VBS/Lisa.A@mm - The worm arrives in an e-mail message in the following format:
Subject: Click yes to vote against war.
Body: For voting agianst war, please open this message agian and click yes! It is very important! Thank you!
Upon opening this e-mail, the worm fills the hard disk with up to 5000 folders whose names are made up of random letters. These folders are then filled with text files containing the string:
I will never stop loving you.
It will then proceed to e-mail itself to everyone in the Microsoft Outlook Express Address Book. The worm also spreads through the mIRC and Kazaa networks, although this was not observed. It drops itself into the download directory for Kazaa under the following filenames:
Silvia Saint Gangbang.avi.vbs, Brittney Spears nude.jpg.vbs, Christina Aguilera Nipple.jpg.vbs, Lolita.jpg.vbs, Madonna-Song.mp3.vbs, Jennifer Lopez.mp3.vbs
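The dropped filenames all pair a media extension with a trailing .vbs, so a shared or download folder can be checked for that naming pattern. The following is an added example, not part of the original description; the extension sets and the function names are assumptions chosen for illustration, and the sample folder is constructed.

```python
import os
import tempfile

# Assumed extension sets (not from the page); tune them for your environment.
DECOY_EXTS = {".avi", ".jpg", ".jpeg", ".gif", ".mp3", ".mpg", ".txt", ".doc", ".pdf"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd",
               ".scr", ".pif", ".exe", ".com"}


def is_double_extension_lure(filename):
    """True when the real (last) extension is executable and the one before
    it is a media/document decoy, e.g. 'Madonna-Song.mp3.vbs'."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    name = filename.strip().rstrip(". ").lower()
    stem, real_ext = os.path.splitext(name)
    # rstrip() catches padding placed between the decoy and real extension.
    _, decoy_ext = os.path.splitext(stem.rstrip())
    return real_ext in SCRIPT_EXTS and decoy_ext in DECOY_EXTS


def find_lures(root):
    """Walk 'root' and return sorted relative paths of lure-named files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if is_double_extension_lure(fname):
                hits.append(os.path.relpath(os.path.join(dirpath, fname), root))
    return sorted(hits)


def demo():
    """Scan a constructed sample folder (empty files, names only)."""
    names = [
        "Madonna-Song.mp3.vbs",    # filename listed in the description above
        "Jennifer Lopez.mp3.vbs",  # filename listed in the description above
        "holiday.photo.jpg",       # constructed: real extension is .jpg
        "backup.vbs",              # constructed: script without a decoy extension
    ]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            open(os.path.join(root, n), "w").close()
        return find_lures(root)


if __name__ == "__main__":
    for path in demo():
        print("suspicious double extension:", path)
```

The check looks only at names, so it flags files for review rather than identifying this worm specifically.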
This worm also deletes all *.DOC files on the hard disk. It also deletes REGEDIT.EXE and WIN.COM, rendering the victim machine incapable of starting Windows subsequently. In some cases, the worm may delete the data files USER.DAT and SYSTEM.DAT (and their backups after a certain time frame).
Another payload of this worm is to reformat the C:\ drive by adding the following line into the AUTOEXEC.BAT file (this was not observed in testing).
Hoaxes:
This e-mail message is just a hoax; currently we know of no newsgroup message about the hoax, as the initial e-mail states. It is known to damage your computer very seriously. You are advised to delete any files that match this description, so that you do not pass it on to others.
Trojan Virus:
McAfee products using the 4.2.40 engine and 4253 DATs (or greater) with program heuristics enabled proactively detect the server component as 'trojan or variant VB-BackDoor2.gen' (assuming scanning of compressed files is enabled).
There are multiple variants of this trojan, and the specific actions taken are decided by the hacker who uses this trojan, so this description is a general guide.
As with most remote access trojans, this threat appears to consist of multiple components: the configuration, client and server components. Once the server is running on the victim machine, the hacker is able to connect to (and administer) that machine using the client component. The configuration component would allow the hacker to create slightly different versions of the trojan.
When run on the victim's machine, the server component installs itself onto the system, typically copying itself to the Windows or System directory. For example, as C:\WINDOWS\SYSTEM\SHELL32EXEC.EXE.
The server component can be used to offer many remote-administration functions to the hacker. These typically include:
Opening/closing CD tray
Turning on and off speakers
Enabling/Disabling Ctrl+Alt+Del
Minimizing windows
Forcing system log-off/restart/shut-down/power-off
Opening the internet browser/Notepad
Retrieving/Sending victim machine information (Windows version/Computer name/Environment variables/passwords)
Virus:
This is a macro virus for Word97 documents and templates, and is also famous for its use of email propagation using MS Outlook! This virus was first posted to several newsgroups on March 26, 1999. This virus will infect Office97 systems which have been updated to SR1 and above.
This virus uses a self-check method to check for a setting in the registry to test if the system has already been infected. This virus also sets macro security level to low security in Office2000.
Sending email messages via Outlook as mentioned above, text inserted into documents as mentioned above, macro warning when opening infected documents on a non-infected system, registry modifications as mentioned above.
Opening infected documents will directly infect the local Word environment and any document used thereafter.
It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.