VIRUS ALERT VBS/OnTheFly
CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code

   Original release date: February 12, 2001
   Last revised: February 12, 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Users of Microsoft Outlook who have not applied previously available
       security updates.

Overview

   The "VBS/OnTheFly" malicious code is a VBScript program that spreads via
   email. As of 7:00 pm EST (GMT-5) Feb 12, 2001, the CERT Coordination
   Center had received reports from more than 100 individual sites. Several
   of these sites have reported suffering network degradation as a result of
   mail traffic generated by the "VBS/OnTheFly" malicious code.

   This malicious code can infect a system if the enclosed email attachment
   is run. Once the malicious code has executed on a system, it will take the
   actions described in the Impact section.

I. Description

   When the malicious code executes, it attempts to send copies of itself,
   using Microsoft Outlook, to all entries in each of the address books. The
   sent mail has the following characteristics:

     SUBJECT:    "Here you have, ;o)"
     BODY:       Hi: Check This!
     ATTACHMENT: "AnnaKournikova.jpg.vbs"

   Users who receive copies of the malicious code via electronic mail will
   probably recognize the sender. We encourage users to avoid executing code,
   including VBScripts, received through electronic mail, regardless of the
   sender's name, without prior knowledge of the origin of the code or a
   valid digital signature.

   It is possible for recipients to be tricked into opening this malicious
   attachment, since the file will appear without the .VBS extension if "Hide
   file extensions for known file types" is turned on in Windows.

II. Impact

   When the attached VBS file is executed, the malicious code attempts to
   modify the registry by creating the following key:

     HKEY_CURRENT_USER\Software\OnTheFly="Worm made with Vbswg1.50b"

   Next, it places a copy of itself into the Windows directory:

     C:\WINDOWS\AnnaKournikova.jpg.vbs

   Finally, the malicious code attempts to send separate, infected email
   messages to all recipients in the Windows Address Book. Once the mail has
   been sent, the malicious code creates the following registry key to
   prevent future mailings of the malicious code:

     HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1

   The code's propagation can lead to congestion in mail servers that may
   prevent them from functioning as expected. Beyond this effect, there does
   not appear to be a destructive payload associated with this malicious
   code. However, historical data has shown that the intruder community can
   quickly modify the code for more destructive behavior.

III. Solution

  Update Your Anti-Virus Product

   It is important for users to update their anti-virus software. Some
   anti-virus software vendors have released updated information, tools, or
   virus databases to help combat this malicious code. A list of
   vendor-specific anti-virus information can be found in Appendix A.

  Apply the Microsoft Outlook E-mail Security Update

   To protect against this malicious code, and others like it, users of
   Outlook 98 and 2000 may want to install the Outlook E-mail Security
   update included in Outlook SR-1. More information about this update is
   available at

     http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm

   You may also find the following document on Outlook security useful:

     http://www.microsoft.com/office/outlook/downloads/security.htm

   The Outlook E-mail Security update provides features that can prevent
   attachments containing executable content from being displayed to users.
   Other types of attachments can be configured so that they must be saved
   to disk before they can be opened (or executed). These features may
   greatly reduce the chances that a user will incorrectly execute a
   malicious attachment.

  Filter the Virus in Email

   Sites can use email filtering techniques to delete messages containing
   subject lines known to contain the malicious code, or can filter
   attachments outright.

  Exercise Caution When Opening Attachments

   Exercise caution when receiving email with attachments. Users should
   disable auto-opening or previewing of email attachments in their mail
   programs. Users should never open attachments from an untrusted origin,
   or that appear suspicious in any way. Finally, cryptographic checksums
   should also be used to validate the integrity of the file.

IV. General protection from email Trojan horses and viruses

   Some previous examples of malicious files known to have propagated
   through electronic mail include:

     Melissa macro virus - discussed in CA-99-04
       http://www.cert.org/advisories/CA-1999-04.html
     False upgrade to Internet Explorer - discussed in CA-99-02
       http://www.cert.org/advisories/CA-1999-02.html
     Happy99.exe Trojan Horse - discussed in IN-99-02
       http://www.cert.org/incident_notes/IN-99-02.html
     CIH/Chernobyl virus - discussed in IN-99-03
       http://www.cert.org/incident_notes/IN-99-03.htm

   In each of the above cases, the effects of the malicious file are
   activated only when the file in question is executed. Social engineering
   is typically employed to trick a recipient into executing the malicious
   file. Some of the social engineering techniques we have seen used include:

     * Making false claims that a file attachment contains a software patch
       or update
     * Implying or using entertaining content to entice a user into
       executing a malicious file
     * Using email delivery techniques that cause the message to appear to
       have come from a familiar or trusted source
     * Packaging malicious files in deceptively familiar ways (e.g., use of
       familiar but deceptive program icons or file names)

   The best advice with regard to malicious files is to avoid executing them
   in the first place. CERT advisory CA-1999-02 and the following CERT tech
   tip discuss malicious code and offer suggestions for avoiding it:

     http://www.cert.org/advisories/CA-99-02.html
     http://www.cert.org/tech_tips/malicious_code_FAQ.html
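   The following is an added illustration, not part of the original advisory
   and not CERT/CC code, of the mail-gateway filtering recommended in
   Section III: it flags a message whose Subject matches the worm's known
   subject line, or whose attachment hides a script extension behind a decoy
   one (the ".jpg.vbs" trick that Windows' "Hide file extensions for known
   file types" setting conceals). The sample message is constructed here and
   carries only a placeholder comment as its attachment body.

```python
import email
from email import policy

# Indicators taken from the advisory: the worm's Subject line and the scripting
# extension it hides behind a ".jpg" decoy (other common pairs added as assumptions).
KNOWN_SUBJECTS = {"here you have, ;o)"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".pif"}
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".mp3"}

# Constructed sample modelled on the advisory's description; the attachment
# body is a harmless placeholder comment, not worm code.
SAMPLE_WORM = """\
From: colleague@example.com
Subject: Here you have, ;o)
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Hi: Check This!
--XX
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

' constructed placeholder attachment body
--XX--
"""

def is_double_extension(filename):
    """True when a script extension sits behind a decoy one, e.g. photo.jpg.vbs."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    decoy, real = parts[1], parts[2]
    return "." + real in SCRIPT_EXTENSIONS and "." + decoy in DECOY_EXTENSIONS

def scan_message(raw):
    """Return the reasons a message should be quarantined; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches VBS/OnTheFly")
    for part in msg.walk():
        name = part.get_filename()  # only MIME parts that carry a filename
        if not name:
            continue
        if is_double_extension(name):
            reasons.append("double-extension attachment: " + name)
        elif "." + name.lower().rsplit(".", 1)[-1] in SCRIPT_EXTENSIONS:
            reasons.append("script attachment: " + name)
    return reasons
```

   A gateway would quarantine any message for which scan_message returns a
   non-empty list; the subject check catches the unmodified worm, while the
   extension checks also catch re-labelled variants.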
Appendix A. Anti-Virus Vendor Information

   Aladdin Knowledge Systems
     http://www.aks.com/home/csrt/valerts.asp#AnnaK
   Command Software Systems, Inc.
     http://www.commandcom.com/virus/vbsvwg.html
   Computer Associates
     http://ca.com/virusinfo/virusalert.htm#vbs_sstworm
   F-Secure
     http://www.f-secure.com/v-descs/onthefly.shtml
   Finjan Software, Ltd.
     http://www.finjan.com/attack_release_detail.cfm?attack_release_id=47
   McAfee
     http://www.mcafee.com/anti-virus/viruses/vbssst/default.asp
   Dr. Solomon, NAI
     http://vil.nai.com/vil/virusSummary.asp?virus_k=99011
   Sophos
     http://www.sophos.com/virusinfo/analyses/vbsssta.htm
   Symantec
     http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html
   Trend Micro
     http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A

   You may wish to visit the CERT/CC's Computer Virus Resources Page located
   at:

     http://www.cert.org/other_sources/viruses.html