New Updated Scanner

This is the news I was waiting for all week. Trend Micro has finally upgraded HouseCall, their online virus scanner. The revised version now traps Trojans as well. To sweeten the pot, Trend Micro is also offering a free copy of the award-winning PC-cillin 2000. Unfortunately, the latter offer is restricted to the US and Canada. But that's no reason not to use HouseCall.

The new Trojan System Cleaner is the first generic cleaning tool available. Besides detecting and removing Trojans, HouseCall will now also delete any code that has been dropped (inserted), and reset and restore settings altered by a Trojan attack.

HouseCall is free. All you need to do is visit the site and (optionally) register your email and region. The latter is used by Trend to track virus infections across the world. HouseCall then proceeds to download an authenticated ActiveX control. This is 'installed' in IE and scans your PC in real time, whenever you are connected to the Internet and have the HouseCall site (http://housecall.antivirus.com) open in your browser. The service is certainly popular, and figures on the site indicate that over 17 lakh people have visited the service this year!

The virus this week is Hard. Another .VBS worm, it replicates itself using email and primarily affects Outlook Express users. However, the worm can only run if you have the Windows Scripting Host (WSH) installed and active. For more on disabling WSH, check Tips 'n Tweak, it@ttt, 1 May 01 (http://www.careermosaicindia.com/itattt/May01/01/Tips.htm).

An infected email with the subject "FW: Symantec Anti-Virus Warning" pretends to originate from a prominent antivirus developer. It includes www.symantec.com.vbs as the file attachment. The email body includes the supposedly forwarded message:
"From: [[email protected]]
To: [[email protected]]; [[email protected]];
[[email protected]]; [[email protected]];
[[email protected]]; [[email protected]];
[[email protected]]
Subject: FW: Symantec Anti-Virus Warning
Hello,
There is a new worm on the Net.
This worm is very fast-spreading and very dangerous!
Symantec has first noticed it on April 04, 2001.
The attached file is a description of the worm and how it replicates itself.
With regards,
F. Jones
Symantec senior developer"

Once executed, the virus drops C:\WWW.SYMANTEC_SEND.VBS, which contains VBS script code that spreads infected e-mails via MS Outlook Express to all addresses found in the Windows Address Book (WAB). It also drops C:\MESSAGE.VBS, which on 24 November will generate a pop-up message: "Some shocking news! Don't look surprised! It is only a warning about your stupidity. Take care!"

Both worms register themselves in the System Registry's auto-run section. This ensures they will load every time you restart Windows until the trigger date. Once sent via email, the virus also creates a false IE home page that purportedly warns about a virus called VBS.AmericanHistoryX_II@mm. The worm is also programmed to avoid duplicate infections: it creates a registry key "HKLM\SOFTWARE\Microsoft\WAB\OE Done" and sets its value to "Hardhead_SatanikChild".

Finally, there's JS.Olvort.A@mm, a JavaScript worm. This arrives as an attachment and can have a variable name (either Olvortex.msg or Olvortex.html.js), which may be displayed as an HTML file. When executed, the worm emails itself to everyone in the contact list of your Microsoft Outlook address book. When JS.Olvort.A@mm runs, it first attempts to substitute the default icon corresponding to the JScript file type with the HTML file type icon. It then tries to open, using the default browser (usually IE), either http://support.microsoft.com/support/kb/articles/Q187/7/96.ASP, http://www.vortexdata.com/, http://www.vortex.com/ or http://www.idgexecforums.com/vortex/. After doing so, the worm then tries to open http://personal.vineyard.net/bond007/vortex/index.htm.

In the background, this .JS worm has dropped itself into the Windows\Startup folder as Regclean.exe.js. It then proceeds to infect the last 5 messages in the Microsoft Outlook Inbox or the 10 messages that precede these last 5 messages. The worm takes the first 8 characters of the existing email's subject line, attaches a copy of itself, appends .htm.js to the file name, and finally saves the email as Olvortex.msg in the Windows\Temp folder. It then proceeds to send a copy of the email to its sender and everyone else in the WAB.
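The file names described above (www.symantec.com.vbs, Olvortex.html.js, Regclean.exe.js) all end in a Windows Script Host extension placed behind a harmless-looking suffix. As an added example (not part of the original column), this Python check flags such attachment names in a raw email; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows Script Host runs on a double-click.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}


def classify(filename):
    """Return 'masquerade', 'script' or None for an attachment file name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    # More than one dot-separated suffix: the script type hides behind a decoy
    # such as ".com", ".html" or ".exe".
    return "masquerade" if len(parts) > 2 else "script"


def scan_message(raw_bytes):
    """List (filename, verdict) for every script attachment in a raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict = classify(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings


def build_sample():
    """Constructed test message; attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "FW: Symantec Anti-Virus Warning"
    msg.set_content("constructed sample body")
    for name in ("www.symantec.com.vbs", "Olvortex.html.js", "notes.txt", "macro.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:10} {name}")
```

A mail gateway would typically quarantine both verdicts; the "masquerade" label only marks the names built to look like a web address, page or program.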

I suspect that this rash of new viruses is because the VBS script generator used for the Naked Wife and Kournikova viruses was available online until recently. Budding hackers among our readers will be disappointed; the worm generator has since been removed.

Govind Menon
[email protected]
