained VBA components named 'ThisDocument'. In fact, even though their Word environment remained non-infected ('protected' by their normal template not having a 'ThisDocument' component), any documents with such a component that were open when an infected document was opened would also become infected on that machine.

Because the virus makes no attempt to save files it has infected, observant users infected with Myna.C will notice they are being prompted to save changes to files they have not modified. The cautious will also be warned by an alert, when closing Word, that the normal template has changed - this requires the user to have enabled the 'prompt to save normal template' option, which is disabled by default.

Under Word 98 on the Macintosh, Myna.C works as described.

Myna.C has been reported in the field.

Macro names: Document_New and Document_Open
WM97/Myna.C is detected as WM97Myna with InoculateIT signature 8.21. Proper variant detection will be provided with the next signature release.

Win32/Haiku.Worm

This is a new family of worms which has an interesting way of collecting E-mail addresses that it will forward itself to. The payload isn't nasty but it will generate extra network traffic.

The worm will arrive in an email from someone who knows your email address. The subject line will be

"Fw: Compose your own haikus!".

The e-mail will have the file Haiku.exe attached and the text of the e-mail will be:

:))

----- Original Message -----

"Old pond...
a frog leaps in
water's sound."

- Matsuo Basho.

DO YOU WANT TO COMPOSE YOUR OWN HAIKUS?

Haiku is a small poetry with oriental metric that appeared in the
XVI century and is being very popular, mainly in Japan and the USA.
It's done to trascend the limitation imposed by the usual language
and the linear/scientific thinking that treat the nature and the
human being as a machine.

It usually has 3 lines and 17 syllables distributed in 5, 7 and 5.
It must register or indicate a moment, sensation, impression or
drama of a specific fact of nature. It's almost like a photo of
some specific moment of nature.

More than inspiration, what you need in order to compose a real
haiku is meditation, effort and perception.

DO YOU WANT TO COMPOSE YOUR OWN HAIKUS?

Now you can! it is very easy to get started in this old poetry
art. Attached to this e-mail you will find a copy of a simple
haiku generator. It will help you in order to understand the
basics of the metric, rhyme and subjects which should be used
when composing a real haiku... just check it out! it's freeware
and you can use and spread it as long as you want!

If Haiku.exe is run, it copies itself to C:\WINDOWS\HAIKUG.EXE and edits the WIN.INI file so that the worm will be loaded when Windows is restarted. Haiku then displays a poem that is generated from an internal list of words; the program exits when the 'OK' button is selected. These are three examples of the random poem generator:

[Three example poems (images) and a Haiku .wav file (55 KB) were linked here.]

The next time the computer is restarted, the worm will be loaded automatically. This time, it will not display any messages and does not appear in the tasklist. The worm stays resident, checking for an active dial-up Internet connection. When it finds one, the worm will search through files with the extension .doc, .eml, .htm, .html, .rtf and .txt looking for email addresses. The worm then attempts to send a copy of itself to all of the e-mail addresses that have been found.

Win32/Plage2000.Worm

Plage2000.Worm is a new worm which could threaten computer email systems as well as eBusiness infrastructures. This worm has been reported to be "in the wild" by CA customers.

The worm arrives as a reply to an e-mail the user sent earlier. The original e-mail is quoted in full in the reply. The arriving e-mail has the following structure:

<your name> wrote:
====
-
-
-
- <your original e-mail quoted here>
-
-
-
===

P2000 Mail auto-reply:

    ' I'll try to reply as soon as possible.
    Take a look to the attachment and send me your opinion! '

        > Get your FREE P2000 Mail now! <

The 'P2000' domain name might be substituted by other domain names found in the inbox of the computer sending the message.

The worm is attached to the message under one of the following names:

pics.exe, images.exe, joke.exe, PsPGame.exe, news_doc.exe, hamster.exe, tamagotxi.exe, searchURL.exe, SETUP.EXE, Card.EXE, billgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe, fun.exe

On execution the worm presents itself as a self-extracting WinZip file. Pushing one of the buttons in the dialog box causes one of two messages to be displayed (the dialog and message screenshots are not reproduced here).

In the background the worm copies itself under the name INETD.EXE to the Windows directory and adds itself to the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = <WindowsDir>\INETD.EXE

It also tries to add a RUN entry into WIN.INI.

When first run, the worm shuts down after these actions and does not attempt to send itself through e-mail. Only when the system is rebooted and the worm is automatically executed from the Windows directory will it start without displaying any user interface elements and go resident.

The worm attempts every 5 minutes to establish a connection to a running Outlook or Exchange client. When new e-mails are received it will reply to the unread e-mails with an e-mail as described above. The original messages remain unread.

If the day of the week is Wednesday the worm will try to display a special message; no deliberately destructive payload has been observed so far.

Although the worm does not have a destructive payload, the e-mail propagation mechanism poses a threat to any Exchange e-mail infrastructure as it can overload and take down mail servers.

InoculateIT signature 7.94 provides detection for the Plage2000 worm. To clean the worm, all executable files reported as infected have to be deleted. If the worm is resident and cannot be deleted, remove the registry entry and the WIN.INI entry (if found), reboot and then delete the executable file.

Win32/NewApt.73728.Worm.D (aka NewApt.D)

The original version of the NewApt worm (NewApt.A) was first detected in December 1999. NewApt.D is a variant of the original worm. It uses e-mail and executable attachments to propagate from one computer to the next, using different file names for the attachment and a slightly modified payload compared to the original worm.

Users will receive one of the messages below; which one depends on the features of the user's e-mail package.

"hey, your lame client can't read HTML, haha. Click attachment to see some stunningly HOT stuff"

or

"http://stuart.messagemates.com/index.html Hypercool Happy New Year 2000 funny programs and animations... We attached our recent animation from this site in our mail ! Check it out !"

The link inside the message actually points to a web site other than messagemates.com. Note that messagemates.com actually exists, but is not related to this worm.

The message will have a file attached to it. Some of the possible names include:

Amateur.exe, Asians.exe, Babes.exe, Bizarre.exe, Cartoons.exe, Ebony.exe, Fatladies.exe, Fetish.exe, Group.exe, Hidcam.exe, Hidcams.exe, Male.exe, Mature.exe, Miscellan.exe, Mixedbag.exe, Pregnant.exe, Toys.exe, Weird.exe

Note that this list is not complete due to the offensive nature of some of the possible names.

If a user runs the attachment, an error message about the missing file "giface.dll" will be displayed. The worm then searches Netscape, Outlook and Outlook Express settings in order to locate the mail server. Then, it connects directly to the mail server and sends E-mail using the SMTP protocol.

On March 2 NewApt.D also tries to dial out using telephone numbers which are stored in the worm code and to connect to a list of Web servers.

When the worm is run, it creates a set of registry keys which records which actions have already been performed by the worm. If the worm is run at a later date, it checks the registry and will not attempt to perform any of the tasks that have already been successfully completed.

The registry key is: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows"

Sub keys include: cat, cd, itn, jk, lms, mda, mde.

Additionally, NewApt.D creates an entry named "Scandsks " under the key

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and makes it point to one of the executable names mentioned above.

NewApt.D deactivates itself (removes its registry key) on July 12th.

InoculateIT signature update 7.91 provides detection for NewApt.D. To cure an infected system, the worm executable has to be deleted.

Win32/H4.1852

Computer Associates International, Inc. (CA) today warned of a virus with a new distribution mechanism. The virus, named Win32/H4.1852, has been labeled low risk and has not been reported in the wild, but CA is cautioning its clients to continue to take preventive measures.

This is a new PE virus created in Spain. The virus is intended to infect a system through a Web page viewed with Microsoft Internet Explorer on a machine with Windows Scripting Host installed (Windows 98, Windows 2000, or Windows NT 4 with the Scripting Host extension installed) and Internet security settings set to low. If security settings are set to medium or higher, Internet Explorer will prompt the user before executing any code.

The virus dropper is created by a VBScript routine that can be embedded in an HTML page. It creates a debug script called C:\H4[H40.DLL, and the following batch files:

C:\Windows\Escritorio\Help.bat,
C:\SEXYNOW!.BAT,
C:\README.BAT

that run DEBUG.EXE in order to create the virus dropper from a script. The attempt to create and execute the dropper (H4[H40.EXE) is very likely to fail.

Additionally the VBS routine creates a shortcut named C:\WINDOWS\Favorites\FreeSex.Hypererotika.URL pointing to the virus writer's web page.

The script also infects HTML files in the following directories by appending itself:

C:\My Documents
C:\Windows\Desktop
C:\Windows\Web
C:\Mis Documentos
C:\Windows\Help
C:\Windows\Escritorio
C:\Win2000\Web
C:\Win2000\Help
C:\Program Files\Internet Explorer\Connection Wizard
C:\Program Files\Microsoft Office\Office\Headers
C:\Inetpub\wwwroot

The dropper itself is compressed and contains a direct action executable file infector. The PE virus itself is encrypted by a routine that uses floating point instructions.

The virus infects any *.EXE and *.SCR files in the Windows and System directories and deletes the following anti-virus data files:

Anti-vir.Dat
Chklist.Dat
Chklist.Tav
Chklist.MS
Chklist.Cps
Avp.crc
Ivb.Ntz
Smartchk.MS
Smartchk.Cpa
Avp.Set
Scan.Dat
Dec2.DLL
AP.vir
AP.sig
Tbscan.Sig

The VBScript that creates the virus payload can be embedded in any Web page, thus creating a different distribution mechanism. Currently, the virus is weak and ineffective due to bugs in the code, but these problems can be easily fixed in order to activate the distribution mechanism. While there are major problems with the distribution of the dropper, the virus itself is functional and spreading.

InoculateIT signature update 7.85 provides detection and cure for Win32/H4.1852.

Feliz.Trojan

Feliz.Trojan is a Portuguese Happy New Year trojan. When started it will immediately delete the following files:

system.dat
user.dat
c:\command.com
c:\windows\command\command.com
c:\windows\system.ini
c:\windows\win.ini
c:\windows\system.cb
c:\windows\win.com

After deleting these files it will display a bitmap of an ugly looking face entitled

"FELIZ ANO NOVO!!!"

which means "Happy New Year" in English.

When the user presses EXIT, the trojan will display a number of message boxes in Portuguese and exit. The computer may not be able to boot after that.

The Windows installation directory ("C:\windows") is hard coded in the trojan body and the trojan will not cause any harm if Windows is installed in another directory.

InoculateIT signature 7.73 provides detection for Feliz.Trojan.

W97M/Armagidon.A (Also known as W97M/Armagid.A)

Armagidon is a Word macro virus infecting documents and the normal template (Normal.dot).

Infected documents contain two macros, Document_Open and Document_New, stored in the class module ThisDocument.
An infected template contains an additional macro module containing another eleven macros: Auto_Exec, Auto_Exit, ToolsOptions, ToolsMacro, FileTemplates, ViewVBCode, Organizer, ToolsRecordMacroStart, ToolsRecordMacroToggle, FileSave and  FilePrint.

When an infected document is opened, the code from the Document_Open macro is executed and the virus infects the normal template. In order to create the macro module Aramgidon, the virus uses a temporary file called armagidon.bas.

Document_New contains a non-destructive payload: On May 8th (Red Cross day), the virus replaces the Windows mouse pointer with the Red Cross sign.

Another, more dangerous payload is triggered during execution of the FilePrint function (with 50% probability): the virus replaces all characters 0xF0 with 0xEB (these are hex values representing non-standard ASCII characters).

InoculateIT signature 7.68 already detects W97M/Armagidon.A as "W97M/WordIns.Variant". The new name will be reflected in the next signature release due to a new undetected virus.

Wscript.Kak.A (Also known as Kak.worm)

This is only the second time this type of virus has been seen in the wild. It used to be an anti-virus golden rule that you were safe to open e-mail, as you could only be infected by opening the attachment. BubbleBoy, and now Wscript.Kak, have changed this: they are able to infect some PCs without the user opening the e-mail attachment.

Wscript.Kak is the second family of viruses to exploit a weakness in Internet Explorer 5.0 when it is installed onto a machine that is running Windows98. Those PCs that have Internet Explorer security settings set to medium or low can be automatically infected when the E-mail message is read.

When the message is opened, Wscript.Kak will store a copy of its worm code in the Windows startup directory in a file called "Kak.HTA". The worm will also write part of the worm code to a file called "Kak.HTM" in the system directory and creates the following registry key to ensure that it will be automatically loaded every time the PC is restarted.

The registry key is: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\cAgOu"]

Once the worm is installed it will search to see if the user has set up different identities that can be used under Outlook Express 5.0. If they are found the worm will begin attaching a copy of itself to ALL the E-mails that are sent out by the user.

Payload: When the worm is activated, it checks the system date and will display the following message at 5 PM on the first of any month.

"Kagou-Anti-Kro$oft says not today !"
The worm then attempts to shut down Windows.
There are no deliberately destructive payloads in this virus.

Zelu.Trojan

This Trojan pretends to be a fix for the Y2K bug. It arrives as an executable with the name Y2K.EXE. When executed it will display a character mode screen entitled

"ChipTec Y2K - Freeware Version".

The center of the screen is a status display containing these items:

- Timer
- Device Drivers
- File System
- BIOS

At the bottom of the screen the following text is displayed:

Y2K Copyright (C) 1999 - 2002 ChipTec
All Rights Reserved

Instead of looking for potential Y2K problems, it actually walks through all drives listing the files and overwrites ALL files with the following message:

"This file is sick! It was contaminated by the radiation liberated... by the
explosion of the atomic bomb..."

Since the content of the affected files is overwritten they cannot be restored and are lost forever.

InoculateIT signature version 7.66 provides detection for Zelu.Trojan.

VBS/Lucky.2000

Lucky.2000 is a Visual Basic Script (VBS) overwriting virus. It will run on Windows 95, 98, 2000 and Windows NT 4 providing the Visual Basic Scripting Host is installed.

Lucky.2000 infects all files in the current directory regardless of their extension. When infecting, it overwrites entire contents of the file with the virus body, rendering the original file useless and unrecoverable.

The virus does not change the original file names; therefore, if an infected file is not a VBS file (i.e. does not have the extension .VBS), the infected file will not run until the extension is changed to .VBS.

Every time the virus is run, with probability 1/2 it will display the message

"This is ou end..."

and create a shortcut to a Web server in Russia in Internet Explorer's favorite list.

Once the shortcut is in place, the default Internet browser will be launched to open up the Web page pointed to by the shortcut.

InoculateIT signature version 7.66 provides detection for VBS/Lucky.2000.

Kill_Inst98.Trojan

Distributed through pirated copies of Windows 98, this new Trojan is activated when the computer's date rolls past January 1, 2000.

The trojan uses the name of one of Windows 98's original installation files, Instalar.exe. When the trojan is run from Instalar.exe, it copies itself to c:\keyb.exe and runs WB32OFF.EXE (the original INSTALAR.EXE).

When the trojan is run from KEYB.EXE, it copies KEYB.COM from the \windows\command directory to sort.com. It calls

c:\windows\command\sort sp,,c:\windows\command\keyboard.sys >nul

which sets the keyboard layout to Spanish.

The trojan saves the current date (month and year) into the file

c:\windows\system32\wb32off.txt.

If the month is January and the year is 2000, the trojan attempts to execute smartdrv and then run

c:\windows\command\deLTrEe /Y C:\*.* > NUL

to delete everything from drive C.

InoculateIT signature version 7.64 provides detection for Kill_Inst98.Trojan.

Win32/Crypto

The Win32/Crypto virus infects Windows 95, 98, 2000 and Windows NT. Infection will fail on some versions of Windows 95, and in these cases the infected files cause exception errors.

When an infected EXE is run, it creates an infected copy of KERNEL32.DLL in the Windows directory and modifies the WININIT.INI file so that it will replace the KERNEL32.DLL in system directory after the next boot of the computer:

[Rename]
NUL=C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\KERNEL32.DLL

The virus is not encrypted in KERNEL32 and is placed in the last section. The virus body size is 21280 bytes.

The kernel is infected by patching file system API functions but the virus often fails because of bugs in the virus code. The KERNEL32 patch provides directory stealth so file size does not appear to be increased.

Every boot of the computer causes the virus to infect 20 executable files and additionally adds the dropper to compressed archives (.ZIP, .ARJ, .RAR, .ACE, .CAB).

Crypto additionally deletes the following anti-virus databases:

AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS, AGUARD.DAT, AVGQT.DAT and LGUARD.VPS

The virus encrypts a DLL and decrypts it on the fly using Windows API (SR2/NT) functions when it is accessed so if the virus is removed the DLL remains encrypted and is inaccessible. Right now, disinfecting an infected system requires complete installation from scratch. Computer Associates continues to research the possibility of an automatic cure by InoculateIT.

The infected EXE is encrypted by a polymorphic engine with a large number of decryption layers (69 typically). The decryptor doesn't know the key and uses a brute force algorithm to decrypt the DLL. Using such an algorithm means decryption time is very long. The engine seems to be stable and produces viable replicants.

InoculateIT signature version 7.64 provides detection for Win32/Crypto.

W97M/Marker.BN

When an infected document or template is opened the virus will disable the anti-virus protection that is built into Word 97. Then the virus attempts to infect Word's global template NORMAL.DOT and, once there, checks every Word document on closing for the existence of its marker "exi".

If the marker was not found the document will be infected. This Marker variant keeps a log file of who it infects prepended to its code.

Anytime after June 1, 2000 when an infected document is closed, the payload of this variant is activated. It attempts to change the current directory to "C:\WINDOWS" and waste all drive space by saving the current document over and over again using a file name pattern like "AA1AA.DOC", "AA2AA.DOC" etc.

Macro name: ThisDocument

InoculateIT signature 7.62 detects and cures W97M/Marker.BN.

Win95/LoveSong.998 (aka LoveSong.998.Kr)

This is a prepending Windows PE (.EXE) file virus.

When an infected file is run, the virus loads itself into memory and will begin infecting all of the Windows PE (.EXE) files that are opened, closed, read, copied or executed from that point on.

During infection LoveSong will copy the first 998 bytes of the file and replace them with the virus code. LoveSong will then append those first 998 bytes to the end of the file and put the appropriate jumps in place to ensure that the file will continue to work normally. When an infected file is run, the virus will be loaded into memory and the normal program will then be run. This avoids suspicion of infection as the file continues to run normally.

Payload: From the first of March 2000 onwards, LoveSong will play a tune as it infects files on the first day of any month. The virus writer's intention appears to have been to begin activating on New Year's Day 2000, but due to bugs in the virus code this virus will not trigger until the first of March (and the first of every month after that). This virus appears to have been designed to cause confusion with the change-over period for Y2K. It is very common for virus writers to release viruses without testing their code; this is another example of a buggy virus failing to do what the virus writer originally intended it to do. This virus contains no deliberately destructive payloads.
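The layout described above (an N-byte virus stub at the head, the displaced original N bytes at the tail) can be recognised and undone without executing anything. The following is an added example, not code from the original page or from Computer Associates; the "host program" is a constructed byte string with only an MZ header and a PE signature, not a real executable, and the stub is constructed filler. The heuristic checks for a displaced MZ header in the last 998 bytes and verifies that the reassembled file has a consistent MZ/PE header before trusting the result.

```python
"""Detect and reverse the prepending layout described for Win95/LoveSong.998.
Added example with constructed data; nothing here is the virus's own code."""

PREPEND_SIZE = 998  # number of host bytes the write-up says are displaced


def is_valid_pe_head(data):
    """True if data starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def restore_prepended_host(infected, n=PREPEND_SIZE):
    """Drop the n-byte stub at the front and move the trailing n bytes back to the head."""
    if len(infected) < 2 * n:
        raise ValueError("file too short to hold an n-byte stub plus n displaced bytes")
    displaced, body = infected[-n:], infected[n:-n]
    return displaced + body


def looks_prepended(data, n=PREPEND_SIZE):
    """Heuristic: an MZ header sits exactly n bytes from the end, and putting it back
    in front yields a file with a consistent MZ/PE header."""
    if len(data) < 2 * n or data[-n:-n + 2] != b"MZ":
        return False
    return is_valid_pe_head(restore_prepended_host(data, n))


def make_synthetic_infected(host, stub, n=PREPEND_SIZE):
    """Test fixture only: arrange bytes the way the write-up describes (constructed)."""
    if len(stub) != n or len(host) < n:
        raise ValueError("stub must be exactly n bytes and host at least n bytes")
    return stub + host[n:] + host[:n]


def _build_sample_host(size=4000, pe_offset=0x80):
    """Constructed stand-in for a PE file: MZ header, e_lfanew, PE signature, filler body."""
    head = bytearray(pe_offset)
    head[0:2] = b"MZ"
    head[0x3C:0x40] = pe_offset.to_bytes(4, "little")
    body = bytes(range(256)) * (size // 256 + 1)
    return (bytes(head) + b"PE\0\0" + body)[:size]


SAMPLE_HOST = _build_sample_host()                       # constructed clean "program"
SAMPLE_STUB = b"MZ" + b"\x90" * (PREPEND_SIZE - 2)       # constructed 998-byte filler stub
SAMPLE_INFECTED = make_synthetic_infected(SAMPLE_HOST, SAMPLE_STUB)


if __name__ == "__main__":
    print("clean host flagged:    ", looks_prepended(SAMPLE_HOST))
    print("infected host flagged: ", looks_prepended(SAMPLE_INFECTED))
    print("restore matches original:", restore_prepended_host(SAMPLE_INFECTED) == SAMPLE_HOST)
```

The check is deliberately two-sided: a stray "MZ" near the end of a clean file is not enough on its own, and the restored header must resolve to a PE signature, which a file whose tail merely happened to contain those two bytes will not do.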

InoculateIT signature 7.62 detects and cures Win95/LoveSong.998.

VBS.Tune.A (aka TUNE.VBS) worm

This worm can infect Win98, Win2000 and NT4 if the VBS extension has been loaded (Windows Scripting Host is installed).

The worm arrives as an email file attachment "TUNE.VBS". The message has a subject "Please Read" and the text body indicates

"Hey, you really need to check this attached file I sent you...please check it out as soon as possible."

to entice the user into executing it. When executed it will copy the VBScript file to the "%Windows%" and "%Windows%\System" folders and register both copies for execution using the Windows registry keys:

HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run\Taskmonitor

Afterwards it will examine all drive mappings and, where a drive is a hard disk or a network share, attempt to place a copy of itself in the root directory. However, it will not try to have that copy executed later.

If Outlook 98 or Outlook 2000 is installed the worm then generates a new e-mail message (as described above), adds all names from an MS Outlook address book to the TO field and sends it. The worm cannot successfully propagate if you are using any other e-mail client software. The e-mail is sent only once, because the worm records a flag in the registry.

The worm attempts to modify two popular IRC clients (mIRC, PIRCH) so that it is able to spread when a person starts an IRC session. It also edits the confirmation settings of the client to hide the sending event.

InoculateIT signature 7.62 detects the VBS.Tune.A worm.

Virus Alert: ExploreZip Trojan (aka Worm.ExploreZip)
Worm.ExploreZip.Neolite (aka ExploreZip.worm.pak, aka MiniZip)

Inoculan / InoculateIT customers: Signature 4.22 or later detects WIN95.ZippedFiles (Worm.ExploreZip) Virus

Signature 6.15 or later detects Worm.ExploreZip.Neolite Virus

InoculateIT Personal Edition customers: Signature 163 or later detects WIN95.ZippedFiles (Worm.ExploreZip) Virus.

Signature 192 or later detects Worm.ExploreZip.Neolite Virus

Removal instructions are given below.

INEXCHSV.EXE Update for Exchange AV Agent and Lotus Notes AV Agent for Windows NT
Updates the AV Agent to detect the Win95.ZippedFiles trojan (aka Worm.ExploreZip)

Name
ExploreZip Trojan (aka Worm.ExploreZip)

Symptoms
The worm spreads as an attachment to an e-mail with the following message body:

Hi <Name of Recipient>!,
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye

Users receive this as a response to an e-mail they previously sent to a known account. The user's name is usually in the first line and the subject line is random, but normally the same subject as a previously sent e-mail.

Win95.ZippedFiles Virus Icon Example

The e-mail contains an attachment called "zipped_files.exe" which is 210,432 bytes in size. The attachment displayed uses a WinZip icon shown above, disguising itself as a self-extracting file.

Description
Running (double-clicking) the attached "zipped_files.exe" file creates a file called "Explore.exe" in the Windows system directory (System under Windows 95/98, System32 under Windows NT) and "_setup.exe" in the Windows directory, all unknown to the user, and a message box is then displayed claiming the self-extracting ZIP file is corrupt. The exact text of the message is "Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help."

Under Windows 9x the following line is added to the Win.ini file:

run=C:\WINDOWS\SYSTEM\Explore.exe

Under Windows NT the string value

"run"="C:\\WINNT\\System32\\Explore.exe"

is added to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

Note that the actual path depends on your Windows installation. This causes the worm to be executed the next time Windows is started. It will connect through MAPI to an Exchange/Outlook mail client, if installed, and replicate itself by sending e-mails from the user's machine to every address associated with e-mails in the Inbox, and by copying itself into the Windows/System directories of other machines to which the current PC has mapped a drive. This behavior can make the worm very persistent, because back-and-forth (ping-pong) re-infections can occur.
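The persistence mechanisms quoted in this page are all plain-text configuration: the WIN.INI run= line (ExploreZip on Windows 9x), the "run" value under the NT Windows key, the Run keys used by Kak (value cAgOu) and Tune (values ScanRegistry and Taskmonitor), and the WININIT.INI [Rename] section Win32/Crypto uses to swap KERNEL32.DLL at the next boot. The scanner below is an added example, not code from the page or from Computer Associates: it parses INI text and a REGEDIT4-style export offline and flags entries that launch a script or HTML application, a file name the advisories name, or that replace a file in the system directory. The sample INI and registry texts are constructed for the example; in particular, the data of the cAgOu value is a placeholder path, since the page only names the key.

```python
"""Flag autostart entries of the kinds described in the Kak, Tune, ExploreZip and
Win32/Crypto write-ups. Added example; all sample inputs below are constructed."""
import re

# File names the advisories above associate with the worms (matched case-insensitively).
KNOWN_BAD_NAMES = {"explore.exe", "kak.hta", "kak.htm", "tune.vbs"}
# Script / HTML-application extensions that an autostart entry should rarely launch.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".wsh")
PROGRAM_EXT_RE = re.compile(r"\.(exe|com|bat|pif|scr|vbs|vbe|js|jse|hta|wsh)$", re.I)
# Run-family keys plus the NT "Windows" key whose "run"/"load" values ExploreZip uses.
AUTOSTART_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|Windows)$", re.I)


def _parse_ini(text):
    """Return {section_lower: [(key, value), ...]}, keeping duplicates and value case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def _target_name(command):
    """Base name of the program a command line launches (quotes/arguments stripped)."""
    command = command.strip()
    if command.startswith('"'):                 # "quoted path" arguments
        path = command[1:].split('"', 1)[0]
    elif PROGRAM_EXT_RE.search(command):        # unquoted path, maybe with spaces, no args
        path = command
    else:
        path = command.split()[0] if command else ""
    return re.split(r"[\\/]", path)[-1].lower()


def is_suspect_target(command):
    name = _target_name(command)
    return name in KNOWN_BAD_NAMES or name.endswith(SCRIPT_EXTS)


def scan_win_ini(text):
    """Win 9x: run=/load= under [windows] start programs at logon (ExploreZip uses run=)."""
    hits = []
    for key, value in _parse_ini(text).get("windows", []):
        if key.lower() in ("run", "load"):
            for item in value.split(","):       # both directives accept a comma-separated list
                if item.strip() and is_suspect_target(item):
                    hits.append(("WIN.INI [windows] %s=" % key, item.strip()))
    return hits


def scan_wininit_ini(text):
    """[Rename] entries are applied before the shell loads at the next boot; any that
    overwrite a system-directory file (Crypto replaces KERNEL32.DLL) deserve review."""
    hits = []
    for dest, src in _parse_ini(text).get("rename", []):
        if re.search(r"\\system(32)?\\", dest, re.I):
            hits.append(("WININIT.INI [Rename]", "%s=%s" % (dest, src)))
    return hits


def scan_reg_export(text):
    """REGEDIT4 export: flag string values under autostart keys that launch a suspect target."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not (key and m and AUTOSTART_KEY_RE.search(key)):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        # Under ...\CurrentVersion\Windows only "run" and "load" are autostart values.
        if key.lower().endswith("\\windows") and name.lower() not in ("run", "load"):
            continue
        if is_suspect_target(data):
            hits.append((key + "\\" + name, data))
    return hits


SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Explore.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_WININIT_INI = r"""[Rename]
NUL=C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\KERNEL32.DLL
"""
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cAgOu"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp\\kak.hta"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\TUNE.VBS"
"Taskmonitor"="C:\\WINDOWS\\SYSTEM\\TUNE.VBS"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINNT\\System32\\Explore.exe"
"Device"="HP LaserJet,winspool,LPT1:"
"""


def scan_samples():
    """Run all three scanners over the constructed samples; returns the flagged entries."""
    return (scan_win_ini(SAMPLE_WIN_INI) + scan_wininit_ini(SAMPLE_WININIT_INI)
            + scan_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    for where, what in scan_samples():
        print("%-75s %s" % (where, what))
```

Two design points: Tune's registry values are flagged by what they launch, not by their names, because ScanRegistry and Taskmonitor are the names of legitimate Windows 98 Run entries that the worm hijacks; and [Rename] hits are "review" findings rather than verdicts, since installers also use WININIT.INI to replace in-use files.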

Payload
The worm will also scan all available drive letters and corrupt all files with one or more of the following extensions: *.c, *.h, *.cpp, *.asm, *.doc, *.xls, *.ppt. File size will be reduced to 0KB and all data is then lost.

Computer Associates further observed that the worm will scan the Network Neighborhood (which can be a world-wide enterprise network) for shares it can connect to. Once it manages to connect to a share, it will not try to infect that computer but will delete all files of the types mentioned above. This action will not be detected by the real-time protection of InoculateIT on the victim computer, as that computer does not get infected. Computer Associates recommends extreme care in the management of shares, a careful review of existing shares, and running real-time protection on ALL computers in the network.

Virus Signature Updates

**Inoculan/InoculateIT Signature available for Inoculan Clients**

The latest Signature file version has been released for the Windows 95, DOS, and Windows 3.x Inoculan clients. Version 4.21 or later removes and provides protection from the Win95.ZippedFiles virus. Instructions for removal are detailed below.

Win95.ZippedFiles is a fast-replicating worm which uses e-mail as a transmission medium. It is highly destructive, since it deletes all of your Microsoft PowerPoint, Word and Excel files and your C, C++ and ASM source code files on all drives, including networked drives.

To download the updated InoculateIT signature file that will protect the user from the Win95.ZippedFiles (a.k.a. Worm.ExploreZip) virus click on the link below: http://support.cai.com/Download/virussig.html

Removal Instructions

Update to the latest virus signature file (v4.21f or later). This will help prevent users from becoming infected and minimize the chance of infecting other users via e-mail.

If InoculateIT was set to cure or rename infected files, Explore.exe will be renamed but remain in memory and only be disabled on the next system boot up. Follow the steps shown below and delete the file Explore.AVB.

If InoculateIT was set to delete infected files, it may not have been able to delete the infected file Explore.exe. To ensure that your machine is clean from this virus you should execute the following steps to manually delete the infected file (Explore.exe). Computer Associates developed an automatic removal tool that will try to remove the worm from memory and from the System directory and clean up the registry and the Win.ini file. If the automatic procedure fails, a manual removal can be performed. The manual removal procedure is different for Windows 9x and Windows NT:

Automated Removal Procedure

Download RemZiped.exe and run it from Windows Explorer or the command line. Since RemZiped.exe is a command line utility it is recommended to run it from the command line so the output will remain on the screen.

Download RemZiped.exe

Manual Removal Procedure

Win 9x:

  1. Close all applications including your e-mail program.
  2. Open the WIN.INI file in the Windows installation directory and delete the following line: run=C:\WINDOWS\SYSTEM\Explore.exe
  3. Save the WIN.INI file and reboot the computer.
  4. After rebooting, locate Explore.exe in your system directory (e.g. C:\Windows\System) and delete it.
  5. Reboot the computer and make certain InoculateIT is activated.

*Note that the actual path depends on your Windows installation.

Windows NT:

  1. Close all applications including your e-mail program.
  2. Start the Windows NT registry editor (Regedit.exe) and locate the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  3. Delete the entry: "run"="C:\\WINNT\\System32\\Explore.exe"
  4. Save the edit and close Regedit then reboot the computer.
  5. After rebooting locate Explore.exe in your System32 directory (e.g. C:\WinNT\System32) and delete it.
  6. Reboot the computer and make certain InoculateIT is activated.

*Note that the actual path depends on your Windows NT installation.

Computer Associates Virus Information Center
/virusinfo/

Carnegie Mellon Software Engineering Institute (CERT® Coordination Center)
http://www.cert.org/advisories/
