What's Up Doc

"What's up, Doc?" is the catchphrase of the Bugs Bunny character in the Looney Tunes cartoons. A French hacker seems to have decided it's his too, except it's morphed to "Wazup?" But don't panic. This is not a virus; it is merely a hoax. If you receive a copy, just kill it and forget about it. Under no circumstances forward it to everyone you know. That's spam.

The hoax's body, translated here from French, contains: "Warning, new virus!!!! To be taken seriously. NEW VIRUS NOTICE. It is very important to read what follows, especially for those who browse the internet. You surely know the Budweiser ad in which young men have fun bellowing their rallying cry 'WAZ UP?' (say Waza) into their phones."

Meanwhile, Mcon.B, another VBS (Visual Basic Script) worm, is spreading its tentacles through network shares and mIRC. The worm first copies itself into the Windows Fonts directory. It then installs itself in the Registry to run on startup. Right now the worm pings random Web addresses and puts itself into an infinite loop. This constant data chatter will slow your system down.

But the most persistent threat is another outbreak of Word 97 macro viruses. Generally known as WM97, the latest are WM97.Eight941.R and WM97.Chronic.A. Eight941 doesn't have a working payload. Chronic.A can overwrite your CMOS settings. This virus also tracks the number of times its code is executed, and on every 25th occurrence, the virus executes. Its payload consists of a complex series of checks on the day part of the date.

If the day can be divided exactly by 5, the virus attempts to set the write password for the current document to a value obtained from the system (normally "1297307460"). The payload also modifies the first 1020 bytes of specific files and appends "Karachi_y2k7" to the modified files. The virus currently affects only users of Windows 9x operating systems. Unfortunately, the file modifications corrupt the files beyond repair.

The payload affects SOL.EXE, MSHEARTS.EXE and FREECELL.EXE. If the day is exactly divisible by 3, these Windows files are affected: ROUTE.EXE and PING.EXE, as are NETOS.DLL, NETDI.DLL, NETBIOS.DLL, NETAPI.DLL and NETAPI32.DLL in the Windows System folder. If the day is divisible exactly by 3 or 6, this file is affected: NETCPL.CPL. If the day is divisible exactly by 3, 6 or 9, the virus affects LPT.VXD, SPOOL32.EXE, MSPRINT.DLL and MSPRINT2.DLL. But if the day is divisible exactly by 2, the virus prints 1-9 copies of the current document.

That's not all, because when the day can be divided exactly by 4, the virus modifies "C:\WINDOWS\WIN.COM" to contain the Trojan Troj/KillCMOS-E. This Trojan overwrites CMOS settings with random data and is run when Windows is restarted.

The best advice against these scourges: make sure your antivirus program is kept regularly updated.
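A triage check for the Chronic.A file damage described above, as an added example that is not part of the original article: it walks a directory tree and reports which of the named files carry the appended "Karachi_y2k7" marker, so they can be restored from clean media. The function names, the 64-byte tail window and the sample files are assumptions made for this sketch.

```python
import os
import tempfile

# Marker string and file names come from the article; sample data is constructed.
MARKER = b"Karachi_y2k7"
TARGETS = {
    "SOL.EXE", "MSHEARTS.EXE", "FREECELL.EXE", "ROUTE.EXE", "PING.EXE",
    "NETOS.DLL", "NETDI.DLL", "NETBIOS.DLL", "NETAPI.DLL", "NETAPI32.DLL",
    "NETCPL.CPL", "LPT.VXD", "SPOOL32.EXE", "MSPRINT.DLL", "MSPRINT2.DLL",
}
TAIL_WINDOW = 64  # assumption: the appended marker lies within the last 64 bytes

def has_marker(path, window=TAIL_WINDOW):
    """Return True if the tail of the file contains the appended marker."""
    with open(path, "rb") as fh:
        fh.seek(max(0, os.path.getsize(path) - window))
        return MARKER in fh.read()

def scan(root):
    """Return sorted paths of targeted files under root that carry the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Windows 9x file names are case-insensitive, so compare upper-cased.
            if name.upper() in TARGETS and has_marker(path):
                hits.append(path)
    return sorted(hits)

def demo():
    """Build a constructed sample tree, scan it, return hits relative to its root."""
    samples = {
        "sol.exe": b"\x00" * 1020 + b"rest" + MARKER,  # targeted, marked
        "PING.EXE": b"MZ" + b"\x90" * 200,             # targeted, clean
        "SYSTEM/NETAPI32.DLL": b"MZ" + MARKER,         # targeted, marked
        "NOTES.TXT": b"mentions " + MARKER,            # not a targeted name
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in scan(root)]

if __name__ == "__main__":
    print(demo())
```

Because the article says the modifications corrupt files beyond repair, a hit means the file needs replacing from a known-good source, not cleaning.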