
Virus Notices & Links to Hoaxes & Myth Notices


-----Original Message-----
From:    Murry, Jim
Sent:    Monday, September 27, 1999 7:16 AM
To:    all-hs
Subject:    New PC viruses
Importance:    High

    Two new viruses have sprouted up over the past week that are worth noting. If you are using our Exchange/Outlook email system and using our anti-virus software package rolled into our Desktop/98 workstation you should be ok. Remember: if you don't know the sender or exactly what an attachment is, do not open an attachment!
        Note: your system (Desktop/98 users) s/b on version 4.0.3 of the McAfee Vshield software (to check click on the shield icon on the bottom right of your screen and then click "about" - at the top of the window that appears it should show the version of McAfee Vshield). If you are not on this version please send an email request to <> (in your email directory under "hsishelp") asking that someone upgrade your system.
  The two new viruses:
#1  Microsoft Y2K Trojan Horse <> virus.  Masked as an email from Microsoft, the Y2K countdown Trojan is distributed as an attachment called Y2KCOUNT.EXE. The mail seems to be coming from Microsoft and contains the following text:

    From:
    Sender:
    Subject: Microsoft Announcement
    Date: Wed, 15 Sep 1999 00:49:57 +0200

    To All Microsoft Users,
    We are excited to announce Microsoft Year 2000 Counter. Start the countdown NOW. Let us all get in the 21 Century. Let us lead the way to the future and we will get YOU there FASTER and SAFER.
    Thank you,
    Microsoft Corporation

When the Y2KCOUNT.EXE file is executed, it displays a WINZIP self-extracting dialog box and a bogus message box containing the following text appears:

    Password protection error or invalid CRC32!

The Trojan then drops the files PROCLIB.DLL, PROCLIB.EXE, PROCLIB16.DLL and SVSRV.DLL into the Windows System directory and makes changes to the SYSTEM.INI file. It overwrites WSOCK32.DLL with the contents of PROCLIB16.DLL, and keeps a copy of the original WSOCK32.DLL as a file called NLHVLD.DLL. PROCLIB16.DLL mimics the functionality of WSOCK32.DLL and appears to search for the words "password", "login" and "username" in incoming and outgoing mail.

#2  W97M/Suppl is a new Internet worm, discovered 9/17/99 by AVERT's Virus Patrol. AVERT has assigned it a MEDIUM risk assessment, and placed it on the AVERT Watch List. Like W32/Ska, it attempts to infect other computers by attaching itself (as the file SUPPL.DOC) to outgoing email messages using SMTP protocol. If you receive an email with an attachment called SUPPL.DOC, DO NOT OPEN the attachment. Delete it immediately.

W97M/Suppl has a destructive payload: At infection, the virus replaces the existing WSOCK32.DLL file with a new version that contains a trojan. Approximately 163 hours (6.79 days) after initially infecting the local machine, the corrupted WSOCK32.DLL will seek all files within all fixed drives with the following extensions and null them (similar to W32/ExploreZip): .doc, .xls, .txt, .rtf, .dbf, .zip, .arj, .rar, *.*
Thank you.
Jim Murry
Chief Information Officer / Associate Director - UCI HealthSciences - <> (714)456-6818 <>
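
A check for the Y2KCOUNT.EXE indicators named in the notice above, as an added example that is not part of the original message. It inspects a Windows System directory (or a copy taken from a disk image) for the dropped files and the NLHVLD.DLL backup, and flags a WSOCK32.DLL whose contents match PROCLIB16.DLL. The file names come from the notice; the function names and the SHA-256 comparison are assumptions of this example.

```python
import hashlib
import os
import sys

# File names taken from the notice (Y2KCOUNT.EXE trojan).
DROPPED = ["PROCLIB.DLL", "PROCLIB.EXE", "PROCLIB16.DLL", "SVSRV.DLL"]
BACKUP = "NLHVLD.DLL"   # copy of the original WSOCK32.DLL kept by the trojan
TARGET = "WSOCK32.DLL"  # overwritten with the contents of PROCLIB16.DLL


def _index(system_dir):
    """Map upper-cased file name -> real path.

    Windows 9x file names are case-insensitive, but a copied directory
    examined on another OS may not be, so names are normalised here.
    """
    return {e.name.upper(): e.path for e in os.scandir(system_dir) if e.is_file()}


def _sha256(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_y2kcount(system_dir):
    """Return a list of findings for the given System directory (hypothetical helper)."""
    files = _index(system_dir)
    findings = [f"dropped file present: {n}" for n in DROPPED if n in files]
    if BACKUP in files:
        findings.append(f"backup of original {TARGET} present: {BACKUP}")
    # The notice says WSOCK32.DLL is overwritten with PROCLIB16.DLL's contents,
    # so identical hashes indicate the replacement has happened.
    if TARGET in files and "PROCLIB16.DLL" in files:
        if _sha256(files[TARGET]) == _sha256(files["PROCLIB16.DLL"]):
            findings.append(f"{TARGET} is byte-identical to PROCLIB16.DLL")
    return findings


if __name__ == "__main__":
    # Usage: python check_y2kcount.py <path to Windows System directory>
    for directory in sys.argv[1:]:
        for finding in check_y2kcount(directory):
            print(f"{directory}: {finding}")
```

An empty result only means none of these file-name indicators were found; the notice also mentions changes to SYSTEM.INI, which this check does not examine because the notice does not say what they are.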