LL-L "Virus" 2001.12.19 (02) [E]

Lowlands-L sassisch at yahoo.com
Wed Dec 19 19:21:36 UTC 2001


======================================================================
 L O W L A N D S - L * 19.DEC.2001 (02) * ISSN 189-5582 * LCSN 96-4226
 Web Site: <http://www.geocities.com/sassisch/rhahn/lowlands/>
 Rules: <http://www.geocities.com/sassisch/rhahn/lowlands/rules.html>
 Posting Address: <lowlands-l at listserv.linguistlist.org>
 Server Manual: <http://www.lsoft.com/manuals/1.8c/userindex.html>
 Archive: <http://listserv.linguistlist.org/archives/lowlands-l.html>
=======================================================================
 A=Afrikaans Ap=Appalachian D=Dutch E=English F=Frisian L=Limburgish
 LS=Low Saxon (Low German) S=Scots Sh=Shetlandic Z=Zeelandic (Zeeuws)
=======================================================================

From: R. F. Hahn <sassisch at yahoo.com>
Subject: Virus

Dear Lowlanders,

Below please find two *genuine* computer virus warnings I just received from
our computing administrator.  Please watch out for these viruses, and protect
yourselves by not downloading email attachments you do not expect and know
nothing about, even if they are attached to messages from people you do know.

Reinhard/Ron

***

(These virus warnings are from www.sophos.com)

**** Virus 1:

Name: W32/Zacker-C
Aliases: W32/Maldal.c at MM, W32/Reeezak.A at mm, I-Worm.Keyluc
Type: Win32 worm
Date: 19 December 2001

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated
into the February 2002 (3.54) release of Sophos Anti-Virus.

Sophos has received several reports of this worm from the wild.

Description:

W32/Zacker-C is a worm that attempts to spread using Microsoft
Outlook or Microsoft Messenger.

The message has the following characteristics:

Subject: Happy New Year

Body text: Hii
           I can't describe my feelings
           But all I can say is
           Happy New Year:)
           bye

Attachment: Christmas.exe

When first run, the worm copies itself into the Windows
directory as Christmas.exe and creates the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zacker =
<Windows>\Christmas.exe, so that it is run automatically each
time Windows is restarted.

The worm changes the computer name by setting the registry
key HKLM\System\CurrentControlSet\Control\ComputerName\
ComputerName\ComputerName = Zacker and changes the default
browser home page by setting the registry key
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Start
Page to point to the geocities website.

W32/Zacker-C also attempts to disable the keyboard.

**** Virus 2:

Name: JS/CoolSite-A
Type: JavaScript worm
Date: 19 December 2001

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated
into the February 2002 (3.54) release of Sophos Anti-Virus.

Sophos has received several reports of this worm from the wild.

Description:

JS/CoolSite-A is a worm which spreads by exploiting a security
vulnerability detailed in Microsoft Security Bulletin MS00-075.

The worm arrives in an email with the subject:

  "Hi!!"

and the body text:

  "Hi. I found cool site! http://[omitted] It's really cool!".

If the embedded link is followed, malicious script code from a
web page is run locally. The script code uses a Microsoft
Virtual Machine ActiveX component vulnerability to get access to
the local file system.

The script then iterates through messages kept in the Microsoft
Outlook Sent folder. It changes the subject and the body of
every message and attempts to send the message. If a message was
previously sent with an attachment, the attachment will be
resent by the worm.

JS/CoolSite-A also sets the home page of Internet Explorer to
point to a pornographic web site.

==================================END===================================
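One way to check a machine for the two fixed registry changes the W32/Zacker-C description lists (the Run entry named Zacker and the computer name set to Zacker) is to scan a registry export. The sketch below is an added example, not code from Sophos or from the original posting; it assumes a text export in regedit's .reg format, and the sample export and all function names are constructed for illustration.

```python
import re

# Key paths from the advisory, written out in full and lowercased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NAME_KEY = r"hkey_local_machine\system\currentcontrolset\control\computername\computername"

# A string value line in a .reg export: "name"="data", with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # non-string types (dword:, hex:) are skipped
                current[unescape(m.group(1)).lower()] = unescape(m.group(2))
    return keys

def zacker_findings(text):
    """List (indicator, data) pairs matching the advisory's registry changes."""
    keys = parse_reg(text)
    findings = []
    run = keys.get(RUN_KEY, {})
    if "zacker" in run:  # autostart entry created on first run
        findings.append(("run-entry", run["zacker"]))
    if keys.get(NAME_KEY, {}).get("computername", "").lower() == "zacker":
        findings.append(("computer-name", "Zacker"))
    return findings

# Constructed sample export of an affected machine (not real data).
SAMPLE_INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Zacker"="C:\\WINDOWS\\Christmas.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="Zacker"
'''

if __name__ == "__main__":
    for indicator, data in zacker_findings(SAMPLE_INFECTED):
        print(indicator, data)
```

The Internet Explorer Start Page change is not checked because the advisory does not give the exact address it is set to.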