----- Original Message -----
From: <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, 14 May 2001 13:32
Subject: Kaspersky Lab Virus News: Internet-Worm Gives Users a Hard Time under the Guise of an Anti-Virus Warning

Kaspersky Lab Virus News, Monday, May 14, 2001
******************************************************************

1. Internet-Worm Gives Users a Hard Time under the Guise of an Anti-Virus Warning
2. How to subscribe/unsubscribe

****

1. Internet-Worm Gives Users a Hard Time under the Guise of an Anti-Virus Warning

Kaspersky Labs, an international data-security software-development company, warns users about the detection of a new Internet-worm going by the "solid" name of VBS.Hard. Our technical support department has already received several reports from users regarding incidences of the malicious program.

VBS.Hard propagates via e-mail, and upon activation, sends itself from infected computers via Microsoft Outlook Express to all addresses located in the Windows address list. As a result, the infected computer sends as many infected e-mails as there are addresses in the address book.

The worm is written in Visual Basic Script (VBS), and functions only in systems installed with Windows Scripting Host (WSH is installed in Windows 98 and Windows 2000 by default).

The worm propagates via e-mail as the VBS-file attachment "www.symantec.com.vbs," which is the worm's body itself. The e-mail has the following features:

Subject = "FW: Symantec Anti-Virus Warning"

Body =

    ----- Original Message -----
    From: [[log in to unmask]]
    To: [[log in to unmask]]; [[log in to unmask]]; [[log in to unmask]]; [[log in to unmask]]; [[log in to unmask]]; [[log in to unmask]]; [[log in to unmask]]
    Subject: FW: Symantec Anti-Virus Warning

    Hello,

    There is a new worm on the Net. This worm is very fast-spreading and very dangerous!
    Symantec has first noticed it on April 04, 2001.
    The attached file is a description of the worm and how it replicates itself.

    With regards,
    F. Jones
    Symantec senior developer

Having been sent as an e-mail, the worm creates a fake page with the so-called warning about the VBS.AmericanHistoryX_II@mm virus, when in fact, this virus does not exist.

Following this, the worm creates several files:

The first goes by the name of "c:\www.symantec_send.vbs" and contains VBS script that spreads infected e-mails via MS Outlook Express to all addresses found in the Windows address book.

The second file, going by the name of "c:\message.vbs," contains script that, on the 24th of November, displays the following message:

    Some shocking news
    Don't look surprised!
    It is only a warning about your stupidity
    Take care!

The worm registers both of these files in the auto-run section of the system registry, so that they are started upon every Windows start-up. In addition to this, the worm also registers the fake virus information as the Internet Explorer start-up page.

To avoid duplicate spreading from the same machine, the worm creates the system registry key "HKLM\SOFTWARE\Microsoft\WAB\OE Done" and sets its value to "Hardhead_SatanikChild". Thus, it does not spread from the same machine twice.

Detection and removal procedures for the VBS worm "Hard" have been available in the Kaspersky Labs anti-virus database since May 13.

Kaspersky Anti-Virus can be purchased in the Kaspersky Labs online store (http://www.kaspersky.com/buyonline.asp) or from a worldwide network of Kaspersky Anti-Virus distributors and resellers (http://www.kaspersky.com/buyoffline.asp).

Download the FREE time-limited trial version of Kaspersky Anti-Virus here: http://www.kaspersky.com/download.asp

****

2. How to subscribe/unsubscribe to/from "Virus News" news block

If you would like to subscribe to other Kaspersky Lab news blocks or to unsubscribe from this news block, you can do so by visiting http://www.kaspersky.com/subscribeNow.asp

If you experience any problems with this procedure, please contact us at: [log in to unmask]

****

Best of Luck,
Kaspersky Labs Int. News Agent

-----
WWW: http://www.kaspersky.com, http://www.viruslist.com
FTP: ftp://ftp.kaspersky.com
E-mail: [log in to unmask]
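
A mail-gateway check for the lure described in the advisory above, given as an added example that is not part of the Kaspersky newsletter: it flags the stated subject and attachment name, and goes one step further by flagging any WSH script attachment whose name reads like a web address. The function names, the extension list, the address pattern and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
import re

# Indicators stated in the advisory above.
WORM_SUBJECT = "fw: symantec anti-virus warning"
WORM_ATTACHMENT = "www.symantec.com.vbs"
# Script types run by Windows Scripting Host (list assumed for this example).
WSH_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# File-name stem that reads like a web address, e.g. "www.example.com".
ADDRESS_LIKE = re.compile(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org)$")


def scan_message(raw):
    """Return a list of findings for one RFC 822 message given as text."""
    msg = message_from_string(raw)
    findings = []
    if (msg.get("Subject") or "").strip().lower() == WORM_SUBJECT:
        findings.append("subject matches the VBS.Hard lure")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name.endswith(WSH_EXTENSIONS):
            continue  # not a WSH script attachment
        if name == WORM_ATTACHMENT:
            findings.append("attachment name matches VBS.Hard")
        if ADDRESS_LIKE.match(name.rsplit(".", 1)[0]):
            findings.append("script attachment named like a web address")
    return findings


def build_sample(subject, filename):
    """Constructed test message; the attachment body is harmless text."""
    return "\n".join([
        "From: sender@example.test",
        "Subject: " + subject,
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "",
        "See attachment.",
        "--b1",
        'Content-Disposition: attachment; filename="' + filename + '"',
        "",
        "placeholder, not a script",
        "--b1--",
    ])


if __name__ == "__main__":
    print(scan_message(build_sample("FW: Symantec Anti-Virus Warning", WORM_ATTACHMENT)))
```
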