ES - virus warning - from ListAdmin

Rayburn, Timothy TRayburn at insurdata.com
Tue Dec 21 11:05:25 PST 1999


Ladies and gentlemen of the List,

I apologize in advance since this is not 'first hand' information, but here
goes...

The panther.exe file is one form of the W32.NewApt.Worm virus.  The
HyperLink version of this Virus was posted to the Ansteorran list the other
day.  This is very likely the source of Gilli's infection (He followed the
link to the Website listed there which infected him).

Since this virus affects Outlook users, it has access to their addressbook,
which is why lots of folks Gilli knows got the message.  It is very likely
using the Sent Mail folder to capture subject lines you have used as well.
The full text from Symantec.Com (makers of Norton Anti-Virus, a very
reputable source) is included below.  I do not believe this is a case of
someone abusing the list, simply a more widespread infection that happened to
hit Ansteorra at ansteorra.org which we have a lot of cross-subscribers to, etc.

Timothy of Glastonbury
mka Tim Rayburn
Protégé to Viscount Galen of Bristol


<BEGIN QUOTE FROM SYMANTEC.COM>

W32.NewApt.Worm 

Detected as: W32.NewApt.Worm 
Aliases: Worm.NewApt 
Infection Length: 69,632 bytes 
Likelihood: Common 
Region Reported: US, Europe 
Characteristics: Worm 

Norton AntiVirus users can protect themselves from this virus by downloading
the current virus definitions either through LiveUpdate or from the Download
Virus Definition Updates page. 




Description 

W32.NewApt.Worm was discovered on December 14, 1999 in Italy. This worm will
email itself out when receiving email via Microsoft Outlook or Netscape
Navigator. When activated, the worm will display an error dialog and modify
the registry so the worm is reloaded each time the computer is restarted.
The error message box will appear as: 

 

When received by email (and if you do not have an HTML capable email
client), the message body will be: 

he, your lame client cant read HTML, haha.
click attachment to see some stunningly HOT stuff

Otherwise, the text will include a reference to a website and the following
message: 


Hypercool Happy Year 2000 funny programs and 
animations....
We attached our recent animation from this 
site in our mail ! Check it out!

Attached to the message will be one of the following file names:
g-zilla.exe, cooler3.exe, cooler1.exe, copier.exe, video.exe, pirate.exe,
goal1.exe, hog.exe, party.exe, saddam.exe, monica.exe, boss.exe, farter.exe,
cheeseburst.exe, panther.exe, theobbq.exe, goal.exe, baby.exe, bboy.exe,
cupid2.exe, fborfw.exe, casper.exe, irnglant.exe, or gadget.exe 

The worm will add the following registry key: 

HKLM/Software/Microsoft/Windows/CurrentVersion/Run/tpawen

To remove the worm from memory, remove the above registry key and then
restart. Delete all infected files. 
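
Added example, not part of the original message or of Symantec's write-up: a mail-side check that flags attachments whose file name is on the list quoted above. Treating the quoted "Infection Length" of 69,632 bytes as the expected attachment size is an assumption, and the function names and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names and length as listed in the Symantec text quoted above.
NEWAPT_NAMES = frozenset("""g-zilla.exe cooler3.exe cooler1.exe copier.exe video.exe
pirate.exe goal1.exe hog.exe party.exe saddam.exe monica.exe boss.exe farter.exe
cheeseburst.exe panther.exe theobbq.exe goal.exe baby.exe bboy.exe cupid2.exe
fborfw.exe casper.exe irnglant.exe gadget.exe""".split())
NEWAPT_SIZE = 69_632  # assumption: "Infection Length" equals the attachment size

def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment whose file name is on the list."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # The sender controls this header: keep only the base name, lower-cased.
        name = (part.get_filename() or "").replace("\\", "/").rsplit("/", 1)[-1]
        name = name.strip().lower()
        if name not in NEWAPT_NAMES:
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "size": len(payload),
            "size_matches": len(payload) == NEWAPT_SIZE,
            "looks_like_exe": payload[:2] == b"MZ",  # DOS/PE header magic
        })
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; the payload is inert filler, not the worm."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "list@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("constructed body")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Panther.EXE", b"MZ" + b"\x00" * (NEWAPT_SIZE - 2))
    for finding in scan_message(sample):
        print(finding)
```

A name match alone is only a lead, since the names are ordinary words; the size and header checks narrow it, and the HyperLink form of the message carries no attachment for this check to see.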
 