[wellylug] Virus

Chris Harris chris.harris at actrix.gen.nz
Sat Mar 23 15:25:47 NZST 2002


It's a new one, only a few days old.

http://securityresponse.symantec.com/avcenter/venc/data/w32.caric@mm.html


W32.MyLife.B@mm
Discovered on: March 21, 2002
Last Updated on: March 22, 2002 at 12:40:53 PM PST

Due to increased submissions, Symantec Security Response has upgraded
W32.MyLife.B@mm to a Category 3.
W32.MyLife.B@mm is a mass-mailing worm that uses Microsoft Outlook to spread
to all addresses in the Outlook address book. It copies itself to
C:\Windows\System\Cari.scr and may delete files, depending on the system time.

NOTE: Definitions dated prior to March 22, 2002 will detect this as
W32.Caric@mm.

Also Known As: W32.Caric@mm
Type: Worm
Infection Length: 11,524 bytes

Virus Definitions (Intelligent Updater): March 21, 2002
Virus Definitions (LiveUpdate(TM)): March 21, 2002

Threat Assessment:


Wild: Medium
Damage: Medium
Distribution: High


Wild:

Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy
Damage:

Payload Trigger: If the worm is run when the system time is between 8:00
A.M. and 9:00 A.M.
Payload:
Large scale e-mailing: Send itself to all addresses in the Microsoft Outlook
address book
Deletes files: Attempts to delete the files on C:\*.*, *.sys, *.vxd, *.ocx,
*.nls, d:\*.*, e:\*.*, f:\*.*
Distribution:

Subject of email: bill caricature
Name of attachment: Cari.scr
Size of attachment: 11,524 Bytes

Technical description:

If W32.MyLife.B@mm is executed, it does the following:

It uses Microsoft Outlook to spread to all addresses in the Outlook address
book. The email message will have the following characteristics:

Subject: "bill caricature"

Message:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buy

========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------

Attachment: Cari.scr

It copies itself to C:\Windows\System\Cari.scr.

It displays a graphic (not reproduced in this plain-text copy).

Payload:
The payload of this worm will activate if the worm is run when the system
time is between 8:00 A.M. and 9:00 A.M.

The worm attempts to set itself to run with Windows by adding the value:

win c:\windows\system\cari.scr

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It also attempts to delete the following files:

C:\*.*
*.sys
*.vxd
*.ocx
*.nls
d:\*.*
e:\*.*
f:\*.*

Removal instructions:

Delete all files detected as W32.MyLife.B@mm or W32.Caric@mm and remove the
value that it added to the registry.

NOTE: If the payload has activated and was successful, you may need to
restore the deleted files from a clean backup.


1. Obtain the most recent virus definitions. There are two ways to do this:

   - Run LiveUpdate. LiveUpdate is the easiest way to obtain virus
     definitions. These virus definitions have undergone full quality
     assurance testing by Symantec Security Response and are posted to the
     LiveUpdate servers one time each week (usually Wednesdays) unless there
     is a major virus outbreak. To determine whether definitions for this
     threat are available by LiveUpdate, look at the Virus Definitions
     (LiveUpdate) line at the top of this write-up.

   - Download the definitions using the Intelligent Updater. Intelligent
     Updater virus definitions have undergone full quality assurance testing
     by Symantec Security Response. They are posted on U.S. business days
     (Monday through Friday). They must be downloaded from the Symantec
     Security Response Web site and installed manually. To determine whether
     definitions for this threat are available by the Intelligent Updater,
     look at the Virus Definitions (Intelligent Updater) line at the top of
     this write-up.

Intelligent Updater virus definitions, together with detailed instructions
on how to download and install them, are available from the Symantec
Security Response Web site.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to
scan all files. For instructions on how to do this, read the document How to
configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.MyLife.B@mm or W32.Caric@mm.

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make
any changes to it. Incorrect changes to the registry can result in permanent
data loss or corrupted files. Modify only the keys that are specified. Read
the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the following value:

win c:\windows\system\cari.scr

5. Click Registry, and click Exit.
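As an added example (not part of the Symantec write-up or this list post), the script below turns the indicators quoted above into two defender checks: it parses a `reg export` of the HKCU Run key and flags any value launching the worm's screensaver file, and it matches an inbound message against the subject, attachment name and size. The sample export and the benign "SysTray" entry in it are constructed.

```python
import re

# Indicators quoted from the write-up above
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_FILE = "cari.scr"          # dropped as C:\Windows\System\Cari.scr
MAIL_SUBJECT = "bill caricature"
ATTACH_SIZE = 11524             # bytes

def parse_reg_export(text):
    """Parse a Registry Editor (.reg) export into {key: {value_name: data}}.
    Only REG_SZ values are handled, which is all a Run key normally holds."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
            if not m:
                continue
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys

def find_run_persistence(reg_text):
    """Return (value_name, data) pairs under the Run key that reference the
    worm's file; matching on the filename rather than the full path also
    catches a copy dropped into a non-default Windows directory."""
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    return [(n, d) for n, d in run_values.items() if WORM_FILE in d.lower()]

def is_worm_mail(subject, attachment_name, attachment_size):
    """Match an inbound message against the advisory's mail characteristics."""
    return (subject.strip().lower() == MAIL_SUBJECT
            and attachment_name.lower() == WORM_FILE
            and attachment_size == ATTACH_SIZE)

# Constructed sample of `reg export` output for an infected machine; the
# benign SysTray entry is made up for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SysTray"="C:\\WINDOWS\\SYSTEM\\SysTray.Exe"
"win"="c:\\windows\\system\\cari.scr"
'''
```

Run `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` on the suspect machine and pass the file's contents to `find_run_persistence`; a non-empty result is the value the removal steps above tell you to delete.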






Write-up by: Douglas Knowles and Yana Liu




  .-.   Wellington
  /V\   Linux
 // \\  Users       
/(   )\ Group
 ^^-^^
        http://wlug.paradise.net.nz/
