Hi all,

This message is going out to all the lists I manage. If you receive this multiple times, please keep one and read it. Use your delete key on the rest...

EFFECTIVE IMMEDIATELY... GIVE ME ADVANCE NOTICE and RECEIVE MY RESPONSE TO IT ***BEFORE*** you send me any material by way of attachment. Any data arriving before a notice will be deleted.

~@~@~@~@~@~@~@~@~@~@~@~@

NEWBIES AND COMPUTER NOVICES, PLEASE BE SURE TO READ **ALL** OF THIS MESSAGE... print this out if you have to, but understand that you need this information so you can protect your own computer, and hence protect the rest of us...

A new and dangerous version of the Tanatos virus has hit cyberspace, one that all the major anti-virus houses have elevated to "red" on their scales and consider "extremely dangerous." We are talking about one virus with TWO versions.

** Panda Anti-Virus Software has determined that this virus has already affected 23% of the computers globally.
** In just a few hours, this virus has already infected more computers than the Klez.I virus ~ the #1 virus since April 2002.

I personally have already received 32 messages containing attachments with this virus. It is IMPERATIVE that you know about this one!

The first thing I want to let you know is that YOU CAN NOT be infected by any messages coming from any of Rootsweb's lists. The threat to your computer DOES NOT come from the list itself. It comes OFF THE LIST, from those friends, family members and acquaintances who have your email address in their computer's address books. They MAY OR MAY NOT belong to the same Rootsweb list(s) as you. That being said, the following is important to remember when you read the information after the seven points I'll list below...

1. Rootsweb allows ONLY text messages through their filters. Attachments to messages are NOT allowed, nor can they get through those filters.

2. If you receive a message with an attachment that LOOKS like it came from the list, it's probably a virus-laden message (reread #1, above). DO NOT click on the attachment. Instead, either delete the message or email back to the person you received the message from and see if they sent you something by way of email. Just DON'T click on the attachment, particularly if it has a double extension (see #5).

3. Next, if you don't already have one, get yourself an anti-virus program IMMEDIATELY. A good, free one that I know of is AVG by Grisoft <http://www.grisoft.com>. Once you have it on your computer, be sure to update FREQUENTLY.

4. If you already have an AV program installed, update IMMEDIATELY. Norton AV has issued two AV updates in as many days. AVG has also issued updates and so has McAfee.

5. ANY file with a double extension (filename.pif.exe OR filename.gif.scr) is an excellent clue that you're sitting on an attachment with a virus in it. DO NOT OPEN IT!! Delete it immediately.

6. If your email program automatically opens attachments, go to your program options and find out how to stop that. You want to have to manually open them, especially now.

7. Quitting the Rootsweb lists you belong to isn't going to make your computer safe, nor will this virus "go away" tomorrow or even next week. Remember, it's whoever has you in their address books that you need to be concerned about. It IS wise at this point, though, to be wary of any email list (for example, those at yahoogroups) that does allow attachments.

Let's get started learning about this new virus...

The new version of this malicious program, called Tanatos.b, has dangerously destructive capabilities for infecting computer files. Tanatos.a, also known as BugBear.a, is a worm virus spreading via the Internet as an attachment to infected emails. The worm also copies itself over local networks to segments open for full access and runs backdoor and PSW trojan routines.
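Points 2 and 5 above describe a check you do by eye. As an added example (not part of this message or of any anti-virus vendor's tool), the following Python script performs the same triage on a raw email: it flags attachments whose name ends in an executable extension, and especially a double extension such as filename.gif.scr, compares the subject against some of the subject lines quoted later in this message, and records the From: address only as a "purported sender", because the worm forges that header. The two sample messages, the list of executable extensions and the function names are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs when double-clicked. The message names .exe, .scr
# and .pif; the rest are added here for the example (constructed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs"}

# A subset of the subject lines quoted later in this message.
BUGBEAR_SUBJECTS = {
    "greets!", "hi!", "your news alert", "re: your gift", "news",
    "warning!", "bad news", "report", "update", "hello!", "just a reminder",
}


def classify_filename(name):
    """Return the reasons an attachment name looks like worm bait (empty = clean)."""
    exts = name.lower().split(".")[1:]   # everything after the base name
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + exts[-1])
        if len(exts) >= 2:
            # filename.gif.scr / filename.pif.exe: the harmless-looking first
            # extension hides the real one from anyone who only reads that far.
            reasons.append("double extension ." + ".".join(exts[-2:]))
    return reasons


def screen_message(raw):
    """Triage one raw message (bytes) against the indicators in this message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_filename(name)
        if reasons:
            flagged[name] = reasons
    if flagged:
        verdict = "quarantine"
    elif subject.lower() in BUGBEAR_SUBJECTS:
        verdict = "review"   # known subject, but no dangerous attachment
    else:
        verdict = "pass"
    return {
        "verdict": verdict,
        "subject_known": subject.lower() in BUGBEAR_SUBJECTS,
        "attachments": flagged,
        # The From: address was harvested from some third party's files, so it
        # names a victim of the worm, not the infected machine. Do not bounce
        # the message to it or warn that person that "their" computer is infected.
        "purported_sender": msg["From"],
        "notify_sender": False,
    }


def build_sample(infected):
    """Build a sample message inline so the script runs offline (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "mom@example.org"
    msg["To"] = "you@example.org"
    if infected:
        msg["Subject"] = "Re: Your Gift"
        msg.set_content("see attached")
        msg.add_attachment(b"MZ\x90\x00 not a real program",
                           maintype="application", subtype="octet-stream",
                           filename="photo.gif.scr")
    else:
        msg["Subject"] = "Family reunion photos"
        msg.set_content("Hi, the reunion is on the 14th. No attachment, just text.")
    return msg.as_bytes()


if __name__ == "__main__":
    for infected in (True, False):
        print(screen_message(build_sample(infected)))
```

The script deliberately gives the attachment check priority over the subject match: the subject list is only a hint, since point 5 above says the worm can also pull a subject from any file on the infected machine, whereas an executable attachment is the thing that actually does the damage.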
Tanatos is a complex worm that contains many different elements:

1. Mass-mailer
2. Network share propagator
3. Keylogger
4. Remote access trojan
5. Polymorphic parasitic file infector
6. Security software terminator

The Tanatos (BugBear) worm itself is a Windows PE EXE file about 50KB in length (it is compressed by the UPX utility), and written in Microsoft Visual C++.

Aliases for the Tanatos virus are: Bugbear.B (F-Secure), PE_BUGBEAR.B (Trend), W32.Bugbear.B@mm (Symantec), W32.Kijmo, W32.Shamur, W32/Bugbear.b.dam, Win32.Bugbear.B (CA)

***HOT*** THE INFECTED MESSAGES HAVE DIFFERENT SUBJECTS, BODIES, AND ATTACHED FILE NAMES...

The worm sends messages of two types (which it randomly selects). In the first case, in order to run from the infected message, the worm exploits the IFrame security breach (as a result the worm activates when a message is opened or previewed on vulnerable (victim) systems). In the second case the worm does not use "breach tricks" and the attached worm copy activates from the infected email only if a user clicks on the attached file.

The Tanatos worm got its name from the text string appearing in its code:

Project Tanatos

Installing

While installing, the worm copies itself to the Windows system directory under a random name and registers itself in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

The worm's EXE filename depends on the C: volume name, for example:

FYOM.EXE
YOK.EXE

The worm also places a DLL file in the Windows system directory under a random name and uses this file to 'spy' on and record all keyboard input.

The virus contains a long list of domain names (related to banking institutions).
Strings within the virus suggest that if it determines the victim machine to belong to such a domain, the following Registry key is set:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings
"EmableAutodial" = 00 00 00 01

For a list of the domains carried in the worm, go to the bottom of the page here: <http://vil.mcafee.com/dispVirus.asp?virus_k=100358>

Mass-mailing ~ ***IMPORTANT!!!***

This worm emails itself to addresses found on the local system (in files and email messages). This goes for both the TO and FROM fields. Thus the SENDER ADDRESS IS SPOOFED, OR FORGED, AND NOT A DIRECT INDICATION OF AN INFECTED USER.

It extracts addresses from file names containing these strings:

* .DBX
* .EML
* INBOX
* .MBX
* .MMF
* .NCH
* .ODS
* .TBB

Spreading: Emails

To send infected messages, Tanatos uses a direct connection to the default email server. Victim email addresses are obtained from the following file types: *.ODS, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX, *INBOX*

This virus spreads over the network (via network shares) and by mailing itself (using its own SMTP engine). The Tanatos worm searches for these files in the system and extracts email-like strings from them.

The Subject field is selected from the following variants:

Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re: Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
Additionally, the message Subject can be randomly selected by "Tanatos" from a randomly selected disk file. Filenames may also be taken from files found in the infected computer's personal folder. The message body, also randomly selected by Tanatos, varies and may contain fragments of files found on the victim's system (including old email messages).

The attached file name is also randomly selected and it may have a double extension, for example: filename.XLS.SCR

Spreading: Network

Tanatos enumerates network resources shared for writing, looks for the startup folder and copies its file to this folder (if found). This routine has a bug and the worm also sends copies of itself to shared network printers.

Backdoor - HOW TANATOS WORKS...

Tanatos is a remote access trojan, which means that if your computer is infected, the worm opens a port on your computer where it then listens for "master" commands (from the person or people who are controlling it). The backdoor routine grants control over infected machines, giving those who control Tanatos the ability to send/receive/copy/execute files, terminate processes, send out user info, etc. Tanatos also opens an HTTP server on infected machines, which offers a WEB interface with which to manipulate infected machines.

PSW Trojan

The worm also has a trojan routine that sends user info and cached passwords to several email addresses that are encrypted in the worm body.

Other

Among many others, Tanatos looks for the following applications and tries to terminate them:

zonealarm.exe
blackd.exe
lockdown2000.exe
avwin95.exe
avgctrl.exe
anti-trojan.exe
safeweb.exe
navwnt.exe
navlu32.exe
navapw32.exe

Recognize that these files are the executable files of anti-virus software programs. A full list of the applications Tanatos tries to attack can be found at <http://www.viruslist.com/eng/viruslist.html?id=52245>.

Yes, there is a way to remove the virus from your computer if you find that it's been infected.
Depending on the AV program you use, you'll need to visit their web site to get the repair.

Scan your computer OFTEN. Update to the MAX. Be alert and be cautious.

I've emphasized Rootsweb heavily in this "heads-up" because so many messages come to us offlist that do, in fact, have viruses attached. I get them every day. They appear to come FROM the list, when they actually DON'T. So, don't worry about receiving list mail. It's those messages offlist you need to be concerned about ~ which leads me to reiterate...

The Tanatos (Bugbear) virus sends 3rd party emails where the FROM: address is spoofed. Third party viruses have 2 victims, the recipient and the spoofed sender. Rarely does a person today receive a virus directly from the purported sender. The Tanatos virus spoofs email addresses. So, if you receive an infected message from your mom (for example), realize that it WILL NOT have come from her computer but from someone (could even be someone she barely knows) who has her email address in it.

BE VIGILANT with regard to the attachment itself.

This information isn't meant to scare half the computer life out of you. However, it IS meant to make you aware of this malicious virus that can cost you money to get your computer repaired, cause you to lose your files, AND make a lot of people cranky! It's vital that you protect your computer so you can protect OUR computers.

Colleen Pustola
List Manager

Permission is given to pass this message along.