RE: Count2K Trojan Virus --This is NOT a Hoax, just a Public Warning...
- To: "CCBANK" <ccbank@pursuit.kis.net>, "WS-Software Support" <support@wssoft.net>, "WSbeta@wssoft. net" <WSbeta@wssoft.net>, <WINServer@winserver.com>, <WeThePeople@pursuit.kis.net>, <steve@atomicweb.com>, <PCPursuitsBeta@pursuit.kis.net>, <PCPursuits@pursuit.kis.net>, "Noprivacy@Essential. Org" <noprivacy@essential.org>, <NCSSA-List@ncssa.net>, "Maxine French" <maxine.french@www.pcpursuits.com>, "Mark.Preudhomme@Dclink.Com" <mark.preudhomme@dclink.com>, "Larryc@Netcrafters.Net" <larryc@netcrafters.net>, "Larry Clopper" <larryc@pop.netcrafters.net>, "Larry Anderson" <anderson@kua.net>, "Larry Anderson" <larry@kua.net>, "IRC Admin SysopNet.Org" <ircadmin@sysopnet.org>, <Insights@pursuit.kis.net>, <ICON@wwbbs.otherside.com>, "Ernie Butler" <tebutler@worldnet.att.net>, <CSsupport@pursuit.kis.net>, "Chad Casselman" <webmaster@websitereporter.com>, "Carl Carter" <cvcarter@awod.com>, "Brian. Tafoya@Rgcomputing. Com" <brian.tafoya@rgcomputing.com>, "Blair" <blairjr@flash.net>, "Ace Starry" <astarry@ix.netcom.com>, "Andrea Santos" <andrea.santos@santronics.com>, "Andy Meyerson" <smandy@erols.com>, <rage@netcrafters.net>, <donna.preudhomme@pursuit.kis.net>, "Suzanne. Preudhomme" <suzanne.preudhomme@pursuit.kis.net>
- Subject: RE: Count2K Trojan Virus --This is NOT a Hoax, just a Public Warning...
- From: "Bruce Preudhomme" <brucep@pop.kis.net>
- Date: Tue, 21 Sep 1999 06:51:25 -0400
- Importance: Normal
- In-Reply-To: <613EA0A4FEACD211AC340000F89CCD005C9D89@emss09m02.ems.lmco.com>
Sorry for any intrusion to your normal use of this email address. I have
sent this out to all my friends, family members, mailing lists, and business
contacts to make sure the word gets out.
I received this from my help desk at work with Lockheed Martin. This is a
legitimate virus going around. Please read the message below and take
whatever precautions. The best advice is not to open ANY attachments from
anyone (regardless if it is someone you know or a company you trust) without
first contacting the source.
Take care...
Bruce Preudhomme, the SYSOP of The Pursuit of Happiness!
...where the mind's eYe is always open!
URL: www.pcpursuits.com telnet: pcpursuits.com BBS dial up:(301)695-5260
PC Pursuits ~Bringing people, computers and software together!~
The PC Pursuits Product page: http://www.pcpursuits.com/products.htm
A Member of International Community Online Network (ICON)
ICON site: http://icon.rgcomputing.com/
> Virus Alert Bulletin #025 - 09/17/1999 - Count2K Trojan
> Context: Alert - Condition: Yellow
> Severity Code: Likelihood: 5, Damage: 4
>
> Likelihood of 5 means: Has not been detected in the company, has been seen
> in many places. Protection already in place on the main company Internet email
> relays.
> Damage of 4 means: Can send passwords to an Internet site.
>
> Solution: VirusScan 4.03 with 4043 DAT File and the new Extra.dat file
>
> It is strongly suggested to upgrade to version 4.03 if you are running
> version 3.
> From: Information Protection and Enterprise Virus Management
>
> Alert Content: Alert - Count2K Trojan
>
> Main discussion point: Microsoft does not email patches to customers, they
> usually send you to their web site with a URL for the patch. DO NOT
> execute ANY attachment that comes unsolicited. It could be malicious code
> (especially EXE, DLL, COM, BAT, etc. files)
>
> Trojan Name: Count2K
>
> Date Added: 9/15/99
>
> Trojan Characteristics
>
> This Trojan normally arrives attached to an e-mail purporting to come from
> Microsoft. The email has an attachment "Y2KCOUNT.EXE" of 124,885 bytes and
> the following text:
>
> ........................
> From: support@microsoft.com
>
> Sender: support@microsoft.com
> Received: from Microsoft (stara65.pip.digsys.bg [193.68.4.65])
> Subject: Microsoft Announcement
> Date: Wed, 15 Sep 1999 00:49:57 +0200
>
> To All Microsoft Users,
> We are excited to announce Microsoft Year 2000 Counter.
>
> Start the countdown NOW.
> Let us all get in the 21 Century.
> Let us lead the way to the future and we will get YOU there FASTER
> and
> SAFER.
>
> Thank you,
> Microsoft Corporation
> ........................
>
> The attached file is a self extracting archive file. If the attached exe
> is run it displays a fake error message box containing the text
>
> Password protection error or invalid CRC32!
>
> The exe is in fact a Winzip self extracting archive consisting of these
> files:
>
> Project1.exe
> file001.dat
> file002.dat
> file003.dat
> file004.dat
>
> The file Project1.exe is set to be automatically run after the self
> extracting archive is executed. This program then copies each of the four
> .dat files into the WINDOWS\SYSTEM folder using the names:
>
> Proclib.exe
> Proclib.dll
> Proclib16.dll
> ntsvsrv.dll
> Nlhvld.dll
>
> The program then adds the filename "ntsvsrv.dll" to the end of the
> 'drivers=' line in the [boot] section of SYSTEM.INI. This causes the
> trojan to be run at the next system startup. At this point the file
> WSOCK32.DLL in WINDOWS\SYSTEM is renamed to Nlhvld.dll (overwriting the
> file just dropped, if WSOCK32.DLL exists). The file Proclib16.dll is then
> copied to WSOCK32.DLL.
>
> This means that the trojan has now 'hooked' the Internet connection and
> whenever a connection is opened the file proclib.exe is run.
>
> The purpose of this trojan appears to be to intercept username and
> password information and presumably pass it on to the trojan's author.
>
> Manual Removal Instructions
>
> 1. Edit the drivers= line in the [boot] section of SYSTEM.INI and
> remove the filename ntsvsrv.dll.
> 2. Restart the system, and DO NOT load any internet applications; this
> means that WSOCK32.DLL is not loaded into memory and so can be renamed.
> 3. Copy the file WINDOWS\SYSTEM\Nlhvld.dll to
> WINDOWS\SYSTEM\WSOCK32.DLL. If you are prompted to confirm overwriting the
> existing file, reply yes. If you get an error message saying that the file
> is in use, then WSOCK32.DLL has already been loaded. Disable all internet
> and network applications (or boot from a clean floppy disk) and repeat
> until successful.
>
> 4. Delete the files
>
> Proclib.exe
> Proclib.dll
> Proclib16.dll
> ntsvsrv.dll
> Nlhvld.dll from WINDOWS\SYSTEM.
>
> Note the files Proclib.exe, Proclib.dll, Proclib16.dll, ntsvsrv.dll are
> detected as "Count2K trojan"; the original file "Y2KCount.exe" is detected
> as "Count2K.sfx" and the "Project1.exe" is detected as "Count2K.dr".
>
> Indications Of Installation
> Existence of the files listed above; messages in your sent folder matching
> the above message body content.
>
> Method Of Installation
> Running the ill-fated attachment Y2KCOUNT.EXE from the received email
> messages.
>
> Trojan Information
>
> Discovery Date: 9/15/99
>
> Type: Trojan
>
> Risk Assessment: Medium
>
> Minimum DAT: 4045 (Available 9/29/99) - EXTRA.DAT currently
>
> Variants: Unknown
>
> Aliases: Y2KCOUNT, Count2K.sfx, Count2K.dr
>
>
> Current Versions of the McAfee (NAI) Software:
>
> VirusScan/NetShield NT: 4.03a
> VirusScan 95/98: 4.03
> DAT Files: Version 4043.
> At a minimum, you should be running McAfee engine 3.22 or higher.
> Anything lower than this version is considered a high risk for obtaining
> undetectable viruses and MUST BE UPGRADED.
>
> It is strongly suggested to upgrade to the Version 4.x engine if you are
> still running the version 3.x engine.