The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: Re: Re: Mains activated extension socket


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Here we go again :- ( FW: eTrust EZ Virus Alert for Win32.Vote.A Worm


  • To: "UKHA Discussion (E-mail)" <ukha_d@xxxxxxx>
  • Subject: Here we go again :- ( FW: eTrust EZ Virus Alert for Win32.Vote.A Worm
  • From: Keith Doxey <ukha@xxxxxxx>
  • Date: Tue, 25 Sep 2001 09:12:46 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

Looks like there is another one about guys...and gals

Bugger :-(

Keith

-----Original Message-----
From: support@xxxxxxx [mailto:support@xxxxxxx]
Sent: 25 September 2001 03:30
To: keith@xxxxxxx
Subject: eTrust EZ Virus Alert for Win32.Vote.A Worm


=============================================
eTrust EZ Virus Alert for Win32.Vote.A Worm
=============================================

Win32.Vote.A worm (also known as W32.Vote.A@mm)
Win32.Vote.A is worm that erases files in the Windows and other directories
and overwrites HTM and HTML files, spreading via the Internet by email
using
MAPI and Microsoft Outlook.

The worm appears attached to an email with the following subject:

Fwd:Peace BeTweeN AmeriCa And IsLaM !

and body text:

Hi
iS iT A waR Against AmeriCa Or IsLaM !?
Let's Vote To Live in Peace!

with the attachment:
WTC.exe

The worm launches two browser windows, one to a download site which
contained the Win32.PSW.Barrio.50 trojan, and one to another site that is
no
longer available. The explorer home page is set to point to the download
site.

The worm drops two trojans in the windows system directory: VBS.VoteMix.A
and VBS.VoteZak.A.
The VBS.VoteMix.A trojan is then executed, which searches local and network
drives for HTM and HTML files, replacing them with the line:

AmeRiCa ...Few Days WiLL Show You What We Can Do !!! It's Our Turn
>>>
ZaCkEr is So Sorry For You .

The worm also creates a registry value:

HKLM\software\microsoft\windows\currentversion\run\Norton.Thar =
<windows
system>\ZaCker.vbs
so that on next reboot, the VBS.VoteZak.A trojan is executed. This first
deletes all files in the windows directory, then attempts to modify
C:\AUTOEXEC.BAT with an instruction to format drive C when the computer
next
reboots. This fails however, and the following message box pops up:

I promiss We WiLL Rule The World Again...By The Way, You Are Captured By
ZaCker!!!

An attempt is then made to force windows to reboot, but this also fails
because the trojan has already deleted RUNDLL32.EXE from the windows
directory.
This worm also appears to make attempts at disabling particular Antivirus
Scanners by deleting files found in the following directories:

C:\Program Files\AntiViral Toolkit Pro\*.*
C:\eSafe\Protect\*.*
C:\Program Files\Command Software\F-PROT95\*.*
C:\PC-Cillin 95\*.*
C:\PC-Cillin 97\*.*
C:\Program Files\Quick Heal\*.*
C:\Program Files\FWIN32\*.*
C:\Program Files\FindVirus\*.*
C:\Toolkit\FindVirus\*.*
C:\f-macro\*.*
C:\Program Files\McAfee\VirusScan95\*.*
C:\Program Files\Norton AntiVirus\*.*
C:\TBAVW95\*.*
C:\VS95\*.*


Users with eTrust EZ Antivirus signature files 1517
and up are protected against this worm.


A few simple rules to remember:
==========================
- Prevent viruses from spreading by updating your antivirus
software on a regular basis.
- Do not open attachments received from somebody
you don’t know.
- Be careful when receiving attachments from your friends. In most
cases they are not aware of infection and will not know if the
virus email was sent from their own PCs.


=============================================

The simplest way to check if you have the most
current signatures, or to update your signatures
in the case that you do not, is to use the following
procedure:
1) Start the eTrust EZ
Antivirus gui
2) From the menu bar,
select Tools
3) From the list that is
displayed, select
Autodownload
4) The product will
automatically guide
you through the
process from this
point forward.

To manually download the updates, go to::

http://www.my-etrust.com/products/subscriptions/AntiVirus/

Virus signature update files are cumulative,
therefore the latest signature file update
includes everything from all previous file updates as well as
new virus information. A list of newly detected viruses since
the last update is available at:
http://my-etrust.com/products/encyclopedia/virusinfo/encyclopedia

=============================================

Additional information on viruses, worms, and
Trojan horses can be found at the Computer
Associates Virus Information Center:
http://www.ca.com/virusinfo/

For more detailed virus information and
specialized removal instructions, visit:
http://www.ca.com/virusinfo/virusalert.htm

Carnegie Mellon Software Engineering Institute
(CERT® Coordination Center):
http://www.cert.org/advisories/

=============================================

You can unsubscribe from this news letter or by going to
http://www.my-etrust.com/maintenance/optin/

=============================================

Feedback? Comments? Suggestions?
Send mailto:webmaster@xxxxxxx.  All
submissions
become the property of the publisher and may or may not be
reprinted.

NOTE:  This address should be used only for feedback on
this newsletter.  Requests for technical support should be
submitted through normal channels.




Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.