*** Forwarded from another list ***

----- Original Message -----
From: "John A Hansen"
Sent: Tuesday, March 12, 2002 1:51 AM
Subject: Virus Alert from List Admin ( Update your AV software Now) ( march 11-2002)

:
: Dear All:
:
: Here is the latest alert issued today.
: It's a Level Three Alert.
:
: Note that this worm looks like it's coming
: from Microsoft with instructions to install.
:
: One of the Security houses also found that
: a version of this could be executed without
: activating the attachment.
:
: So download your AV patches ASAP. If the
: virus can activate without execution of the
: attachment then the thought that you are
: protected by not executing attachments is
: false.
:
: Note that these viruses are not being
: transmitted through Rootsweb but are
: coming from people that you know and have
: your address in their email program.
:
:
: Best Regards
: John A Hansen
: List Admin
:
:
:
: [email protected]
: Discovered on: March 4, 2002
: Last Updated on: March 11, 2002 at 07:17:27 AM PST
:
:
: Due to an increased rate of submissions Symantec Security
: Response has upgraded the threat rating of [email protected]
: from Category 2 to Category 3 as of March 11, 2002.
:
: [email protected] is a worm that uses Microsoft Outlook and its
: own SMTP engine to spread. This worm arrives in an email
: message--which is disguised as a Microsoft Internet
: Security Update--as the attachment Q216309.exe.
:
:
: Also Known As: W32/[email protected], WORM_GIBE.A, W32/Gibe-A
: Type: Trojan Horse, Worm
: Infection Length: 122,880 bytes
:
: Virus Definitions (Intelligent Updater): March 5, 2002
: Virus Definitions (LiveUpdate™): March 6, 2002
:
: Threat Assessment:
:
: Damage:
:
: Payload:
:   Large scale e-mailing: Sends to addresses found
:   in Microsoft Outlook Address book and by searching
:   of .htm, .html, .asp, and .php files.
:   Compromises security settings: Installs a Backdoor
:   Trojan which allows remote access to the infected system
: Distribution:
:
:   Subject of email: Internet Security Update
:   Name of attachment: Q216309.exe
:   Size of attachment: 122,880 bytes
:   Ports: 12378
:
: Technical description:
:
: The fake message, which is not from Microsoft, has
: the following characteristics:
:
: From: Microsoft Corporation Security Center
: Subject: Internet Security Update
: Message:
: Microsoft Customer,
: this is the latest version of security update,
: the update which eliminates all known security
: vulnerabilities affecting Internet Explorer and
: MS Outlook/Express as well as six new vulnerabilities
: .
: .
: .
: How to install
: Run attached file q216309.exe
: How to use
: You don't need to do anything after installing this item.
: .
: .
: .
: Attachment: Q216309.exe
:
: The attached file, Q216309.exe, is written in Visual Basic;
: it contains other worm components inside itself. When the
: attached file is executed, it does the following:
:
: It creates the following files:
:
: \Windows\Q216309.exe (122,880 bytes). This is the whole package
: containing the worm.
: \Windows\Vtnmsccd.dll (122,880 bytes). This file is the same
: as Q216309.exe.
: \Windows\BcTool.exe (32,768 bytes). This is the worm component
: that spreads using Microsoft Outlook and SMTP.
: \Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor
: Trojan component of the worm that opens port 12378.
: \Windows\02_N803.dat (size varies). This is the data file
: that the worm creates to store email addresses that it finds.
: \Windows\WinNetw.exe (20,480 bytes). This is the component
: that searches for email addresses and writes them to 02_N803.dat.
:
: NOTE: Norton AntiVirus detects all of these files as [email protected]
: except the 02_N803.dat file, which contains only data.
:
:
: Finally, BcTool.exe attempts to send the
: \Windows\Q216309.exe file to email addresses
: in the Microsoft Outlook address book, and to
: addresses that it found in .htm, .html, .asp,
: and .php files and wrote to the 02_N803.dat file.
:
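
The file names, sizes and port listed in the alert above can be turned into a quick host check. The following is an added example, not part of the forwarded alert or of the vendor advisory it quotes; the function names are hypothetical, and it assumes the backdoor port is TCP and that the Windows directory is the one named by the WINDIR environment variable.

```python
import os
import socket

# File names and sizes exactly as listed in the alert (None = "size varies").
GIBE_FILES = {
    "Q216309.exe": 122880,
    "Vtnmsccd.dll": 122880,
    "BcTool.exe": 32768,
    "GfxAcc.exe": 20480,
    "WinNetw.exe": 20480,
    "02_N803.dat": None,
}
BACKDOOR_PORT = 12378  # assumed to be TCP; the alert only says "Ports: 12378"


def scan_directory(windows_dir):
    """Return sorted (name, actual_size, size_matches) for listed files found."""
    # Windows file names are case-insensitive, so compare in lower case.
    wanted = {name.lower(): (name, size) for name, size in GIBE_FILES.items()}
    findings = []
    for entry in os.scandir(windows_dir):
        hit = wanted.get(entry.name.lower())
        if hit is None or not entry.is_file():
            continue
        name, expected = hit
        actual = entry.stat().st_size
        findings.append((name, actual, expected is None or actual == expected))
    return sorted(findings)


def port_is_listening(port=BACKDOOR_PORT, host="127.0.0.1", timeout=1.0):
    """True if something accepts TCP connections on the given local port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for name, size, match in scan_directory(windir):
        note = "size matches alert" if match else "size differs from alert"
        print(f"FOUND {name} ({size} bytes, {note})")
    if port_is_listening():
        print(f"TCP port {BACKDOOR_PORT} is accepting local connections")
```

A name match with a different size is still worth a look, since the listed sizes describe only the variant in this alert; an empty result does not replace a scan with current virus definitions.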