PeachParts Mercedes-Benz Forum

Off-Topic Discussion: Virus that attacks Notes (http://www.peachparts.com/shopforum/showthread.php?t=87007)

Botnst 02-17-2004 02:57 PM

Virus that attacks Notes
 
Full text from our IT.

Botnst

To All Staff,

There's a new mass-mailing worm on the loose and its name is W32.Alua@mm. All indications are that it is spreading very fast throughout the Internet. It has been seen moving throughout the USGS Notes email system.

DO NOT OPEN MESSAGES with the following characteristics:

Subject: ID <6 random characters>... thanks
Attachment: <7 random characters>.exe

If you receive an email matching this description, simply delete it without attempting to open or save the attachment. If you have already made this mistake, contact the Help Desk ASAP. Please read below for further details.



To: USGS Security Points of Contact
From: IT Security Operations Team
Date: February 17, 2004

ITSOT Advisory 2004-0007: W32.Alua@mm: Immediate Attention Required!

Threat Level:
High - Immediate Attention Required - compliance date 02/17/2004

--/ Vulnerable /--

Microsoft Windows 95/98/ME/NT/2000/XP

--/ Task and Purpose /--

Immediately notify users of this threat, using out-of-band communication channels if necessary.
Update virus definitions on ALL Windows computers as soon as possible.

*** A list of potentially internal infected hosts is being prepared. If you are notified that a host on your network is exhibiting behavior associated with being infected, take the identified host(s) offline immediately.***

--/ Briefing /--

*** Blocks have been put in place on the Lotus servers to defer delivery of potentially infected messages. ***

W32.Alua@mm is a mass-mailing worm that opens a backdoor on TCP port 8866.

DO NOT OPEN MESSAGES with the following characteristics.

The email has the following characteristics:

Subject: ID <6 random characters>... thanks
Attachment: <7 random characters>.exe

--/ Details /--

W32.Alua@mm
Discovered on: February 17, 2004

When W32.Alua@mm is executed, it performs the following actions:

1. Launches sndrec32.exe, the Windows Sound Recorder.

2. Copies itself to %System%\au.exe.

3. Adds the value:

"au.exe"="%System%\au.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

4. Adds the key:

HKEY_CURRENT_USER\SOFTWARE\Windows2000

5. Opens a backdoor on TCP port 8866.

6. Sends an HTTP GET request to the following Web sites on TCP port 80:

· www.strato.de/1.php
· www.strato.de/2.php
· www.47df.de/wbboard/1.php
· www.intern.games-ring.de/2.php

7. Scans files with the following attachments:

· .wab
· .txt
· .htm
· .html

8. Uses its own SMTP engine to send itself to email addresses found in step 6.

The email has the following characteristics:

· Subject: ID <6 random characters>... thanks
· Body:
    Yours ID <9 random characters>
    -
    Thank
· Attachment: <7 random characters>.exe

--/ Solution /--

Update virus definitions on ALL Windows computers. To protect against this threat, virus definitions should be dated 02/17/2004 or later.

Symantec Security Response will post certified LiveUpdate definitions and Intelligent Updaters containing detection for W32.Alua@mm after 0900 Pacific Time 02/17/2004 (Noon Eastern).

Symantec Security Response has posted Rapid Release definitions containing detection for W32.Alua@mm with build sequence number 27975. These can be downloaded from
http://securityresponse.symantec.com/avcenter/beta.download.html

--/ Questions? /--

If you have questions about this threat, please contact the IT Security Operations Team, gs_itsot@usgs.gov

Information regarding Lotus servers can be found at: http://notes.usgs.gov/current_events.txt

--/ References /--
http://securityresponse.symantec.com/
http://www.symantec.com/avcenter/venc/data/w32.alua@mm.html

--/ Timeframe /--

Inform users immediately. Push virus definitions to clients using your parent antivirus server as soon as possible. Unmanaged clients should be visited to have their definitions updated manually.
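As an added example (not part of the advisory or of this forum post), here is a mail-filter check in Python that flags a message showing the characteristics the advisory lists: the subject pattern, the body pattern and the 7-character .exe attachment. Treating the "random characters" as alphanumeric and the sample message itself are assumptions.

```python
import email
import re

# Patterns derived from the advisory's description of the worm's mail.
# Alphanumeric "random characters" is an assumption; the advisory does not say.
SUBJECT_RE = re.compile(r"^ID [A-Za-z0-9]{6}\.\.\. thanks$")
ATTACHMENT_RE = re.compile(r"^[A-Za-z0-9]{7}\.exe$", re.IGNORECASE)
BODY_RE = re.compile(r"Yours ID [A-Za-z0-9]{9}")

def alua_indicators(raw: str) -> list[str]:
    """Return which W32.Alua@mm mail characteristics a raw RFC 822 message shows."""
    msg = email.message_from_string(raw)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if BODY_RE.search(text):
                hits.append("body")
    return hits

def should_quarantine(raw: str) -> bool:
    """Quarantine only when both the subject and the .exe attachment patterns match."""
    hits = alua_indicators(raw)
    return "subject" in hits and "attachment" in hits

# Constructed sample (not a real capture) shaped like the advisory's description.
SAMPLE_WORM_MAIL = """\
Subject: ID a7Kp2q... thanks
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Yours ID x9Tq3mL2v
-
Thank
--XX
Content-Type: application/octet-stream; name="qz7Lm3p.exe"
Content-Disposition: attachment; filename="qz7Lm3p.exe"

MZ-placeholder-not-a-real-binary
--XX--
"""
```

Requiring both the subject and the attachment pattern keeps a colleague's "ID request... thanks" message from being quarantined on the subject alone.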

el presidente 02-17-2004 03:42 PM

Here we go again.....time for LiveUpdate :rolleyes:

jpb5151 02-17-2004 08:55 PM

Is this really a Notes-specific one? It looks like it's pretty general from the posted e-mails.

Yes, here we go again. I really wish these virus writers would get a life. I also wish Microsoft made a decent operating system... We've got those lab computers running Windows, but I'm way too busy to screw with them anymore. Maybe I'll just tell our lab coordinator to update the virus definitions, etc.

Botnst 02-18-2004 09:03 AM

Quote:

Originally posted by jpb5151
Is this really a Notes-specific one? It looks like it's pretty general from the posted e-mails.


You're right. Sorry for the misleading header.

B

