nanog mailing list archives

RE: Virus Update

From: "Branden R. Williams" <brw () netvitality net>
Date: Thu, 4 May 2000 10:54:45 -0500 (CDT)


On Thu, 4 May 2000 msarges () midco net wrote:

Just to clarify, it will look at files on network or net-mapped drives.
Our organization just found out the hard way.


Ok, we must have stopped it before that happened to us.  The person who
ran this (argh) only affected their own hard drive and missed any network
drives.

On 04-May-2000 Branden R. Williams wrote:


Ok, this thing is pretty nasty...  Here is a quick summary of what it
does.

Should you run it, you will lose any files of the following
extensions.  They will be renamed to filename.extension.vbs with a fresh
copy of the replication part.

File extensions
affected:  vbs,vbe,js,jse,css,wsh,sct,hta,jpg,jpeg,mp2,mp3.

Every file with that extension is overwritten with the virus.  It looks to
be localized to mounted hard drives.  It does not appear to affect mapped
network drives.

It also makes a dozen or so registry entries including one to reset your
start page to the following URL.

http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqweras
djhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I have not gone to this URL yet to see what it is, but it downloads a copy
of a file called WIN-BUGSFIX.exe.

In addition, it creates a MIRC script called script.ini to DCC SEND this
to whatever channel you are on.

Of course it sends it to everyone in your address book with the subject
ILOVEYOU.  It looks to only affect people who actually run the vbs
script.  I would assume that if you are not on a Windows platform that you
are not affected.

I'll let you know more when we find more.

Cheers,

Branden R. Williams <brw () netvitality net>
Vice President, Systems - NetVitality, Inc.
http://www.netvitality.net/
Internet Commerce Specialists


----------------------------------
E-Mail: msarges () midco net
Date: 04-May-2000
Time: 10:49:31

We have met the enemy, and he is us.
                -- Walt Kelly

----------------------------------


Cheers,

Branden R. Williams <brw () netvitality net>
Vice President, Systems - NetVitality, Inc.
http://www.netvitality.net/
Internet Commerce Specialists

Current thread:

product liability (was: Virus Update), (continued)
- - - product liability (was: Virus Update) William Allen Simpson (May 09)
    - Re: product liability (was: Virus Update) Jim Mercer (May 09)
    - Re: product liability (was: Virus Update) William Allen Simpson (May 09)
    - Re: product liability (was: Virus Update) Jim Mercer (May 09)
    - Re: product liability (was: Virus Update) Greg A. Woods (May 09)
    - off-topic rant Re: product liability (was: Virus Update) brad reynolds (May 09)
    - Re: off-topic rant Re: product liability (was: Virus Update) Bruce Campbell (May 09)
    - Re: off-topic rant Re: product liability (was: Virus Update) Steve Sobol (May 09)
    - Re: off-topic rant Re: product liability (was: Virus Update) Valdis . Kletnieks (May 09)
- Re: Virus Update Branden R. Williams (May 04)
- RE: Virus Update Branden R. Williams (May 04)
- Re: Virus Update David Charlap (May 04)