Virus Alert Information

[Richard Cranium]

A new virus called W32Gone.A@MM has been detected by anti-virus research centers, and reported in the media It is a worm virus that spreads through email.

When a user opens the attachment thinking it is a Screen Saver, it sends mail to all entries in the Outlook address book.


Should you receive the email with the following characteristics,
DO NOT open the attachment contained in the message!
Subject:
Subject: Hi

Body: How are you ?
When I saw this screensaver, I immediately thought about you
I am in a harry, I promise you will love it!


[UserName]

Attachment Gone.scr.... Do not open this attachment.

[ClubMed]

Thanks for the heads-up!

[nodnerb2]

Hi,

Thanks for the tip

Cheers

Nodnerb2

[Richard Cranium]

Due to the increased rate of submission and level of damage, Symantec Security Response is upgrading W32.Goner.A@mm from Category 3 to Category 4.

http://www.sarc.com/avcenter/venc/da...oner.a@mm.html

Infection length
This is the size, in bytes, of the viral code that is inserted into a program by the virus. If this is a worm or Trojan horse the length represents the size of the file.



Infection Length: 38,912 bytes

[Richard Cranium]

W32.Maldal.D@mm
Discovered on: December 29, 2001
Last Updated on: January 2, 2002 at 12:46:03 PM PST

W32.Maldal.D@mm is an extremely damaging worm. It was written and distributed on December 28, 2001. The virus code is in Visual Basic. It is about 27 KB in size and is packed using Aspack. The worm uses Microsoft Outlook to send itself to all contacts in your Microsoft Outlook address book.

Virus Definitions: December 29, 2001

Threat Assessment:


Wild: Low
Damage: Medium
Distribution: High

When the worm is executed for the first time, it will installs itself as \Windows\System\Win.exe.

It then adds the value

%System%\win.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run

so that the worm runs the next time that you start Windows. In most cases, however, because of the damage that is done by this worm, the computer will no longer load Windows.

Next, the worm obtains the computer name. This is done because the worm is programmed to send email messages with a subject line that includes the name of the computer. The attachment that is sent with the message is an .exe file. The name used for this attached file is composed of the computer name plus the .exe extension, for example, Johns PC.exe.

If the worm is executed a second time, the email message will have the subject "ZaCker" and an attachment named ZaCker.exe. This is because the worm renames the computer to "ZaCker."

The content of the mail will be any of the following (randomly chosen) lines:

Test this game
I wish u like it
I have got this file for you
Surprise !!!
download this game & have fun
desktop maker ,you may need it
have you ever got a gift !?
What women wants !
Don't waste any time ,Subscribe now
Make your pc funny !
new program from my fun groups
Map of the world
Create your Ecard
looooooooooooooooool
Send it to everybody you love
Its made by me
Our symbol
If you have an elegant taste
Test your mind
1 + 1 = 3 !!!
Singer , searsh for any song and sing
For everybody wants to marry a woman that he doesn't love !
nowadays , there is no womanhood !! :P
Just Try to fix it
Keep these advertisements run and earn 0.25 $ per 10 minute
See this file

W32.Maldal.D@mm is a retroworm (a worm virus that actively attacks antivirus programs in an effort to prevent detection). It deletes antivirus programs that it finds in the following folders:

Program Files\AntiViral Toolkit Pro\
Program Files\Command Software\F-PROT95\
eSafe\Protect\
PC-Cillin 95\
PC-Cillin 97\
Program Files\Quick Heal\
Program Files\FWIN32\
Program Files\FindVirus\
Toolkit\FindVirus\
F-macro\
Program Files\McAfeeVirusScan95\
Program Files\Norton AntiVirus\
TBAVW95\
VS95\
Rescue\
Program Files\Zone Labs\

Finally, the worm deletes several files, including those with the file extensions .ini, .php, .exe, .com, .mpeg, .dat, .zip, .txt, .exe, .xls, .doc, and .jpg

http://securityresponse.symantec.com...ldal.d@mm.html

[Xeroid]

There is so much of this going on lately ! Please everyone keep your virus defs up to date.

Mike

[TOAD6147]

...so that the worm runs the next time that you start Windows. In most cases, however, because of the damage that is done by this worm, the computer will no longer load Windows.

That doesn't make sense because it needs Windows to propegate itself. If it does that much damage the first time, it won't spread as badly as they are saying, IMO.

[Bob The Great]

AOL is an extremely damaging virus. It was written and distributed on an unkown date. The virus code is in something similar to what my child does when pounding on the keyboard. It is about 100Mbs in size but quickly consumes your harddrive. The worm uses your computer to summon satan.

Virus Definitions: January 3, 2002

Threat Assessment:


Wild: Low
Damage: Extreme
Distribution: High

When the virus is executed for the first time, it will installs itself as Program Files\AOL\Aol.exe

It also starts with windows. so that the Virus runs the next time that you start Windows. In most cases, however, because of the damage that is done by this virus, the computer will no longer load Windows.

Next, the virus obtains the computer name. This is done because the virus is programmed to send email messages to it's sinister masters with a subject line that includes the name of the computer. This email includes everything about you right down to when the last time you clipped your nails was.

If the Virus is executed a second time the devil comes, takes your soul, and eats you alive.

AOL is a retrovirus (a virus that actively attacks antivirus programs in an effort to prevent detection). It deletes antivirus programs that it finds in the following folders:

Program Files\AntiViral Toolkit Pro\
Program Files\Command Software\F-PROT95\
eSafe\Protect\
PC-Cillin 95\
PC-Cillin 97\
Program Files\Quick Heal\
Program Files\FWIN32\
Program Files\FindVirus\
Toolkit\FindVirus\
F-macro\
Program Files\McAfeeVirusScan95\
Program Files\Norton AntiVirus\
TBAVW95\
VS95\
Rescue\
Program Files\Zone Labs\

Finally, the virus deletes several files, including those with the file extensions .ini, .php, .exe, .com, .mpeg, .dat, .zip, .txt, .exe, .xls, .doc, and .jpg

[Richard Cranium]

Bob, that is funny, and sad ,, OK funny and Sad

Last December my bud got the "Smiley Face" virus(don't know the real name)
Anyway it overwrites your files with little Palm trees, smiley faces and what not.

The very old HD gave up the ghost when we put BC Wipe to it in a vain attempt to rid ol Smiley Face from it

[Mike]

Thanks for the tips guys! Yes, it's been crazy all of the viruses/worms that have been going around!

[Bob The Great]

The best way to avoid viruses are to go with non usual install directories e.g. install windows to the directory "system" (although that can cause probs with some progs), install antivirus programs to different dirs to. Also use an e-mail program such as Juno. Although Juno is probably one of the worst e-mail programs it stops the spread of most viruses as it uses a very different system for email. Also being wary of downloads (download from trusted sites if possible, and scan files before opening them.

It does bite to get a virus!

[NeoStarO1]

Originally posted by TOAD6147

That doesn't make sense because it needs Windows to propegate itself. If it does that much damage the first time, it won't spread as badly as they are saying, IMO.

Make sense to me because if you get this virus and open it, the damage is already done and sent other emails out via outlook.

Even if windows were not to load some may not think to run a dos version virus scan and think, well windows won't load lets re-install windows not relizing they been infected. Now the same virus has a second oportunity to send out again.

So to me if this happens it seems to be best not to shut off your computer and clean this nasty critter out before you do any rebooting otherwise will just re-infect the same pc all over again.

Correct me if I wrong on this.

NeoStar

[e980238]

Thanks for the 411