WORM_SOBER.I
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Sober.i (Kaspersky), W32/Sober.gen@MM (McAfee), W32.Sober.I@mm (Symantec), Worm/Sober.I (Avira), W32/Sober-I (Sophos), Worm:Win32/Sober.I@mm (Microsoft)

In the wild: Yes

Destructive: No

Language: English, German

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

As of November 19, 2004, 1:31 AM (GMT - 08:00), TrendLabs has declared a Yellow Alert to control the spread of this malware, which is propagating via email in Germany, France, and Austria. Users are advised to be wary of email messages containing the following message body:

*-*-* Mail_Scanner: No Virus
*-*-* - Anti_Virus Service
*-*-* http://www.

It sends similar content in German to email addresses in Germany, Austria, Liechtenstein, Switzerland, and other areas (it checks target addresses for country-level domains):

*-*-* X-MS_Scanner: Kein Virus erkannt
*-*-* Attachment-Scanner: NO VIRUS
*-*-* Anti_Virus: Es wurde kein Virus gefunden

For additional information on the email that this worm sends out, please refer to the Technical Details section.

Users should note that the worm messages are spoofed and may appear to be sent by a familiar source.

This worm may cause some increase in network traffic. Distribution, however, may not necessarily be localized, and the worm may not severely affect corporate mail servers since it obtains email targets from files instead of the global address book.

This worm arrives as an email attachment that executes and infects upon manual execution.
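A mail-gateway style check for the message bodies quoted above, written as an added example (not Trend Micro's code). It flags a message only when one of the fake "no virus" footer lines appears together with an attachment, and it ignores the sender because the worm spoofs it. The sample messages, addresses and attachment name are constructed placeholders.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
# Fake "scanned, clean" footer lines quoted on this page (English and German).
# The URL line is truncated on the page ("http://www."), so it is not matched.
FOOTERS = [
    r"Mail_Scanner:\s*No Virus",
    r"Anti_Virus Service",
    r"X-MS_Scanner:\s*Kein Virus erkannt",
    r"Attachment-Scanner:\s*NO VIRUS",
    r"Anti_Virus:\s*Es wurde kein Virus gefunden",
]
FOOTER_RE = re.compile(r"^\s*\*-\*-\*\s*-?\s*(?:%s)" % "|".join(FOOTERS), re.I | re.M)

def inspect_message(raw: bytes) -> dict:
    """Flag mail whose body carries the fake footers AND has an attachment.
    The From header is ignored on purpose: the page notes it is spoofed."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_maintype() == "text":
            try:
                text = part.get_content()  # undoes base64/quoted-printable + charset
            except (LookupError, UnicodeError):
                text = (part.get_payload(decode=True) or b"").decode("latin-1")
            hits += [m.group(0).strip() for m in FOOTER_RE.finditer(text)]
    return {"footer_hits": hits, "attachments": attachments,
            "suspicious": bool(hits) and bool(attachments)}

def build_sample(body: str, attach: bool) -> bytes:
    """Constructed test mail; addresses and attachment name are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "constructed"
    m.set_content(body, cte="base64")  # encoded body: a raw byte search would miss it
    if attach:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename="constructed_sample.bin")
    return m.as_bytes()

ENGLISH = "Hi\n\n*-*-* Mail_Scanner: No Virus\n*-*-* - Anti_Virus Service\n*-*-* http://www.\n"
GERMAN = ("Hallo\n\n*-*-* X-MS_Scanner: Kein Virus erkannt\n"
          "*-*-* Attachment-Scanner: NO VIRUS\n*-*-* Anti_Virus: Es wurde kein Virus gefunden\n")
if __name__ == "__main__":
    for body in (ENGLISH, GERMAN, "Quarterly report attached.\n"):
        print(inspect_message(build_sample(body, attach=True)))
```

Because the sample bodies are base64-encoded, the check only works after MIME decoding, which is why it parses the message instead of searching the raw bytes.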

A good visual clue to spot this worm is the fake WinZip message box that it displays:

[Image: WinZip Self-Extractor message box]

This message box is likely designed to trick users into thinking that the worm file is damaged and does not actually run. On the contrary, systems on which the message box has been displayed have likely been infected, especially machines with no antivirus protection.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Users who would like to have an in-depth understanding of this worm may refer to the Technical Details section.

For additional information about this threat, see:
Solution
Technical Details

Description created: Nov. 19, 2004 1:07:05 AM GMT -0800