
Watch out for this

by "R" <iwanttoknow@[EMAIL PROTECTED] > Oct 7, 2003 at 02:03 PM

THIS IS NOT A SPAM EMAIL/NEWSGROUP POST.  You may be unaware but there is a
new malicious virus going around that causes you to send out emails with
viruses.  These emails will already have been sent to everyone on your
contact list/address book if you have it.  Please urgently forward this
email to everyone on your contacts/address book so that they may check
their own PC.  Do not worry about sending them the virus, you will have
already done so if you do have the virus!  This is Microsoft's re****t on
this virus.
http://www.microsoft.com/security/antivirus/authenticate_mail.asp

The fact that you are sending out these virus infected emails indicates
that you probably have a virus on your PC that is automatically sending out
emails with viruses without your knowledge.  You can verify below whether
or not you may have the virus.  After reading this you should virus check
your PC with the latest anti virus definitions.  If you do not have anti
virus software you should connect to the internet and click here  Scan your
PC for viruses now!
http://click.linksynergy.com/fs-bin/click?id=jGkJDpd6dW0&offerid=50252.6&type=1&subid=0

Only email me if you wish more info and want to opt in to a mailing list.
--------------------------------------------------------------------------------

Extract from Anti Virus companies regarding "W32.Swen.A@[EMAIL PROTECTED]" worm.
NOTE: This threat was previously detected as Worm.Automat.AHB

Due to an increase in submissions, this has been upgraded
W32.Swen.A@[EMAIL PROTECTED] to Category 3, as of 6:30pm Thursday,
September 18, 2003.  It is also rapidly heading towards being a high risk.

W32.Swen.A@[EMAIL PROTECTED] is a mass-mailing worm that uses its own SMTP
engine to spread itself.

The worm can arrive as an email attachment. The subject, body, and from
address of the email may vary. Some examples claim to be patches for
Microsoft Internet Explorer, or delivery failure notices from qmail.

This worm exploits a vulnerability in Microsoft Outlook and Outlook Express
in an attempt to execute itself when you open or even preview the email.
If you do not have anti virus software you should connect to the internet
and click here  Scan your PC for viruses now!


Information and a patch for the vulnerability IF YOU DO NOT ALREADY HAVE
THE VIRUS can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
however this will only protect you IF YOU DO NOT ALREADY HAVE THE VIRUS.
Install this patch after you confirm that you are clear of the virus.

Here is some information on what the virus does:

1.   This virus attempts to trick you into installing it by pretending to
be a security vulnerability patch from Microsoft.

2.   Upon executing it asks if you want to install the latest security
patch.

3.   If you say no, it still installs itself but without your knowledge.
If you say yes then it displays messages that appear that it is installing
an update to Windows.

4.   Modifies the value:

"DisableRegistryTools" = "1"

in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

TO PREVENT THE USER RUNNING REGEDIT ON THE COMPUTER (see below*)

5.   Puts a copy of itself to %Windir% with a randomly generated filename.

6.   Searches .html, .asp, .eml, .dbx, .wab, .mbx files on the computer
for email addresses.

7.   Creates the file, %Windir%\Germs0.dbv, where it stores the email
addresses it has found.

8.   Creates the file, %Windir%\Swen1.dat, where it stores a list of
remote news and mail servers.


9.   Adds the following values to the registry:

"Server"="<The IP address of the SMTP server that the worm retrieves from the registry>"
"Mirc Install Folder"="<location of mirc client on system>"
"Installed"="...by Begbie"
"Install Item"="<random>"
"Unfile"="<random>"
"CacheBox Outfit"="yes"
"ZipName"="<random>"
"Email Address"="<The current users email address that the worm retrieves from the registry>"

to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\<random set of letters>


10.   So that it can run itself it adds a randomly named value to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

11.   Modifies the registry keys:
HKEY_LOCAL_MACHINE\Software\CL*****\regfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CL*****\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CL*****\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CL*****\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CL*****\piffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CL*****\exefile\shell\open\command

12.   Checks the computer to find messages sent by itself and deletes them
so there is no trace that the PC has sent any virus infected emails.

How do you know if you've been infected?

Display of a series of dialog boxes
Unexpected termination of various security and anti-virus products.
Inability to run RegEdit on the victim's machine


*IF YOU CANNOT RUN REGEDIT ON YOUR PC YOU ARE PROBABLY INFECTED or this
has been turned off by your computer system administrator.  If you are on a
network check with your system administrator.

Click <start>, Click <run>, type regedit and click <OK>.  Registry editor
should run, it looks similar to windows explorer but has a name of
Registry Editor in the name bar at the top.  If it has run ok then close it
with the X in top right.  If the program ran ok this does not confirm that
you are not infected.  It could mean that your registry may be corrupted
and the virus was unable to stop the program from running.

For further information visit  Anti Virus now!
http://click.linksynergy.com/fs-bin/click?id=jGkJDpd6dW0&offerid=50252.6&type=1&subid=0
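
A read-only PowerShell check for the indicators the post lists in items 4, 7, 8 and 9, added here as an example and not part of the original post. The function name Test-SwenIndicators is made up for this example; the registry paths, value names and file names are the ones quoted in the post.

```powershell
# Added example: read-only check for the Swen indicators listed in the post.
# Nothing is modified; the function only reads the registry and file system.
function Test-SwenIndicators {
    $findings = @()

    # Item 4: "DisableRegistryTools" = "1" under the current user's policy key.
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -Name 'DisableRegistryTools' `
                               -ErrorAction SilentlyContinue
    if ($policy -and $policy.DisableRegistryTools -eq 1) {
        $findings += "DisableRegistryTools is set to 1 in $policyKey"
    }

    # Items 7 and 8: data files the worm creates in %Windir%.
    foreach ($name in 'Germs0.dbv', 'Swen1.dat') {
        $path = Join-Path $env:windir $name
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
        }
    }

    # Item 9: a randomly named subkey under ...\explorer that holds
    # "Installed"="...by Begbie". The subkey name is random, so enumerate all.
    $explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer'
    $subKeys = Get-ChildItem -Path $explorerKey -ErrorAction SilentlyContinue
    foreach ($sub in $subKeys) {
        if ($sub.GetValue('Installed') -eq '...by Begbie') {
            $findings += "Marker value 'Installed' found in $($sub.Name)"
        }
    }

    return $findings
}

# Wrap in @() so an empty or single result is still an array.
$result = @(Test-SwenIndicators)
if ($result.Count -eq 0) {
    'None of the listed indicators were found.'
} else {
    $result
}
```

As the post itself notes, DisableRegistryTools can also be set by a system administrator, and an empty result does not confirm that the machine is clean.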
 



