This issue covers both February and March 2000; we felt it best to combine them due to technical difficulties distributing the February newsletter. The end of January proved interesting, with a couple of new macro viruses appearing that targeted Visio documents. Visio licensed Visual Basic for Applications (VBA) and has since been taken over by Microsoft, so we will see a few more of these in the coming months; there is a short write-up about these viruses below. There has been a lot of activity in Taiwan and Korea with VBS.APS and VBS.Leebill, two new Visual Basic Script trojans arriving in inboxes as HTML emails, plus the White Worm found in Korea. February saw the denial-of-service attacks on some well-known web sites; W32.DoS.Trinoo was believed to have been used to stage these attacks. Trinoo is not a virus but an attack tool, released in late December 1999, used to perform a distributed DoS attack. Finally, in recent weeks we have seen a lot of PrettyPark, the worm that spreads itself via email; it appears that several new variants are doing the rounds.

David Banes, Editor, sarc@symantec.com
STOP PRESS - New VBS Trojan, VBS.APS, VBS.Network
Three new macro viruses were recently discovered. They infect Visio documents using Visio's VBA, which was licensed from Microsoft last year. Several versions of Visio now support Visual Basic for Applications (VBA) 5: Visio 4.5, Visio 5 and Visio 2000. Brief descriptions follow, with more details to come on the SARC web site.

V5M.Unstable is an encrypted, polymorphic macro virus with no malicious payload. It is a proof of concept showing that it is possible to write a polymorphic macro virus in Visio, and it has never been seen in the wild.

V5M.Radiant.A is a very buggy virus written to infect Visio files. It has no malicious payload and has never been seen in the wild.

V5M.Vision.A is another Visio virus similar to V5M.Radiant.A. It has no malicious payload and has never been seen in the wild.

by: Raul K. Elnitiarta
The Korean cyber crime investigation team of the National Police Agency (NPA) announced on Thursday 17 February (Korean time) that a 15-year-old middle-school student was booked without detention for writing a worm program, which he spread indiscriminately by posting it on a popular computer magazine's web page, http://www.ilovepc.co.kr, disguised as a free update program. When the attached EXE file is executed, the worm takes control; its infection routine opens the Outlook Express database, gets email addresses from the address book and sends infected messages to the addresses found. The worm has a very dangerous payload routine: on the 31st day of every month (so only in months that have 31 days), it overwrites C:\AUTOEXEC.BAT with a command that formats the C drive. However, the worm needs VB6KO.DLL and MSVBVM60.DLL to start, so it is unlikely to spread very far in the wild. The virus writer studied computers at a private institute for a year and, after gaining further computer knowledge through the Internet, developed the virus in five days. He told the police that he made the worm because he wanted to check how good his skills were. This is the third Korean virus author arrested by police. Unfortunately, at the time some mass media in Korea publicised them as heroes or geniuses. (Reference: some text from the Chosun daily newspaper.)

by Jacky Cha, AVAR (Association of anti-Virus Asia Researchers)
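A practical check for the payload described above, added here as an illustration and not part of the original newsletter: a small Python scanner that tokenises an AUTOEXEC.BAT and flags any line that actually invokes FORMAT, FDISK or DELTREE, while ignoring REM comments and unwrapping LH/LOADHIGH. The sample file contents, including the injected format line, are constructed for this example and are not the worm's real payload text.

```python
import re

# Commands that destroy data when handed a drive or directory.
DESTRUCTIVE = {"format", "fdisk", "deltree"}

# Constructed sample of a Windows 9x AUTOEXEC.BAT with one injected line
# (line 5). The REM line is a comment and must not be reported.
SAMPLE_AUTOEXEC = r"""@ECHO OFF
REM format c: /u   (only a comment, must not be flagged)
PATH C:\WINDOWS;C:\WINDOWS\COMMAND
SET TEMP=C:\WINDOWS\TEMP
ECHO Y | FORMAT C: /U /AUTOTEST
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MSCD001
"""

_REM = re.compile(r"REM\b", re.IGNORECASE)


def _commands_on_line(line):
    """Yield the command name of each pipe segment on one batch line.

    A leading '@' (echo suppression) is stripped, REM lines yield nothing,
    and LH/LOADHIGH are unwrapped so the command they load is examined.
    """
    stripped = line.strip().lstrip("@")
    if not stripped or _REM.match(stripped):
        return
    for segment in stripped.split("|"):
        words = segment.split()
        if not words:
            continue
        if words[0].lower() in ("lh", "loadhigh") and len(words) > 1:
            words = words[1:]
        yield words[0].lower()


def _base_name(command):
    """Reduce 'c:\\dos\\format.com' to 'format'; bare names pass through."""
    name = command.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def find_destructive_commands(autoexec_text):
    """Return (line_number, line) for each line invoking a destructive command."""
    hits = []
    for number, line in enumerate(autoexec_text.splitlines(), start=1):
        if any(_base_name(cmd) in DESTRUCTIVE for cmd in _commands_on_line(line)):
            hits.append((number, line.strip()))
    return hits


if __name__ == "__main__":
    for number, line in find_destructive_commands(SAMPLE_AUTOEXEC):
        print(f"line {number}: {line}")
```

Run against a copy of the suspect machine's AUTOEXEC.BAT taken from a clean boot; a hit on a FORMAT line is the tampering this worm leaves behind, and the file can be restored from backup before the next 31st.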
VBS.APS is a JScript Trojan that was sent as part of the body of an HTML email from an account held at a free email provider. It relies on the Windows Scripting Host (WSH), which is part of Windows 98 and Windows 2000 and is available as a download for Windows 95. If this Trojan is received by an email client that uses MS Internet Explorer (Outlook Express, Outlook etc.) to display HTML email, and the Windows client's security settings are not set to 'High', then the Trojan's code will be run by the WSH. VBS.APS saves information about your email connection to a file, then tries to download a program from the Internet to your computer using FTP.

Repair information: there are no registry keys to remove. Just delete the email that the Trojan arrived in and, if the download occurred, the files that were downloaded: Windows\system\system\MSIE.EXE and EXPLORER.EXE in the same directory.

By David Banes, SARC Asia Pacific
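The infection vector above (script inside an HTML mail body, executed when the client renders it with Internet Explorer's engine at a permissive security level) can be caught before delivery by inspecting HTML parts for active content. The following Python scanner is an added example, not code from the newsletter or from Symantec: it parses a message with the standard library's email and html.parser modules and reports script elements, javascript:/vbscript: URLs and inline event-handler attributes. The sample message is constructed for this example and carries no real malware.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a text/plain part plus an HTML part with a script block,
# an inline event handler and a vbscript: link. Not a real VBS.APS sample.
SAMPLE_EML = """\
From: someone@example.invalid
To: victim@example.invalid
Subject: free update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please view this message in an HTML capable client.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body onload="init()">
<p>Free update!</p>
<script language="JScript">var x = 1;</script>
<a href="vbscript:MsgBox(1)">click</a>
</body></html>
--b1--
"""

# URL schemes that hand the rest of the URL to a script engine.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentParser(HTMLParser):
    """Collect findings about executable content in one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag == "script":
            attr_map = dict(attrs)
            lang = attr_map.get("language") or attr_map.get("type") or "default"
            self.findings.append(f"<script> element (language={lang})")
        for name, value in attrs:
            if name.startswith("on"):            # onload=, onclick=, ...
                self.findings.append(f"<{tag}> has event handler {name}")
            elif value and value.strip().lower().startswith(SCRIPT_SCHEMES):
                self.findings.append(f"<{tag}> {name} uses a script: URL")


def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ActiveContentParser()
        parser.feed(part.get_content())
        parser.close()
        findings.extend(parser.findings)
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print("ACTIVE CONTENT:", finding)
```

A gateway that quarantines any message with a non-empty result removes the dependency on every desktop having its security zone set to 'High'; legitimate HTML newsletters rarely need script, so the false-positive rate is low.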
I often get asked for trigger dates for viruses; it seems that people often think this is the thing to focus on: "When does that really nasty virus trigger?" Well, I have an alternative view: whilst trigger dates are important to remember for viruses that are in the wild and have a dangerous payload, viruses can trigger every day of the year, and there are much more interesting questions that can be asked, for example:
- What can people do to avoid getting hit by a virus?
- What can be done to ensure a good recovery from a virus incident?
- How can I prevent and stop viruses and worms that spread via email?
- How many viruses are 'In the Wild', and which am I likely to see often?
- What are the different types of viruses, and which are more common?
- How best can I protect myself from Internet-based threats?
There are lots more questions like this, and the answers are much more interesting than asking the same old question, 'When does the next virus trigger?'. So it's time to start thinking outside the square when it comes to publishing articles on computer viruses.

David Banes, SARC Asia Pacific
Contacts
Correspondence by email to: sarc@symantec.com
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html

To Subscribe and Unsubscribe
To be added or removed from the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/help/subscribe.html
SARC AntiVirus News Update is published periodically by Symantec Corporation. No reprint without permission in writing, in advance.
All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-1999 Symantec Corporation. All rights reserved.