This came from a friend whose a systems administrator. Please read and be
careful.
Jenny
List Mom
Jenny's Home Page:
http://www.xpressweb.com/~jkernan/index.htm
Your One-Stop Health Mall for all your health needs:
http://www.100fires.awarebuy.com/mall/
----- Original Message -----
From: "Stacy Sansone" <stacy(a)utahrealtors.com>
To: "Richard Adams (E-mail)" <nha(a)worldnet.att.net>; "Doug Boulden
(E-mail)"
<doug(a)metrotitle.com>; "Klair Gunn (E-mail)"
<klairg(a)wardleygmac.com>;
"Larry Larsen (E-mail)" <larry(a)mansell.net>; "Paul Ure
(E-mail)"
<pure(a)enol.com>
Cc: "John Harrison (E-mail)" <GHarrisonJ(a)aol.com>; "Jenny
Kernan-Cienfuegos
(E-mail)" <jkernan(a)xpressweb.com>; "Maria Sanelli (E-mail)"
<Movingdove(a)aol.com>; "Terry Smith (E-mail)" <Terrbear54(a)aol.com>
Sent: Friday, May 19, 2000 10:11 AM
Subject: Urgent virus warning
Please Read:
-
VBS/Spammer.A.Worm
=============================================
Spammer is a very aggressive Visual Basic
Script (VBS) VBS based polymorphic e-mail worm.
The worm does not use a fixed subject line or
attachment name.
It arrives as an attachment of an e-mail and
the subject line starts with "FW: " followed
by a file name. The file name seems to have
no name (due to a bug) and two extensions
like in .Mp3.vbs
The real extension is always .VBS. The faked
extension is one of the following:
Doc
Xls
Mdb
Bmp
Mp3
Txt
Jpg
Gif
Mov
Url
Htm
Txt
The e-mail body does not contain any text, just
an attachment with the same name as in the subject
line. The name will be different each time the
worm generates an e-mail. The name was meant to
be constructed using a random entry in the recently
used files list (Documents folder in the Start menu),
but due to a bug the base file name is always empty.
If the recently used files list is empty the name
of the attachment will be randomly generated, most
likely resulting in a combination of characters
that makes no sense.
The worm spreads itself by generating an e-mail
like described above, attaching itself and sending
that e-mail to all recipients in all Outlook address
books. In big organizations the volume of e-mail
generated has the potential to overload e-mail
servers. When spreading the worm changes its code
by inserting comments, causing each new generation
to grow dramatically in size (typically by
around 200KB).
The worm will spread targeting Windows 98,
Windows 2000 by default and Windows NT 4.0
and Windows 95 if the Windows Scripting Host
(WSH) engine is installed.
After sending itself out on e-mail, the worm will
start to walk through all files on local hard drives
and network drives and effectively rename the
extension of all files to VBS and set their size
to zero. Probably the author intended to
overwrite all files with a copy of the worm code.
If this action is completed it will render the
infected system unbootable. Systems reached
through outgoing shares are possibly rendered
unbootable as well. Note, that even up to date
real time protection running on a system that
is attacked through a share cannot block the
attack because no viral code is actually
transferred to the target system.
InoculateIT signature update 12.04 detects the
VBS/Spammer.A worm. To guarantee protection, make
sure that VBS files are included in the list
of files to scan. To clean an infected system
all detected files have to be deleted and
the Windows Registry has to be manually cleaned.
Because of extremely high Internet traffic today, virus
signature file 12.04 will not be available until later
this afternoon or this weekend. Until it is downloaded
and installed on your system, the best advice is: DO NOT
OPEN ANY EMAIL WITH AN ATTACHMENT HAVING A
.VBS EXTENSION!!!! BE VERY CAUTIOUS IN OPENING
ANY EMAIL!!!!