
AusCERT Alert 2001.09 Homepage.HTML.vbs (Homepage) Virus

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2001.09  --  AUSCERT ALERT
                     Homepage.HTML.vbs (Homepage) Virus
                                 9 May 2001

===========================================================================

PROBLEM:  

	AusCERT has received information about a new virus known as the
	Homepage.HTML.vbs virus.  This virus has been reported from several
	sources in Australia and New Zealand within a very short period
	of time, indicating that it may be propagating rapidly.

	The virus is encrypted and received via email in the form of an
	attachment named "Homepage.HTML.vbs".  The email message has the
	subject line:

		Homepage

	The body of the email will contain the message:

		You've got to see this page! It's really cool ;O)

	Executing the virus by attempting to open the attachment will
	cause this VBS file to be copied (as Homepage.HTML.vbs) to the
	Windows directory and then resent, as an email attachment, to all
	recipients in Outlook address books, updating the system registry
	as it does so to ensure this action is only taken once.  The virus
	will also attempt to open the web browser and connect to several
	pornographic web sites.

	The virus then checks for emails with the subject "Homepage" in
	the Outlook "Inbox" or "Deleted Items" folders.  When it finds
	email satisfying these criteria, the virus deletes the email in an
	attempt to prevent detection.
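
	The message characteristics described above, expressed as a
	mail-gateway check (an added example, not part of the AusCERT
	alert).  The function names, the sample messages and the list of
	script extensions are assumptions made for illustration; the
	double-extension rule goes beyond the single file name the alert
	reports.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the alert (compared case-insensitively).
SUBJECT = "homepage"
ATTACHMENT = "homepage.html.vbs"
BODY_MARKER = "you've got to see this page"
# Assumption, not from the alert: script types run by Windows Script Host.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}


def classify(raw):
    """Return the reasons (possibly none) for quarantining a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            reasons.append("attachment:" + name)
        elif name and len(name.split(".")) >= 3 and name.rsplit(".", 1)[1] in SCRIPT_EXTS:
            # e.g. picture.jpg.vbs: a harmless-looking name hiding a script
            reasons.append("double-extension-script:" + name)
        elif not name and part.get_content_type() == "text/plain":
            if BODY_MARKER in part.get_content().lower():
                reasons.append("body-text")
    # "Homepage" alone is an ordinary subject; count it only as corroboration.
    if reasons and (msg["Subject"] or "").strip().lower() == SUBJECT:
        reasons.insert(0, "subject:homepage")
    return reasons


def build(subject, body, attachment=None):
    """Construct a sample message; the attachment bytes are a harmless stub."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"' constructed placeholder\r\n", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    print(classify(build("Homepage", "You've got to see this page! It's really cool ;O)",
                         "Homepage.HTML.vbs")))
    print(classify(build("Homepage", "Our new homepage is live.")))
```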

IMPACT:   

	At this point in time, the virus is non-destructive to the infected
	machine.  However, future variants may possess more destructive
	abilities.  The mass-mailing methods employed by the virus may
	lead to service denial on mail hosts.

	It appears to be designed for propagation only.  Minor alterations
	are made to the Windows registry for the addition of a flag to
	prevent a repeat of the mailout.  This is done by adding the
	following registry key, set to the value of 1:

		HKCU\Software\An\Mailed


RECOMMENDATIONS: 

	A. User Education

	System Administrators are urged to inform their users about proper
	precautions with regard to handling email attachments.

	AusCERT recommends that sites update and check their virus
	defences and that they either delete or leave unopened any email
	messages or attachments that resemble those described above or in
	the following links.

	B. E-Mail Security Update

	System administrators and users employing Microsoft Outlook 98/2000
	may wish to install the Outlook Security Update available from 

	  http://www.microsoft.com/office/outlook/downloads/security.htm

	The White Paper "Outlook 98/2000 E-Mail Security Update"
	explains:

	"Many damaging viruses, such as the ILOVEYOU virus, spread
	by automatically e-mailing themselves to multiple recipients
	in a user's Global Address Book. The only way to prevent
	viruses from automatically propagating is to block programmatic
	access to the features in Outlook that viruses use to spread
	themselves. The security update blocks programmatic access
	to the Send capabilities and to all e-mail address information
	stored in Outlook, including the Contacts folder, Personal
	Address Book, address fields in Outlook forms such as the
	To: field, and the Global Address Book. This protects
	Outlook users from viruses that collect e-mail addresses
	and send themselves out to those addresses."

	This document is available at:

          http://www.microsoft.com/office/outlook/downloads/OutlkSec.doc

	C. Update Anti-Virus Packages

	System administrators and users are urged to ensure that the latest
	Anti-Virus software is installed and that it is using the most
	current virus databases.

	More information can be found at:

	  http://www.symantec.com/avcenter/venc/data/vbs.vbswg2.d@mm.html
	  http://www.sophos.com/virusinfo/analyses/vbsvbswgx.html
	  http://www.europe.f-secure.com/v-descs/vbswg_x.shtml
	  http://www.cai.com/virusinfo/encyclopedia/descriptions/vbsvbswgx.htm

	AusCERT is continuing to monitor this problem. 


- ---------------------------------------------------------------------------
For more information contact your Anti-Virus software vendor.
- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOvl3Kih9+71yA2DNAQEvpwP+PCQrsR7y/cQOEcju84VF3eolI2c95p6H
LwKZCAZErMIcjQDz/PpMFfsgyKKOeNh5ctjvYl3yFi6Q4AURwtzvhShEKUQ6oMQa
JkgH56YK+JiwedRVBFm68IOYvFCY1BlGygjpQDoKvq0UDy6niAXwXF3Ca0wX3qDH
r6TEm2l6/i4=
=FwFu
-----END PGP SIGNATURE-----
