-
February 12th, 2001, 12:24 PM
#1
NEW VIRUS??? PLEASE HELP
Gang, We just got hit at our company with a virus called OnTheFly.vbs, has anyone heard of it??? It was launched by someone who clicked on an attachment called AnnaKornicova.jpg.vbs.
Any suggestions Please post!!!
It is just like the Melissa virus but the code of the virus is a lot harder to crack.
------------------
Arty De Gaetano II
Software Developer
The Clayton Group
-
February 12th, 2001, 12:26 PM
#2
We just got hit with that today as well, see my post. We are checking it out. Let me know if you find anything.
-
February 12th, 2001, 12:32 PM
#3
Yeah, we just got hit and the code of it is a mean one. This guy really wrote some code that is hard to figure out. As far as I know, the Norton site knows about it and is not ready for it.
------------------
Arty De Gaetano II
Software Developer
The Clayton Group
-
February 12th, 2001, 12:50 PM
#4
We are getting hammered by this same virus. Symantec's site does not have info on it yet.
------------------
Everywhere you go, there you are...
-
February 12th, 2001, 01:05 PM
#5
OK, first thing you have to do is stop the virus from spreading anymore. The best way to do this is to shut down your outgoing mail server(s) ASAP!!!
Then download this file: http://www.cerberus-infosec.co.uk/vf.exe
and run it on every workstation you have. What this program does is search through your registry and remove all references to VBS related stuff so that the VBS viruses can't run anymore. Most people do NOT have any use for Visual Basic Scripting so this is a very good idea both for now and any future VBS viruses.
Then pray that the antivirus companies come out with a solution real fast. Also prepare to do some serious system repair, and book some overtime. Let the wife and kids know you won't be home on time tonight. Get the tape backups ready to be restored once you get rid of the virus if the mail db has been overloaded/corrupted or there is other damage.
And lastly: good luck gentlemen.
------------------
sHIFT hAPPENS
-
February 12th, 2001, 01:05 PM
#6
Hey we are getting hammered with it as well, anyone got any info on it yet?
-
February 12th, 2001, 01:08 PM
#7
VBS.SST@mm
Discovered on: February 12, 2001
Last Updated on: February 12, 2001 at 10:10:59 AM PST
The Symantec AntiVirus Research Center (SARC) has confirmed a new mass-mailing worm. SARC is currently analyzing the worm. The worm is being reported in an attachment named ANNAKOURNIKOVA.JPEG.VBS. SARC recommends that you filter attachments with a VBS extension if you have not already done so.
Category: Worm
Virus definitions: Pending
Threat assessment:
Wild: Medium
Damage: Low
Distribution: High
Wild
Number of infections: 0-49
Distribution
Subject of email: Here you have, ;o)
Name of attachment: AnnaKournikova.jpg.vbs
Technical description:
The worm spreads via MS Outlook
Subject: Here you have, ;o)
Text: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs
Still no fix.
------------------
Everywhere you go, there you are...
-
February 12th, 2001, 01:32 PM
#8
OK here is what I know so far after looking at the code.
So far it can affect your registry, placing a key in:
HKEY_CURRENT_USER\Software\OnTheFly
There are 2 entries there, one is the default and the other is called "MAIL" with a value of "1" in it.
This is all I can report right now. We are still breaking down the code and are about 60% finished. So watch out for the registry key, delete all *.vbs on your system and definitely purge all files in the recycle bin and in Temp_Internet_Files.
Arty
------------------
Arty De Gaetano II
Software Developer
The Clayton Group
-
February 12th, 2001, 01:41 PM
#9
Originally posted by jfesler:
"The worm is being reported in an attachment named ANNAKOURNIKOVA.JPEG.VBS."
I'm pretty sure that it's a virus made in Russia (or probably in Ukraine, it doesn't matter). The typical Russian name of the attachment points me to this...
So I'll try to ask for help somewhere in Russian forums.
------------------
Ruslan Khyzha
-
February 12th, 2001, 01:52 PM
#10
I found some info on cleaning infected mailboxes on an Exchange server.
http://www.microsoft.com/technet/support/kb.asp?ID=224493
These are the cleaning files, mentioned in the above article.
http://download.microsoft.com/downlo.../wormhelpi.zip
------------------
Everywhere you go, there you are...
-
February 12th, 2001, 02:03 PM
#11
CA just released this info: http://www.ca.com/virusinfo/virusalert.htm#vbs_sstworm , it is being classified as a worm.
They also have updated virus definitions 20.40 posted on their site at support.ca.com that are supposed to pick this up.
------------------
sHIFT hAPPENS
-
February 12th, 2001, 04:03 PM
#12
We're getting hit by it here. The anti-virus on the Exchange server seems to be utterly useless against it. And IS insists on keeping everyone on Outlook 97. If they'd only upgrade to OL98 or OL2K, they could install the Security Patch, and these viruses would be a thing of the past!
(I'm the only one here running OL98, and have the Security Patch, so I'm totally immune to it!)
------------------
Captain Troy D. Pack Rat
`akbar Press
If you're furry and you know it, hug the mouse!
-
February 12th, 2001, 04:20 PM
#13
Our anti-virus detected Anna.Kournikova.vbs right away. Two separate incidents as of 2:15pm PST.
Hate to sound like an advertisement but F-Secure Antivirus did its job. Check www.f-secure.com.
-
February 12th, 2001, 07:15 PM
#14
Anyone interested can go to the following site for info. on the new AnnaK (VBS/SST@MM) virus.
http://www.cert.org/current/current_activity.html#virus
Most detectors have updates out for this one at this time. The main problem is getting the time to scan the message stores while people are still opening the stupid attachment. We had to set all of our allowed attachment sizes to 0 to stop the noise temporarily.
Good Luck... Marty
------------------
"It's full of Stars"
-
February 12th, 2001, 07:27 PM
#15
F.Y.I. Symantec has just released a definition update.
Latest definition files are dated 2/12/2001
------------------
Perception: Our day in, day out world is real.
Reality: That world is a hoax, an elaborate deception spun by all powerful machines of artificial intelligence that control us.