Mail Archive sponsored by Chazzanut Online

jewish-music


REAL Windows Virus Warning

This problematic software is attached to E-mail messages claiming to
contain Y2K updates from Microsoft. As far as I know, it affects *only*
Windows computers, and not Macs. 

The purpose of this "Trojan Horse" (a program that hides on your computer
and does things without your consent) seems to be to collect information
such as usernames and passwords, presumably relaying them to the person
who wrote the software. I became aware of it because someone sent me a
news story about the corruption of military computers by this malicious
application. 

To check the story out, I forwarded it to my husband (a computer
programmer) at work. Having seen a warning on ZDNET about it, he
investigated further, and sent me the information below about detecting
and removing this Trojan Horse. The information comes from Microsoft and
from the Network Associates (McAfee) web site. 

Briefly, the main things to notice are these:
 1) Any E-mail message containing attached software claiming to be updates
    from Microsoft *isn't* from Microsoft, and could be *extremely
    dangerous* (more dangerous than this thing, which doesn't wipe out
    your hard drive, although it does compromise your security). 

 2) To protect yourself against being victimized by such malicious
    applications, you should NEVER start up such attachments or allow
    your computer to do so automatically. 

 3) Keep your anti-virus software up to date!

Hope Ehn                <ehn (at) world(dot)std(dot)com>

---------- Forwarded message ----------
Date: Tue, 19 Oct 1999 08:37:22 -0400
From: Ehn, Dennis <de (at) lautechnologies(dot)com>
To: Hope Ehn Dennis Ehn <ehn (at) world(dot)std(dot)com>

There was a news story on ZDNET about the thing. That story had a pointer
to a Microsoft notice which I am quoting here. 

Dennis

Y2K Virus "Y2Kcount.exe" Market Bulletin 
----------------------------------------------------------------------------

Microsoft was notified on Wednesday afternoon (Sept. 15, 1999) that a
Trojan email hoax (called Y2Kcount.exe) had been distributed to Microsoft
customers. This email was not sent by Microsoft and the attachment that is
being distributed is not a Y2K countdown program, but instead a Trojan
horse virus. 

Microsoft does not distribute software via email and Microsoft will only
distribute year 2000 related updates from its website
(http://www.microsoft.com/y2k/) or a tangible CD ROM, such as the
Microsoft Year 2000 Resource CD. 

Microsoft distributes upgrades via the Internet. When Microsoft does this,
the software will be available via the web site, http://www.microsoft.com,
or through the FTP site, ftp://ftp.microsoft.com/. Microsoft occasionally
sends e-mail to customers to inform them that upgrades are available.
However, the e-mail will only provide links to the download sites --
Microsoft will never attach the software itself to the e-mail. Microsoft
always uses authenticity verification code to digitally sign their
products and allows users to ensure that they have not been tampered with. 

*** If a customer receives an e-mail that claims to contain software from
Microsoft, customers should not execute the attachment. The safest course
of action is to delete the mail altogether. *** Microsoft is broadly
notifying its customers of this Trojan horse and has updated its year 2000
website with the latest information/details. 

The following is a direct excerpt from the Network Associates web site, a
world leader in anti-virus information.
http://vil.nai.com/vil/tro10358.asp

   Trojan Name:   Count2K 
   Date Added:   9/15/99 

   Trojan Characteristics
   This Trojan normally arrives attached to an e-mail purporting to come
   from Microsoft. The email has an attachment "Y2KCOUNT.EXE" of 124,885
   bytes and the following text: 

   From: support (at) microsoft(dot)com
   Sender: support (at) microsoft(dot)com
   Received: from Microsoft (stara65.pip.digsys.bg [193.68.4.65])
   Subject: Microsoft Announcement
   Date: Wed, 15 Sep 1999 00:49:57 +0200 

   To All Microsoft Users,
   We are excited to announce Microsoft Year 2000 Counter. 

   Start the countdown NOW.
   Let us all get in the 21 Century.
   Let us lead the way to the future and we will get YOU there
   FASTER and SAFER. 

   Thank you,
   Microsoft Corporation 

The attached file is a self extracting archive file. If the attached exe
is run it displays a fake error message box containing the text: 

Password protection error or invalid CRC32! 

The exe is in fact a Winzip self-extracting archive consisting of these
files: 

  Project1.exe
  file001.dat
  file002.dat
  file003.dat
  file004.dat 

The file Project1.exe is set to be automatically run after the self
extracting archive is executed. This program then copies each of the four
.dat files into the WINDOWS\SYSTEM folder using the names: 

  Proclib.exe 
  Proclib.dll
  Proclib16.dll
  ntsvsrv.dll
  Nlhvld.dll 

The program then adds the filename "ntsvsrv.dll" to the end of the
'drivers=' line in the [boot] section of SYSTEM.INI. This causes the
Trojan to be run at the next system startup. At this point the file
WSOCK32.DLL in WINDOWS\SYSTEM is renamed to Nlhvld.dll (overwriting the
file just dropped, if WSOCK32.DLL exists). The file Proclib16.dll is then
copied to WSOCK32.DLL. 

This means that the Trojan has now 'hooked' the Internet connection and
whenever a connection is opened the file proclib.exe is run. 

The purpose of this Trojan appears to be to intercept username and password
information and presumably pass it onto the Trojan's author. 

Manual Removal Instructions 

1. Edit the drivers= line in the [boot] section of SYSTEM.INI and remove
   the filename ntsvsrv.dll. 

2. Restart the system, and DO NOT load any internet applications; this
   means that WSOCK32.DLL is not loaded into memory and so can be renamed. 

3. Copy the file WINDOWS\SYSTEM\Nlhvld.dll to WINDOWS\SYSTEM\WSOCK32.DLL. 
    a. If you are prompted to confirm overwriting the existing file, reply
       yes. 
    b. If you get an error message saying that the file is in use, then
       WSOCK32.DLL has already been loaded. 

    c. Disable all internet and network applications (or boot from a clean
       floppy disk) and repeat until successful. 

    d. Delete the files: 
         Proclib.exe
         Proclib.dll
         Proclib16.dll
         ntsvsrv.dll
         Nlhvld.dll 
       from WINDOWS\SYSTEM. 

Note the files Proclib.exe, Proclib.dll, Proclib16.dll, ntsvsrv.dll are
detected as "Count2K trojan"; the original file "Y2KCount.exe" is detected
as "Count2K.sfx" and the "Project1.exe" is detected as "Count2K.dr". 

Indications Of Installation
Existence of the files listed above; messages in your sent folder matching
the above message body content. 

Method Of Installation
Running the ill-fated attachment Y2KCOUNT.EXE from the received email
message. 

Trojan Information Discovery Date:
 9/15/99
 
Type:
 Trojan
 
Risk Assessment:
 Medium
 
Minimum DAT:
 4045 (Available 9/29/99)
 
Variants
 Unknown 

Aliases
 Y2KCOUNT, Count2K.sfx, Count2K.dr 

----------------------------------------------------------------------------

Last Updated: Thursday, September 30, 1999 - 11:25 a.m. Pacific Time
©1999 Microsoft Corporation. All rights reserved.
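A defender-side check for the persistence and drop indicators described in the NAI write-up above, added here as an example; it is not part of the original message or of the Microsoft/NAI text. It parses a constructed SYSTEM.INI sample, reports whether ntsvsrv.dll sits on the [boot] drivers= line, strips it the way removal step 1 does while leaving every other line intact, and lists which of the five dropped file names appear in a constructed WINDOWS\SYSTEM listing. The file names come from the page; the sample contents and function names are assumptions of this example.

```python
# Names taken from the Count2K write-up: the persistence entry appended to
# the [boot] drivers= line, and the five files dropped into WINDOWS\SYSTEM.
PERSISTENCE_ENTRY = "ntsvsrv.dll"
COUNT2K_FILES = {"proclib.exe", "proclib.dll", "proclib16.dll",
                 "ntsvsrv.dll", "nlhvld.dll"}

# Constructed sample data (not captured from a real machine).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll power.drv ntsvsrv.dll
[386Enh]
device=*vmm
"""
SAMPLE_SYSTEM_LISTING = ["KERNEL32.DLL", "WSOCK32.DLL", "Proclib.exe",
                         "ntsvsrv.dll", "Nlhvld.dll"]


def boot_drivers(text):
    """Entries on the drivers= line of [boot] (space-separated on Windows 9x)."""
    in_boot = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_boot = s.lower() == "[boot]"
        elif in_boot and s.lower().startswith("drivers="):
            return s.split("=", 1)[1].split()
    return []


def persistence_present(text):
    """True if ntsvsrv.dll has been appended to drivers=, as the Trojan does."""
    return PERSISTENCE_ENTRY in (d.lower() for d in boot_drivers(text))


def remove_persistence(text):
    """Removal step 1: drop ntsvsrv.dll from drivers=, keep all other lines."""
    out, in_boot = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_boot = s.lower() == "[boot]"
        elif in_boot and s.lower().startswith("drivers="):
            key, value = s.split("=", 1)
            kept = [d for d in value.split() if d.lower() != PERSISTENCE_ENTRY]
            line = f"{key}={' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def dropped_files_present(listing):
    """Which Count2K drop names appear in a WINDOWS\\SYSTEM directory listing."""
    return sorted((n for n in listing if n.lower() in COUNT2K_FILES), key=str.lower)
```

Write the cleaned text back only after the reboot without network applications, since WSOCK32.DLL itself must still be restored from Nlhvld.dll as steps 2 and 3 describe.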



---------------------- jewish-music (at) shamash(dot)org ---------------------+

