The purpose of this virus ALERT is to make the University community aware of a computer virus that has the potential to destroy computer files, disable computer functions, or otherwise disrupt normal business operations, patient care services, or academic pursuits at the University of Virginia.
Virus definitions are available for local download at:
http://www.itc.virginia.edu/desktop/security/nav32vdefs.html
Fix for Windows 95, Windows 98, Windows ME
Fix for Windows 2000, Windows XP
When this worm is executed, it does the following:
It copies itself to \%System%\Wink
NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds the value Wink to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
or it creates the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]
and inserts a value in that subkey so that the worm is executed when you start Windows.
The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any of their active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files, including:
* Anti-Vir.dat
* Chklist.dat
* Chklist.ms
* Chklist.cps
* Chklist.tav
* Ivb.ntz
* Smartchk.ms
* Smartchk.cps
* Avgqt.dat
* Aguard.dat
Local and Network Drive copying:
The worm copies itself to local, mapped, and network drives as:
* A random file name that has a double extension. For example, Filename.txt.exe.
* A .rar archive that has a double extension. For example, Filename.txt.rar.
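A defender can sweep shares for the double-extension drop names described above. This is an added example, not code from the advisory or from Symantec; the set of decoy inner extensions (.txt, .doc, .jpg and so on) and the sample directory layout are assumptions made for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Final extensions the worm uses for its dropped copies (from the advisory):
# an executable or a .rar archive placed behind a decoy inner extension.
OUTER_EXTS = {".exe", ".rar"}
# Decoy inner extensions a user would take for harmless data files.
# This particular set is an assumption; the advisory only says "double extension".
DECOY_EXTS = {".txt", ".doc", ".htm", ".html", ".jpg", ".pdf", ".xls", ".mp3", ".rtf"}
DOUBLE_EXT = re.compile(r"^(?P<base>.+?)(?P<inner>\.[A-Za-z0-9]{1,4})(?P<outer>\.[A-Za-z0-9]{1,4})$")


def is_suspicious_name(name: str) -> bool:
    """True when a file name looks like Filename.txt.exe or Filename.txt.rar."""
    m = DOUBLE_EXT.match(name)
    if not m:
        return False
    return (m.group("outer").lower() in OUTER_EXTS
            and m.group("inner").lower() in DECOY_EXTS)


def scan_tree(root: str) -> list[str]:
    """Walk a share or drive and return relative paths of suspicious double-extension files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if is_suspicious_name(fname):
                hits.append(os.path.relpath(os.path.join(dirpath, fname), root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed sample share (placeholder files, not worm artifacts)."""
    root = tempfile.mkdtemp(prefix="klez_demo_")
    for rel in ("reports/Budget.txt.exe", "reports/Budget.txt", "pics/holiday.jpg.rar",
                "tools/setup.exe", "docs/notes.tar.gz"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder content")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in scan_tree(sample):
        print("suspicious:", hit)
```

Point `scan_tree` at a mapped drive or network share root to triage it; a hit is a candidate for quarantine and hash comparison, not proof of infection by itself.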
Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess available SMTP servers.
The subject line, message bodies, and attachment file names are random. The From address is randomly chosen from email addresses that the worm finds on the infected computer.
The worm will search files that have the following extensions for email addresses:
* .mp8
* .exe
* .scr
* .pif
* .bat
* .txt
* .htm
* .html
* .wab
* .asp
* .doc
* .rtf
* .xls
* .jpg
* .cpp
* .pas
* .mpg
* .mpeg
* .bak
* .mp3
* .pdf
The email message that this worm sends is composed of "random" strings. The subject can be one of the following:
* Undeliverable mail--"[Random word]"
* Returned mail--"[Random word]"
* a [Random word] [Random word] game
* a [Random word] [Random word] tool
* a [Random word] [Random word] website
* a [Random word] [Random word] patch
* [Random word] removal tools
* how are you
* let's be friends
* darling
* so cool a flash,enjoy it
* your password
* honey
* some questions
* please try again
* welcome to my hometown
* the Garden of Eden
* introduction on ADSL
* meeting notice
* questionnaire
* congratulations
* sos!
* japanese girl VS playboy
* look,my beautiful girl friend
* eager to see you
* spice girls' vocal concert
* japanese lass' sexy pictures
The random word will be one of the following:
* new
* funny
* nice
* humour
* excite
* good
* powful
* WinXP
* IE 6.0
* W32.Elkern
* W32.Klez.E
* Symantec
* Mcafee
* F-Secure
* Sophos
* Trendmicro
* Kaspersky
The body of the email message is random.
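Because the subject lines are built from the fixed strings and the short "[Random word]" vocabulary listed above, a mail gateway or log review can flag them. This is an added example, not code from the advisory or from Symantec; the log line format (`msgid=... from=... subject=...`) and the sample lines are constructed for the demonstration.

```python
import re

# Fixed subject lines taken from the advisory (exact strings, including odd spacing).
FIXED_SUBJECTS = {
    "how are you", "let's be friends", "darling", "so cool a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl VS playboy", "look,my beautiful girl friend",
    "eager to see you", "spice girls' vocal concert", "japanese lass' sexy pictures",
}
# The "[Random word]" vocabulary listed in the advisory (matched case-sensitively).
RANDOM_WORDS = ["new", "funny", "nice", "humour", "excite", "good", "powful", "WinXP",
                "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee", "F-Secure",
                "Sophos", "Trendmicro", "Kaspersky"]
_W = "(?:" + "|".join(re.escape(w) for w in RANDOM_WORDS) + ")"
# Templated subjects: each "[Random word]" slot becomes an alternation of the vocabulary.
TEMPLATES = [
    re.compile(rf'^(?:Undeliverable|Returned) mail--"{_W}"$'),
    re.compile(rf"^a {_W} {_W} (?:game|tool|website|patch)$"),
    re.compile(rf"^{_W} removal tools$"),
]


def is_klez_subject(subject: str) -> bool:
    """True when a Subject header matches one of the worm's generated subject lines."""
    s = subject.strip()
    if s in FIXED_SUBJECTS:
        return True
    return any(t.match(s) for t in TEMPLATES)


def flag_mail_log(lines):
    """Return (message_id, subject) for log lines whose subject matches.
    Assumed line format: 'msgid=<id> from=<addr> subject=<text>' (not any real MTA's format)."""
    line_re = re.compile(r"msgid=(\S+) from=(\S+) subject=(.*)$")
    flagged = []
    for line in lines:
        m = line_re.search(line)
        if m and is_klez_subject(m.group(3)):
            flagged.append((m.group(1), m.group(3).strip()))
    return flagged


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "msgid=A1 from=alice@example.org subject=a nice WinXP patch",
    "msgid=A2 from=bob@example.org subject=Budget review for Q2",
    'msgid=A3 from=carol@example.org subject=Undeliverable mail--"Sophos"',
    "msgid=A4 from=dave@example.org subject=so cool a flash,enjoy it",
    "msgid=A5 from=erin@example.org subject=a nice new game for you",
]

if __name__ == "__main__":
    for msgid, subj in flag_mail_log(SAMPLE_LOG):
        print(f"{msgid}: {subj!r}")
```

A subject match alone is a weak signal (the fixed strings are ordinary phrases); pair it with the attachment-extension block recommended later in this alert.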
If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Infection:
The worm also infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.
Virus Insertion:
This worm inserts the virus W32.Elkern.4926 as a file with a random name in the \%Program Files% folder and executes it.
NOTE: %Program Files% is a variable. The worm locates the \Program Files folder (by default this is C:\Program Files) and copies the virus to that location.
Symantec Security Response offers these suggestions on how to configure Symantec products in order to minimize your exposure to this threat.
Norton AntiVirus for Gateways (SMTP)
* Block incoming attachments with .bat, .exe, .pif and .scr extensions
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP client, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, and .src files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
http://www.sarc.com/avcenter/venc/data/pf/w32.klez.h@mm.html
© 1996-2002 by the Rector and Visitors of the University of Virginia
Maintained by: itcweb@virginia.edu | Last updated: Thursday April 04, 2002 11:10:40