Interesting People mailing list archives
IP: Shoho outbreak--New worm, old tricks
From: David Farber <dave () farber net>
Date: Fri, 21 Dec 2001 15:23:14 -0500
Date: Fri, 21 Dec 2001 12:14:13 -0800
From: Ari Ollikainen <Ari () OLTECO com>
Subject: Shoho outbreak--New worm, old tricks
X-Sender: ari () mail olteco com
To: farber () cis upenn edu

'tis the season for email worms and virii, apparently:

Shoho outbreak--New worm, old tricks
By Robert Vamosi
ZDNet Reviews
December 20, 2001 4:41 PM PT

Yet another worm has cleverly taken advantage of a well-publicized and already patched vulnerability in Internet Explorer by offering an e-mail message that sounds legitimate to frequent Internet users. On some systems, Shoho (w32.Shoho.a@mm, alias Welyah) will launch itself when the infected e-mail is previewed or viewed. Shoho also uses its own SMTP engine, as SirCam does, to send out copies of itself to e-mail addresses found in the Outlook Address book and other address files. However, Shoho deletes some Windows files and can cause a general protection error on some systems upon reboot.

Because of the potential for excess e-mail and file damage, Shoho currently ranks a 6 on the ZDNet Virus Meter.

How it works

Shoho arrives as e-mail with a subject line that reads "Welcome to Yahoo! Mail." The body text reads as follows:

   This messages a character set that is not supported by the Internet
   Service. To view the original message content, open the attached
   message. If the text doesn't display correctly, save the attachment to
   disk, and then open it using a viewer that can display the original
   character set.

The attached file, readme.txt, is not really a text file but a forged EXE file that contains the malicious code.

If a user opens the attached file, Shoho copies itself to the Windows directory as Winl0g0n.exe and adds a line to the Registry in order to run every time Windows is started.

Shoho also adds the following files to an infected computer in the C:\Windows subdirectory:

   email.txt
   emailinfo.txt
   drwatson
   drwatsonframe.htm
   winl0g0n.exe

The worm will attempt to delete the following files from the C:\Windows subdirectory:

   1stboot.bmp
   asd.exe
   cleanmgr.exe
   clspack.exe
   control.exe
   cvtaplog.exe
   defrag.exe
   dosrep.exe
   drwatson.exe
   drwatson
   drwatsonframe.htm
   emm386.exe
   himem.sys
   hwinfo.exe
   jautoexp.dat
   kacheln.bmp
   kreise.bmp
   license.txt
   logos.sys
   logow.sys
   moricons.dll
   nddeapi.dll
   nddenb.dll
   netdet.ini
   ramdrive.sys
   runhelp.cab
   script.doc
   setup.bmp
   smartdrv.exe
   streifen.bmp
   suback.bin
   support.txt
   telephon.ini
   w98setup.bin
   wellen.bmp
   win.com
   win.ini
   winsock.dll

Deletion of the above files may result in a general protection failure the next time the computer is rebooted.

Prevention

Patch or upgrade your Internet Explorer to avoid the "Automatic execution of embedded MIME types" vulnerability. Users of IE 5.01 will need to download security bulletin MS01-020 from Microsoft. Users can also upgrade to IE 5.5 SP2 or IE 6.0, if they choose a full install.

Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe. Users who have not upgraded to Outlook 2002 or who have not installed the Outlook 98 Security Patch or the Outlook 2000 Security Patch should do so.

In general, do not open attached files in e-mail until you've saved them to the hard disk and scanned them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signatures.

Removal

A few antivirus software companies have updated their signature files to include this worm. These updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see F-Secure, Kaspersky, McAfee, Sophos, and Trend Micro.

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
You can't depend on your judgement when your imagination is out of focus.
-- Mark Twain.
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
OLTECO                                    Ari Ollikainen
Networking Architecture and Technology    P.O. BOX 20088
Ari () OLTECO com                           Stanford, CA 94309-0088
                                          415.517.3519
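The article gives three concrete indicators a defender can act on: the lure subject line, a "readme.txt" attachment that is really an executable, and a fixed set of files the worm drops into (and deletes from) the Windows directory. The following Python is an added triage example written for this archive page; it is not code from ZDNet, from the list, or from any antivirus vendor. The executable check relies only on the DOS/PE "MZ" magic, the file lists are copied from the article (the deletion list is a labelled subset), and every sample input is constructed here, so the script runs offline.

```python
"""Added triage example built from the Shoho indicators quoted in the article.
Not the article's or any vendor's code; all sample inputs are constructed."""
import os
from typing import Dict, Iterable, List, Set

# Indicators taken from the article text.
SHOHO_SUBJECT = "welcome to yahoo! mail"
SHOHO_ATTACHMENT = "readme.txt"
SHOHO_DROPPED_FILES: Set[str] = {
    "winl0g0n.exe", "email.txt", "emailinfo.txt", "drwatson", "drwatsonframe.htm",
}
# Subset of the files the article says the worm deletes (full list is in the article).
SHOHO_DELETED_FILES: Set[str] = {
    "win.com", "win.ini", "himem.sys", "emm386.exe", "winsock.dll", "defrag.exe",
}

# Extensions a mail client presents as harmless documents. A file with one of
# these names should never begin with the DOS/PE executable magic "MZ".
DOCUMENT_EXTENSIONS = {".txt", ".htm", ".html", ".doc", ".jpg", ".gif"}


def is_disguised_executable(filename: str, content: bytes) -> bool:
    """True when a 'document' attachment actually carries an executable image."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in DOCUMENT_EXTENSIONS and content[:2] == b"MZ"


def triage_message(subject: str, attachments: Dict[str, bytes]) -> List[str]:
    """Return the reasons a message matches the Shoho lure (empty list = no match)."""
    reasons: List[str] = []
    if subject.strip().lower().rstrip(".") == SHOHO_SUBJECT:
        reasons.append("subject matches the Shoho lure")
    for name, data in attachments.items():
        if name.lower() == SHOHO_ATTACHMENT:
            reasons.append(f"attachment name {name!r} matches Shoho")
        if is_disguised_executable(name, data):
            reasons.append(f"attachment {name!r} is an executable disguised as a document")
    return reasons


def find_dropped_files(windows_dir_listing: Iterable[str]) -> Set[str]:
    """Names in a Windows-directory listing that match the files Shoho drops."""
    return {n for n in windows_dir_listing if n.lower() in SHOHO_DROPPED_FILES}


def find_missing_system_files(windows_dir_listing: Iterable[str]) -> Set[str]:
    """Files from the worm's deletion list that are absent from the listing."""
    present = {n.lower() for n in windows_dir_listing}
    return {n for n in SHOHO_DELETED_FILES if n not in present}


if __name__ == "__main__":
    # Constructed sample: a few MZ-header bytes, not a real worm body.
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60
    print(triage_message("Welcome to Yahoo! Mail", {"readme.txt": fake_exe}))
    print(triage_message("Lunch on Friday?", {"notes.txt": b"plain text"}))
    # Constructed directory listing of a machine after the worm ran.
    listing = ["Winl0g0n.exe", "email.txt", "notepad.exe", "win.ini", "himem.sys"]
    print(find_dropped_files(listing))
    print(find_missing_system_files(listing))
```

The executable check is the part worth keeping beyond this one worm: the article's point is that the attachment's name, not its content, is what the mail client and the user trust. Comparing the first two bytes against "MZ" catches a forged ".txt" regardless of the subject line or filename the next variant chooses.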
For archives see: http://www.interesting-people.org/archives/interesting-people/