Details - This is a combo worm and virus - and is transmitted by e-
mail that will include a file attachment that appears to be a text file.
The file is - in fact - text, but is a Program Information File (which
usually carries a .pif file extension). When executed it will dump a
payload file into the \windows\temp directory (or whatever your
default temp directory is!) with the file name GLB1A2B.EXE and
then execute this program.
To save you all the gory details - the short version is that GLB1A2B
will add the files MTX_.EXE and IE_PACK.EXE to the Windows
directory, as well as a file titled WININIT.INI. Every time Windows is
started the WININIT file will load the other programs, and the
computer will attempt to call home. If the programs fail to reach the
author, they will repeat the attempt every two minutes until
successful.
GLB1A2B also fixes a hidden attribute to many of the files so that
they are 'typically' invisible to the end user.
Once MTX_ or IE_PACK run - as many as 60 other files can be
infected - making the virus virtually impossible to remove manually.
Detection - Start Windows Explorer, click on View and then folder
options. Click on the view tab, and then click on the radio button next
to "show all files". Click on apply and then OK. Next click on Tools,
Find Files and Folders. Conduct a search on Drive C for a file titled
MTX_.EXE and / or IE_PACK.EXE.
If either of these files is located, disconnect the computer from its
internet access and obtain a copy of McAfee's Anti-Virus program,
including the update version 4094.
McAfee was the first company (and the only one I know of at this
time) that has virus definitions for this one - the bug was discovered
on 8/30/00. McAfee's antivirus program will rename and / or delete
the infected files - but you may need to manually reinstall certain
Windows programs such as REGEDIT, NOTEPAD, CALC, etc.
Transmission - via e-mail manually, or via Microsoft e-mail programs
in the same manner as the love-bug. There are several (as many as
a hundred or so) different e-mail subject lines, most of which
reference MP3 files, Napster, or pornographic image files.
Closing information - we haven't figured out what information is sent
back to the point of origin, or the exact point of origin, other than
to say that it's in Germany somewhere! Additional information is
available from www.mcafee.com as well as the latest virus
definitions. One extremely interesting
feature of the bug is that if you are infected, and you attempt to
access mcafee.com or datafellows.com in an effort to obtain virus
information or definitions etc. the bug will cause Internet Explorer
(versions 4.X and 5.X at least) to crash. We haven't tested it with
Netscape.
Something is definitely wrong!!!
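
The file search from the Detection paragraph, as an added Python example (not part of the original advisory): it walks a directory tree and reports the three executable names listed above, matching case-insensitively and without depending on Explorer's "show all files" setting. The function names and the sample tree are constructed for illustration; WININIT.INI is left out of the match list because Windows itself uses that file name.

```python
import os
import stat
import tempfile

# Executable names taken from the advisory text. Matching is case-insensitive
# because Windows file systems do not distinguish case.
# WININIT.INI is deliberately not listed: Windows uses that name itself, so a
# name match alone would say nothing.
DROPPED_NAMES = {"glb1a2b.exe", "mtx_.exe", "ie_pack.exe"}


def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def find_dropped_files(root):
    """Walk root and return sorted (path, hidden) pairs for every name match."""
    hits = []
    # os.walk lists hidden files too; unreadable folders are skipped.
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower() in DROPPED_NAMES:
                path = os.path.join(folder, name)
                try:
                    hits.append((path, is_hidden(path)))
                except OSError:
                    hits.append((path, False))  # unreadable, still report it
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree: empty placeholder files, not real samples."""
    for rel in ("WINDOWS/Mtx_.exe", "WINDOWS/IE_PACK.EXE",
                "WINDOWS/TEMP/GLB1A2B.EXE", "WINDOWS/NOTEPAD.EXE",
                "WINDOWS/WININIT.INI"):
        target = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        open(target, "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, hidden in find_dropped_files(build_sample_tree(tmp)):
            print(path, "(hidden)" if hidden else "")
```

A name match is only a reason to look closer at the file; absence of a match does not show the machine is clean, since the advisory notes that many other files can be infected.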