For anyone interested, this just came from my server. John
-----Original Message-----
From: Randy Robbins <[log in to unmask]>
To: Recipient list suppressed <Recipient list suppressed>
Date: Friday, December 17, 1999 12:53 AM
Subject: Virus Alert - W32/newapt.worm
>Name
>W32/newapt.worm
>
>Aliases
>I-Worm/MesMate, TROJ_NEWAPT.WORM, W32.NewApt.worm, W32/NewApt.worm
>
>This virus was first reported on Dec 14, 1999 and has already been found
>twice in files sent to N2 The Net users. It was received as by email with
>a size of 69,632 bytes.
>
>It will not infect your computer unless you run the attachment and if your
>computer becomes infected, it can be removed with the latest update of most
>anti-virus programs. Consult your anti-virus program manufacturer about how
>to protect yourself.
>
>The worm arrives by email and depending on if the email application
>supports HTML email body content or not, one of two messages is displayed.
>If HTML is supported, the message content looks like this:
>
>---------------------------------------------------------------
>
>
>Hypercool Happy New Year 2000 funny programs and animations... We attached
>our recent animation from this site in our mail ! Check it out !
>
>---------------------------------------------------------------
>
>If the email client does not support HTML, the email message will have this
>content:
>
>---------------------------------------------------------------
>
>he, your lame client cant read HTML, haha. click attachment to see some
>stunningly HOT stuff
>---------------------------------------------------------------
>
>The email contains an attachment of a randomly selected name from the
>following list: baby.exe,bboy.exe, boss.exe, casper.exe, chestburst.exe,
>cooler1.exe, cooler3.exe, copier.exe, cupid2.exe, farter.exe , fborfw.exe,
>goal.exe, goal1.exe, g-zilla.exe, irngiant.exe, hog.exe, monica.exe,
>panther.exe, panthr.exe, party.exe, pirate.exe, s.exe, saddam.exe ,
>theobbq.exe, video.exe
>
>Please note that the file is not a "messagemates" game program and is not
>related to the web site listed in the email message! Messagemates.com has
>issued a notice about this also on their web site at this location:
>
>If this worm is run, a "dummy" error message is displayed with the text-
>
>The dinamic link library giface.dll could not be found in the specified
>path (list of directory names)
>
>The list of directory names are taken from they system environment variable
>"path" which is set in AUTOEXEC.BAT in Windows 9x and also configurable in
>Windows NT through the control panel. Note the misspelling of the word
>"dinamic". The file is then copied to the Windows folder and the registry
>is modified to load the file at the next Windows startup with a command
>line option of "/x" for example, the executable "chestburst.exe" is run,
>the registry entry would look like this on a Windows 95 system:
>
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tpanew =
>c:\windows\chestburst.exe /x
>
>On the next Windows startup, the file is loaded. When the worm loads into
>memory, this worm makes use of a DLL on the local system named TAPI32.DLL.
>This dynamic link library refers to "Telephony Application Programming
>Interface" or in other words, a means by which to manage connectivity.
>While the worm is active on Windows 9x system, the following DLLs are
>implemented:
>
>C:\WINDOWS\SYSTEM\WSOCK32.DLL C:\WINDOWS\SYSTEM\WININET.DLL
>C:\WINDOWS\SYSTEM\SHLWAPI.DLL C:\WINDOWS\SYSTEM\USER32.DLL
>C:\WINDOWS\SYSTEM\GDI32.DLL C:\WINDOWS\SYSTEM\ADVAPI32.DLL
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>
>When an email application such as MS Outlook is in use, the additional DLL
>loaded is TAPI32.DLL.
>
>
>Randy Robbins
>N2_The_Net | FasTrak Solutions
>[log in to unmask] | [log in to unmask]
>
>Freedom is not free!
>
|
