| Tuesday, February 07, 2012
Viruswarn Forums
Lee Drake (Posts: 238)
05/20/2002 1:27 PM
Within the last few days there have been numerous reports of the "Win 32 VOTE virus". This is an Internet worm that spreads using the Outlook address book. Unlike many of the recent worms, this one arrives as an executable file called WTC.EXE.
Here are the references from SARC and McAfee:
http://www.sarc.com/avcenter/venc/data/w32.vote.a@mm.html
http://www.mcafee.com/anti-virus/viruses/vote/default.asp?cid=2464
This virus is a fairly simple virus - it relies on the fact that you've probably been sent a fair number of emails lately with non-virus attachments showing sympathy for the WTC disaster in some way or another. If you click on the attachment it first uses Outlook to send itself to other addresses. It then SEVERELY damages your computer by:
1) Overwriting all .HTM and .HTML files on your computer and on attached computers with the message:
AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn >>> ZaCkEr is so sorry for you.
2) Setting the hidden attribute on all .HTM and .HTML files so they aren't visible unless you have "Show hidden files" turned on.
3) Deleting all your Windows files - forcing a complete reinstall!!!
4) It attempts to delete anti-virus software from specific directories and to download a trojan from a YAHOO users site.
5) Displaying a message box that reads:
"I promiss We WiLL Rule The World Again... By The Way, You Are Captured By ZaCker !!!"
(If you see this message - it's already too late - the above damage has been done).
6) A reboot of the computer attempts to FORMAT the hard drive.
In other words, this one carries a nasty payload that messes up your computer beyond the point where the average person can repair it. Updated Norton or McAfee signatures should catch and detain this virus.
Protecting Yourself
As always, the easiest way to protect yourself is to avoid opening strange looking or unexpected attachments, even if they arrive from someone that you know. Since most of the recent worms spread themselves using the sender's address book, they will almost always arrive from someone you know or someone else at your own company.
Virus Scanners, Your Second Line of Defense
Your second line of defense is your anti-virus software.
McAfee
Quoting from the report posted by Network Associates, Inc. at http://www.mcafee.com/anti-virus/viruses/vote/default.asp?cid=2464:
In plain English, this means that:
If you have a reasonably recent installation or engine and data file update the worm will be detected.
If you have email scanning activated the worm should be detected prior to downloading your email.
If you have the 4164 data files which were released Monday, the worm will be detected whether or not you have enabled heuristic scanning.
Since heuristic scanning is disabled by default, you will need to either enable it or update your data files. Updating your data files regularly (DAILY) is a generally good idea.
Norton
At http://www.sarc.com/avcenter/venc/data/w32.vote.a@mm.html, Symantec, the company that makes the Norton Anti-Virus, indicates that this worm is narrowly distributed - but highly dangerous.
All modern versions of Norton should be configured to scan your email on download - at which point this will be detected. They recommend simply choosing DELETE to remove the virus.
You should update to signatures dated AFTER TUESDAY September 24th, 2001 to detect this worm.
Mitigating Factors
You must click the attachment to have the worm activate.
The attachment is clearly an EXE file - it doesn't attempt to hide itself - but it DOES do a LOT of damage immediately if you click it.
The body of the message has a lot of RaNDoM cAps in it - which should alert you that something's wrong.
This concludes this VirusWarn notice.
Lee Drake, Moderator
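
A triage sweep for the damage described in items 1 and 2 of the post, added here as an example (it is not part of the original post or of any vendor tool): it walks a directory tree and lists .HTM/.HTML files whose content contains the overwrite message, noting whether the hidden attribute is set. The marker fragment is taken from the message as quoted in the post; the function names and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Fragment of the overwrite message as quoted in the post (assumed to appear
# verbatim in damaged files; whitespace is normalised before matching).
MARKER = "ZaCkEr is so sorry for you"
HTML_EXTS = (".htm", ".html")

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))

def scan(root):
    """Return sorted (path, hidden) pairs for HTML files containing the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(HTML_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the message is short; the head is enough
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            text = " ".join(head.decode("latin-1").split())
            if MARKER.lower() in text.lower():
                hits.append((path, is_hidden(path)))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and return the names of flagged files."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real captures
            "index.HTM": "AmeRiCa ...Few Days WiLL Show You What We Can Do !!! "
                         "It's Our Turn >>> ZaCkEr is so sorry for you.",
            "about.html": "<html><body>About us</body></html>",
            "notes.txt": "ZaCkEr is so sorry for you",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return [os.path.basename(p) for p, _hidden in scan(root)]

if __name__ == "__main__":
    print(demo())
```

Files it lists need to be restored from backup; clearing the hidden attribute alone does not bring back the original content.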