FREEVIEW
Feb 02, 2002, 10:52 PM
Type: JavaScript virus
Description:
JS/Gigger-A is a JavaScript virus which arrives as an email message with one of the following sets of characteristics:
Subject: Outlook Express Update
Message: MSNSofware Co.
Attachment: Mmsn_offline.htm
or
Subject: recipient@Address, i.e. the email address of the recipient
Message: Microsoft Outlook 98.
Attachment: Mmsn_offline.htm
If the virus is executed, it will attempt to drop the following files:
C:\Bla.hta
C:\B.htm
C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Samples\Wsh\Charts.vbs
C:\Windows\Help\Mmsn_offline.htm
It will also create files called Script.ini in folders containing a file with the extension INI or HLP. These files will be detected as mIRC/Simp-Fam. The virus will infect HTM, HTML and ASP files and attempts to add the line
Echo y|format c:
to C:\Autoexec.bat. This will have the effect of attempting to format drive C: on restart in versions of Windows which use the character Y for Yes.
JS/Gigger-A creates the following registry keys:
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\TheGrave\badUsers\v2.0
and adds the value 'NAV DefAlert' to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The virus contains the text "This virus is donation from all Bulgarians".
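The JS/Gigger-A description above lists host artefacts (dropped files, registry keys, a Run value and a destructive Autoexec.bat line) that a responder can check for. The following script is an added example, not part of the original notification or of Sophos's own tooling: it takes data already collected from a machine (a file listing, exported registry key names and Run values, the Autoexec.bat text and per-folder listings, all constructed here as sample input) and reports which Gigger-A indicators are present. It matches paths and key names case-insensitively and recognises spacing and case variants of the Autoexec.bat line, since "Echo y|format c:" is only the canonical form.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicators quoted from the JS/Gigger-A description (lower-cased for matching).
DROPPED_FILES = {
    r"c:\bla.hta",
    r"c:\b.htm",
    r"c:\windows\samples\wsh\charts.js",
    r"c:\windows\samples\wsh\charts.vbs",
    r"c:\windows\help\mmsn_offline.htm",
}
REGISTRY_KEYS = {
    r"hkcu\software\microsoft\windows scripting host\settings\timeout",
    r"hkcu\software\thegrave\badusers\v2.0",
}
RUN_VALUE_NAME = "nav defalert"  # value added under HKLM\...\CurrentVersion\Run

# The destructive Autoexec.bat line, tolerant of case and spacing variants
# ("Echo y|format c:", "echo Y | FORMAT C:", ...).
FORMAT_ON_BOOT = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c:", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.strip().lower().replace("/", "\\")


def find_gigger_indicators(present_files: Iterable[str],
                           registry_keys: Iterable[str],
                           run_values: Dict[str, str],
                           autoexec_text: str,
                           folder_listing: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (indicator_type, detail) pairs for every Gigger-A artefact found."""
    findings: List[Tuple[str, str]] = []
    for f in present_files:
        if _norm(f) in DROPPED_FILES:
            findings.append(("dropped_file", f))
    for k in registry_keys:
        if _norm(k) in REGISTRY_KEYS:
            findings.append(("registry_key", k))
    for name, data in run_values.items():
        if name.strip().lower() == RUN_VALUE_NAME:
            findings.append(("run_value", f"{name} = {data}"))
    for lineno, line in enumerate(autoexec_text.splitlines(), 1):
        if FORMAT_ON_BOOT.match(line):
            findings.append(("autoexec_format", f"line {lineno}: {line.strip()}"))
    # Script.ini is only an indicator in folders that already held an INI or HLP file.
    for folder, names in folder_listing.items():
        lowered = [n.lower() for n in names]
        if "script.ini" in lowered and any(
                n != "script.ini" and n.endswith((".ini", ".hlp")) for n in lowered):
            findings.append(("script_ini", folder))
    return findings


# Constructed sample input standing in for data exported from a host (hypothetical).
SAMPLE_FILES = [r"C:\BLA.HTA", r"C:\Windows\Help\Mmsn_offline.htm", r"C:\Windows\notepad.exe"]
SAMPLE_KEYS = [r"HKCU\Software\TheGrave\badUsers\v2.0", r"HKCU\Software\Microsoft\Office"]
SAMPLE_RUN = {"NAV DefAlert": r"C:\Windows\Samples\Wsh\Charts.js", "ctfmon": "ctfmon.exe"}
SAMPLE_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS\necho Y | FORMAT C:\n"
SAMPLE_FOLDERS = {
    r"C:\Windows": ["win.ini", "Script.ini", "notepad.exe"],
    r"C:\Temp": ["Script.ini"],  # no pre-existing INI/HLP: not flagged
}


def demo() -> List[Tuple[str, str]]:
    return find_gigger_indicators(SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_RUN,
                                  SAMPLE_AUTOEXEC, SAMPLE_FOLDERS)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:16} {detail}")
```

On the sample data the script reports two dropped files, one registry key, the Run value, the Autoexec.bat line (line 3) and the Script.ini in C:\Windows; the Script.ini in C:\Temp is not reported because that folder held no other INI or HLP file.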
Aliases: Troj/Senecs, W32/Lastscene@mm, TROJ_SCENES
Type: Visual Basic Script worm and Backdoor Trojan horse
At the time of writing Sophos has received just one report of the worm from the wild.
Description:
This notification includes information about a Visual Basic Script worm and a Backdoor Trojan horse that can be downloaded by the worm.
VBS/RTF-Senecs is a Visual Basic script worm that arrives in an email message with the following characteristics:
Subject: "Scene from last weekend"
Message body: "Please do not forward"
Attached filename: scenes.zip.
The attached ZIP file contains an RTF document scenes.wri. If the document is opened, two icons are displayed for two embedded objects. Both icons appear to be icons of an image file but the actual embedded object is an executable. Sophos Anti-Virus detects this executable as Troj/Senecs.
If the embedded executable is launched, it drops and runs a VBS file which attempts to send scenes.zip to all contacts in the Microsoft Outlook address book. Troj/Senecs also drops two additional Trojans (detected by Sophos Anti-Virus as Troj/Optix-03-C and Troj/WebDL-E).
Troj/Optix-03-C is a backdoor Trojan horse that will run in the background as a server process, allowing a remote user (using a client program) to gain access and control over the machine. When first run, it creates the subdirectory:
\OleFiles\,
moves itself there and creates the Registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup = \OleFiles\.
This ensures that the server process is run automatically each time the machine is restarted. Troj/WebDL-E attempts to download and run a program from a website hosted at tripod.com. The downloaded program is the Troj/Sub7-21-I Backdoor Trojan horse. Troj/WebDL-E will also attempt to send a notification message of its success to an ICQ account. After running, the Trojan horse removes itself from the system.
Troj/Sub7-21-I is a backdoor Trojan horse. When the server program is installed, the computer is exposed to security attacks from remote locations. Once the connection is established, the attacker can acquire sensitive information such as passwords and take control over the infected computer.
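The VBS/RTF-Senecs entry describes an RTF document whose embedded objects show image icons but are in fact executables. The script below is an added example, not part of the notification or of any Sophos product: it parses the `{\*\objclass ...}` and `{\*\objdata ...}` groups of each `\object` in an RTF file, decodes the hex-encoded object data, and flags objects whose class is the generic OLE "Package" (which can wrap any file) or whose data contains an "MZ" executable marker. The sample RTF is constructed for the example, and the pairing of class and data groups with their `\object` assumes the groups appear in document order inside the object, which is how RTF writers emit them; `\bin`-encoded object data is not handled.

```python
import re
from typing import Dict, List

OBJECT_RE = re.compile(r"\\object\b")
OBJCLASS_RE = re.compile(r"\{\\\*\\objclass\s+([^}]+)\}")
OBJDATA_RE = re.compile(r"\{\\\*\\objdata\s*([0-9a-fA-F\s]*)\}")


def extract_embedded_objects(rtf_text: str) -> List[Dict]:
    """Describe every \\object in the RTF text and mark suspicious ones."""
    starts = [m.start() for m in OBJECT_RE.finditer(rtf_text)]
    classes = list(OBJCLASS_RE.finditer(rtf_text))
    datas = list(OBJDATA_RE.finditer(rtf_text))
    results = []
    for i, start in enumerate(starts):
        # Each object's class/data groups lie between this \object and the next.
        end = starts[i + 1] if i + 1 < len(starts) else len(rtf_text)
        cls = next((m for m in classes if start < m.start() < end), None)
        dat = next((m for m in datas if start < m.start() < end), None)
        if dat is None:
            continue
        hexstr = re.sub(r"\s+", "", dat.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blob = bytes.fromhex(hexstr)
        class_name = cls.group(1).strip() if cls else ""
        has_mz = b"MZ" in blob       # DOS/PE executable header marker
        results.append({
            "class": class_name,
            "size": len(blob),
            "has_mz": has_mz,
            # Heuristic: Package objects carry arbitrary files; MZ means a PE/DOS binary.
            "suspicious": class_name.lower() == "package" or has_mz,
        })
    return results


# Constructed sample: one Package object containing MZ bytes, one benign picture.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Times New Roman;}}
\pard Scene from last weekend\par
{\object\objemb\objw1440\objh1440{\*\objclass Package}
{\*\objdata 0105000002000000080000005061636b616765000000000000
4d5a90000300000004000000ffff0000}}
{\object\objemb{\*\objclass Paint.Picture}{\*\objdata 424d3e000000}}
}"""


def scan_sample() -> List[Dict]:
    return extract_embedded_objects(SAMPLE_RTF)


if __name__ == "__main__":
    for obj in scan_sample():
        flag = "SUSPICIOUS" if obj["suspicious"] else "ok"
        print(f"{flag:10} class={obj['class']!r} size={obj['size']} mz={obj['has_mz']}")
```

Running it on the sample reports the Package object (41 bytes of data containing an MZ marker) as suspicious and the Paint.Picture object as benign. A real document should be opened with the same scepticism the notification implies: the icon shown for an embedded object says nothing about what the object actually contains.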
