
Still Another one ????

Discussion in 'Security and Privacy' started by BillyBob, 2002/07/02.

  1. 2002/07/02
    BillyBob (Thread Starter)
    Afternoon All,

    Just another day in paradise...as long as you don't mind paradise being 90+ degrees. Got this alert last night. Took awhile to confirm it. This little nasty can be very destructive so, what are we going to do? Say it with me...

    I'm going to have a good antivirus program
    I'm going to keep it updated and run it at least once a week
    I'm not going to open up every attachment, including those that look like they came from my friends, until I have scanned them
    Just because the attachment has a cute name, I'm still not going to open it
    Did I say anything about opening attachments?
    Anyway, on to the bug... (and Mac users may skip this)

    VBS_SLIP.B

    Related to: VBS.SLIP.B@MM
    In the wild: No
    Payload 1: Modifies Files (It overwrites files in the Windows directory)
    Trigger condition 1: Upon execution
    Discovered: 12 hours, 9 minutes ago
    (Jul. 1, 2002 9:16:55 PM GMT -0800)
    Detection available: 11 hours, 9 minutes ago
    (Jul. 1, 2002 10:16:55 PM GMT -0800)


    Language: English
    Platform: Windows
    Encrypted: No
    Size of virus: 2,747 Bytes

    Details:
    Upon execution, this worm sends a copy of itself to all addresses listed in the infected system's Microsoft Outlook address book. The details of the email message it sends are as follows:

    Subject: "Actualizacion critica de Anti-virus "
    Message Body: "Actulizacion critica contra el virus KLEZ este es el ultimo parche para su desinfecion "
    Attachment: [the executed VB script file (2,747 bytes); it may vary]

    Then it modifies the registry to contain its infection marker as follows:
    HKEY_CURRENT_USER\Software\scan_anti-virus ", "(r)"

    This worm has a destructive behavior of overwriting the following files:
    "C:\windows\spip.vbs"
    "C:\windows\system\slip_b.exe"
    "C:\windows\system\nerfix.exe"
    "C:\windows\system\xpload.exe"
    "C:\windows\system\kuasanagui.exe"
    "C:\windows\system\neodrako.exe"
    "C:\windows\system\nemesixx.exe"
    "C:\windows\system\zirkov.exe"
    "C:\windows\system\jefaso.exe"
    "C:\windows\system\egrone.exe"
    "C:\windows\system\regedit.exe"
    "C:\windows\system\dr.neo.exe"
    "C:\windows\system\vbs.slip.b.exe"
    "C:\windows\system\ip.exe"
    "C:\windows\system\regedit.exe"
    "C:\windows\system\anti-virus.exe"
    "C:\windows\system\Norton.exe"
    "C:\windows\system\AVP.exe"
    "C:\windows\system\Mcafee.exe"
    "C:\windows\system\panda.exe"
    "C:\windows\system\per.exe"
    "C:\windows\system\loock_down.exe"
    "C:\windows\system\bitdefender.exe"
    "C:\windows\system\pccillin.exe"
    "C:\windows\system\regedit.exe"
    It is apparent in the code of this worm that it executes the %windows%\WORDPAD.EXE file 100,000,000 times so that it can cause the infected system to hang. This routine, however, failed to execute during testing. %Windows% is the Windows directory, usually located at C:\Windows on Windows 9x/ME systems and at C:\WinNT on Windows NT/2K systems.

    Sounds like a fun one, huh? Well, now that we've gotten that out of the way, I just want to pass on that the Around Town website has been updated, as well as something special for the 4th on the front page. Have fun.

    I think I now understand how the Wicked Witch felt... I'm melting.... what a world.
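An added, read-only PowerShell triage check, not from the thread, from Road Runner or from Symantec: it reports whether Windows Script Host is enabled, then looks for the infection marker key and the file list quoted in the alert above. It assumes the standard Windows "Windows Script Host\Settings\Enabled" registry value, which is independent of whatever noscript.exe writes.

```powershell
# Added triage script (not from the thread): reports the WSH state and looks for the
# VBS_SLIP.B indicators quoted in the alert. Read-only; nothing is deleted or changed.
# Assumption: the "Windows Script Host\Settings\Enabled" value is the standard Windows
# switch for WSH and is unrelated to what Symantec's noscript.exe does.

$windir = $env:windir   # the alert's %windows% placeholder

# 1. Windows Script Host: Enabled = 0 in either hive stops wscript/cscript from
#    running .vbs/.js files; a missing value means WSH is enabled.
foreach ($hive in 'HKLM', 'HKCU') {
    $key   = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -ne $value -and "$value" -eq '0') { 'disabled' } else { 'ENABLED' }
    "WSH ($hive): $state"
}

# 2. Infection marker key from the alert (key only; the quoted value string is garbled).
$marker = 'HKCU:\Software\scan_anti-virus'
"Infection marker $marker present: $(Test-Path -LiteralPath $marker)"

# 3. Files the alert says the worm overwrites. The .exe paths are as quoted
#    (Windows 9x-style <windir>\system); on NT-based Windows that folder is normally
#    all but empty, so any hit there deserves a look.
$exeNames = 'slip_b','nerfix','xpload','kuasanagui','neodrako','nemesixx','zirkov',
            'jefaso','egrone','regedit','dr.neo','vbs.slip.b','ip','anti-virus','Norton',
            'AVP','Mcafee','panda','per','loock_down','bitdefender','pccillin'
$targets  = @("$windir\spip.vbs") + ($exeNames | ForEach-Object { "$windir\system\$($_).exe" })

$hits = foreach ($path in $targets) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $f = Get-Item -LiteralPath $path
        # 2,747 bytes is the script size given in the alert
        [pscustomobject]@{ Path = $path; Bytes = $f.Length; Modified = $f.LastWriteTime
                           SizeMatchesAlert = ($f.Length -eq 2747) }
    }
}
if ($hits) { $hits | Format-Table -AutoSize } else { 'None of the listed files are present.' }
```

Run it in an ordinary (non-elevated) PowerShell window; everything it touches is readable without administrator rights.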
     
  2. 2002/07/03
    Alice
    Billybob,

    Did you get this alert from a Symantec e-mail? How did you confirm it?

    I looked on Symantec's site and found VBS.Slip.B@mm
    (discovered June 27th) but this new one you're telling us about is much more dangerous, overwriting exe files including regedit and antivirus files.

    To me, it makes sense to disable the Windows Script Host to keep yourself safe from those nasty VB script bugs. I've been using Symantec's NOSCRIPT.EXE for years. Details and a download link HERE

    PS I just noticed the path to regedit.exe given is wrong.... I have it in C:\Windows. What about norton.exe? Is that a valid filename/path?

    I also noticed in your post, " It is apparent in the codes of this worm that it executes the %windows%\WORDPAD.EXE file for 100,000,000 times so that it can cause the infected system to hang. "

    My wordpad.exe is in Program Files\Accessories! Looking more and more like a prank to me.
     
    Last edited: 2002/07/03


  4. 2002/07/03
    BillyBob (Thread Starter)
    The post is a copy N paste of an e-mail that came right from the WebMaster of Road Runner.

    But I do share some of your suspicions about paths etc.

    I looked for myself and none of the mentioned files are in the Windows\System folder.

    But I did not feel that it was too much of a gamble to post it just in case.

    I have also noticed that the last few days my hardware firewall ( Router ) seems to be working overtime.

    BTW. I am running NAV 2002 and have Script Blocking enabled.

    BillyBob
     
  5. 2002/07/03
    Alice
    Hi BB,

    I knew you had NAV so was thinking you might have Script Blocking enabled (my sister does too). The Symantec page I mentioned says this (referring to removal of the WSH):
    About that e-mail you say is from the Road Runner Webmaster, I'm wondering where HE got the information, and why he didn't give any references!
     
  6. 2002/07/03
    brett
    For those who require the WSH, a useful (and free) application can be found here.
     
  7. 2002/07/03
    Alice
    Just to clarify, disabling the WSH with noscript.exe is not permanent. You can re-enable scripting at any time simply by running noscript.exe again and clicking the "enable" button.
     