Security Incidents mailing list archives

Concept Virus(CV) V.5 - Quick analysis update


From: Olle Segerdahl <olle () defcom com>
Date: Tue, 18 Sep 2001 17:58:39 +0200


More infection routes:

The worm, upon infecting a new host, goes through all the
shared directories and their subdirectories and plants the
following files in each dir:

sample.nws
sample.eml
desktop.eml
desktop.nws

which are eml messages with copies of itself ("readme.exe")
autoloaded by an html script tag,

riched20.dll

which is a trojan dll version of itself probably designed
to infect people running notepad/wordpad in that dir.


It also infects htm/html/asp files all over the system with
a <SCRIPT> tag appendage that links to a readme.eml file in
the current directory, thus infecting more webservers and
even the windows help system and the IE "friendly" error messages.

The worm puts a trojan mmc.exe in the winnt directory that
is a copy of itself in the above "readme.exe" format.....

So in short: This thing spreads via fileserver shares and
also infects all web content files it sees, it's EVIL.

/olle
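
A defender-side check for the infection routes described in this post (an added example, not part of the original message): it walks a directory tree, flags the file names the post says are planted in shares, and scans .htm/.html/.asp files for a <script> tag that refers to readme.eml. The post does not give the exact injected markup, so the regex and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile

# File names the post says the worm plants in every shared directory and its
# subdirectories; riched20.dll is the trojanised DLL left beside them.
DROPPED_NAMES = {"sample.nws", "sample.eml", "desktop.eml", "desktop.nws", "riched20.dll"}
WEB_EXTENSIONS = (".htm", ".html", ".asp")
# The post only says the appended <SCRIPT> tag links to readme.eml; the exact
# markup is an assumption: a <script tag mentioning readme.eml before the next '<'.
SCRIPT_TAG_RE = re.compile(rb"<script\b[^<]*readme\.eml", re.IGNORECASE)
def web_file_infected(path):
    """True if the file carries a <script> tag that refers to readme.eml."""
    with open(path, "rb") as f:
        return SCRIPT_TAG_RE.search(f.read()) is not None

def scan_tree(root):
    """Walk root; return (dropped_files, infected_web_files) relative to root."""
    dropped, infected = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in DROPPED_NAMES:
                dropped.append(rel)
            elif name.lower().endswith(WEB_EXTENSIONS) and web_file_infected(path):
                infected.append(rel)
    return sorted(dropped), sorted(infected)

# Constructed sample tree: placeholder contents, not real worm files.
DEMO_FILES = {
    "share/sample.eml": b"MIME-Version: 1.0\n(constructed placeholder)\n",
    "share/sub/riched20.dll": b"placeholder, not a real DLL\n",
    "share/sub/desktop.nws": b"placeholder\n",
    "www/index.html": b'<html><body>hi</body></html>\n<script language="JavaScript">/* readme.eml */</script>\n',
    "www/default.asp": b'<% Response.Write("ok") %>\n<SCRIPT>readme.eml</SCRIPT>\n',
    "www/clean.htm": b"<html><script src='app.js'></script></html>\n",
}

def build_demo_tree(root):
    for rel, data in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)
```

Point scan_tree at a real share root or web root to get the same two lists; the file-name check is only a hint, since a benign riched20.dll lives in the system directory and only copies outside it are suspicious.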

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

