-
February 12th, 2001, 12:24 PM
#1
anyone know what this is?
A virus snuck past the Norton Server and has the subject line "Here you are;". I thought I would post here while checking other sources, since there are tons of people on this site that may have heard of or run into this. Thanks.
-
February 12th, 2001, 02:16 PM
#2
Yeah, it is a new virus, SST, that is spreading like wildfire, attachment ANNAKOURNIKOVA.JPG.VBS. Go to this thread for more info.
------------------
sHIFT hAPPENS
-
February 20th, 2001, 11:24 AM
#3
If you have the Norton AntiVirus for Exchange Server running, you can filter ALL attachments that have a VBS extension so that they don't get to the end user. Our company has this in place...NOW, after we also got hit with Anna K. Luckily, we only had a couple of instances of spreading, and most of the technical people in our office recognized it as a VBS file and deleted the message.
------------------
R. Bret Walker, CNE
(I'm not a Master Tech, but I play one on TV)
Wondering what videos to rent this weekend? Check out The People's Reviews, movie reviews written for the people and by the people.
-
February 28th, 2001, 10:17 AM
#4
The SST.VBS@MM virus is a really mean virus: if deleted, it will recreate itself. Check Symantec's site for more info than what I have here.
You will need a virus DAT file no older than 02-12-2001 to safely remove this virus, as that was the date of its release.
When run, the worm creates the following registry key:
HKEY_CURRENT_USER\Software\OnTheFly
If the worm is run on January 26, it attempts to direct your Web browser to an Internet address in The Netherlands.
Next, it checks to see if the mass-mailing routine has been executed. If not, the worm emails everyone in your Microsoft Outlook address book and sets the following key value equal to "1" (this is equivalent to true):
HKEY_CURRENT_USER\Software\OnTheFly\mailed
This prevents the mail routine from running again.
The subject, body and attachment sent by the worm are as follows:
Subject:
Here you have, ;o)
Message body:
Hi:
Check This!
Attachment:
AnnaKournikova.jpg.vbs
The worm continues running, and if it is deleted, it attempts to recreate itself. Due to a bug in the code, the worm instead recreates itself as a zero-byte file.
Removal instructions:
Virus definitions dated February 12, 2001, or later will detect this worm. To remove VBS.SST@mm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. If any files are detected as infected by VBS.SST@mm, click Delete.
4. (Optional) Delete the following registry key:
HKEY_CURRENT_USER\Software\OnTheFly
Additional information:
The following information is for network administrators of corporate versions of Norton AntiVirus.
For corporate users, Symantec Technical Support recommends the following:
1. Make sure virus definitions are most current.
2. Delete the email. Do not open the attachment.
3. Disable Windows Scripting to prevent VBS files, such as AnnaKournikova.JPEG.VBS, from executing. Filter attachments with a VBS extension.
Microsoft Exchange 2000 in VAPI mode can strip attachments by extension. Contact Microsoft for further information.
Microsoft Exchange Server also provides the ExMerge utility, which can be used to purge the Information Store of messages with a specified subject or attachment name. This can be very useful during a virus crisis. For more information, please see the following Microsoft Articles:
XADM: How to Remove a Message from Exchange by Using the ExMerge Utility -- articleID: Q260037
XADM: Some Questions and Answers About the ExMerge Utility -- articleID: Q265441
4. Outlook 2000 with the latest security update will not execute VBS attachments. Contact Microsoft for further information.
5. Norton AntiVirus for Microsoft Exchange (NAVMSE) can block attachments by extension when in VAPI mode. Make sure NAVMSE is at a current build. The following Symantec Knowledge Base documents may be helpful:
How to delete email and its attachment with Norton AntiVirus for Microsoft Exchange
How to block email attachments based on the file name or extension of attached files
6. With Norton AntiVirus for Email Gateways 2.0 installed, attachments with VBS extensions can be blocked. See the Administrator's Guide for details. The following Symantec Knowledge Base documents may also be helpful:
How to block email based on the file name or extension of attached files
How to set up local routing for Norton AntiVirus for Gateways 2.1
How to block attachments by extension with Norton AntiVirus for Gateways
7. With Norton AntiVirus for Firewalls 1.5 installed, attachments with VBS extensions can sometimes be blocked. See the Administrator's Guide for details. There are unknown environmental factors that prevent some installations from blocking VBS files. If it works at your site, it will work reliably. If VBS blocking does not work at your site, it will not work at all.
------------------
Death is lighter than a feather - duty heavier than a mountain.
The answer to your question is: 00110100 00110010
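Added example, not part of any post in this thread and not Symantec or Microsoft code: a sketch of the extension filter the posts above recommend, run over a MIME message and also flagging the disguised double extension (`.jpg.vbs`). The blocked and decoy extension sets beyond `.vbs`, the function names and the sample message are assumptions made for illustration.

```python
import email
from email import policy

# ".vbs" is the extension the thread names; the other entries are assumed.
BLOCKED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions a reader takes for harmless data, used to flag a disguised name.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc"}

def classify_filename(name):
    """Return 'block-disguised', 'block' or 'allow' for one attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before comparing.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in BLOCKED_EXTS:
        return "allow"
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "block-disguised"
    return "block"

def scan_message(raw_bytes):
    """Walk every MIME part; return [(filename, verdict)] for named parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a file name
        if filename:
            results.append((filename, classify_filename(filename)))
    return results

# Constructed sample: names as quoted in the thread, placeholder content only.
SAMPLE = b"\r\n".join([
    b"Subject: Here you have, ;o)",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"Hi:\r\nCheck This!",
    b"--b1",
    b'Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"',
    b"",
    b"placeholder",
    b"--b1",
    b'Content-Disposition: attachment; filename="holiday.jpg"',
    b"",
    b"placeholder",
    b"--b1--", b""])

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```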