RealTime IT News

Another Virus Swamps E-mail Systems - Page 2

Internet Explorer to download a file named WIN-BUGSFIX.exe from one of four possible places on http://www.skyinet.net (randomly selected) and the Registry is modified so that this file is executed the next time Windows is launched. This was the portion that collected network passwords. A system administrator at Sky Internet, the company that owns www.skyinet.net, said the four URLs that were collecting the passwords were shut down at about 5 a.m. EST.

Then the virus creates an HTML version of itself, in a file named LOVE-LETTER-FOR-YOU.HTM in the Windows System directory.

Next, the virus starts a copy of Outlook in the background (only Outlook 98 or 2000 will work - not Outlook 97 or Outlook Express). It examines all Outlook Address Books and, if an Outlook Address Book contains more addresses than the Windows Address Book, the virus mass-mails itself to all addresses in that Outlook Address Book. (The virus does NOT mass-mail itself to any addresses in the Windows Address Book.)

Finally, the virus examines all directories on all hard and network drives. If a file has one of the following extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP2, MP3, JPG or JPEG, the virus overwrites the file with a copy of itself. If the extension was not VBS or VBE, the virus adds the extension VBS to the name of the file. For instance, PICTURE.JPG becomes PICTURE.JPG.vbs. If an MP2 or MP3 file was overwritten, the virus also sets its file attribute to ReadOnly.

If, during this directory traversal, the virus finds the files mirc32.exe, mlink32.exe, mirc.ini, script.ini or mirc.hlp, it drops a file in that directory named SCRIPT.INI which begins with the comments "; mIRC Script ; Please dont edit this script... mIRC will corrupt, if mIRC will corrupt... WINDOWS will affect and will not run correctly. thanks ; ; Khaled Mardam-Bey ; http://www.mirc.com".

This file tries to send the file LOVE-LETTER-FOR-YOU.HTM from the Windows System directory via IRC's command /DCC to all users joining the IRC channel which the infected user is on.
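A defender-side sweep for the file-system artifacts described above (the PICTURE.JPG.vbs-style double extensions, the dropped LOVE-LETTER-FOR-YOU.HTM, and a SCRIPT.INI beside mIRC files), written as an added example that is not from the article or from any vendor tool. The directory tree it scans is constructed inline, and every file in it is a labelled stand-in, not worm code.

```python
import os
import re
import tempfile
from pathlib import Path

# File types the worm overwrites, per the article. Anything that is not already VBS/VBE
# gets ".vbs" appended, so a victim "PICTURE.JPG" is left behind as "PICTURE.JPG.vbs".
TARGET_EXTS = ["js", "jse", "css", "wsh", "sct", "hta", "mp2", "mp3", "jpg", "jpeg"]
DOUBLE_EXT = re.compile(r"\.(" + "|".join(TARGET_EXTS) + r")\.vbs$", re.IGNORECASE)
MIRC_MARKERS = {"mirc32.exe", "mlink32.exe", "mirc.ini", "mirc.hlp"}
DROPPED_HTML = "love-letter-for-you.htm"
SCRIPT_INI_TEXT = "please dont edit this script"  # comment the dropped SCRIPT.INI begins with


def scan_tree(root):
    """Walk `root` and return sorted (kind, relative posix path) pairs for the artifacts above."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = lambda name: Path(dirpath, name).relative_to(root).as_posix()
        by_lower = {f.lower(): f for f in files}
        for name in files:
            if DOUBLE_EXT.search(name):
                findings.append(("double-extension", rel(name)))
            elif name.lower() == DROPPED_HTML:
                findings.append(("dropped-html", rel(name)))
        # A SCRIPT.INI sitting beside mIRC files and carrying the worm's comment header
        # is the IRC-spreading hook; a plain user-written script.ini is left alone.
        if "script.ini" in by_lower and by_lower.keys() & MIRC_MARKERS:
            with open(os.path.join(dirpath, by_lower["script.ini"]), errors="replace") as fh:
                if SCRIPT_INI_TEXT in fh.read(512).lower():
                    findings.append(("mirc-script", rel(by_lower["script.ini"])))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway directory mimicking a hit machine (constructed data, stand-in files)."""
    root = Path(tempfile.mkdtemp())
    (root / "photos").mkdir()
    (root / "photos" / "PICTURE.JPG.vbs").write_text("' stand-in for an overwritten JPG")
    (root / "photos" / "holiday.jpeg").write_text("untouched image, must not be flagged")
    (root / "mirc").mkdir()
    (root / "mirc" / "mirc32.exe").write_text("stand-in for the mIRC binary")
    (root / "mirc" / "SCRIPT.INI").write_text(";mIRC Script\n; Please dont edit this script...\n")
    (root / "system").mkdir()
    (root / "system" / "LOVE-LETTER-FOR-YOU.HTM").write_text("<html>stand-in</html>")
    (root / "system" / "notes.vbs").write_text("' an ordinary script, not flagged by name alone")
    return str(root)
```

Files the worm overwrote in place (a .VBS that stays .VBS, or a read-only MP3) are not recoverable from the name alone, so a real sweep would also compare file sizes and contents against backups.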

The virus sets or modifies the following Registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start

Jeff Carpenter, senior Internet security technologist with Carnegie Mellon's CERT Coordination Center, said preliminary analysis indicates that the virus is similar to Melissa in that it spreads through e-mail attachments. He said CERT is currently studying the virus and is working with virus experts to understand how the virus works and how to recover. He added that CERT received more than 150 reports of the virus as of 10 a.m. Thursday, higher than normal for an average virus.

Mikko Hypponen, manager of Anti-Virus Research at F-Secure Corp. in Espoo, Finland, said, "We've had two big media houses who've had their photo archives overwritten by this thing."

Hypponen said that organizations struck by the worm should take a number of steps. "If you're not sure what to do, the first thing you should do is to stop incoming mail and outgoing mail, then think what to do next," he said. "I know it sounds drastic, but it gives you time to react. And if you are spooling incoming and outgoing messages, you're not going to lose much if you keep it down for an hour or two until you have time to react.

"After you have done that, number two on your list is disable scripting in Outlook clients if you have Outlook clients in your organization. By disabling scripting or support for Windows Scripting Host, you are not vulnerable to this attack at all."

"Number three, update your anti-virus to handle this."