[iwar] [fc:Vote.Worm.Resurfaces.As.Anti_TeRRoRisM.exe]

From: Fred Cohen (fc@all.net)
Date: 2001-09-28 16:11:35


To: iwar@onelist.com (Information Warfare Mailing List)

Vote Worm Resurfaces As Anti_TeRRoRisM.exe 
By Steve Gold, Newsbytes, 9/28/2001
http://www.newsbytes.com/news/01/170619.html

Several antivirus software vendors issued overnight warnings about a
rework of the Vote virus that appeared earlier this week, but early
indications are that the new version - known as Vote.B or the
Anti_TeRRoRisM.exe worm - is spreading on a limited scale.  The Vote
virus - Win32.Vote.A@mm - which appeared on Monday, is a destructive
mass-mailer written in Visual Basic.  Once executed, the virus drops two
Visual Basic scripts and downloads an executable named TimeUpdate.exe. 

This executable is a hidden remote administration program that, when
executed, allows hackers to access data on the user's PC without
authorization. 

Jason Holloway, U.K.  general manager with F-Secure, told Newsbytes that
Vote.b, as his researchers are calling this latest virus, is a simple
variant of the original, although its text has been changed, while its
attachment has been renamed. 

"It's been recompiled, but, like the original Vote, it isn't a major
problem, as most users will be aware of what it is, and will delete,
rather than clicking on the attachment," he said.  PromiseMark, one of
the IT security firms issuing an alert to customers overnight, said that
PC users should avoid opening attachments that read
Anti_TeRRoRisM.exe. 

The Fairfax, Va.-based company said that, if a recipient opens the
infected attachment, the virus will send itself to contacts in the
recipient's Microsoft Outlook address book, and download and execute a
file called TimeUpdate.exe. 

PromiseMark added in its advisory that this file allows hackers access
to computer user data.  As a final act of infection, it will attempt to
overwrite all data on the recipient's computer.  F-Secure's Web site is
at http://www.f-secure.com . 
PromiseMark's Web site is at http://www.promisemark.com . 





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT