Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Malware :: al200109.txt

AusCERT Alert 2001.09 Homepage.HTML.vbs (Homepage) Virus




-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2001.09  --  AUSCERT ALERT
                     Homepage.HTML.vbs (Homepage) Virus
                                 9 May 2001

===========================================================================

PROBLEM:  

	AusCERT has received information about a new virus known as the
	Homepage.HTML.vbs virus.  This virus has been reported from several
	sources in Australia and New Zealand within a very short period
	of time, indicating that it may be propagating rapidly.

	The virus is encrypted and received via email in the form of an
	attachment named "Homepage.HTML.vbs".  The email message has the
	subject line:

		Homepage

	The body of the email will contain the message:

		You've got to see this page! It's really cool ;O)

	Executing the virus by attempting to open the attachment will
	cause this VBS file to be copied (as Homepage.HTML.vbs) to the
	Windows directory and then resent, as an email attachment, to all
	recipients in Outlook address books, updating the system registry
	as it does so to ensure this action is only taken once.  The virus
	will also attempt to open the web browser and connect to several
	pornographic web sites.

	The virus then checks for emails with the subject "Homepage" in
	the Outlook "Inbox" or "Deleted Items" folders.  When it finds
	email satisfying this criteria, the virus deletes the email in an
	attempt to prevent detection.

IMPACT:   

	At this point in time, the virus is non-destructive to the infected
	machine.  However, future variants may possess more destructive
	abilities.  The mass-mailing methods employed by the virus may
	lead to service denial on mail hosts.

	It appears to be designed for propagation only.  Minor alterations
	are made to the Windows registry for the addition of a flag to
	prevent a repeat of the mailout.  This is done by adding the
	following registry key, set to the value of 1:

		HKCU\Software\An\Mailed


RECOMMENDATIONS: 

	A. User Education

	System Administrators are urged to inform their users about proper
	precautions with regards to handling email attachments.

	AusCERT recommends that sites should update and check their virus
	defences and either delete or do not open any email messages or
	attachments that resemble those described above or in the following
	links.

	B. E-Mail Security Update

	System administrators and users employing Microsoft Outlook 98/2000
	may wish to install the Outlook Security Update available from 

	  http://www.microsoft.com/office/outlook/downloads/security.htm

	The White Paper "Outlook 98/2000 E-Mail Security Update"
	explains:

	"Many damaging viruses, such as the ILOVEYOU virus, spread
	by automatically e-mailing themselves to multiple recipients
	in a user's Global Address Book. The only way to prevent
	viruses from automatically propagating is to block programmatic
	access to the features in Outlook that viruses use to spread
	themselves. The security update blocks programmatic access
	to the Send capabilities and to all e-mail address information
	stored in Outlook, including the Contacts folder, Personal
	Address Book, address fields in Outlook forms such as the
	To: field, and the Global Address Book. This protects
	Outlook users from viruses that collect e-mail addresses
	and send themselves out to those addresses."

	This document is available at:

          http://www.microsoft.com/office/outlook/downloads/OutlkSec.doc

	C. Update Anti-Virus Packages

	System administrators and users are urged to ensure that the latest
	Anti-Virus software is installed and that it is using the most
	current up-to-date virus databases.

	More information can be found at:

          http://www.symantec.com/avcenter/venc/data/vbs.vbswg2.d@mm.html
          http://www.sophos.com/virusinfo/analyses/vbsvbswgx.html
	  http://www.europe.f-secure.com/v-descs/vbswg_x.shtml
          http://www.cai.com/virusinfo/encyclopedia/descriptions/vbsvbswgx.htm

	AusCERT is continuing to monitor this problem. 


- ---------------------------------------------------------------------------
For more information contact your Anti-Virus software vendor.
- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOvl3Kih9+71yA2DNAQEvpwP+PCQrsR7y/cQOEcju84VF3eolI2c95p6H
LwKZCAZErMIcjQDz/PpMFfsgyKKOeNh5ctjvYl3yFi6Q4AURwtzvhShEKUQ6oMQa
JkgH56YK+JiwedRVBFm68IOYvFCY1BlGygjpQDoKvq0UDy6niAXwXF3Ca0wX3qDH
r6TEm2l6/i4=
=FwFu
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH