Subject: Virus uyarisi
From: Mustafa Akgul (akgul@Bilkent.EDU.TR)
Date: Mon 06 Dec 1999 - 17:40:27 EET
ZIPFILES.EXE dosaysini attachmnet olarak dagitan bir bir virus aktif
olarak calsiyor sua nda.son yarim saatte bana bir kac tane geldi.
Bu mesaja ek olarak ANTI.ZIP adiyla bir dosya gonderiyorum.
Bu eketeki mesajda bahsedilen zipfiles.zip
zipfiles.zip'i ftp://akgul.bilkent.edu.tr/pub/
ftp://sunsite.bilkent.edu.tr/pub/virus/
http://sunsite.bilkent.edu.tr/pub/virus/
altindanda alabilrisniz.
ekete mesajda bu dosayi ureten datafellow'un tam adrsi veriliyor.
Kolay gelsin
%%%%%%%%%%%%%%%%%%%%
From: kanat.gezgen@mail.abank.com.tr (kanat gezgen)
>From: Bulent Koc [mailto:bulentkoc@ihlas.com.tr]
Sent: Monday, December 06, 1999 10:03 AM
Subject: Ynt: [DUYURU] Virus iceren file hakkinda
New Variant of ExploreZip Worm Wreaks Havoc Across Corporate Networks
Espoo, Finland, December 1, 1999 - Data Fellows, a leading
provider of centrally managed, widely distributed security solutions, today
announced, that a new variation of the ExploreZip worm has been found and
has already infected a number of Fortune 500 companies as well as a host of
smaller companies during business day Tuesday in the US. This virus works
like a chain letter and carries a destructive payload. So far, Data Fellows
has received reports from the USA, Europe and Asia.
The virus is likely to spread globally within hours.
This virus is known as W32/ExploreZip.worm.pak. According to
Data Fellows virus researchers, the original virus has been packed to reduce
its file size to half. This made the new variant undetectable to most
anti-virus programs, which has not been updated very recently. The virus
itself arrives to a user via an e-mail attachment. When the attachment is
opened, the virus will start to reply to e-mail messages, making it appear
as if the user would have replied personally. In addition to this, once the
virus infects one machine in a corporate network, it will start to look for
other Windows workstations in the network. If another user has shared
directories from his machine with others, the virus will try to infect this
machine over the network.
As a result, if a user called John Doe receives an e-mail
from Jane Smith with the subject 'Please check these numbers', John's
machine will automatically send a message which will look like this:
From: John Doe
To: Jane Smith
Subject: RE: Please check these numbers
Hi Jane
I have received your email and I shall send you a reply
ASAP.
Till then take a look at the attached zipped docs.
Sincerely
John.
Attachment: zipped_files.exe
The attachment looks like a WinZip archive file. When the
receiver tries to unpack it by double-clicking it, he will get a WinZip
error message complaining about a broken archive. In addition to spreading
like a chain letter, the virus will try to overwrite the user's document
files on any accessible drives, including all network drives. If the
recipient is using an e-mail system other than Microsoft Outlook,
ZippedFiles will not spread further. However, it will damage the recipient's
files. ZippedFiles operates under the Windows 95, 98 and NT operating
systems. "This seems to be spreading fast," Mikko Hypponen, Manager of
Anti-Virus Research at Data Fellows Corporation, comments, "but not as fast
Melissa. The key issue here is that messages sent by ZippedFiles are very
credible - they are normal-looking replies to messages you have sent
earlier. You're quite likely to trust these messages and open the
attachment."
Data Fellows already have detection and removal of this new
variant worm with a special update that can be downloaded from:
ftp (special update):
ftp://ftp.europe.DataFellows.com/anti-virus/updates/avp/zipfiles.zip
ftp (all updates including the special one):
ftp://ftp.europe.DataFellows.com/anti-virus/updates/fsupdate.exe
(all updates including the special one)
http://www.europe.datafellows.com/download-purchase/updates.html
About Data Fellows
Data Fellows is a leading developer of centrally managed,
widely distributed security solutions. The company offers a full range of
award-winning, integrated anti-virus, file encryption and VPN solutions for
workstations, servers and gateways. F-Secure products and Framework are
uniquely suited for delivery of Security as a Service(tm) by enterprise IT
departments as well as a wide range of partners including ISPs, outsourcing
firms and ASPs. For the end-user, Security as a Service is invisible,
automatic, reliable, always-on, and up-to-date. For the administrator,
Security as a Service means policy-based management, instant alerts, and
centralized management of a widely-distributed user base.
Founded in 1988, Data Fellows is listed on the Helsinki
Stock Exchange (HEX:FSC). The company is headquartered in Espoo, Finland
with North American headquarters in San Jose, California, as well as offices
in Canada, Germany, China, France, Japan and the United Kingdom. Data
Fellows is supported by a network of VARs and Distributors in over 90
countries around the globe.
New worm virus launches directly through e-mail, ("Bubbleboy")
not through attachment
PALO ALTO, Calif. (Reuters) - Researchers have discovered
what they believe to be the first e-mail-borne computer infection that
doesn't require a user to open an e-mail or e-mail attachment for it to
wreak havoc.
Dubbed "Bubbleboy" after an episode of TV sitcom "Seinfeld,"
the virus is known as a worm because it is self-propagating. Researchers at
antivirus software firm Network Associates Inc. (NETA) received the computer
infection anonymously Monday night at about 10 p.m. local time.
"Historically, as long as you don't open e-mail attachments
you're safe from virus infection, but this changes all that," said Sal
Viveros, a marketing manager at Network Associates. "We've finally come to
the point where, if you're using e-mail, specifically Microsoft Corp.'s
(MSFT) Outlook, you need to have some sort of virus protection or you
shouldn't read e-mail."
Although the Bubbleboy virus that researchers received
Tuesday night didn't cause such harm as deleting files or stealing
passwords, it won't be long before variants crop up that are indeed
destructive, Viveros said.
"In this case, it's just sending itself all over the place,
but it could fairly easily delete files or steal passwords," Viveros said.
Bubbleboy appears as an e-mail with "Bubbleboy is Back!" in
the subject line and includes pictures and sounds from the Seinfeld episode
that gave it its name.
Bubbleboy follows other e-mail-borne viruses that already
have swept the Internet such as the "ExploreZip worm," which can erase files
from a user's computer, and the Melissa virus, which gained notoriety for
its ability to spread quickly but not because it destroyed any data.
Network Associates gave Bubbleboy a "low risk"
classification for now because customers haven't yet notified it that the
virus has appeared on their computers.
What makes this worm particularly nefarious is that if a
user is running Outlook Express and has the preview pane enabled, the worm
can infect the computer without the user even opening the e-mail.
The preview pane in Outlook Express lets users scan e-mails
to see their contents without having to open them first. Other e-mail
programs such as Exchange and Lotus Notes also are vulnerable, Viveros said.
"Now, just by reading an e-mail you can be infected, and if
you're using Outlook Express you don't even need to read it," Viveros said.
The worm then will send itself to everyone listed in that e-mail program's
address book.
Bubbleboy refers to a Seinfeld episode in which a boy who
lives in a bubble because of a faulty immune system is a big fan of Jerry
Seinfeld, who plays himself as a stand-up comic on the popular series. Jerry
and George Castanza, a friend of Jerry's, visit the boy and play Trivial
Pursuit.
But the answer on one of the cards is misspelled, and the
boy in the bubble and George get into a fight. The fight ends with George
accidentally popping the boy's bubble. "But unfortunately, this virus is not
very funny," Viveros said.
Data Fellows discovers the first virus to infect MS Project
Data Fellows discovers the first virus to infect MS
Project - Almost all popular Microsoft applications can now be carriers of
viruses.
Espoo, Finland, October 26, 1999. - Data Fellows, one of the
world's leading developers of anti-virus and encryption software, announced
today the discovery of a new computer virus. P98M/Corner is the first macro
virus to infect the Microsoft Project application. This virus is capable of
infecting both Project and Word and can travel between them.
"This virus sample arrived to us in an anonymous e-mail sent
through a remailer service", explains Mr. Mikko Hypponen, Manager of
Anti-Virus Research at Data Fellows Corporation. The Corner virus has not
been seen in the wild yet.
With the discovery of the first MS Project macro virus,
almost all popular Microsoft applications are now suspectible to virus
infections. Macro viruses have been written for the following Microsoft
applications:
a.. Microsoft Word 2.0
b.. Microsoft Word 95
c.. Microsoft Word 97
d.. Microsoft Word 2000
e.. Microsoft Excel 4.0
f.. Microsoft Excel 95
g.. Microsoft Excel 97
h.. Microsoft Excel 2000
i.. Microsoft PowerPoint 97
j.. Microsoft PowerPoint 2000
k.. Microsoft Access 97
l.. Microsoft Project 98
The Corner virus keeps on spreading from one user to another
in infected Word "DOC" and Project "MPP" files. In addition to spreading,
the virus does not do anything visible.
The virus code does contain these comments:
'I never realized the lengths I'd have to go
'All the darkest corners of a sense
'I didn't know
'Just for one moment
'hearing someone call
'Looked beyond the day in hand
'There's nothing there at all
'Project98/Word97-2k Closer
"Although the Corner virus does not do anything but
replicate, it is still a serious risk to users of Microsoft Project",
comments Hypponen. "We're likely to see several new viruses using similar
techniques in the future."
TECHNICAL INFORMATION
When an infected document is opened in Microsoft Word 97 or
2000, Corner.A checks if Microsoft Project is running. If it is, it gets
infected.
The Word part of the virus is a simple class infector. It
spreads when an infected document is closed. At this time it sets the Office
2000 security settings to low, disables the "Tools/Macros" menu and turns
off the macro virus protection. After that the virus replicates to all
opened documents.
Corner is not able to infect Microsoft Word 2000, unless the
user has first changed the security settings to medium or low.
To infect Project, the virus adds a new blank project and
inserts the virus code into the "ThisProject" class module.
When an infected document is opened in Microsoft Project 98,
Corner.A infects the Word application, even if it is not running.
The MS Project part of the virus is not resident, and it
does not infect the global project. The virus replicates during the project
deactivation (after an infected project has been opened).
The virus infects a Word application by opening it and
inserting the virus code in the global template's class module
"ThisDocument". This process is hidden from the user and the user can't see
the infection of Word.
Further technical information is available on our web site
http://www.DataFellows.com/v-descs/corner.htm
An screenshot of the virus is available at:
http://www.DataFellows.com/virus-info/v-pics/