GAMBIA-L Archives

The Gambia and Related Issues Mailing List

GAMBIA-L@LISTSERV.ICORS.ORG

Subject:
From: "A. P. Dampha" <[log in to unmask]>
Reply To: The Gambia and related-issues mailing list <[log in to unmask]>
Date: Tue, 13 Feb 2001 04:57:34 +0100
Content-Type: text/plain

VBS.SST@mm
Discovered on: February 12, 2001
Last Updated on: February 12, 2001 at 10:10:59 AM PST


The Symantec AntiVirus Research Center (SARC) has confirmed a new
mass-mailing worm. SARC is currently analyzing the worm. The worm is being
reported in an attachment named ANNAKOURNIKOVA.JPEG.VBS. SARC recommends
that you filter attachments with a VBS extension if you have not already
done so.

Category: Worm

Aliases: ANNAKOURNIKOVA.JPEG.VBS

Virus definitions: Pending

Threat assessment:

VBS.SST is a VBS email worm that has been encoded with a virus creation kit.
The worm arrives as an attachment named AnnaKournikova.jpg.vbs. When executed,
the worm emails itself to everyone in your address book. On January 26, the
worm will attempt to spawn the web browser to http://www.dynabyte.nl. This
worm appears to have originated in the Netherlands.

When run, the virus creates the registry key

HKCU/Software/OnTheFly/

If the day is January 26, the virus attempts to spawn the web browser to
http://www.dynabyte.nl

Next, the virus checks to see if the mass-mailing routine has been executed.
If not, the worm emails everyone in the Outlook address book and creates the
registry key HKCU/Software/OnTheFly/mailed

So, the worm does not email every address again. The worm sends the message
with the subject Here you have, ;o)

The message body

Hi:
Check This!

and the attachment AnnaKournikova.jpg.vbs

The worm then remains running and, if it is deleted, attempts to recreate
itself. Due to a bug in the code, the virus instead recreates itself as a
zero-byte file.

Removal Instructions:

Delete all found infections. If it exists, delete the zero-byte file.
Remove registry keys.

----------------------------------------------------------------------------

To unsubscribe/subscribe or view archives of postings, go to the Gambia-L
Web interface at: http://maelstrom.stjohns.edu/archives/gambia-l.html
You may also send subscription requests to [log in to unmask]
if you have problems accessing the web interface and remember to write your full name and e-mail address.
----------------------------------------------------------------------------
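
The advisory's recommendation to filter attachments with a VBS extension, as an added example that is not part of the original message or of Symantec's advisory: a mail-gateway style check that parses a message and flags attachments whose final extension is .vbs, including the .jpg.vbs disguise described above. The function names, the decoy-extension list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from pathlib import PurePosixPath

# Extension the advisory says to filter; extend the set as local policy requires.
BLOCKED_EXTS = {".vbs"}
# Harmless-looking extensions used as a decoy before the real one (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc"}


def normalize(filename):
    """Drop any path, trailing dots/spaces (Windows ignores them) and case."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def classify_attachment(filename):
    """Return (blocked, reason) for one attachment file name."""
    suffixes = PurePosixPath(normalize(filename)).suffixes
    if not suffixes or suffixes[-1] not in BLOCKED_EXTS:
        return False, "allowed"
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return True, "blocked: script hidden behind decoy extension " + suffixes[-2]
    return True, "blocked: script extension " + suffixes[-1]


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and return [(filename, blocked, reason), ...]."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # also decodes RFC 2231 encoded names
        if filename:
            findings.append((filename, *classify_attachment(filename)))
    return findings

# Constructed sample message: placeholder attachment body, not worm code.
SAMPLE = (
    b"From: sender@example.org\r\nTo: rcpt@example.org\r\n"
    b"Subject: Here you have, ;o)\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nHi:\r\nCheck This!\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"\r\n\r\n'
    b"placeholder\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for name, blocked, reason in scan_message(SAMPLE):
        print(name, "->", reason)
```

The check keys on the last extension only, because that is the one Windows uses to choose the handler; the earlier .jpg is what the recipient sees when known extensions are hidden.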
