Security Alert!

PCQ Bureau

Win32.Mypics.worm

This is an e-mail worm that’ll format your hard drives on January 1, 2000 and will also change your home page settings to pornographic sites. It affects Win 95/98 users using Microsoft Outlook and Internet Explorer.

It arrives in an e-mail with no subject. The body contains the message “Here’s some pictures for you” and an attachment named “Pics4You.exe”. Once opened, it loads itself into memory and executes by sending copies of itself to the first 50 addresses in your address book. It then modifies the system registry and creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

After this, it’ll automatically run when you restart your PC. It also changes your default home page to a Geocities-hosted Website that contains adult content. To clean the virus, it’s recommended that you manually delete the two registry keys created by the worm and run a good anti-virus scan on your PC.

Worm.ExploreZip (pack)

According to Symantec (www.symantec.com) the Worm.ExploreZip (pack), also known as MiniZip, is a variant of Worm.ExploreZip. The behavior of the worm is identical to Worm.ExploreZip, the only difference being that this one is a compressed executable Internet worm and its file size is about 40 percent smaller than the original Worm.ExploreZip. 

The worm uses MAPI-capable e-mail programs on Windows systems to propagate itself. The body of the e-mail appears to come from a known e-mail client and contains an attachment named zipped_files.exe. The attached file has a WinZip icon, which prompts unsuspecting users to run it as a self-extracting file. Once the attachment is executed, it executes the original Worm.ExploreZip routine and displays the following error message:

The worm then copies itself to the C:\Windows\System directory with the filename “explore.exe” and modifies the WIN.INI file. It also searches the mapped drives and network machines for Windows installations, and copies itself to the Windows directory of the remote machine. After this, it executes each time Windows starts.

In addition, when Worm.ExploreZip (pack) is executed, it searches drives C through Z of your computer system and accessible network machines for files with H, C, CPP, ASM, DOC, XLS and PPT extensions. It then destroys these or any newly-created files matching the extension list.

Norton AntiVirus users can protect themselves by downloading the current virus definitions either through LiveUpdate or from www.symantec.com/avcenter/download.html. Others can check their anti-virus vendor’s site and, if available, download a patch from there.

Symantec AntiVirus Research Center also has a quick workaround for the worm.

1. For Win 9x systems: remove the line

run=\Explore.exe

or

run=\_setup.exe

from the WIN.INI file.

For Win NT: remove the registry entry

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

which refers to explore.exe or _setup.exe.

2. Delete explore.exe or _setup.exe. If the file is in use, you may need to reboot first or kill the process using Task Manager.
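As an added, defender-side example (not from the article or from Symantec), the following Python checks a constructed WIN.INI text and a constructed set of Run-key values for the persistence entries the workaround above tells you to remove, and maps each finding to the matching cleanup step. The function names and sample data are assumptions; it does not read the live registry.

```python
"""Offline check for the Worm.ExploreZip persistence entries described above.

Added example, not PCQuest's or Symantec's code. Works on constructed
WIN.INI text and a constructed dict of Run-key values so it runs anywhere.
"""
import re

# File names the article says the worm installs itself under.
WORM_EXES = ("explore.exe", "_setup.exe")

# Per-user Run key named in the article's Win NT cleanup step.
NT_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run"

# Constructed sample data (not captured from a real machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=\Explore.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN_VALUES = {"SysTray": "SysTray.Exe", "_setup": r"C:\WINNT\SYSTEM32\_setup.exe"}


def _names_worm_exe(command: str) -> bool:
    """True if the first token of a command line is one of the worm's file names."""
    tokens = command.strip().strip('"').split()
    if not tokens:
        return False
    exe = re.split(r"[\\/]", tokens[0])[-1]  # last path component
    return exe.lower() in WORM_EXES


def winini_run_findings(win_ini_text: str) -> list:
    """Return run= entries in the [windows] section that load the worm (Win 9x case)."""
    findings, in_windows = [], False
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
            continue
        if in_windows and line.lower().startswith("run="):
            # A run= line may list several programs separated by spaces or commas.
            findings += [i for i in re.split(r"[\s,]+", line[4:].strip()) if _names_worm_exe(i)]
    return findings


def registry_run_findings(run_values: dict) -> list:
    """Return value names under the Run key whose data refers to the worm (Win NT case)."""
    return [name for name, data in run_values.items() if _names_worm_exe(data)]


def cleanup_plan(win_ini_text: str, run_values: dict) -> list:
    """Map findings to the article's two-step workaround."""
    steps = [f"1. Remove 'run={i}' from the [windows] section of WIN.INI" for i in winini_run_findings(win_ini_text)]
    steps += [f"1. Remove value '{n}' from {NT_RUN_KEY}" for n in registry_run_findings(run_values)]
    if steps:
        steps.append("2. Delete explore.exe / _setup.exe (reboot or end the process first if it is in use)")
    return steps


if __name__ == "__main__":
    print("\n".join(cleanup_plan(SAMPLE_WIN_INI, SAMPLE_RUN_VALUES)) or "No ExploreZip persistence entries found")
```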

W97M.Melissa.AA

According to Symantec, this is a modified variant of the W97M.Melissa.A virus. 

It’s a macro virus and infects Word 97/2000 documents. When an infected document is opened, it uses Microsoft Outlook to e-mail a copy of itself to as many as 100 users from your address book. Before mass-mailing the infected document, it checks the HKEY_CURRENT_USER\Software\Microsoft\Office\ registry key to see if it’s done this e-mailing before.

If this key has a value named “x” with value data “y”, then e-mailing has already been done from this machine, and the virus won’t do the mass-mailing a second time. If it doesn’t find the registry entry, it runs an e-mail payload similar to that of W97M.Melissa.A. The difference is that it sends to up to 100 addresses, with the following subject:

Duhalde Presidente USERNAME

where USERNAME is taken from the Word setting and the body contains the following text: 

Programa de gobierno 1999 - 2004

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from www.symantec.com/avcenter/download.html. Others can check their anti-virus vendor’s site and, if available, download a patch from there. Alternatively, you can change the registry settings using the Regedit command.