Fishing Time

16 Nov 2000
Virus News

Extraordinary simultaneous activity of several dangerous Internet-worms has been detected

Cambridge, UK, November 17, 2000 - Kaspersky Lab Int., an international data-security software-development company, warns users of the notable activity of several dangerous Internet-worms occurring at this time.

Kaspersky Lab has been receiving reports from users whose computers have been infected by the Internet-worm Hybris. Kaspersky Lab recently informed users of this worm's danger, and we reiterate that it is a very complex piece of malicious code that its author can update through his own Web page or through the anti-virus conference alt.comp.virus, which is already replete with this virus' components.

Also still active is an Internet-worm called Navidad; although it is fairly harmless, it still causes users trouble. The infected e-mail contains an embedded file and the following message in Spanish: "Nunca presionar este boton" (never click on this button). A user who clicks on this button causes himself headaches, because a dialogue box appears on the screen telling him that he has lost his computer due to his curiosity. In reality, however, this malicious code is easily deleted.

Yesterday, the first reports about the Internet-worm Music arrived at Kaspersky Lab, which estimates that this worm has every chance of becoming an epidemic.

An entertaining payload hiding the worm's main activity accompanies this virus, displaying a Christmas scene and playing a carol. Music-worm contains the following Subject and Texts:

Subject: Testing to send file

Text: Hi, just testing email using Merry Christmas music file, not bad music.

or:

Text: Hi, just testing email using Merry Christmas music file, you'll like it.

"Music" has the ability to upgrade its components from an Internet site. This malicious utility downloads three files from there (that are supposed to be its plugins), detects their versions, and, if these versions are above those currently used, replaces its components with the new ones. The worm is thus able to change its functionality depending on its author's needs.

Another Internet-worm that has attracted the attention of Kaspersky Lab's specialists is called Blebla, which was discovered on November 16 in Poland. Several reports also have been received from Denmark. The worm appears as an e-mail message in HTML format and has two attached files: MYJULIET.CHM and MYROMEO.EXE.

What sets this worm apart is that the attached file does not need to be opened for the malicious program to start. The worm activates itself automatically when an infected message is opened or previewed. To do so, the worm uses a vulnerability in the Windows scripting security: the first part of the malicious utility contains a script program that is automatically executed by this operating system. As a result, the CHM component of the message (the MYJULIET.CHM file) is loaded and activated, which in turn executes the MYROMEO.EXE file, the main worm body itself.

When the malicious programme runs, it opens the Address Book, reads the e-mail addresses stored there and sends its HTML message with the attached CHM and EXE files to them. The message has a Subject that is randomly selected from the following list:

Romeo&Juliet

:))))))

hello world

!!??!?!?

subject

ble bla, bee

I Love You ;)

sorry...

Hey you !

Matrix has you...

my picture

from shake-beer
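As an added illustration (not Kaspersky Lab's code or detection logic), the Blebla indicators listed above can be turned into a simple mail-gateway check. The function names `build_sample` and `classify`, the verdict labels and the sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text above (compared case-insensitively).
BLEBLA_ATTACHMENTS = {"myjuliet.chm", "myromeo.exe"}
BLEBLA_SUBJECTS = {
    "romeo&juliet", ":))))))", "hello world", "!!??!?!?", "subject",
    "ble bla, bee", "i love you ;)", "sorry...", "hey you !",
    "matrix has you...", "my picture", "from shake-beer",
}

def build_sample(subject, attachments):
    """Constructed HTML test message; attachment bodies are placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("<html><body>hi</body></html>", subtype="html")
    for name in attachments:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

def classify(raw_bytes):
    """Return 'match', 'suspicious' or 'clean' for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names, has_html = set(), False
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            has_html = True
        fname = part.get_filename()
        if fname:
            names.add(fname.strip().lower())
    hits = names & BLEBLA_ATTACHMENTS
    # Full pattern from the advisory: HTML message carrying both named files.
    if hits == BLEBLA_ATTACHMENTS and has_html:
        return "match"
    # Several listed subjects ("subject", "hello world") are too generic to flag
    # alone, so a subject hit only counts alongside a CHM or EXE attachment.
    risky = any(n.endswith((".chm", ".exe")) for n in names)
    if hits or (subject in BLEBLA_SUBJECTS and risky):
        return "suspicious"
    return "clean"
```
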

Protection procedures thwarting all of the above-mentioned Internet worms have been added to the Kaspersky® Anti-Virus (AVP) anti-virus database.

Technical details about these worms' principles and operation are available at the Kaspersky Virus Encyclopedia (www.viruslist.com).