Klarinet Archive - Posting 000633.txt from 1999/09

From: Ken Wolman <Ken.Wolman@-----.com>
Subj: [kl] Yes, another Trojan Horse alert
Date: Tue, 21 Sep 1999 08:43:15 -0400

I know, it doesn't have drilled holes and a mouthpiece, but this came to
us here today from Deutsche Bank's computer security people. This
suggests it's the real deal. Microsoft Word 97 users, beware.

-------- Original Message --------
Subject: VIRUS WARNING W97M/Suppl Trojan Horse Program
Date: Tue, 21 Sep 1999 08:11:39 -0400
From: bts.alert@-----.com

VIRUS WARNING W97M/Suppl Trojan Horse Program

Do not open any Word document you receive named Suppl.Doc! This document contains a macro virus which can potentially delete all of your data on your local hard drive as well as any network drives. This file is being propagated through email messages containing suppl.doc as an attachment. This message could come from someone you know. Do not open the attachment named suppl.doc. If you receive this file, open this file, or have already opened this file, please call the help desk immediately!

Further information about this new virus is detailed below.

Payload
Sometime after initially infecting the local machine, the trojanized WSOCK32.DLL will seek all files within all local drives (all mapped and physical drives) with the following extensions and null them, similar to W32/ExploreZip: .doc, .xls, .txt, .rtf, .dbf, .zip, .arj, and .rar.

Indications Of Infection
Presence of the files "WSOCK33.DLL", "ANTHRAX.INI" and "ANTHRAX.HST"; notification by persons to whom you have sent email of an attachment file named "SUPPL.DOC".

Virus Characteristics
This is a Word97 document with a class module macro having an appended internet worm binary file. The internet worm binary is an appended EXE file with a trojan payload. It is received in a file attachment named "SUPPL.DOC" in email messages. It functions similarly to W32/Ska in that the local file WSOCK32.DLL is replaced with a rogue copy self-contained at the end of the document. The new WSOCK32.DLL contains instructions to attach the file "SUPPL.DOC" to email messages using the SMTP protocol. This virus was first discovered by "Virus Patrol", a newsgroup scanning program in use by Network Associates Inc, cross-posted in several sex-related newsgroups including "alt.sex.phone".

"SUPPL.DOC" has macro code which uses an advanced technique to make use of routines found in the DLL files LZ32.DLL and KERNEL32.DLL. When the document is opened, if macro warning is enabled, a warning appears. If the macros are enabled, the code within the macro performs the following operations:

* determines the Windows directory using an API function
* writes 4 files to the Windows directory:
  WININIT.INI ( 143 bytes)
  DLL.LZH ( 6,712 bytes)
  DLL.TMP (16,384 bytes)
  ANTHRAX.INI (38,968 bytes)
* expands the compressed file using an API function

The file DLL.TMP is a replacement WSOCK32.DLL file. The contents of the WININIT.INI file instruct the operating system to replace the current WSOCK32.DLL file by first renaming it to WSOCK33.DLL, then renaming DLL.TMP to WSOCK32.DLL. The file DLL.LZH is removed. Windows uses the WININIT.INI file at boot time to perform these actions.

Every email message which is sent via an SMTP e-mail client will have the attachment "SUPPL.DOC". The string "Anthrax" is within the internet worm; however, this name was not chosen for this virus due to the Anthrax virus already known (as a rather old DOS virus).

---------------------------------------------------------------------
Unsubscribe from Klarinet, e-mail: klarinet-unsubscribe@-----.org
Subscribe to the Digest: klarinet-digest-subscribe@-----.org
Additional commands: klarinet-help@-----.org
Other problems: klarinet-owner@-----.org
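The advisory above names three indicator files, describes a WININIT.INI-driven swap of WSOCK32.DLL at boot, and lists the extensions the payload nulls. The following script is an added host-check example written for this archive page, not code from the advisory, Network Associates or the Klarinet list. It assumes the Windows 9x WININIT.INI format (a `[rename]` section of `destination=source` lines, with `NUL` as destination meaning delete), which the page does not spell out, and it runs against a constructed fake Windows directory so it can be exercised offline.

```python
"""Host check for the W97M/Suppl indicators described in the advisory (added example)."""
import os
import tempfile

# Files the advisory lists under "Indications Of Infection" (Windows names are case-insensitive).
INDICATOR_FILES = ("WSOCK33.DLL", "ANTHRAX.INI", "ANTHRAX.HST")
# Extensions the advisory says the trojanized WSOCK32.DLL nulls (truncates to zero bytes).
TARGET_EXTS = (".doc", ".xls", ".txt", ".rtf", ".dbf", ".zip", ".arj", ".rar")


def parse_wininit_renames(text):
    """Parse the [rename] section of a WININIT.INI file into (dest, src) pairs.

    Assumption (not stated on the page): Windows 9x WININIT.INI uses
    ``destination=source`` lines under ``[rename]``; a destination of
    ``NUL`` tells Windows to delete the source file at boot.
    """
    renames = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            renames.append((dest, src))
    return renames


def suspicious_renames(renames):
    """Keep rename entries that touch WSOCK32.DLL or the staging files named in the advisory."""
    watch = {"WSOCK32.DLL", "WSOCK33.DLL", "DLL.TMP", "DLL.LZH"}
    return [(d, s) for d, s in renames
            if os.path.basename(d).upper() in watch or os.path.basename(s).upper() in watch]


def check_windows_dir(windir):
    """Report indicator files present in windir and any boot-time WSOCK32.DLL swap queued there."""
    present = {name.upper() for name in os.listdir(windir)}
    found = [f for f in INDICATOR_FILES if f in present]
    wininit = os.path.join(windir, "WININIT.INI")
    hits = []
    if os.path.isfile(wininit):
        with open(wininit, "r", errors="replace") as fh:
            hits = suspicious_renames(parse_wininit_renames(fh.read()))
    return {"indicator_files": found, "wininit_renames": hits}


def nulled_files(root):
    """List zero-byte files with the targeted extensions under root (possible payload damage)."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(TARGET_EXTS):
                path = os.path.join(dirpath, name)
                if os.path.getsize(path) == 0:
                    out.append(path)
    return sorted(out)


def demo():
    """Build a constructed fake Windows directory mirroring the advisory and run both checks."""
    windir = tempfile.mkdtemp(prefix="fake_windows_")
    for name in ("WSOCK33.DLL", "ANTHRAX.INI", "DLL.TMP"):   # constructed indicator files
        open(os.path.join(windir, name), "wb").close()
    with open(os.path.join(windir, "WININIT.INI"), "w") as fh:
        # constructed rename section reproducing the swap the advisory describes
        fh.write("[rename]\nWSOCK33.DLL=WSOCK32.DLL\nWSOCK32.DLL=DLL.TMP\nNUL=DLL.LZH\n")
    docs = os.path.join(windir, "docs")
    os.mkdir(docs)
    open(os.path.join(docs, "report.doc"), "wb").close()     # constructed nulled document
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("still intact")                             # constructed untouched file
    return check_windows_dir(windir), nulled_files(docs)


if __name__ == "__main__":
    result, damaged = demo()
    print(result)
    print(damaged)
```

On a real host the calls would be `check_windows_dir(r"C:\WINDOWS")` and `nulled_files` over each local and mapped drive; a queued rename of WSOCK32.DLL in WININIT.INI is worth acting on before the next reboot, since the advisory says that is when Windows performs the swap.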

   
     Copyright © Woodwind.Org, Inc. All Rights Reserved    Privacy Policy    Contact charette@woodwind.org