Advisories

We will use this area to keep you informed of the latest Internet information, 
with special emphasis on the ever-growing virus problem.  
We monitor the major virus detection websites to provide you with this information.  

<<<<<>>>>>

Have you added the extensions .VBS, .HTM, and .PIF 
to the properties list of files to be scanned?

<<<<<>>>>>

If you wish to receive these notices by e-mail, 
please subscribe to the advisories e-zine

<<<<<>>>>>

To read the online version of an Advisories Ezine 
article on Internet Safety - Protection against Viruses and Hackers
Click Here

<<<<<>>>>>

FREE Scanning and Removal Tool
for
Bugbear, Elkern and Klez

The latest virus (Bugbear) has been elevated to High Risk, and since we all seem to be on someone's distribution list - here is a free scanning and removal tool for three of the latest viruses in circulation.

McAfee (Avert) has created Stinger, which is a stand-alone utility used to detect and remove specific viruses.

NOTE: It is not a substitute for full anti-virus protection.

This includes detection for all known variants of W32/Bugbear, W32/Elkern, and W32/Klez.

NOTE: Windows ME/XP users: there is a separate readme file with special instructions for your systems.

To download the removal tool file:
http://download.nai.com/products/mcafee-avert/stingersetup.exe

To read more about Stinger:
http://vil.nai.com/vil/stinger/

<<<<<>>>>>

SECURITY VULNERABILITIES in Internet Explorer

Three new security vulnerabilities in Microsoft Corp.'s newest Internet browser give attackers the ability to execute arbitrary code and read files stored on target computers. Two of these newest flaws involve the downloading of files, while the third involves tricking the user into visiting a specially crafted web page which contains the attack. The most common way for this trickery to be accomplished is via an email message, although a web page link could also be used.

These flaws affect Internet Explorer version 6.0 and two of the flaws also affect Internet Explorer version 5.5 with service pack 2.

You can download a patch that protects your computer from all previously found security vulnerabilities affecting Internet Explorer 5.5 SP2 and Internet Explorer version 6, PLUS these three newly discovered vulnerabilities, which are known as the "File Execution vulnerability", a variant of the "Frame Domain Verification vulnerability", and the "File Name Spoofing vulnerability".

For the upgrade patch, released December 13, 2001, go to:
www.microsoft.com/downloads/release.asp?releaseid=34542

If you need the service pack for version 5.5, go to:
www.microsoft.com/downloads/release.asp?releaseid=31770

<<<<<>>>>>

The Sulfnbk HOAX is back

This virus HOAX tells you to use the search (Find) feature in Windows Explorer to find a file named SULFNBK.EXE.

This virus warning is nothing but a hoax.  

Do NOT delete the file, because it is a required Windows file that is needed to convert long file names.

Your operating system may become erratic without the file. If you already deleted the file, you can recover it by copying it from your Windows CD.

NOTE: This file, as well as many files in the Windows and Windows\System folders, may become infected by other viruses sent in email. The newest generations of viruses, such as the W32/Magistr series, are sophisticated enough to do this.  

For this reason, all attachments to emails MUST be carefully viewed with the possibility in mind that they are capable of destroying, infecting or deleting other files.


<<<<<>>>>>

BADTRANS Variant now  HIGH RISK
(See Below)

The Recent Top Viruses

BackDoor-Sub7
JS/Kak@M
VBS/Haptime@MM
W32/FunLove.4099
W32/Hybris.gen@MM
W32/goner@MM (see below)
W32/Magistr.a@MM
W32/Magistr.b@MM
W32/Nimda.gen@MM (see below)
W32/SirCam@MM
W95/MTX.gen@M
W32/BadTrans@MM (see below)

Note: We include information on more than just the top viruses as listed above. The selection of additional information is often based on specific inquiries from our clients. 

<<<<<>>>>>

W32/goner@MM
Posted 12/4/2001

NOTE: This is a very aggressive Virus

Virus Name: W32/goner@MM
Risk: HIGH
Date Discovered: 12/4
Type/length: Virus/Internet Worm
Aliases: Goner

Goner is a HIGH RISK virus that spreads via Microsoft Outlook and by ICQ file transfers. This is a mass mailing worm that attempts to send itself to all entries in the Outlook Address Book. 

The virus will arrive with the following email message characteristics:

Subject: Hi

Message: How are you ?
When I saw this screen saver, I immediately thought about you
I am in a harry, I promise you will love it!

Attachment: GONE.SCR

When run, the worm displays a box entitled "About", which contains 7 lines of text.

After a short time, another window opens saying error - "error while analyze DirectX ".

The worm then copies itself into the SYSTEM folder under %WinDir% and adds the following registry key in order to get started upon boot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\C\%WINDIR%\SYSTEM\gone.scr=C\%WINDIR%\SYSTEM\gone.scr

The worm also attempts to delete the following files:

APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallICON.EXE
FRW.EXE
VSHWIN32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE

Removal

Both McAfee and Symantec have put out "extra DAT" files today.

We also have manual removal instructions available if needed.  Email:
webmaster@on-line-services.com?subject=Goner_Removal

<<<<<>>>>>

W32/Badtrans@MM

Virus Name: W32/Badtrans@MM

Risk: HIGH
Date Discovered: The original Badtrans - 4/11/01. Badtrans B was identified as extremely active over the Thanksgiving Holidays
Type/length: Virus/Internet Worm - 13,312 bytes for the A variant, 29,020 for the B variant
Aliases: Badtrans, Badtrans.b, Backdoor-NK.svr, BadTrans (F-Secure), I-Worm.Badtrans (AVP), TROJ_BADTRANS.A (Trend), W32.Badtrans.13312@mm (NAV)


This is another mass mailing worm type virus, which uses Microsoft Outlook. It replies to all unread email messages. It also places a backdoor (remote access) trojan on the computer, which attempts to mail the user's IP address to the author of the virus. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.

Email programs with active preview windows (Microsoft Outlook) are vulnerable, unless the anti-virus program is current and detects the virus. If you need information on deactivating the preview window of Outlook, please email:

Webmaster@on-line-services.com Subject = Outlook Preview Deactivation 

The email characteristics are:

Message Body:
Take a look to the attachment.

It will arrive as an attachment that is either 13,312 or 29,020 bytes in length, and uses one of the following names (note that parts of some of these filenames are also associated with other threats, such as W95/MTX.gen@M):

The attachment is created in three sections - as follows:
Example:  Card.docs.pif

The first part is one of the following:

fun
Humor
docs
info
Sorry_about_yesterday
Me_nude
Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
Pics 

The second part is one of the following:

.DOC.
.MP3.
.ZIP.

The third part is one of the following:

pif
scr

This new variant also uses the iframe exploit and an incorrect MIME header to run automatically on unpatched systems. The Microsoft Security Bulletin (MS01-020) contains information on this exploit. If you are current in updates, you will not have this as an exploitable area.

Indications Of Infection
- Presence of the file: WinDir\INETD.EXE
- Presence of the file: SysDir\KERN32.EXE
- Presence of the file: SysDir\KERNEL32.EXE
- Presence of the file: HKSDLL.DLL
- Email correspondence noting that you've sent them an attachment when you did not.

When run, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a valid keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup.

Badtrans Virus and Matcher Virus Information
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kern32.exe

DETECTION AND REMOVAL - Most virus protection software will detect this, providing the DAT files are current. 

Detection and removal is in McAfee's 4172 DAT files, which are the most current files (11/21/01).

Be sure to Scan All Files

If you have been infected, in addition to using an anti-virus program such as McAfee or Norton to clean your system, you will need to manually clean your registry. To do so:

First, make a complete back-up copy of your registry, then do the following:

1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce

4. In the right pane, delete the following value:

Kernel32 kernel32.exe

5. Click Registry, and then click Exit.

PREVENTION
Badtrans.B exploits a known vulnerability in Outlook Express that is included in Internet Explorer 5.01 and 5.5. Microsoft has released a patch. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6. The patch information can be found at:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

NOTE: Be especially aware of the third part of the attached file identification...

Examples: CARD.Doc.pif or NEWS_DOC.mp3.scr

Be on the lookout for attachments ending with .pif or .scr.
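The three-part naming scheme above can be checked mechanically at a mail gateway or on a quarantine folder. The following is an added example (not code from this page or from any anti-virus vendor): it flags names that follow the exact Badtrans pattern, and, as a generalisation, any name that hides an executable extension behind a "document" extension. The extra decoy and executable extensions beyond those listed on the page are assumptions.

```python
# Name fragments documented for W32/Badtrans@MM attachments in the advisory above.
# Matching is case-insensitive because the worm varies the case ("Card" vs "CARD").
FIRST_PARTS = {
    "fun", "humor", "docs", "info", "sorry_about_yesterday", "me_nude", "card",
    "setup", "stuff", "you_are_fat!", "hamster", "news_doc", "new_napster_site",
    "readme", "images", "pics",
}
MIDDLE_PARTS = {"doc", "mp3", "zip"}   # the decoy "document" extension
FINAL_PARTS = {"pif", "scr"}           # the real, executable extension

# Broader sets for the generic check. .pif/.scr/.vbs come from the page's own
# scan-list reminder; .exe and the extra decoy extensions are assumptions.
EXECUTABLE_EXTS = {"pif", "scr", "exe", "vbs"}
DECOY_EXTS = {"doc", "mp3", "zip", "txt", "jpg", "htm"}


def is_badtrans_name(filename):
    """True when the name follows the exact three-part Badtrans scheme."""
    parts = filename.lower().split(".")
    if len(parts) != 3:
        return False
    first, middle, last = parts
    return first in FIRST_PARTS and middle in MIDDLE_PARTS and last in FINAL_PARTS


def is_disguised_executable(filename):
    """Generalisation: a decoy extension directly followed by an executable one,
    which is the double-extension trick the advisory warns about."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def triage(filenames):
    """Label each attachment name as 'badtrans', 'suspicious' or 'ok'."""
    result = {}
    for name in filenames:
        if is_badtrans_name(name):
            result[name] = "badtrans"
        elif is_disguised_executable(name):
            result[name] = "suspicious"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    # Constructed sample names, not real captures.
    sample = ["Card.doc.pif", "NEWS_DOC.mp3.scr", "budget.xls", "photo.jpg.exe"]
    for name, label in triage(sample).items():
        print(f"{name:20} {label}")
```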

<<<<<>>>>>

W32/Nimda@MM

Virus Name: W32/Nimda@MM
Risk:  HIGH
Date Discovered:  9/18/01
Type/length: Virus/Internet Worm -  57,344 bytes
Aliases: W32/Minda@MM

Nimda.A is a new mass mailing worm that has been spreading rapidly throughout the world today. The worm spreads via e-mail through an attachment named readme.exe. The email attachment name varies and may use the icon for an Internet Explorer HTML document.

IMPORTANT NOTE: Users of Microsoft Outlook should be especially careful. They do not need to execute the attachment to get infected. In Outlook it is enough to open the letter itself, because Outlook automatically runs this particular attachment if the preview pane is active. 

The most significant methods of propagation are as follows:

  • The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus when a message is accessed, the attachment can be executed without the user's knowledge.

  • When infecting, it appends HTML documents with JavaScript code. This opens a new browser window containing the infectious email message itself (taken from the dropped file README.EML).

  • Thus when this infected HTML is accessed (either locally or remotely from the web) the machine viewing the page is then infected.

  • The infected system is then used to seek out others to infect over the web. Since this creates a lot of port scanning across a network and the Internet, it can cause a network traffic jam.
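The audio/x-wav trick in the first bullet is detectable on the mail path: the declared Content-Type and the attachment's filename simply disagree. This is an added example (not from this page or any vendor) that parses a message with Python's standard email module and reports every part whose filename has an executable extension but whose declared type claims otherwise. The sample message is constructed for illustration, and the list of "legitimate" binary types is an assumption.

```python
from email import message_from_string

# Executable extensions that should never arrive under a media Content-Type.
# .exe is Nimda's own attachment; the others are assumptions added here.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".vbs")

# Content-Types under which a program attachment is at least honestly declared
# (assumption; tighten or extend for your own gateway policy).
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed sample mirroring the Nimda structure described above: an
# executable attachment declared as audio/x-wav. Not a real capture; the
# base64 body is a harmless placeholder string, not worm code.
SAMPLE_MAIL = """\
From: sender@example.com
To: you@example.com
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

see attached
--bnd
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

cGxhY2Vob2xkZXI=
--bnd--
"""


def mime_mismatches(raw_message):
    """Return (declared_type, filename) for each part whose filename has an
    executable extension but whose declared Content-Type pretends otherwise.
    A mail client that trusts the declared type is what Nimda relied on."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or part.get_param("name") or "").lower()
        declared = part.get_content_type()
        if name.endswith(EXECUTABLE_EXTS) and declared not in BINARY_TYPES:
            hits.append((declared, name))
    return hits


if __name__ == "__main__":
    for declared, name in mime_mismatches(SAMPLE_MAIL):
        print(f"suspicious: {name} declared as {declared}")
```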

It copies itself to the WINDOWS SYSTEM directory as LOAD.EXE and creates a SYSTEM.INI entry to load itself at startup:

Shell=explorer.exe load.exe -dontrunold

Additional indicators are:
- A MIME encoded version of the worm is created in each folder on the drive (often as README.EML, but can also be .NWS files)
- Certain executable files are selected by the worm and altered.

The virus contains the string: Concept Virus (CV) V.5, Copyright (C) 2001 R.P.China

NOTE: When Nimda infects a web server it creates a new guest account in the administrator folder that gives the guest account the same privileges that only the administrator would under normal circumstances have.

DETECTION AND REMOVAL - Most virus protection software will detect this - providing the DAT files are current.  Detection and removal is in McAfee's 4159 DAT files. This includes detection and removal for infected .ASP, .DLL, .EML, .EXE, .HTM, .HTML, and .NWS files.

NOTE: ALL FILES MUST BE SCANNED.

<<<<<>>>>>

W32/APost@MM

Virus Name:  W32/APost@MM
Risk: Medium - being watched - probable upgrade soon
Date Discovered:  9/3/2001
Type/length: E-Mail Virus/worm - 24576 bytes
Aliases: New Backdoor, I-Worm.Readme, W32.Urgent.Worm@mm,
W32/Apost-A, W95/Urquest.24576, Win32/Yoview.A@mm
Note: There are indications that the readme file length may vary slightly

Virus Characteristics:
This mass-mailing virus/worm attempts to send itself and local documents to all users found in the Windows Address Book and email addresses found in temporary Internet cached files (web browser cache). It can come from addresses that you recognize.


The email message can appear as follows:

Subject: As per your request!

Body: Please find attached file for your review. 
I look forward to hear from you again very soon. Thank you.

Attachment: README.EXE (24,576 bytes long)

When run, the attachment causes the worm to copy itself to the Windows directory (as README.EXE) and send a copy of itself to every entry in the user's Microsoft Outlook Address Book. It will then display a small dialog box titled "Urgent!". This dialog box contains one single large button labeled "Open".

If this button is pressed then the worm sends out further copies of itself, displays an error message box with the title "WinZip SelfExtractor: Warning" and then terminates.

It also creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run\macrosoft=C:\WINDOWS\readme.exe


Indications Of Infection: Presence of README.EXE (24,576) in root directory of local drives and in WINDOWS directory.

<<<<<>>>>>


LOVE LETTER VIRUS
IS STILL A MEDIUM RISK


NOTE:
Please check the following:
The W95/MTX@M virus has some characteristics and symptoms 
similar to the LoveLetter virus (especially in the file attachments).

Click Here for Details on the w95/mtx virus
Including a list of 31 different file attachments which this virus might send

 
<<<<<>>>>>


Note: The above information has been provided from the McAfee, Symantec, Trend-Micro and/or Ziff Davis websites.  This information is provided to educate and inform you of the problems indicated.  If you have or suspect you have a virus problem, please visit one of the major anti-virus websites for their specific recommendations before taking any corrective action.

Copyright © 1998 - 2005 ----- On-Line-Services
Last modified: April 23, 2005