PROBLEM: A new Trojan program is spreading rapidly around the Internet. The program travels as an executable attachment to an e-mail message purporting to be a flash movie of a naked wife.
PLATFORM: Windows 95, 98, NT, ME, and 2000 with Outlook installed.
DAMAGE: The Trojan destroys multiple files in the Windows and Windows\System folders. If the Trojan is allowed to run to completion, Windows will no longer be able to run and must be reinstalled along with most of your applications. The Trojan does not destroy documents or other user files.
SOLUTION: Do not run executable files attached to e-mail messages unless you were expecting to receive that executable file. Update your virus definitions as soon as the vendors have new signatures available. If you have run this Trojan, you must reinstall Windows and all your applications.
VULNERABILITY ASSESSMENT: Risk is HIGH. The Trojan is spreading on the net and does serious damage to a computer's operating system.
CIAC has information that a new Trojan is rapidly spreading around the Internet. Much like the VBS macro viruses that have been making the rounds lately, this Trojan spreads by using Microsoft Outlook to e-mail itself to everyone in your Outlook address books. This Trojan is not a VBS script file but is a fully compiled Visual Basic executable (.EXE) file. The Trojan is included as an attachment in an e-mail message with the following properties:
Here, CurrentUser is replaced with the Outlook registered name of the person on whose machine the Trojan is currently running.
The executable attachment appears to be a viewer with pictures of a naked wife but is actually the Trojan program. If you run it, a window opens that looks like a Flash movie reader loading a movie named "JibJab". The only menu on the window that works is the Help, About command, which displays a dialog box with a nasty message.
While the movie appears to be loading, the Trojan is actually sending itself to everyone in your Outlook address book.
When it finishes sending itself, it starts deleting files with the following extensions from your Windows and Windows\System directories.
If the Trojan is allowed to run to completion, your system will not continue running and will not be bootable. Luckily, the Trojan does not destroy documents and other personal files.
Recovery from this Trojan requires the complete reinstallation of your operating system and most of your programs. Any program that stores files in the Windows or Windows\System directories will also be damaged and must be reinstalled. This includes most commercial office applications. Luckily, your personal files and documents are probably not damaged. After your system is working again, look for and delete all files with the name:
As soon as your antivirus company has a signature available, scan your system and delete any files identified as having this Trojan.
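The advice above against running unexpected executable attachments can also be checked mechanically at a mail gateway or during triage. The following is an added example, not part of the CIAC bulletin: it parses a raw message and flags attachments that are Windows executables either by extension or by the "MZ" header at the start of the file. The function names, the extension list and the sample message (including its file names) are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist of extensions Windows runs directly; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def executable_attachments(raw_bytes):
    """Return (filename, reason) pairs for attachments that are executable.

    An attachment is flagged when its name ends in a blocked extension, or
    when its decoded content starts with the DOS/PE 'MZ' signature, which
    catches a program renamed to look like a movie or picture.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        if any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTS):
            findings.append((name, "executable extension"))
        elif payload[:2] == b"MZ":
            findings.append((name, "MZ header behind a non-executable name"))
    return findings


def build_sample():
    """Constructed test message; the 'MZ' stub is inert filler, not a program."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    stub = b"MZ" + b"\x00" * 62
    msg.add_attachment(stub, maintype="application",
                       subtype="octet-stream", filename="movie.exe")
    msg.add_attachment(stub, maintype="video",
                       subtype="x-flash", filename="movie.swf")
    msg.add_attachment(b"plain notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in executable_attachments(build_sample()):
        print(f"{name}: {reason}")
```
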
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/ http://ciac.llnl.gov (same machine -- either one will work)
Anonymous FTP: ftp.ciac.org ciac.llnl.gov (same machine -- either one will work)