[NTISP] Viurs Info

Greg.Straw@wahchang.com
Thu, 4 May 2000 10:37:40 -0700

Viurs Info:

IF the user urn the attachment a worm runs using the windows scripting host
program. This is not normally prsent on Win95, NT unless IE 5.0 or greater
has been installed.

This is a VERY nasty one becuase it will try to donwloadn and install an
excutable file called WIN-BUGSFIX.exe from the internet. This is a password
stealing programs that will email any chached passwords to
mailme@super.net.ph

IF you suspect you've been hit here is a quick way to find out.

The worm copies itself in the following places:

c:\windows\system\mskernel32.vbs
c:\windows\win32dll.vbs
c:\system\love-letter-for-you.txt.vbs

also the following reg keys

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\RUN\MSKERNEL32=
C:\WINDOWS\SYSTEM\MSKERNEL32.VBS

HKEY_LOCAL_MACHINE\Software\microsoft\windows\CurrentVERSION\RUNSERVICES\WIN
32DLL=C:\windows\Win32DLL.VBS

If anyone is running MCAFEE Anti Virus I have the extra.dat file and can
e-mail it upon request..

Greg Straw
Network Technician
Wahchang an Allegeney Technologies Company
Greg.Straw@wahchang.com

Greg Straw
Network Technician
WahChang an Allegeny Technologies Company
Phone: (541) 926-4211 x6321
Fax: (509) 275-2608
E-mail: Greg.Straw@wahchang.com

For more information about this list (including removal) go to:
http://www.iea-software.com/support/maillists/liststart