[iwar] [fc:New.virus.deletes.files.claims.to.be.vote.on.terrorism.issues]

From: Fred Cohen (fc@all.net)
Date: 2001-09-24 21:20:24


To: iwar@onelist.com (Information Warfare Mailing List)

Metromedia Fiber Network
Information Security Directorate
Security Operations Center

Virus Alert: MCA2001-9
September 24, 2001

Name: TROJ_VOTE.A

Aliases:  TROJ_VOTE.A; WTC.EXE

Affected Systems:  All systems running Microsoft Outlook

Bottom Line Up Front: TROJ_VOTE.A is a highly destructive new virus
which is currently spreading in-the-wild (discovered at 2:30 P.M.,
September 24, 2001).  This destructive Trojan was created using Visual
Basic 5.  It propagates via Microsoft Outlook by sending emails to
addresses listed in an infected user's address book.  It arrives in an
email with the following:

        Subject: FW: Peace between America and Islam
        Message Body: Hi Is it a war against America or Islam. Lets Vote
        to live in peace.
        Attachment: WTC.EXE

TROJ_VOTE.A deletes certain antiviral files, adds the file Zacker.vbs to
the local hard drive, modifies the infected user's Internet Explorer
startup page, and formats the infected user's drive c:\. 

Technical Recommendation: This is a new virus and fixes do not yet
exist.  If you receive an email with the above subject line or with an
attachment WTC.EXE, DO NOT OPEN THEM.  MFN e-mail users should always be
cautious when opening e-mail attachments.  Review email attachment names
prior to opening.  If the email is from someone you don't recognize or
responding to a question you did not ask, do not open the email
directly.  Users are further reminded to ensure virus protection on
personal computers is current. 

Although it's just been discovered today, both Symantec and Trend have
updated definitions for it.  I checked Symantec's, McAfee's and Trend's
sites for the information. 

For Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/w32vote.a@mm.htm

Trend:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VOTE.A


------------------
http://all.net/ 
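
Added example, not part of the original alert or of the poster's message: a check a mail administrator could run over stored or incoming messages for the two indicators the alert gives, the subject text and the attachment name WTC.EXE. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert text above.
ALERT_SUBJECT = "peace between america and islam"
ALERT_ATTACHMENT = "wtc.exe"


def check_message(raw: bytes) -> list:
    """Return the alert indicators that a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words in headers.
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    if ALERT_SUBJECT in subject:  # substring match survives FW:/RE: prefixes
        hits.append("subject")
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then Content-Type name=.
        name = (part.get_filename() or "").strip().lower()
        # Compare the base name only, in case a path was supplied.
        name = name.replace("\\", "/").rsplit("/", 1)[-1]
        if name == ALERT_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment bytes are harmless filler."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "alert match": build_sample("FW: Peace between America and Islam", "WTC.EXE"),
        "attachment only": build_sample("RE: hello", "wtc.exe"),
        "benign": build_sample("Quarterly report", "report.pdf"),
    }
    for label, raw in samples.items():
        print(label, "->", check_message(raw) or "clean")
```

A message that matches either indicator is worth quarantining, since the subject line or the attachment name alone is enough for the alert's "do not open" advice to apply.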




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:49 PDT