From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Fri, 28 Sep 2001 16:11:35 -0700 (PDT)
Subject: [iwar] [fc:Vote.Worm.Resurfaces.As.Anti_TeRRoRisM.exe]

Vote Worm Resurfaces As Anti_TeRRoRisM.exe
By Steve Gold, Newsbytes, 9/28/2001
http://www.newsbytes.com/news/01/170619.html

Several antivirus software vendors issued overnight warnings about a rework of the Vote virus that appeared earlier this week, but early indications are that the new version - known as Vote.B or the Anti_TeRRoRisM.exe worm - is spreading on a limited scale.

The Vote virus - Win32.Vote.A@mm - which appeared on Monday, is a destructive mass-mailer written in Visual Basic. Once executed, the virus drops two Visual Basic scripts and downloads an executable named TimeUpdate.exe. This executable is a hidden remote administration program that, when executed, allows hackers to access data on the users' PC without authorization.

Jason Holloway, U.K. general manager with F-Secure, told Newsbytes that Vote.b, as his researchers are calling this latest virus, is a simple variant of the original, although its text has been changed, while its attachment has been renamed.

"It's been recompiled, but, like the original Vote, it isn't a major problem, as most users will be aware of what it is, and will delete, rather than clicking on the attachment," he said.

PromiseMark, one of the IT security firms issuing an alert to customers overnight, said that PC users should avoid opening attachments that read Anti_TeRRoRisM.exe.

The Fairfax, Va.-based company said that, if a recipient opens the infected attachment, the virus will send itself to contacts in the recipient's Microsoft Outlook address book, and download and execute a file called TimeUpdate.exe.

PromiseMark added in its advisory that this file allows hackers access to computer user data. As a final act of infection, it will attempt to overwrite all data on the recipient's computer.

F-Secure's Web site is at http://www.f-secure.com .

PromiseMark's Web site is at http://www.promisemark.com .
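A mail-gateway check for the attachment name the article warns about, as an added example that is not part of the original post or of the vendors' advisories. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment name reported in the article; compared case-insensitively
# because the odd capitalisation is not a reliable property of a sample.
REPORTED_NAMES = {"anti_terrorism.exe"}
# Assumption: a site policy that also quarantines directly executable types,
# including the Visual Basic scripts a mass-mailer of this kind relies on.
RISKY_EXTENSIONS = (".exe", ".vbs", ".scr", ".pif", ".com", ".bat")


def scan_message(raw_bytes):
    """Return [(filename, reason)] for attachments that should be quarantined."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 / encoded-word names
        if not name:
            continue  # multipart containers and inline text have no filename
        # Windows drops trailing dots and spaces when the file is opened,
        # so normalise them away before comparing.
        folded = name.strip().rstrip(". ").lower()
        if folded in REPORTED_NAMES:
            findings.append((name, "name reported in the article"))
        elif folded.endswith(RISKY_EXTENSIONS):
            findings.append((name, "executable attachment type"))
    return findings


def build_sample():
    """Constructed test message with placeholder attachments (no malware)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for name in ("ANTI_TERRORISM.EXE", "notes.txt", "update.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample()):
        print(f"quarantine {filename}: {reason}")
```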
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT