Tuesday, September 07, 2010
Subject: W97M.Resume

Lee Drake
05/20/2002 1:52 PM  
We have received multiple alerts concerning a new Internet worm called "W97M/Resume.a@mm" which is a variation of the Melissa worm that caused so much damage last year.

Who Is Affected?

You are at risk if you have one or both of the following installed on your computer:

Microsoft Word 97 or Microsoft Word 2000
Microsoft Outlook (any version)

If you do not have either of these programs, this worm cannot harm your computer or use it without your permission to spread. However, anyone who receives the worm should discard the message and its attachment that contains the worm to avoid accidentally sending it to another person whom it may harm.

This worm affects its targets in two ways:

1) If Microsoft Word 97 or Microsoft Word 2000 is installed, as soon as you open the infected document, the embedded worm looks for a copy of Microsoft Outlook. If it finds one, it uses the address books to send itself to everyone on your contact lists or to the first 50 people, depending on whether you believe Symantec or McAfee. Either way, the message goes out without your permission.

2) When you close the document, it will attempt to delete all files from the following directories:

C:\*.*
C:\My Documents\*.*
C:\WINDOWS\*.*
C:\WINDOWS\SYSTEM\*.*
C:\WINNT\*.*
C:\WINNT\SYSTEM32\*.*
A:\*.* B:\*.* D:\*.* E:\*.* F:\*.* G:\*.* H:\*.* I:\*.* J:\*.* K:\*.* L:\*.* M:\*.*
N:\*.* O:\*.* P:\*.* Q:\*.* R:\*.* S:\*.* T:\*.* U:\*.* V:\*.* W:\*.* X:\*.* Y:\*.* Z:\*.*

If it succeeds, it will have rendered your machine inoperable and you will have to re-install Microsoft Windows, restore all of your hard work that got saved into the My Documents folder, and anything in the root directory of any other drive that it was able to delete.

Unlike the last several widespread worms and viruses, this one does not need Active Scripting to do its damage. It needs Microsoft Word with VBA (Word 97 or 2000) to harm your machine, and any version of Outlook to spread further.
What to Do

In general, pay close attention to any message arriving that appears to be a resume and has an attachment. The subject of the message bearing the worm is:

Resume - Janet Simons

The worm is embedded in the attached Microsoft Word document, which is called Explorer.doc. If Janet Simons is really trying to send you a resume, she should pick a different file name and write a proper cover letter. The name Explorer.doc is not a normal name for a resume.

If you receive such a message, delete it immediately. If your mail program separates your attachments into a separate directory on your hard drive, as does Eudora, carefully discard the attachment and empty your Recycle Bin. To be on the safe side, you may want to empty the Trash folder in your E-Mail program after you delete the message.

The best way to carefully discard anything is as follows:

1) Use the mouse to click into the desired folder, taking care to select a harmless message or file.

2) Use the up and down arrow keys, located between the main keys and the numeric key pad, to move the highlight bar up or down as necessary to highlight the desired file or message.

3) Use the Delete key (the "." on the numeric key pad) to tell the computer to delete the file or message.

4) If your computer displays a prompt to confirm the deletion, you may use the mouse to click the button marked "Yes" or you may press the letter "Y" to confirm.

By avoiding the use of the mouse during the critical steps in the process, this technique reduces the risk of accidentally opening the dangerous message or attachment.

Note: In future weeks, there may be copycat worms that use different subjects, body text, and attachment names. Use care in opening any Microsoft Word document that claims to be a resume. This was always wise and is doubly so now!
The following paragraphs contain status notes and links to major anti-virus Web sites where you can obtain further information about this worm, patches, when and if available, and other important information.

McAfee VirusScan (Network Associates, Inc.) has a Virus Alert, an EXTRA.DAT file for VirusScan version 4.x and an EXTRA.DRV file for Dr. Solomon's Virus Toolkit version 8 at http://vil.nai.com/villib/dispVirus.asp?virus_k=98661.

Norton Anti-Virus (Symantec Corporation) refers to the worm by its alternate name of W97M.Melissa.BG and has a notice with removal instructions and details about what its payload does at http://www.symantec.com/avcenter/venc/data/w97m.melissa.bg.html. It's a little hard for me to tell from this advisory whether their current scanner can detect the worm, though the last paragraph states that it can clean up the damaged files. The information they have states that the worm sends itself to all addresses in all Outlook address books. This agrees with the information in the NIPC notice but differs slightly from that in the more recent notice from McAfee.

InocuLAN (Computer Associates) lists the worm in their virus encyclopedia and on their Recently Added list at http://www.cai.com/virusinfo/encyclopedia/. They have a bulletin about the new worm, which they identify as "Resume.A", but I was unable to determine whether their latest virus signature files for their InocuLAN products detect it. It is not on the list of "latest" under either name.

F-Prot (Frisk Software) at http://www.complex.is/cgi-bin/home_pager has nothing yet about this worm.

Background

All of the anti-virus company Web sites characterize this worm as a variation of the Melissa worm that caused such a storm late last year. They characterize the payload of this worm as being unusual. The thing that makes it so is that one thing happens when you open the document and another, much more harmful thing, happens when you close it.
To date, most of the common worms have done all of their evil deeds when the infected document was opened. Like Melissa, this worm does not infect the global template (NORMAL.DOT) of Microsoft Word, so there are no long-lasting effects from the worm. That's why it is classified as a worm rather than a virus. Like a worm digging in the dirt, it does its work and keeps moving.

The National Infrastructure Protection Center <http://www.nipc.gov/>, an agency of the U.S. Government which is closely connected with the FBI, issued a notice titled "National Infrastructure Protection Center Information System Alert (Alert 00-045); W97m/Resume.a@Mm Virus" at 03:00 GMT 27 May 2000. Their notice reports that several corporate mail systems have already been compromised by this worm. You can read the notice at http://www.nipc.gov/alert00-045.htm. Their notice and an article that appears on The Wall Street Journal Interactive Edition Web site (which requires a subscription) state that the FBI is investigating the worm and that several corporate electronic mail systems have already been compromised. The notice on the Symantec Web site also says that some corporate mail systems have been forced to shut down and clean up. The NIPC and Wall Street Journal articles suggest that there may be more problems on Monday and Tuesday of next week as businesses re-open following a regular weekend in Europe and a public holiday on Monday in the US.

I was made aware of this threat by a Virus Alert broadcast that arrived via Enterprise SecureCast, a service for corporate customers of Network Associates, Inc., while I was working on my computer this morning. Their notice, at http://vil.nai.com/villib/dispVirus.asp?virus_k=98661, differs in some details from that posted by NIPC but the essentials are the same. The NIPC notice gives the same information as that found on the Symantec Web site, which posted their announcement about four hours before NIPC posted theirs.
The notice from McAfee is dated today and it is possible that they simply had more time to study the way the worm works.

This concludes this VirusWarn notice. It was based on publicly available information which is duplicated in all major details on the Web sites of three vendors of anti-virus software and the Web site operated by the National Infrastructure Protection Center, an agency operated by the government of the United States of America. To the best of my knowledge, the information is current and accurate as of this writing, at 20:30 GMT on 27 May 2000.

Lee Drake, Moderator
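
Added example, not part of the original post: a mail triage check built from the indicators the notice gives (the subject line, the attachment name Explorer.doc, and the closing note about copycat resumes carrying Word documents). The function names, verdict labels and sample messages are constructed for illustration, and treating .doc and .dot as the Word extensions is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the notice above.
KNOWN_SUBJECT = "resume - janet simons"
KNOWN_ATTACHMENT = "explorer.doc"
# Assumption: extensions used by macro-capable Word 97/2000 files.
WORD_EXTENSIONS = (".doc", ".dot")


def triage(raw_message: bytes) -> str:
    """Classify one RFC 822 message as 'known', 'suspect' or 'clean'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # Collapse case and whitespace so trivial spacing changes still match.
    subject = " ".join((msg["Subject"] or "").lower().split())
    names = [(part.get_filename() or "").strip().lower()
             for part in msg.iter_attachments()]

    # Exact indicators from the notice: either one is enough to quarantine.
    if subject == KNOWN_SUBJECT or KNOWN_ATTACHMENT in names:
        return "known"
    # Copycat heuristic from the closing note: a Word document that
    # claims to be a resume deserves a second look before it is opened.
    has_word_doc = any(n.endswith(WORD_EXTENSIONS) for n in names)
    if "resume" in subject and has_word_doc:
        return "suspect"
    return "clean"


def build_sample(subject: str, filename: str = "") -> bytes:
    """Build a constructed test message; the attachment bytes are inert."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Constructed test body.")
    if filename:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Resume - Janet Simons", "Explorer.doc"),
                       ("My resume", "cv.doc"),
                       ("Meeting notes", "notes.doc")]:
        print(f"{subj!r:28} {name!r:16} -> {triage(build_sample(subj, name))}")
```

The check reads only headers and attachment names, so it never opens the document itself.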