Letterville | Bull Board
Copyright ©1995-2008
The Letterhead Website

 

 

The Letterville BullBoard   
Topic: WARNING! W32.Badtrans Virus
Jon Butterworth
Deceased


Member # 227

Further to Si Allen's post below warning about this virus, it is reaching plague proportions here in Australia. There are warnings on national TV and radio!

I received 8 copies this morning!!!

The latest Norton update picks them up immediately BUT do not attempt to delete from Outlook Express. Use Norton's Quarantine and delete from there. I don't know if one of the files this morning was a variation, but when I tried to delete it from O/E it copied itself several times into Temporary Internet Files.

I had to quarantine each copy and delete from there.

Geez, there's some sick people out there!

--------------------
Bushie^
aka Jon Butterworth

Executive Director
HARDLY NORMAL
SIGN COMPANY

http://www.icr.com.au/~jonsigns


Posts: 4014 | From: Toowoomba, Queensland, Australia | Registered: Nov 1998
Henry Barker
Resident


Member # 174

Just been having some long talks with Ray (Hill). He got a mail a couple of days ago from Steve Barba with an attachment... and opened it as he thought he knew Steve from here! Bang, in went the worm!!

So yesterday I think Ray was beginning to pull his hair out as he was getting mails from all over saying that he was spreading a virus and had no idea about it. I saw some references to Minna Hill down below by Adrienne.... Ray doesn't have you in his address book but you got a mail from him with the virus.... it's weird. Anyhow, he has updated his virus program, and Norton says his system is clean except that occasionally the mail program is still trying to send out infected mail, but Norton is now preventing it before it happens.

This must mean that there are still remains of something in the system files; is it Kernel32.exe or something like that? Ray tried to follow the instructions for removal using Windows ME but it doesn't work in the way suggested on Norton's site. He has done a full system scan with Norton while running in Safe Mode.

Any help from anyone running ME would be much appreciated.

What a way to make yourself known with having little to do with it yourself!

--------------------
Henry Barker #1924akaKaftan
SignCraft AB
Stockholm,
Sweden.
A little bit of England in a corner of Stockholm www.signcraft.se www.facebook.com/signcraftsweden


Posts: 1552 | From: Stockholm, Sweden | Registered: Nov 1998
Joey Madden
Resident


Member # 1192

Yesterday I got an email from Mackbrush with an attachment, which I deleted from the get-go. Today I got something saying there is a virus attached to it.

--------------------
HotLines Joey Madden - pinstriping since 1952
'Perfection, its what I look for and what I live for'




http://members.tripod.com/Inflite
http://www.pinheadlounge.com/hotlinesjoeymadden

Posts: 5962 | From: USA | Registered: Nov 1999
David Fisher
Visitor
Member # 107

Henry,
There is a good description of the virus here.
http://datafellows.com/v-descs/badtrs_b.shtml
I found the Norton information to be a little ambiguous too.
HTH,
David

--------------------
David Fisher
D.A. & P.M. Fisher Services
Brisbane Australia
da_pmf@yahoo.com
Trying out a new tag:
"Parents are the bones on which children cut their teeth
Peter Ustinov

Posts: 1450 | From: Brisbane Queensland Australia | Registered: Nov 1998
Adrienne Pereira
Visitor
Member # 1046

Here's more info on this... note the bold highlighting I added at the end. I was going to post a warning regarding how this adds a - to the address so you can't hit reply, but it's explained below...
~~~~~~~~~~
W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes. This worm arrives as an email with one of several attachment names and a combination of two appended extensions. It contains a set of bits that control its behavior:

001 Log every window text
002 Encrypt keylog
004 Send log file to one of its addresses
008 Send cached passwords
010 Shut down at specified time
020 Use copyname as registry name (else kernel32)
040 Use kernel32.exe as copyname
080 Use current filename as copypath (skips 100 check)
100 Copy to %system% (else copy to %windows%)

When it is first executed, it copies itself to %System% or %Windows% as Kernel32.exe, based on the control bits. Then it registers itself as a service process (Windows 9x/Me only). It creates the key log file %System%\Cp_25389.nls and drops %System%\Kdll.dll which contains the key logging code.

NOTE: %Windows% and %System% are variables. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) or the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

A timer is used to examine the currently open window once per second, and to check for a window title that contains any of the following as the first three characters:

LOG
PAS
REM
CON
TER
NET

These texts form the start of the words LOGon, PASsword, REMote, CONnection, TERminal, NETwork. There are also Russian versions of these same words in the list. If any of these words are found, then the key logging is enabled for 60 seconds. Every 30 seconds, the log file and the cached passwords are sent to one of these addresses or some others which are currently not operational:

ZVDOHYIK@yahoo.com
udtzqccc@yahoo.com
DTCELACB@yahoo.com
I1MCH2TH@yahoo.com
WPADJQ12@yahoo.com
smr@eurosport.com
bgnd2@canada.com
muwripa@fairesuivre.com
eccles@ballsy.net
S_Mentis@mail-x-change.com
YJPFJTGZ@excite.com
JGQZCD@excite.com
XHZJ3@excite.com
OZUNYLRL@excite.com
tsnlqd@excite.com
cxkawog@krovatka.net
ssdn@myrealbox.com

After 20 seconds, the worm will shut down if the appropriate control bit is set.

If RAS support is present on the computer, then the worm will wait for an active RAS connection. When one is made, with a 33% chance, the worm will search for email addresses in *.ht* and *.asp in %Personal% and Internet Explorer %Cache%. If it finds addresses in these files, then it will send mail to those addresses using the victim's SMTP server. If this server is unavailable the worm will choose from a list of its own. The attachment name will be one of the following:

Pics
images
README
New_Napster_Site
news_doc
HAMSTER
YOU_are_FAT!
stuff
SETUP
Card
Me_nude
Sorry_about_yesterday
info
docs
Humor
fun

In all cases, MAPI will also be used to find unread mail to which the worm will reply. The subject will be "Re:". In that case, the attachment name will be one of the following:

PICS
IMAGES
README
New_Napster_Site
NEWS_DOC
HAMSTER
YOU_ARE_FAT!
SEARCHURL
SETUP
CARD
ME_NUDE
Sorry_about_yesterday
S3MSONG
DOCS
HUMOR
FUN

In all cases, the worm will append two extensions. The first will be one of the following:

..doc
..mp3
..zip

The second extension that is appended to the file name is one of the following:
..pif
..scr

The resulting file name would look similar to CARD.Doc.pif or NEWS_DOC.mp3.scr.

If SMTP information can be found on the computer, then it will be used for the From: field. Otherwise, the From: field will be one of these:

"Mary L. Adams" <mary@c-com.net>
"Monika Prado" <monika@telia.com>
"Support" <support@cyberramp.net>
" Admin" <admin@gte.net>
" Administrator" <administrator@border.net>
"JESSICA BENAVIDES" <jessica@aol.com>
"Joanna" <joanna@mail.utexas.edu>
"Mon S" <spiderroll@hotmail.com>
"Linda" <lgonzal@hotmail.com>
" Andy" <andy@hweb-media.com>
"Kelly Andersen" <Gravity49@aol.com>
"Tina" <tina0828@yahoo.com>
"Rita Tulliani"
"JUDY" <JUJUB271@AOL.COM>
" Anna" <aizzo@home.com>

Email messages use the malformed MIME exploit to allow the attachment to execute in Microsoft Outlook without prompting. For information on this, go to:

<http://www.microsoft.com/technet/security/bulletin/MS01-020.asp>

The worm writes email addresses to the %System%\Protocol.dll file to prevent multiple emails to the same person. Additionally, the sender's email address will have the "_" character prepended to it, to prevent replying to infected mails to warn the sender (eg user@website.com becomes _user@website.com).

After sending mail, the worm adds the value

Kernel32 kernel32.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

--------------------------------------------------------------------------------

[ November 28, 2001: Message edited by: AdrienneMorgan ]



--------------------
Adrienne Pereira
Splash Signs

Port Angeles, WA
----------------
"Sure, it's colder in the Northwest, but...it's a damp cold!"

360-477-5656
splashsigns@msn.com

Posts: 4873 | From: Port Angeles, Washington, USA | Registered: Sep 1999
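The write-up quoted in the post above gives three indicators that are visible in the mail itself: an attachment name with two appended extensions ending in .pif or .scr, a MIME header that misdeclares that executable so Outlook runs it without prompting (the MS01-020 pattern), and a sender address with "_" prepended so replies never reach the infected user. The following is an added example, not Symantec's or the forum's code, showing how a mail filter would check for those three indicators with Python's standard `email` library. The two messages and all addresses in it are constructed for the example; the assumption that a .pif/.scr attachment declared as anything other than an `application/*` type is a mismatch is mine.

```python
"""Mail-side triage for the W32.Badtrans.B@mm indicators quoted above.

Added example (not Symantec's or the forum's code). It parses a constructed
MIME message with Python's standard `email` library and reports the three
mail-visible indicators the write-up gives: an attachment with a double
extension ending in .pif or .scr, a declared Content-Type that does not match
that executable extension (the MS01-020 pattern), and a sender whose local
part has been prefixed with "_". Sample messages and addresses are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Extension pairs the write-up lists (compared case-insensitively).
FIRST_EXTS = {"doc", "mp3", "zip"}
EXEC_EXTS = {"pif", "scr"}

# Constructed sample modelled on the description: "Re:" reply, doubled
# extension, media Content-Type on an executable, "_"-prefixed sender.
SAMPLE_MSG = b"""From: "Mary" <_mary@example.net>
To: victim@example.com
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: audio/x-wav; name="CARD.Doc.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="CARD.Doc.pif"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message used to show the checks stay quiet.
CLEAN_MSG = b"""From: "Accounts" <accounts@example.net>
To: victim@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Invoice attached.
--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.pdf"

JVBERi0xLjQK
--b2--
"""


def split_extensions(filename):
    """'CARD.Doc.pif' -> ['doc', 'pif']; 'README' -> []."""
    parts = filename.lower().split(".")
    return parts[1:]


def attachment_indicators(part):
    """Indicators for one attachment part of an EmailMessage."""
    findings = []
    exts = split_extensions(part.get_filename() or "")
    if not exts or exts[-1] not in EXEC_EXTS:
        return findings
    findings.append(f"executable attachment extension .{exts[-1]}")
    if len(exts) >= 2 and exts[-2] in FIRST_EXTS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]} (Badtrans naming)")
    ctype = part.get_content_type()
    if not ctype.startswith("application/"):
        # Assumption: an executable declared as a non-application type is a
        # mismatch of the kind MS01-020 describes.
        findings.append(f"Content-Type {ctype} declared for an executable (MS01-020 pattern)")
    return findings


def sender_indicators(msg):
    """Flag the '_' the worm prepends to the sender so replies bounce."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    local = addr.split("@", 1)[0]
    if local.startswith("_"):
        return [f"sender {addr} has '_' prepended; a warning reply would not reach the victim"]
    return []


def triage(raw_bytes):
    """Return the list of indicator strings found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = sender_indicators(msg)
    for part in msg.iter_attachments():
        findings.extend(attachment_indicators(part))
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MSG), ("clean", CLEAN_MSG)):
        print(label, triage(raw) or "no indicators")
```

The extension check keys on the last extension only, so a filename like `NEWS_DOC.mp3.scr` is caught even if a future variant changes the first extension; the double-extension line is then just a stronger attribution hint. Run the block directly to see the sample flagged and the clean message pass.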
Glenn Taylor
Visitor
Member # 162

I got an e-mail from Norton today. Below is a portion that I thought might be of interest......

*********
November 27, 2001
_____________________________

In this issue:

1. W32.Badtrans.B@mm
2. W32.Aliz.Worm
3. Feedback
4. Subscribing and unsubscribing
5. Disclaimer
_____________________________

NOTE: This is an outgoing email address. Please do not reply to this
email message. If you require assistance installing, configuring, or
troubleshooting a Symantec product, or you have a question for
Customer Service, please visit the Symantec Service & Support Web
site at the following address:

http://www.symantec.com/techsupp/

Select your product and version and click Go.

To see an HTML version of this newsletter, please visit the following
Web site:

http://www.symantec.com/techsupp/vURL.cgi/navarc

_____________________________

1. W32.Badtrans.B@mm

W32.Badtrans.B@mm is a MAPI worm that emails itself out as a file
with one of several different names. This worm also creates a .dll in
the \Windows\System directory as Kdll.dll. It uses functions from
this .dll to log keystrokes. Virus definitions dated November 24,
2001 will detect this worm. For additional information, point your
Web browser to:

http://www.symantec.com/techsupp/vURL.cgi/nav108
_____________________________

2. W32.Aliz.Worm

W32.Aliz.Worm is a very simple SMTP mass-mailer worm. The worm
currently only replicates on Windows 9x computers. It does not seem
to spread on Windows NT platforms. The worm spreads by obtaining
email addresses from the Windows address book and sending itself to
those addresses. Virus definitions dated May 22, 2001 will detect
this worm.

When the worm arrives by email, the worm uses a MIME exploit that
allows the virus to be run just by reading or previewing the email.
Information on and a patch for this exploit can be found at

http://www.symantec.com/techsupp/vURL.cgi/nav110

For additional information, point your Web browser to:

http://www.symantec.com/techsupp/vURL.cgi/nav109

--------------------
BlueDog Graphics
Wilson, NC

www.BlueDogUSA.com

Warning: A well designed sign may cause fatigue due to increased business.


Posts: 10691 | From: Wilson, NC, USA | Registered: Nov 1998
Benji Mcentire
Visitor
Member # 2442

Ok, here is some information. We had it on one of the machines here; thankfully it's not a machine with any of our business addresses on it. We checked this machine, which is 98, and no virus, but it did get our ME machine, and we even had virus software, so all day we have been trying to get rid of this virus, and I found a link at

http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

It tells how to remove it, plus what it does. As above, it adds stuff to the registry, so once you restart it comes back, so in this they say to do it all in Safe Mode and remove the line it added in your Reg files. Read this, I hope it helps; we are going to do it ourselves here shortly.

Benji

--------------------
Benji McEntire
Harrison Graphics/Signs of America
Harrison, Arkansas 72601
signmaker@cox.com


Posts: 70 | From: Harrison, Arkansas | Registered: Nov 2001
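Both the Symantec text quoted earlier (the `Kernel32 kernel32.exe` value under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`) and the post above (remove the registry line in Safe Mode or it comes back on restart) turn on one autorun entry. Below is an added example, not Symantec's removal tool or anything from this thread, that parses a REGEDIT4-style export (the format Windows 9x/Me `regedit /e` produces) and flags the worm's persistence. It checks the Run keys as well as RunOnce, under HKCU as well as HKLM, as an assumption about where a practitioner would also look; the sample export and its non-worm entries are constructed, not taken from a real machine.

```python
"""Host-side check for the W32.Badtrans.B@mm persistence entry.

Added example, not Symantec's removal tool or anything from the thread. It
parses a REGEDIT4-style export (the format Windows 9x/Me `regedit /e`
writes) and flags Run/RunOnce values that launch the worm's copy. The
sample export is constructed for this example.
"""
import re

# The write-up names HKLM\...\RunOnce; Run and the HKCU equivalents are
# added here as an assumption about where a practitioner would also look.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Constructed sample export. Backslashes in REGEDIT4 string data are doubled.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"
"""

# "Name"=data or @=data (the key's default value).
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def unescape_reg_string(data):
    """Strip quotes and undo REGEDIT4 escaping of a REG_SZ literal."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4/5 export."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith(("REGEDIT4", "WINDOWS REGISTRY EDITOR")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            entries[current][name] = unescape_reg_string(m.group(3))
    return entries


def command_image(command):
    """Return the executable part of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autorun_findings(entries):
    """Findings for Run/RunOnce values: the worm's kernel32.exe at high
    severity, plus a review note for any other bare .exe name that relies on
    the search path (a heuristic, not part of the write-up)."""
    findings = []
    for key, values in entries.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            image = command_image(data)
            base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base == "kernel32.exe":
                # Windows ships kernel32.dll; there is no legitimate kernel32.exe.
                findings.append({"key": key, "value": name, "data": data,
                                 "severity": "high",
                                 "why": "kernel32.exe autorun matches Badtrans.B"})
            elif "\\" not in image and base.endswith(".exe"):
                findings.append({"key": key, "value": name, "data": data,
                                 "severity": "review",
                                 "why": "bare executable name resolved via the search path"})
    return findings


if __name__ == "__main__":
    for f in autorun_findings(parse_reg_export(SAMPLE_EXPORT)):
        print(f["severity"], f["key"], f["value"], "=", f["data"], "|", f["why"])
```

Matching on the data rather than the value name matters here: the control bits in the write-up allow the worm to register under its copy name instead of `Kernel32`, so a check keyed on the value name alone could miss it. Deleting the flagged value and the file it points to should still be done from Safe Mode, as the posts say, since the running copy re-creates the entry after it mails.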
   

Powered by Infopop Corporation
UBB.classic™ 6.7.2
