Technical/Computer Archive


ERRI "V-Watch" Section--Computer Security/Virus Information; Real and Imagined

 
  • W32.HLLW.Lovgate.C@mm Discovered

    Discovered on: February 24, 2003
    Last Updated on: February 24, 2003 08:14:02 PM

    W32.HLLW.Lovgate.C@mm is a variant of W32.HLLW.Lovgate@mm. This worm contains mass-mailing and backdoor functionalities.

    To spread itself, the worm attempts to reply to incoming messages when they arrive in the mailbox of certain MAPI-compliant email clients, which include Microsoft Outlook. W32.HLLW.Lovgate.C@mm does this in an effort to emulate the auto-reply function of the email client, as well as to lure those who sent the original messages to the infected computer into opening the returned messages.

    There are no major functionality differences between this variant and W32.HLLW.Lovgate@mm. This particular variant appears to have been recompiled with a different compiler, and then packed with the same run-time compression utility as W32.HLLW.Lovgate@mm.

    Also Known As: WORM_LOVGATE.C [Trend], Win32/Lovgate.C@mm [RAV], W32/Lovgate.c@M [McAfee], I-Worm.Supnot.c [KAV], W32/Lovgate-B [Sophos], Win32.Lovgate.C [CA]

    Variants: W32.HLLW.Lovgate@mm, W32.HLLW.Lovgate.B@mm
    Type: Worm
    Infection Length: 78,848 Bytes

    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

    Source: http://www.sarc.com/avcenter/venc/data/w32.hllw.lovgate.c@mm.html

    Removal using the W32.HLLW.Lovgate Removal Tool
    This is the easiest way to remove this threat. Symantec Security Response has created a
    W32.HLLW.Lovgate Removal Tool. Click here to obtain the tool.
     

  • UPDATE - 11:00CST - 25 Jan 2003

    SQL Slammer

    WASHINGTON:
    Traffic on many parts of the Internet slowed dramatically for hours early Saturday, the apparent effect of a fast-spreading, virus-like infection being called, alternatively, "sapphire," "slammer" or "SQL hell." The interruptions began at about 00:30 EST. The worm, which appears to overwhelm SQL servers, reportedly clogged the world's digital pipelines and interfered with Web browsing and delivery of e-mail. South Korea was apparently especially hard hit by the worm, and some major servers in Israel remained unreachable at the time of this report.

    Various sites that monitor the health of the Internet reported significant global slowdowns. Experts said the electronic attack bore remarkable similarities to the "Code Red" virus of summer 2001, which also ground traffic to a halt on much of the Internet. Members of the FBI's NIPC and experts at the federally funded CERT Coordination Center were monitoring the attack and are expected to conduct an investigation into its source.

    Additional information and a patch for the vulnerability are available at:
    Microsoft Security Bulletin MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)
     

  • More KLEZ.H Spoofing...

    Devious distribution of the W32.Klez.H@mm virus continues. We found this one particularly "lame" and yet interesting, as it appears to have been sent internally (from sysop to sysop@emergency.com) until one analyzes the headers. Then it becomes apparent that this is another case of spoofing of the sending address. The file "set-up.exe" was included, along with "search_2.htm." Please be aware of this continued activity. See log:

    Received: from [209.20.130.75] by emergency.com id 4e510.wrk; Fri, 7 Jun 2002 09:50:36 CST
    Received: from Kcz ([208.187.159.37])
    by smtp001.nwlink.com (8.12.2/8.12.2) with SMTP id g57Ed5OK000779
    for <sysop@emergency.com>; Fri, 7 Jun 2002 07:39:09 -0700
    Date: Fri, 7 Jun 2002 07:39:05 -0700
    Message-Id: <200206071439.g57Ed5OK000779@smtp001.nwlink.com>
    From: sysop <sysop@emergency.com>
    To: sysop@emergency.com
    Subject: A very nice game
    X-Mail-From: camgroup@nwlink.com
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="zzzz7e9e09af2cc74ebcemergency.cozzzz"


    Fraudulent E-Mail Addresses Used to Spread W32.Klez.H@mm virus

    CHICAGO, IL: ERRI Managing Editor Steve Macko today warned that fraudulent e-mail addresses are being used to spread the Klez virus on the Internet. Macko (firenet@emergency.com) said that an investigation of an e-mail that appears to come from his professional address showed that it actually comes from another, unknown party and from/through several servers at AOL.com (see actual log below). Macko said that analysis indicates the Klez.H virus was contained in a file attachment entitled "Pwmaq.exe," that the message also contained what appears to be a web page, "Index_1_htm," and that the e-mail is titled "Owners. All rights reserved." Macko said that any number of official e-mail addresses are also being spoofed in this manner, urged caution about opening such e-mails, and said that it would be useful for Internet providers to block such traffic. Macko also recommended that computer users keep their anti-virus scanners updated.

    Received: from [205.188.156.51] by emergency.com id 69510.wrk; Thu, 6 Jun 2002 13:10:34 CST
    Received: from logs-mtc-tc.proxy.aol.com (logs-mtc-tc.proxy.aol.com [64.12.105.135]) by rly-ip06.mx.aol.com (v83.35) with ESMTP id RELAYIN2-0606135641; Thu, 06 Jun 2002 13:56:41 -0400
    Received: from Dgptjccq (ACA92542.ipt.aol.com [172.169.37.66])
    by logs-mtc-tc.proxy.aol.com (8.10.0/8.10.0) with SMTP id g56Hrns28607
    for <webmaster@emergency.com>; Thu, 6 Jun 2002 13:53:49 -0400 (EDT)
    Date: Thu, 6 Jun 2002 13:53:49 -0400 (EDT)
    Message-Id: <200206061753.g56Hrns28607@logs-mtc-tc.proxy.aol.com>
    From: firenet <firenet@emergency.com>
    To: webmaster@emergency.com
    Subject: Owners. All rights reserved.
    X-Apparently-From: Cav669@aol.com
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="zzzz7e9e051b2cc66970emergency.cozzzz"
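    The header analysis described in both Klez items above, as an added example (not ERRI's code): it walks the Received: chain of the second log, checks whether the From: domain ever appears among the hosts that actually handled the message, and compares From: with the relay-added X-Apparently-From / X-Mail-From header. The hop-parsing regex and the finding codes are this example's own.

```python
"""Walk a message's Received: chain to test a claimed From: address.

Added example, not ERRI's code. Each relay prepends its own Received:
line, so the last one is the first hop the message took. If the From:
domain never appears there, and a relay-added X-Apparently-From /
X-Mail-From header names a different sender, the From: is spoofed, as
in both Klez logs above.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Header block copied from the second log above (spoofed firenet@emergency.com).
SAMPLE_HEADERS = """\
Received: from [205.188.156.51] by emergency.com id 69510.wrk; Thu, 6 Jun 2002 13:10:34 CST
Received: from logs-mtc-tc.proxy.aol.com (logs-mtc-tc.proxy.aol.com [64.12.105.135]) by rly-ip06.mx.aol.com (v83.35) with ESMTP id RELAYIN2-0606135641; Thu, 06 Jun 2002 13:56:41 -0400
Received: from Dgptjccq (ACA92542.ipt.aol.com [172.169.37.66])
\tby logs-mtc-tc.proxy.aol.com (8.10.0/8.10.0) with SMTP id g56Hrns28607
\tfor <webmaster@emergency.com>; Thu, 6 Jun 2002 13:53:49 -0400 (EDT)
Date: Thu, 6 Jun 2002 13:53:49 -0400 (EDT)
Message-Id: <200206061753.g56Hrns28607@logs-mtc-tc.proxy.aol.com>
From: firenet <firenet@emergency.com>
To: webmaster@emergency.com
Subject: Owners. All rights reserved.
X-Apparently-From: Cav669@aol.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="zzzz7e9e051b2cc66970emergency.cozzzz"

"""

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by sendmail-style relays.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return the HELO name, reverse-DNS name, IP and receiving host of one hop."""
    value = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    info = m.group("info") or ""
    ip = IP_RE.search(info) or IP_RE.search(m.group("helo"))
    rdns = info.split()[0] if info and not info.startswith("[") else None
    return {"helo": m.group("helo").strip("[]"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "by": m.group("by")}


def in_domain(hostname, domain):
    h = (hostname or "").lower()
    return h == domain or h.endswith("." + domain)


def analyze(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    findings = []
    if hops and from_domain:
        origin = hops[-1]                    # earliest hop: where the mail was injected
        if not any(in_domain(n, from_domain)
                   for n in (origin["helo"], origin["rdns"], origin["by"])):
            findings.append(("origin-domain-mismatch",
                f"From: claims {from_domain} but the message entered the mail "
                f"system from {origin['rdns'] or origin['helo']} [{origin['ip']}] "
                f"via {origin['by']}"))
        # Klez announces itself with a random label (Kcz, Dgptjccq) instead of a host name.
        if origin["rdns"] and "." not in origin["helo"]:
            findings.append(("helo-mismatch",
                f"HELO name {origin['helo']!r} is not a host name; reverse DNS "
                f"says {origin['rdns']}"))
    for hdr in ("X-Apparently-From", "X-Mail-From"):
        if msg.get(hdr):
            _, actual = parseaddr(msg[hdr])
            if actual.lower() != from_addr.lower():
                findings.append(("relay-header-mismatch",
                    f"{hdr}: {actual} differs from From: {from_addr}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_HEADERS):
        print(f"[{code}] {detail}")
```

    The same three findings appear for the first log (sysop@emergency.com injected from "Kcz" via smtp001.nwlink.com, with X-Mail-From naming camgroup@nwlink.com).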

     

  • 27 Apr 2002

    COMPUTER VIRUS ADVISORY: The Klez computer virus, in various varieties, continues to propagate. If the infected e-mail received by EmergencyNet News is any indication, the W32/KLEZ.H, W32.Klez.gen@mm virus, and W32.Klez.E@mm virus seem most active in proliferation. In the copies we received, the viruses appear to be sent from Europe and Asia. They are deviously accompanied by what appear to be tools to eradicate or fix viruses, with names like: "Worm Klez.E immunity," "A Good Tool," and "A WinXP patch." Another example attempts to appear to contain pornographic images, with the name, "Free Porn."  All are bogus and contain virus payloads. The TrendLabs Global Antivirus and Research Center, in their April 26, 2002 report, says that various variations of the Klez virus hold the top two or three spaces in their list of most frequent infections. ERRI/EmergencyNet News readers are cautioned to ensure that their anti-virus scanners are maintained, on-line, and up to date.    
     

  • 19:30CST - 12 Mar 2002

    Virus Alert

    Within the past hour, EmergencyNet News has received two copies of what appears to be a "Microsoft Security Update." It is not; in fact, it is a rapidly spreading virus named W32.Gibe@mm. Due to an increased rate of transmission, Symantec Security Response upgraded the threat rating of W32.Gibe@mm from Category 2 to Category 3 on March 11, 2002.

    W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. It also installs a Backdoor Trojan which allows remote access to the infected system. This worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe. Do not open this attachment...delete it. Also, it is strongly recommended that you keep your anti-virus scanner up-to-date.
     

  • 21 Dec 2001

    Computer Security/Infrastructure Protection

    XP System Needs Patch; Download Urged

    WASHINGTON: Microsoft is urging customers to quickly install a patch to repair serious flaws in the newest version of Windows, which was marketed as the most secure ever. The problems allow hackers to steal or destroy a user's data files across the Internet or implant rogue computer software. A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. Patches are available at www.microsoft.com
     

  • Virus Name: CODERED.C

    Risk Type: Medium Risk Virus Alert

    CODERED.C is a new worm that uses the same exploit as the previous two CODERED worms. It makes use of a vulnerability in Microsoft Internet Information Server (IIS). It drops a backdoor Trojan on an infected Web server, giving an attacker full access to that server and thereby compromising network security.

    This worm only affects computers running IIS that have not been patched with the Microsoft patch, and poses no risk to Windows 95, 98, and ME users. Windows NT and 2000 users who do not have IIS installed are also at no risk. However, if you are not sure if IIS is installed on your machine, please run the free tool provided by Trend Micro that detects whether the Microsoft patch has been installed. This tool is now available at: http://www.antivirus.com/vinfo/security/detect_codered.exe  (Note...this is an executable file)

    18:00CDT - 05 August 2001

    Code Red II Now Spreading

    The Emergency Response & Research Institute (ERRI) computer security team has received information about the proliferation of a second version of the Code Red worm. Reportedly, this second worm is not simply a variation of the original Code Red, but has a more potent payload and other "improved" capabilities. It still affects only the Microsoft Corp.'s Windows NT or 2000 operating systems and its IIS Web server software...and should not affect individual user computers. Watch this space for additional information as it becomes available...

    ***** 

    12:30CDT - 01 August 2001

    Code Red Activity Detected; Increasing

    "Based on preliminary analysis, we expect a level of worm activity comparable to the July 19 Code Red infection, which resulted in infection of over 250,000 systems," according to a joint statement from the FBI, White House and other agencies. "It should achieve that level of activity by this afternoon." Preliminary estimates from both government and private computer security sources say that as many as 80,000 servers have been newly infected as of the time of this report. Home computers running Windows 95, 98 and ME are not vulnerable to the worm. EmergencyNet News is watching developments of this situation very closely and will provide additional updates as more information becomes available.

    Reference and most current NIPC assessment:

    http://www.nipc.gov/pressroom/pressrel/cred2.htm

    Additional information and repair references concerning the "Code Red" worm can be accessed on the ERRI Computer/Technical Operations Page...click here.
     

  • For Immediate Release

    August 1, 2001

    Contacts: Tinabeth Burton, 703-284-5305, tburton@itaa.org - PCIS & ITAA
    Deborah Weierman, 202-324-3691, dwierman@fbi.gov - NIPC
    Keith Nahigian, 703-622-4494, keithnahigian@yahoo.com - CIAO

    CODE RED UPDATE - THE WORM HAS GONE ACTIVE

    Washington, DC - Government and industry officials continue to monitor activity of the Code Red Worm estimated to have started its journey through the Internet last night at 8pm EDT. Those who have not installed the free Microsoft patches to their systems are still urged to do so quickly. Applying the patch will still protect users from infection.

    Data analysis this morning confirms that previous predictions were correct that the Code Red Worm has in fact gone active. Early reports of activity spanning the entire globe, including the United States, indicate that the worm has gone active and is presently spreading throughout the Internet. As was the case in July with its early progression, the worm's potential is still unknown at this time. Further updates will be given throughout the day. We are hopeful that the many precautions taken by the public, the government and private industry will have some effect on its ability to propagate.

    We appreciate the participation of all who have cooperated so far to address this significant threat to the Internet. We especially want to thank the media for their quick response and vigilant coverage. Microsoft, thus far, reports that over a million people have avoided the Code Red Worm by downloading and applying the free patch available from Microsoft's website. In the meantime, both government and industry Watch Centers are on full alert to follow progress of the worm throughout the day, and we will report any significant developments.

    Source: http://www.nipc.gov/pressroom/pressrel/cdred080101.htm

    23:00CDT - 31 July 2001

    Code Red Update

    Chicago, IL (EmergencyNet News) -- There appears to be "no discernable difference" in current internet traffic after the most recent anticipated activation of the "Code Red" worm, according to several computer security sources. ERRI security analysts said that internet traffic appears to be traveling at a "normal" rate and all of the popular websites that we surveyed appeared to be operating in an appropriate manner. Some sporadic reports of new intrusions/infections are coming in from Switzerland, with approximately ten servers affected. 

    Additional assessments will be necessary in the next few days to ascertain what, if any, damage has actually been caused by "Code Red" and/or what effect new infections will have on future network operations. EmergencyNet News continues to monitor events concerning the "Code Red" worm and will provide updates as the circumstances warrant...  
     

  • INSTANT - 00:00CDT - 31 July 2001

    Given Historic Perspective, Expect Slow-Down on Web Tuesday

    ERRI computer security analysts are now reporting that the internet, in general, may suffer "slow-downs" in overall performance tomorrow as the result of the "Code Red" worm. The danger could continue until system administrators properly patch their IIS Web server software and Windows NT or 2000 operating systems.

    This degradation would be worsened as the result of additional modifications to the "Code Red" virus, although all of the possible ramifications are currently not known. A study of internet latency, during the period that the "Code Red" worm was last active, would indicate a degraded state of web and e-mail performance. ERRI analysts are monitoring events surrounding the 31 July activation and will provide additional updates as circumstances warrant...   

    NIPC ALERT 01-016: "Code Red Worm"

    7/30/2001

    http://www.nipc.gov/warnings/alerts/2001/01-016.htm

    For Immediate Release: 3:00 PM (EDT) July 29, 2001

    A Very Real and Present Threat to the Internet: July 31 Deadline For Action

    Summary:
    The Code Red Worm and mutations of the worm pose a continued and serious threat to Internet users. Immediate action is required to combat this threat. Users who have deployed software that is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they have not done so already, a vital security patch.

    How Big Is The Problem?
    On July 19, the Code Red worm infected more than 250,000 systems in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous. This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email and entertainment.

    Who Must Act?
    Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions attached to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.

    What To Do If You Are Vulnerable?
    a. To rid your machine of the current worm, reboot your computer.
    b. To protect your system from re-infection: Install Microsoft's patch for the Code Red vulnerability problem:

    - Windows NT version 4.0:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

    - Windows 2000 Professional, Server and Advanced Server:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

    Step-by-step instructions for these actions are posted at: www.digitalisland.net/codered

    Microsoft's description of the patch and its installation, and the vulnerability it addresses is posted at:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

    Because of the importance of this threat, this alert is being made jointly by:

    Microsoft Corporation
    National Infrastructure Protection Center (NIPC)
    Federal Computer Incident Response Center (FedCIRC)
    Information Technology Association of America (ITAA)
    CERT Coordination Center (CERT/CC)
    SANS Institute
    Internet Security Systems (ISS)
    Internet Security Alliance (ISA)

    Recipients of this alert are encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.
     

    NIPC ADVISORY 01-015

    "Ida Code Red Worm"

    07/19/2001

    Internet backbone providers have notified the NIPC they are witnessing large-scale victimized web servers scanning for Microsoft Internet Information Server (IIS) vulnerabilities. The activity of Ida Code Red worm has the potential to degrade services running on the Internet. Any web server running the Microsoft IIS versions 4.0 or 5.0 that is not patched is susceptible to a "Buffer Overflow". The NIPC is strongly urging consumers running these versions of IIS 4.0/5.0 to check their systems and install the patch.

    The NIPC has determined that the time for the DoS execution of the Ida Code Red Worm is at 0:00 hours, Greenwich Mean Time (GMT) on July 20, 2001. This is 8:00 pm Eastern Daylight Time (EDT).

    Recommendation:

    The Microsoft bulletin describing this vulnerability and its patch to fix the problem may be found at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

    Microsoft strongly recommends that all web server administrators mitigate this vulnerability immediately by applying the patch.

    Additional information and recommendations:

    http://www.nipc.gov/warnings/advisories/2001/01-015.htm
     

  • 30 May 2001 

    Jennifer Lopez Bug...

    Do not open any file with the following subject line. It is recommended that you delete it immediately. It is a "Loveletter" variant with a new subject-line and modified payload. 

    "Subject: Where are you? 
    Body: This is my pic in the beach! 
    Attachment: JENNIFERLOPEZ_NAKED.JPG.vbs"

    This can be a quite damaging virus and it is reported to be "in the wild" and spreading. It will reportedly overwrite your graphics and sound files and damage your Windows operating system. Caution is urged.

    May 29 2001

    Index of Computer Hoaxes

    "Please ignore any messages received regarding the supposed "viruses" or "promotional gimmicks" listed below. They all contain bogus information, and are intended only to frighten or confuse users. The list below is a reproduction of the messages. Please refer to the list (linked below) whenever you receive what appears to be a bogus message regarding a new virus, promotion, or the like."

    Source: http://www.symantec.com/avcenter/hoax.html
     

  • WORLDWIDE:

    22:00CST - 06 Mar 2001

    New Destructive Computer Virus Reported

    It was being reported on Wednesday that a new destructive computer virus that deletes almost all of a computer's vital system files has struck at least 30 organizations. The destructive program is being called the "naked wife" virus. It also sends itself to everyone in the computer's address book. The virus' capacity to spread so quickly by using address books is similar to earlier viruses.

    The virus is being called the "naked wife" virus because it appears with the subject line: "FW: Naked Wife". Just like an earlier virus that used the name of tennis star Anna Kournikova, the inviting subject line encourages recipients to open the e-mail. But those that click on to an attached file called "Naked Wife.exe" will only encounter a short cartoon followed by a vulgar message, signed by "BGK (Bill Gates Killer)."

    As with most viruses, the recipient's computer is infected only if the recipient opens the attachment. Computer security experts say that the virus has already hit at least 30 organizations and more than one federal agency. According to Steve Trilling, director of research at the Symantec Antivirus Research Center, about 20 of its clients in Canada, the US and Europe had been hit. Trilling said: "It essentially destroys your Windows operating system..."
     

  • 01 Mar 2001

    AUSTRALIA:

    TELECOMMUNICATIONS GIANT DENIES VIRUS CLAIMS

    By Jeremy Zakis, ERRI Analyst

    SYDNEY, AUSTRALIA - Australia's biggest telecommunications company, Telstra, went on the defensive Thursday (01 Mar 2001) after claims that more than 70,000 customers had been left stranded following a debilitating computer virus. Telstra claims that two outages experienced by customers were due to software faults and not a virus.

    The trouble began when e-mail accounts beginning with I, L and M disappeared from three servers in their network last Friday. An Australian newspaper then reported that the company had been struck by a virus and that affected customers would be able to claim up to $40 a day if there were delays fixing the fault. This allegation is strongly denied by Telstra.

    A prepared statement by Telstra said: "Contrary to claims made that people have been impacted for a week, Telstra's email system was subject to two outages that lasted for a period of four hours each, one on Friday 23 February and on Monday 26 February. A software fault and not a virus caused the outages."

    "The claim in the article that compensation is automatically payable in these circumstances is incorrect," the spokesperson added. Services at the telecommunication giant were reportedly back to normal on Thursday.
     

  • 18:00CST - 12 Feb 2001

    Beware the Anna Kournikova.jpg1.vbs Virus

    (EmergencyNet News) -- Reports continue to come into the EmergencyNet News Watchdesk concerning the rapid spread of an old virus that has been repackaged and is titled "Here you have, ;o)" or refers to Anna Kournikova, a well-known tennis player. It is also known as "Onthefly" and "SST," and appears to be very similar to the "Love Letter" Visual Basic Script (VBS) worm that spread rapidly last year.

    The worm propagates itself by execution via e-mail, sending itself to all of the addresses found in a user's Microsoft Outlook (TM) address book. In its current form the Kournikova worm does not appear to do particular damage to the user's computer system, but it can clog e-mail servers as it continues to spread and repeatedly replicate itself. ERRI/EmergencyNet News has received at least four examples of the virus today and it is believed to be circulating among both government and military computer systems.

    Consistent with safe computing practices, ERRI computer security analysts suggest that you update your anti-virus software frequently, do NOT open e-mail from unknown sources, and consult with Microsoft (TM) concerning patches and fixes that can be applied to your e-mail program to prevent e-mail worms such as this from using your Outlook (TM) program to propagate the virus. EmergencyNet News continues to monitor this virus spread closely and will provide additional updates as the circumstances warrant...

    Carnegie Mellon University, CERT Coordination Center, Mitigation Resources:

    Computer Associates: http://ca.com/virusinfo/virusalert.htm#vbs_sstworm

    F-Secure: http://www.f-secure.com/v-descs/onthefly.shtml

    McAfee: http://www.mcafee.com/anti-virus/viruses/vbssst/default.asp

    Dr. Solomon, NAI: http://vil.nai.com/vil/virusSummary.asp?virus_k=99011

    Sophos: http://www.sophos.com/virusinfo/analyses/vbsssta.htm

    Symantec: http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html

    Trend Micro:
    http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A

    You may wish to visit the CERT/CC's Computer Virus Resources Page

    located at: http://www.cert.org/other_sources/viruses.html
     

  • ASSESSMENT 00-059

    "W32 Navidad@M Worm" Issued at 5:00 p.m. EST, November 16, 2000

    The NIPC has been tracking the Navidad Internet worm (W32Navidad@M) and currently assesses that it represents a low threat in the United States. Although there have been media reports of outbreaks of this worm in South Korea and Australia, NIPC's international counterparts have reported no significant outbreaks. Although Navidad does not contain a dangerous payload, it does modify the Windows registry file. The modification makes it impossible to execute most programs with an .exe extension unless they were already running at the time of infection.

    The Navidad worm is propagated through Messaging Application Programming Interface (MAPI) based email clients (i.e. Microsoft Outlook/Outlook Express). When executed, it searches through the user's inbox for all messages that contain attachments. For every message found with an attachment, it constructs a separate email message using the identical subject line and body of the message and then forwards the Navidad.exe binary to all the recipients (To and CC) of the found messages. In doing so, it swaps the Navidad.exe binary for the original attachment emailed to the user.

    Additional technical information for this worm will be made available in Cybernotes 23 posted on the NIPC's website on November 23, 2000, at: http://www.nipc.gov/cybernotes/cybernotes.htm.

    Full descriptions and removal instructions are available at various anti-virus software firms' web sites, including the following: http://www.symantec.com http://www.nai.com http://www.trend.com http://fsecure http://www.sophos

    As always, users are advised to keep their anti-virus software current by checking their vendors' web sites frequently for new updates, and to stay apprised of warnings from NIPC, CERT, and other cognizant organizations.

    Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or civilian computer incident response group, as appropriate.
     

  • PHILIPPINES: Philippine investigators filed criminal charges on Thursday against a computer programming student suspected of having released the "ILOVEYOU" computer virus which crippled e-mail systems worldwide. The filing of charges against Onel de Guzman, 23, had been delayed while lawyers for the National Bureau of Investigation studied evidence and applicable laws. De Guzman, a student at the Philippines' AMA Computer College, has acknowledged that he may have released the virus by accident. He refused to say whether he authored it. The virus, unleashed on 4 May, rapidly replicated itself via e-mail, overloading corporate e-mail systems in many countries and causing damage estimated at up to US$10 billion.
     

  • UNITED STATES:

    New .SHS Virus Reported; Spreading Slowly

    A new computer virus struck several companies this week, but it is said to be spreading relatively slowly compared to similar worms such as "ILOVEYOU" and "Melissa." The new virus is spread, like the previous ones, via an e-mail attachment. The e-mail is usually titled: "funny," "life stages" or "jokes" and carries an attachment labeled "life_stages.txt" or "life_stages.txt.shs." 

    The attachment carries a ".shs" suffix, but many computers automatically hide the suffix, thus making it appear that the attachment is a harmless .txt file. It opens a joke in Microsoft Notepad while activating the virus, replicating and sending itself out to all listings in the user's Microsoft Outlook address book. Although not as damaging as some recent viruses, this latest worm does modify the user's registry and could overload corporate mail servers. It can also spread via IRC and America Online's Instant Messenger. 

    National Infrastructure Protection Center

    Information System Assessment (Assessment 00-48) (VBS.STAGES.A) as of 2330 (EDT) 19 June 2000

    The Anti-Virus community has been tracking the propagation of a worm entitled VBS_STAGES since 26 May 2000. This is a multi-application Internet worm which has been crafted to distribute using one of four spreading mechanisms: PIRCH, Outlook, mIRC, and ICQ. Like other known VBS worms, this may arrive via e-mail with a shell scrap (SHS) file attachment (LIFE_STAGES.TXT.SHS). 

    The worm deletes the registry edit program, sends it to the recycle bin, and creates 10 random files throughout the system. Anti-virus vendors are currently examining these files. While it does not damage files, it could clog e-mail systems. The size of the attachment of an infected message is always 39936 bytes. The worm uses one of the following texts as a subject of the message: "Life Stages" "Funny" or "Jokes" and it might add either "Fw:" to the beginning or "text" to the end of the subject.

    A feature of SHS files is that the extension remains hidden, even though the operating system may be set to show file extensions. This shell scrap file can fool the user into believing it is a text file because the SHS extension is not shown and the file may display the icon of a text file. When the file is executed, it displays in notepad a text file containing a joke about the stages of life, while the worm installs in the background.

    The NIPC/FBI has opened an investigation into this activity.

    The anti-virus software industry has obtained copies of the worm and created a software solution to stop the spread. They rate the worm as a very low to moderate threat in the United States. Full descriptions and removal instructions can be found at various anti-virus software vendor websites, including the following:

    http://www.symantec.com
    http://www.nai.com
    http://www.trend.com
    http://www.fsecure.com
    http://www.sophos.com
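    The extension-hiding behaviour described in the VBS_STAGES assessment above, and the decoy double extensions used by the Loveletter and Kournikova variants earlier on this page, as an added example (not NIPC's or ERRI's code): it models what the Windows shell would display for an attachment name and classifies the name the way a mail gateway filter could. The extension lists and verdict names are this example's own assumptions.

```python
"""Classify attachment names as a mail gateway could, and show what the
Windows shell would display for them.

Added example, not ERRI's or NIPC's code. It models the two tricks the
advisories above describe: a decoy extension (.txt, .jpg) in front of
the real one, and the .shs extension the shell omits even when
"hide extensions for known file types" is switched off.
"""
import re

# Extensions that execute when double-clicked (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "hta",
                   "vbs", "vbe", "js", "jse", "wsh", "wsf", "shs", "shb"}
# Extensions Windows registers with the NeverShowExt flag: never displayed.
NEVER_SHOW_EXTS = {"shs", "shb", "pif", "lnk", "url", "scf"}
# Harmless-looking types used as decoys in the messages described above.
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "htm", "html", "doc", "mp3"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def displayed_name(filename, hide_known_extensions=True):
    """Name as Explorer/Outlook would show it under the given 'hide extensions' setting."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return filename
    ext = ext.lower()
    if ext in NEVER_SHOW_EXTS:
        return stem                          # hidden regardless of the setting
    if hide_known_extensions and ext in KNOWN_EXTS:
        return stem
    return filename


def classify(filename):
    """Return ('block' | 'allow' | 'review', [reasons])."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return ("review", ["no extension"])
    ext = parts[-1]
    # Strip trailing digits so 'jpg1' (Anna Kournikova.jpg1.vbs) still reads as a decoy.
    inner = re.sub(r"\d+$", "", parts[-2]) if len(parts) > 2 else None
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f".{ext} runs code when opened")
    if ext in NEVER_SHOW_EXTS:
        shown = displayed_name(filename, hide_known_extensions=False)
        reasons.append(f".{ext} is never displayed; the user sees {shown!r}")
    if inner in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"decoy .{inner} extension in front of .{ext}")
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    # Attachment names taken from the advisories on this page, plus two benign ones.
    for name in ("life_stages.txt.shs", "JENNIFERLOPEZ_NAKED.JPG.vbs",
                 "Anna Kournikova.jpg1.vbs", "Q216309.exe", "Naked Wife.exe",
                 "life_stages.txt", "readme.txt"):
        verdict, reasons = classify(name)
        print(f"{name:28} shown as {displayed_name(name)!r:30} -> {verdict}: "
              f"{'; '.join(reasons)}")
```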

     

  • PHILIPPINES/LOVE BUG:

    Philippine Dropout to Be Charged for "Love Bug"

    Officials said on Wednesday that the Philippine National Bureau of Investigation (NBI) will file criminal charges this week against a man suspected to have spread the crippling "Love Bug" computer virus. But they plan to charge the man under provisions which govern credit card fraud because the country did not have laws for cybercrime. A new E-commerce law which came into effect Wednesday cannot be used retroactively. 04 May to 13 May, 2000 -- Click here for EmergencyNet News reports concerning the "Love Bug" Virus that has spread world-wide, causing millions of dollars in damage to computer systems.  

  • National Infrastructure Protection Center Information System Advisory 00-044 "mstream" Distributed Denial of Service Tool (As of 2200 EDT, 24 May 2000)

    The potential represented by the "mstream" Distributed Denial of Service (DDoS) exploit is a serious and continuing threat. This advisory provides an update to a previously delivered NIPC DDoS detection tool that now allows users to identify the presence of mstream on host systems. This updated tool can be found at www.nipc.gov/mstream.htm. The NIPC recommends that all computer network owners and organizations examine their systems for evidence of DDoS tools, including mstream.

    The mstream DDoS exploit enables intruders to use multiple, internet-connected systems to launch packet flooding denial of service attacks against one or more target systems. It was first discovered in late April 2000 on a compromised Linux system...

  • Instant 09:00CDT - 20 May 2000

    "NewLove" Computer Virus Has Less Impact Than "LoveBug"

    A computer virus discovered on Thursday could have made the recent international "LoveBug" attack seem like child's play. But the new virus, which destroys all the data stored on a computer, failed to infect millions of machines around the world, as the previous virus did. For this, the "Love Bug" itself gets part of the credit, because it prompted many e-mail users to take precautions. That virus forced the shutdown of electronic mail systems at government agencies and major corporations two weeks ago. But, anti-virus experts say the "Love Bug" also spurred companies and individuals to adopt new security precautions that screened out the new, more destructive attacker.

    08:30CDT - 19 May 2000

    New More Deadly "Love" Virus Variant Discovered in the Wild

    From ERRI/EmergencyNet News Watch Desk

    According to Sophos Anti-Virus personnel, the VBS/NewLove-A virus is a polymorphic Visual Basic Script (VBS) worm that mutates its appearance in an attempt to avoid detection. The virus randomly chooses a filename in your Windows\Recent folder and attempts to forward a mutated version of itself to everybody in your Microsoft Outlook address book. 

    The name of the file it forwards remains the same but the virus appends a further extension, ".vbs" (for instance, EXPENSES.XLS becomes EXPENSES.XLS.Vbs, etc). The message has the subject line: "FW: <filename>" where filename is the name of the file it is forwarding. It is recommended that you DO NOT open any file attachment with a .vbs extension. 

    This variant is said to be even more damaging than the original "Love" virus for both your PC and/or any network to which your computer may be attached. EmergencyNet News continues to monitor this virus event and will provide additional updates as circumstances warrant...

    Trend Micro: http://www.antivirus.com

    Symantec: http://www.symantec.com

    Microsoft Office Update: http://officeupdate.microsoft.com

    CERT Coordination Center, a government-chartered computer security team: http://www.cert.org

    National Infrastructure Protection Center at http://www.nipc.gov
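    The two attachment tricks described above (the Life Stages worm's hidden .SHS extension and fixed 39936-byte size, and NewLove's ".vbs" appended to a forwarded document name) can both be caught at the mail gateway by the same check. The following is an added example, not code from ERRI or any vendor; the document-extension list and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Subject texts from the Life Stages advisory ("Life Stages", "Funny", "Jokes"),
# optionally prefixed with "Fw:" or suffixed with "text".
LIFE_STAGES_SUBJECT = re.compile(
    r"^(?:fw:\s*)?(?:life stages|funny|jokes)(?:\s*text)?$", re.IGNORECASE)
LIFE_STAGES_SIZE = 39936   # attachment size stated in the advisory
# .shs (shell scrap) stays hidden in Explorer even with "show extensions" on.
HIDDEN_EXTENSIONS = {".shs"}
# Document extensions .vbs may be appended to (the list is an assumption).
DOC_EXTENSIONS = r"(?:doc|xls|ppt|txt|htm|html|rtf)"

@dataclass
class Attachment:
    name: str   # filename from the MIME part
    size: int   # decoded size in bytes

def hidden_extension(name: str) -> bool:
    """Real last extension is one Explorer hides, e.g. LIFE_STAGES.TXT.SHS."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in HIDDEN_EXTENSIONS

def appended_vbs(name: str) -> bool:
    """Document name with .vbs appended, e.g. EXPENSES.XLS.Vbs (NewLove style)."""
    return re.search(r"\." + DOC_EXTENSIONS + r"\.vbs$", name, re.IGNORECASE) is not None

def classify(subject: str, att: Attachment) -> list:
    """Reasons to quarantine the message; an empty list means no match."""
    reasons = []
    if LIFE_STAGES_SUBJECT.match(subject.strip()) and att.size == LIFE_STAGES_SIZE:
        reasons.append("life-stages-subject-and-size")
    if hidden_extension(att.name):
        reasons.append("hidden-shs-extension")
    if appended_vbs(att.name):
        reasons.append("appended-vbs-extension")
    return reasons

# Constructed sample messages, not captured traffic.
SAMPLES = [
    ("Fw: Life Stages", Attachment("LIFE_STAGES.TXT.SHS", 39936)),
    ("Jokes text", Attachment("joke.txt", 512)),
    ("FW: EXPENSES.XLS", Attachment("EXPENSES.XLS.Vbs", 20480)),
    ("Q2 report", Attachment("report.xls", 40000)),
]

if __name__ == "__main__":
    for subj, att in SAMPLES:
        print(f"{subj!r:20} {att.name:22} -> {classify(subj, att) or 'clean'}")
```

    The extension checks look at the real last extension of the filename rather than what Explorer would display, which is the whole point of the SHS trick.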

  • 04 Apr 2000

    NATIONWIDE:

    Severity of 9-1-1/W95/Firkin.worm Questioned by Some Anti-Virus Personnel

    According to an article yesterday (04/03/00) by Internetnews.com, Vesselin Bontchev, a researcher with Frisk Software, accuses the National Infrastructure Protection Center (NIPC) of using "alarmist language" in their advisory of 01 April 2000. The SANS Institute, on the other hand, disagreed, and said yesterday that the so-called 9-1-1 worm could be potentially dangerous.

    Although it does not appear that the worm is presently spread via commonly used methods such as macro-virus attachments or e-mail (it is using network "File and Print Sharing" connections), experts tell EmergencyNet News that there are four separate versions of the worm and that it may be under constant modification. Future iterations may implement wider or more insidious dissemination methods.

    Further, ERRI analysts say that the dangers associated with potential "distributed denial of service attacks" on emergency (9-1-1) communications systems could have disastrous consequences for public health and safety -- if the worm were to be widely spread. Additionally, the worm, in its present form, reportedly destroys hard drives when it is run. Therefore, ERRI analysts say they support the NIPC's advisory.

  • 01 Apr 2000

    WASHINGTON, DC:

    SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ADVISORY (NIPC ADVISORY 00-038); SELF-PROPAGATING 911 SCRIPT

    1. A RECENT AND BREAKING FBI CASE HAS REVEALED THE CREATION AND DISSEMINATION OF A SELF-PROPAGATING SCRIPT THAT CAN ERASE HARD DRIVES AND DIAL-UP 911 EMERGENCY SYSTEMS. WHILE INVESTIGATION AND TECHNICAL ANALYSIS CONTINUE, THE SCRIPT APPEARS TO INCLUDE THE FOLLOWING CHARACTERISTICS:

    A. ACTIVELY SEARCH THE INTERNET FOR COMPUTER SYSTEMS SET UP FOR FILE AND PRINT SHARING AND COPY ITSELF ON TO THESE SYSTEMS.

    B. OVERWRITE VICTIM HARD DRIVES.

    C. CAUSE VICTIM SYSTEMS TO DIAL 911 (POSSIBLY CAUSING EMERGENCY AUTHORITIES TO CHECK OUT SUBSTANTIAL NUMBERS OF "FALSE POSITIVE" CALLS).

    2. TO THIS POINT CASE INFORMATION AND KNOWN VICTIMS SUGGEST A RELATIVELY LIMITED DISSEMINATION OF THIS SCRIPT IN THE HOUSTON, TEXAS AREA, THROUGH SOURCE COMPUTERS THAT SCANNED SEVERAL THOUSAND COMPUTERS THROUGH FOUR INTERNET SERVICE PROVIDERS (AMERICA ON-LINE, AT&T, MCI, AND NETZERO). DISSEMINATED SCRIPT MAY BE PLACED IN HIDDEN DIRECTORIES NAMED "CHODE," "FORESKIN" OR "DICKHAIR," (ERRI apologizes for the inappropriate language, but those are the real directory names). FURTHER SCRIPT ANALYSIS BY THE FBI/NIPC CONTINUES.

    3. FBI/NIPC REQUESTS RECIPIENTS IMMEDIATELY REPORT INFORMATION RELATING TO USE OF THIS SCRIPT TO THE LOCAL FBI OR FBI/NIPC WATCH AT 202-323-3204/3205/3206. AS MORE TECHNICAL OR OPERATIONAL INFORMATION ABOUT THIS SCRIPT DEVELOPS, NIPC WILL DISSEMINATE THIS INFORMATION THROUGH THE CARNEGIE MELLON CERT, ANTIVIRUS VENDORS OR ITS OWN WEB SITE (www.nipc.gov), AS APPROPRIATE.

    Reference: http://www.nipc.gov/nipc/advis00-038.htm

  • PrettyPark Worm, Virus Profile: W32/Pretty.Worm/FILES32.VXD - Virus information from McAfee Anti-Virus

  • Internet Hoax Patrol - Provided by CIAC, U.S. Dept. of Energy - Look it up before you believe it!!

  • 24 Dec 99 - From http://www.emergency.com/ennday.htm

    National Infrastructure Protection Center (NIPC) Advisory 99-030

    Various sources of known reliability are reporting a re-emergence of the W97M/Caligula virus. The currently released virus contains the same payload found in the original W97M/Caligula virus and should be recognized by up-to-date anti-virus software.

    Military, federal, state and local governmental and commercial/educational systems have all been affected by the W97M/Caligula virus recently; the potential for further infection is significant due to increased ongoing release activity. The virus has the following characteristics:

    A. W97M.Cali.A is a macro virus. This MS Word 97 macro virus will add a VBA module called "Caligula" into infected documents/templates.

    B. While infecting a document or global template, this macro virus uses a temporary text file "c:\io.vxd".

    C. While closing an infected document on the thirty-first day of any month, it displays a message box entitled W97m/caligula (c) opic [codebreakers 1998].

    D. The currently-released W97M/Caligula virus propagates in the same manner as the original W97M/Caligula virus. The virus is propagated via infected document exchange. This exchange may take place via diskette, local drive, network drive, or email attachment.

    E. The payload of W97M/Caligula virus is not currently destructive. The virus searches for PGP secret key ring files (secring.skr) and attempts to transmit any located files to a remote host machine. Due to this attempt to obtain keys to encryption software, it can be reasonably deduced that the primary danger is loss of information.

    Inasmuch as this virus has been in widespread circulation for nearly a year, all modern and updated commercial anti-virus packages should detect and disable this virus. Additional information about this virus is available at the web sites of Symantec (www.symantec.com/), Network Associates (www.nai.com), and Trend Micro (www.antivirus.com). NIPC recommends that system administrators be advised to update installed anti-virus software immediately and take other appropriate measures to prevent infection by and spread of W97M/Caligula virus. 

    The NIPC also recommends widest possible dissemination of this advisory throughout federal, state and local government, military, and private organizations. Please report any information on and damage from infections by this virus to your local FBI office ANSIR or NIPC Coordinator, or corporate incident response group, as appropriate.

  • 20 Nov 99 - From: http://www.emergency.com/ennday.htm

    EUROPE:

    New Mutant Christmas Virus Reported

    A new virus designed to activate on Christmas day was discovered in Europe in the past few days. The new virus is called "Prilissa," a combination of Melissa and another virus program called "PRI," according to a spokesperson from Network Associates. Like Melissa, the virus comes as an attachment in an email. Once opened, the virus will email itself to the first 50 addresses in an infected computer's email contact list. From the PRI code, it then inserts random colored squares into a user's documents. But unlike its predecessors, which mostly only led to pesky email traffic, "Prilissa" can be more dangerous. If opened, a user's hard drive could get re-formatted. The various anti-virus companies are or soon will be distributing an antidote...

  • 12/29/97--E-viruses: Time bomb or Hoax? (link to Milwaukee Business Journal)
  • 03/01/96--The Good Times Virus is a Hoax!!--Please Read This
  • 02/03/96- First Windows 95--BOZA Virus Announced by British Researchers
  • 02/07/96-D.O.E./CIAC Advisory on Microsoft WinWord Macro Viruses
  • 10/95- AOLGold Trojan Horse Program-CIAC Report/AOL Comments
  • More Security/Virus Reports Coming Soon

  • Predictions, Prognostications, and Tomfoolery
