CA-2001-03.OnTheFly

Posted Feb 14, 2001
Site cert.org

CERT Advisory CA-2001-03 - The "VBS/OnTheFly" malicious code is a VBScript virus that spreads via email to users of Microsoft Outlook who have not applied previously available security updates. When the malicious code executes, it attempts to send copies of itself, using Microsoft Outlook, to all entries in each of the address books. An Outlook update is available from Microsoft (see Section III).

tags | virus
SHA-256 | 857d86f779215cacaef6a95c16b3a5b35d2bc60ec5f355777384615d79db7342

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code

Original release date: February 12, 2001
Last revised: February 12, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Users of Microsoft Outlook who have not applied previously available
security updates.

Overview

The "VBS/OnTheFly" malicious code is a VBScript program that spreads
via email. As of 7:00 pm EST(GMT-5) Feb 12, 2001, the CERT
Coordination Center had received reports from more than 100 individual
sites. Several of these sites have reported suffering network
degradation as a result of mail traffic generated by the
"VBS/OnTheFly" malicious code.

This malicious code can infect a system if the enclosed email
attachment is run. Once the malicious code has executed on a system,
it will take the actions described in the Impact section.

I. Description

When the malicious code executes, it attempts to send copies of
itself, using Microsoft Outlook, to all entries in each of the address
books. The sent mail has the following characteristics:

SUBJECT: "Here you have, ;o)"

BODY:

Hi:
Check This!

ATTACHMENT: "AnnaKournikova.jpg.vbs"

Users who receive copies of the malicious code via electronic mail
will probably recognize the sender. We encourage users to avoid
executing code, including VBScripts, received through electronic mail,
regardless of the sender's name, without prior knowledge of the origin
of the code or a valid digital signature.

It is possible for recipients to be tricked into opening this
malicious attachment, since the file will appear without the .VBS
extension if "Hide file extensions for known file types" is turned on
in Windows.

II. Impact

When the attached VBS file is executed, the malicious code attempts to
modify the registry by creating the following key:

HKEY_CURRENT_USER\Software\OnTheFly="Worm made with Vbswg1.50b"

Next, it will place a copy of itself into the Windows directory:

C:\WINDOWS\AnnaKournikova.jpg.vbs

Finally, the malicious code will attempt to send separate, infected
email messages to all recipients in the Windows Address Book. Once the
mail has been sent, the malicious code creates the following registry
key to prevent future mailings of the malicious code.

HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1

The code's propagation can lead to congestion in mail servers that may
prevent them from functioning as expected.

Beyond this effect, there does not appear to be a destructive payload
associated with this malicious code. However, historical data has
shown that the intruder community can quickly modify the code for more
destructive behavior.

III. Solution

Update Your Anti-Virus Product

It is important for users to update their anti-virus software. Some
anti-virus software vendors have released updated information, tools,
or virus databases to help combat this malicious code. A list of
vendor-specific anti-virus information can be found in Appendix A.

Apply the Microsoft Outlook E-mail Security Update

To protect against this malicious code, and others like it, users of
Outlook 98 and 2000 may want to install the Outlook E-mail Security
update included in an Outlook SR-1. More information about this update
is available at

http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm

You may also find the following document on Outlook security useful:

http://www.microsoft.com/office/outlook/downloads/security.htm

The Outlook E-mail security update provides features that can prevent
attachments containing executable content from being displayed to
users. Other types of attachments can be configured so that they must
be saved to disk before they can be opened (or executed). These
features may greatly reduce the chances that a user will incorrectly
execute a malicious attachment.

Filter the Virus in Email

Sites can use email filtering techniques to delete messages containing
subject lines known to contain the malicious code, or can filter
attachments outright.
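The two observable characteristics the advisory gives (the fixed subject line in Section I and the double-extension attachment that Windows displays as a .jpg) are exactly what a mail gateway filter would key on. The following is an added example, not code from the advisory or from CERT/CC: a small Python check that parses a message and reports why it should be quarantined. The sample message is constructed to match the characteristics listed above and carries no script content; the lists of script extensions and "decoy" extensions are assumptions chosen for the example, not taken from the advisory.

```python
"""Gateway-style check for mail matching the VBS/OnTheFly characteristics.

Added example (not part of CERT Advisory CA-2001-03). The sample message
below is constructed for the example and contains no script code.
"""
import email
from email import policy

# Subject line the advisory reports for the worm's outgoing mail.
KNOWN_BAD_SUBJECTS = {"here you have, ;o)"}

# Assumption for the example: extensions that Windows Script Host or the
# shell executes directly on double-click. A real gateway would maintain
# its own, larger block-list.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                     ".bat", ".cmd", ".exe", ".scr", ".pif"}

# Assumption for the example: "harmless-looking" extensions commonly
# placed in front of a script extension (the .jpg in .jpg.vbs).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def classify_filename(filename: str) -> list:
    """Return the reasons an attachment name should be quarantined (empty if none).

    Only the last two extensions matter, so "annakournikova.jpg.vbs" is split
    into ["annakournikova", "jpg", "vbs"].
    """
    reasons = []
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2:          # no extension at all
        return reasons
    last = "." + parts[-1]
    if last in SCRIPT_EXTENSIONS:
        reasons.append(f"executable script extension {last}")
        # Double extension: the real type is hidden behind a decoy when
        # "Hide file extensions for known file types" is enabled.
        if len(parts) == 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension hides {last} behind .{parts[-2]}")
    return reasons


def scan_message(raw: bytes) -> list:
    """Parse one RFC 822 message and return the list of quarantine reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "")
    # Weak indicator: the fixed subject line. Trivial for a variant to change,
    # so it is reported but never relied on alone.
    if subject.strip().lower() in KNOWN_BAD_SUBJECTS:
        reasons.append(f"known worm subject line: {subject!r}")
    # Durable indicator: what the attachment would do if double-clicked.
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            reasons.extend(f"attachment {name!r}: {r}" for r in classify_filename(name))
    return reasons


# Constructed sample mirroring the characteristics in Section I; the
# attachment body is an inert placeholder, not script content.
SAMPLE_MESSAGE = b"""\
From: colleague@example.org
To: recipient@example.org
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi:
Check This!

--b1
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"
Content-Transfer-Encoding: 7bit

' inert placeholder, not script content
--b1--
"""

# Constructed benign message for comparison.
CLEAN_MESSAGE = b"""\
From: colleague@example.org
To: recipient@example.org
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached as discussed.

--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

%PDF-1.4 placeholder
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        verdict = scan_message(raw)
        print(label, "->", "QUARANTINE" if verdict else "deliver")
        for reason in verdict:
            print("   ", reason)
```

The subject-line match is the fragile half of this check: a trivially edited variant defeats it, which is why the advisory also recommends filtering attachments outright. The extension logic is the durable half, and it flags the double-extension trick from Section I regardless of what the message says.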

Exercise Caution When Opening Attachments

Exercise caution when receiving email with attachments. Users should
disable auto-opening or previewing of email attachments in their mail
programs. Users should never open attachments from an untrusted
origin, or that appear suspicious in any way. Finally, cryptographic
checksums should also be used to validate the integrity of the file.

IV. General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated
through electronic mail include:

Melissa macro virus - discussed in CA-99-04
http://www.cert.org/advisories/CA-1999-04.html

False upgrade to Internet Explorer - discussed in CA-99-02
http://www.cert.org/advisories/CA-1999-02.html

Happy99.exe Trojan Horse - discussed in IN-99-02
http://www.cert.org/incident_notes/IN-99-02.html

CIH/Chernobyl virus - discussed in IN-99-03
http://www.cert.org/incident_notes/IN-99-03.htm

In each of the above cases, the effects of the malicious file are
activated only when the file in question is executed. Social
engineering is typically employed to trick a recipient into executing
the malicious file. Some of the social engineering techniques we have
seen used include

* Making false claims that a file attachment contains a software
patch or update
* Implying or using entertaining content to entice a user into
executing a malicious file
* Using email delivery techniques that cause the message to appear
to have come from a familiar or trusted source
* Packaging malicious files in deceptively familiar ways (e.g., use
of familiar but deceptive program icons or file names)

The best advice with regard to malicious files is to avoid executing
them in the first place. CERT advisory CA-1999-02 and the following
CERT tech tip discuss malicious code and offer suggestions for avoiding
it.

http://www.cert.org/advisories/CA-99-02.html

http://www.cert.org/tech_tips/malicious_code_FAQ.html

Appendix A. Anti-Virus Vendor Information

Aladdin Knowledge Systems

http://www.aks.com/home/csrt/valerts.asp#AnnaK

Command Software Systems, Inc.

http://www.commandcom.com/virus/vbsvwg.html

Computer Associates

http://ca.com/virusinfo/virusalert.htm#vbs_sstworm

F-Secure

http://www.f-secure.com/v-descs/onthefly.shtml

Finjan Software, Ltd.

http://www.finjan.com/attack_release_detail.cfm?attack_release_id=47

McAfee

http://www.mcafee.com/anti-virus/viruses/vbssst/default.asp

Dr. Solomon, NAI

http://vil.nai.com/vil/virusSummary.asp?virus_k=99011

Sophos

http://www.sophos.com/virusinfo/analyses/vbsssta.htm

Symantec

http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html

Trend Micro

http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A

You may wish to visit the CERT/CC's Computer Virus Resources Page
located at:

http://www.cert.org/other_sources/viruses.html
______________________________________________________________________

This document was written by Cory Cohen, Roman Danyliw, Ian Finlay,
John Shaffer, Shawn Hernan, Kevin Houle, Brian B. King, and Shawn Van
Ittersum.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-03.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_____________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
February 12, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBOoiQEgYcfu8gsZJZAQE5ywQAiY1gtNtBfjO79N0O4NocSq9lzNJKsXlE
fSxC3vcBKZcnew5BGFJD/kGOnKvJvl1aYltDiLoRvfDGxoG3QisD+kzp3L76zBI2
JwK8xk8/EAqM7YvVqAKHGxwujkTAU5Y9K5ioeuZsIvqkXTUlTYxNV2aI9iM6teG2
d8+/N4weQ1M=
=cD9T
-----END PGP SIGNATURE-----