IF the user urn the attachment a worm runs using the windows scripting host
program. This is not normally prsent on Win95, NT unless IE 5.0 or greater
has been installed.
This is a VERY nasty one becuase it will try to donwloadn and install an
excutable file called WIN-BUGSFIX.exe from the internet. This is a password
stealing programs that will email any chached passwords to
mailme@super.net.ph
IF you suspect you've been hit here is a quick way to find out.
The worm copies itself in the following places:
c:\windows\system\mskernel32.vbs
c:\windows\win32dll.vbs
c:\system\love-letter-for-you.txt.vbs
also the following reg keys
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\RUN\MSKERNEL32=
C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
HKEY_LOCAL_MACHINE\Software\microsoft\windows\CurrentVERSION\RUNSERVICES\WIN
32DLL=C:\windows\Win32DLL.VBS
If anyone is running MCAFEE Anti Virus I have the extra.dat file and can
e-mail it upon request..
Greg Straw
Network Technician
Wahchang an Allegeney Technologies Company
Greg.Straw@wahchang.com
Greg Straw
Network Technician
WahChang an Allegeny Technologies Company
Phone: (541) 926-4211 x6321
Fax: (509) 275-2608
E-mail: Greg.Straw@wahchang.com
For more information about this list (including removal) go to:
http://www.iea-software.com/support/maillists/liststart