- From: M. Hope Aguilar <hoper@mindspring.com>
- Date: Fri, 17 Dec 1999 08:41:18 -0800
- To: "Michael M. Krieger" <MKRIEGER/0005975596@MCIMAIL.COM>
- CC: "sleepnet, Sandman" <sandman@sleepnet.com>
- Message-ID: <385A67AD.7A20A7CF@mindspring.com>
Hi

WARNING - UPDATE YOUR ANTIVIRUS PROGRAMS NOW!! A newsgroup/Listserv was hit with the NewApt Worm (so it is possible that they are unknowingly sending the Worm to lots of their friends and other Listservs.) See below.

This is from the Datafellows F-Secure Virus Information Pages:

NAME: NewApt
ALIAS: I-Worm.NewApt, W32.NewApt.Worm, Worm.NewApt
SIZE: 69632

The NewApt worm appeared in the last few days (the middle of December 1999.) The worm itself is a Windows PE executable file about 70Kb long. It is transferred via the Internet in e-mail messages as an attachment. The name of the attached worm copy is randomly selected from 26 variants (so you should look for all of these!):

panther.exe, farter.exe, gadget.exe, boss.exe, irngiant.exe, monica.exe, casper.exe, saddam.exe, fborfw.exe, party.exe, cupid2.exe, hog.exe, party.exe, goal1.exe, bboy.exe, pirate.exe, baby.exe, video.exe, goal.exe, copier.exe, theobbq.exe, cooler1.exe, panthr.exe, cooler3.exe, chestburst.exe, g-zilla.exe

The infected message's subject is sometimes "Just for your eyes". Other subject variants are possible: in some cases the worm puts "Re:" in the subject line and adds some random text there. The message body contains these lines in plain text format:

"he, your lame client cant read HTML, haha. click attachment to see some stunningly HOT stuff"

as well as in HTML format:

"Hypercool Happy New Year 2000 funny programs and animations... We attached our recent animation from this site in our mail! Check it out!"

When the infected message is received, one of the above texts is displayed depending on whether the recipient's e-mail browser supports HTML e-mail format or not. When the attached executable is run by a user the worm gets control and installs itself to the system.
It copies itself with its current name (as the worm arrived in email) to the Windows directory and registers this copy in the system registry in the "Run=" section:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run
'tpawen' = 'C:\WINDOWS\PANTHER.EXE /x'

Note that the worm's name (here it is "PANTHER") is not always the same and can be randomly selected by the worm (see the list above). To hide its activity the worm displays a fake error message:

[Image]

For those who cannot see an image in your email, a W95/W98 warning pops up - which REQUIRES you to click "OK" before proceeding - and which says:

"The dinamic link library giface.dll could not be found in specified path C:\; C:\WINDOWS; C:\WINDOWS\COMMAND; C:\FAR; C:\AVP"

The second line in the above message box is the infected system's Windows system directory name, 'Path' and 'SystemRoot' system variables. The worm then registers itself as a service process (not visible in the task list) and stays memory resident as a hidden application. The worm's main routines (there are two of them working in the background) then periodically scan hard drives for Internet-related files (MS Mail, Outlook Express, Netscape Navigator and other files), open these files, get Internet addresses from there and send worm copies to these addresses.

Starting from the 12th of June, 2000 the worm removes the "Run=" string from the system Registry and does not install itself to the system any more. So, this worm's life-time is limited by that date. But copies of the worm left in a system after the 12th of June may activate again if the system date is set incorrectly. From 00:00 starting on the 26th of December the worm tries to connect to a remote computer somewhere at Microsoft every 3 seconds. This is most likely done to ping-bomb the server. Depending on its counters and some other conditions the worm tries to call phone numbers randomly selected from its own internal list. These numbers seem to belong to an unknown company.
Note that the worm attempts to disguise itself as one of the MessageMates - amusing animations created to be sent to people on various occasions. The MessageMates' website now has a warning about the worm. (The MessageMates website had nothing to do with this worm.)

[Analysis: Eugene Kaspersky, AVP team, F-Secure team at http://www.datafellows.com]

_______________________________________________

NOTE FROM HOPE: An awesome number of Word Macro variants have been released in the wild (including modifications of previously known, older viruses.) Check your antivirus program provider's web site DAILY during the holiday season, as many worms and viruses are programmed to mess up your PC on Christmas Day and New Year's Day. Go to http://www.datafellows.com/v-descs/_new.htm to look at the 50 latest virus description modifications.

__________________________

"Michael M. Krieger" wrote:

> To: <CYBERIA-L@LISTSERV.AOL.COM>
> Sent: Thursday, December 16, 1999 10:34 PM
> Subject: cyberia worm note; do not open attachment re stuart.messagemates.com
>
> Shortly after recently posting to this list I got an email apparently from
> Cyberia-l headed
> Re: Court Jester Awards: Poweel v Georgia. The message had a link to
> messagemates, and an attachment I didn't open containing a worm. Details below.
> So if you get such a message, delete it.
> We have just learned that an email worm has been found circulating the web
> referencing MessageMates.com. This worm file is in no way connected with
> MessageMates.com.
>
> If you have received an email with a message that reads:
>
> he, your lame client cant read HTML, haha.
> click attachment to see some stunningly HOT stuff
> or
> http://stuart.messagemates.com/index.html
>
> Hypercool Happy Year 2000 funny programs and animations..
> We attached our recent animation from this site in our mail! Check
> it out!
>
> then you have been passed the Worm in question.
>
> It is a worm that was created and set loose by someone who's trying to spoil
> all of our Holiday fun. Do not run the attachment included in the email and
> please delete the email message immediately!
>
> Symantec has named this worm: W32.NewApt.Worm. Once opened/launched the worm
> will email itself out and reply to messages in your mailbox. The file being
> passed as an attachment is approximately 68K.
> The subject line of this message will vary and may appear to be a reply to
> something you've previously sent. The attachment is in no way related to any
> MessageMates.com products.
> What you can do:
> Read the details of this worm virus by checking with Symantec at:
> www.symantec.com

___________________
M. Hope Aguilar
NEUVILLE & AGUILAR
11845 W. Olympic Blvd. Suite 1000
Los Angeles, CA 90064
(310) 312-8620
Fax: (310) 312-8621
hoper@bigfoot.com
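The F-Secure description quoted above gives enough concrete indicators (the 26 attachment names, the 69632-byte size, the two lure texts, and the 'tpawen' Run value launching the copy with /x) for a simple triage check of a mailbox and of the Run key. The script below is an added example written for this page, not code from F-Secure, Symantec or the list; the Run-key entries and mail messages it checks are constructed samples, and the function names are the example's own.

```python
# Added triage helpers for the NewApt indicators quoted above; not code from F-Secure or the list.
# Names, size, lure text and the Run value come from the description; sample data is constructed.

NEWAPT_NAMES = {  # the 26 attachment names from the description (party.exe is listed twice)
    "panther.exe", "farter.exe", "gadget.exe", "boss.exe", "irngiant.exe",
    "monica.exe", "casper.exe", "saddam.exe", "fborfw.exe", "party.exe",
    "cupid2.exe", "hog.exe", "goal1.exe", "bboy.exe", "pirate.exe",
    "baby.exe", "video.exe", "goal.exe", "copier.exe", "theobbq.exe",
    "cooler1.exe", "panthr.exe", "cooler3.exe", "chestburst.exe", "g-zilla.exe",
}
NEWAPT_SIZE = 69632           # attachment size in bytes, per the description
NEWAPT_RUN_VALUE = "tpawen"   # value name the worm writes under ...\CurrentVersion\Run
BODY_MARKERS = ("lame client cant read html", "hypercool happy new year 2000")

def attachment_is_suspect(filename, size):
    """Name is one of the worm's 26 names and the size matches the 69632-byte worm body."""
    return filename.lower() in NEWAPT_NAMES and size == NEWAPT_SIZE

def message_is_suspect(body, attachments):
    """attachments: list of (filename, size). Flags the known lure text or a worm attachment.
    The subject is deliberately ignored: 'Re:' plus random text is not distinctive."""
    lure = any(marker in body.lower() for marker in BODY_MARKERS)
    return lure or any(attachment_is_suspect(n, s) for n, s in attachments)

def run_entry_is_suspect(name, data):
    """One Run-key value: the worm's value name, or a worm filename launched with /x."""
    if name.lower() == NEWAPT_RUN_VALUE:
        return True
    parts = data.split()
    if not parts:
        return False
    exe = parts[0].rsplit("\\", 1)[-1].lower()
    return exe in NEWAPT_NAMES and "/x" in (p.lower() for p in parts[1:])

def scan_run_key(entries):
    """entries: dict of value name -> command line, as 'reg query' on the Run key lists them.
    Returns value names to remove; delete the file from the Windows directory too, since
    the worm only unregisters itself after 12 June 2000 and a copy left behind can re-activate."""
    return sorted(n for n, d in entries.items() if run_entry_is_suspect(n, d))

# Constructed samples, not taken from a real machine or mailbox.
SAMPLE_RUN = {
    "SystemTray": "SysTray.Exe",
    "tpawen": "C:\\WINDOWS\\PANTHER.EXE /x",
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
}
SAMPLE_MAIL = [
    ("he, your lame client cant read HTML, haha.", [("party.exe", 69632)]),
    ("Attached are the minutes from Tuesday.", [("minutes.doc", 24576)]),
]
```

Running `scan_run_key(SAMPLE_RUN)` returns the one value name to remove, and `message_is_suspect` flags only the first sample message.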
Received on Friday, 17 December 1999 11:46:21 UTC