Squashing the Worm
Novell Cool Solutions: Feature
Digg This -
Posted: 14 Feb 2001
Current version: ZENworks for Desktops 3, GroupWise 5.5 EP
In case you're currently battling the new VBS/SST@MM worm, don't forget that there are some pretty nifty tools at your disposal in ZENworks for Desktops and GroupWise. For information about the behavior of this worm, check here. Basically, here's what the virus does:
This script was created by a worm generating tool. As such, the particulars of its actions may vary. The most common variant functions as follows.
When run, the script copies itself to the WINDOWS directory as "AnnaKournikova.jpg.vbs". It attempts to mail a separate e-mail message, using MAPI messaging, to all recipients in the Windows Address Book using the following information:
Subject: Here you have, ;o)
It also creates a registry key and key values. The script refers to these values to check if the mailing routine has already taken place:
- HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=(1 for yes)
Indications Of Infection
- Presence of the file "c:\WINDOWS\AnnaKournikova.jpg.vbs"
- Presence of the registry key: HKEY_USERS\.DEFAULT\Software\OnTheFly
- Users complaining that you've sent them a virus.
Method Of Infection
This script arrives as an e-mail attachment which, if opened, infects your machine. Once your machine is infected, the script attempts to mail itself to all recipients found in the Windows Address Book.
Use specified engine and DAT files for detection and removal. Delete any file which contains this detection.
Discovery Date: 8/14/00
Origin: Virus Construction Kit, Intentional
Risk Assessment: High
Anna Kournikova, AnnaKournikova, VBS/Anna, VBS/SST, VBS/SST-A (Sophos), VBS/VBSWG.J (F-Prot), VBS_Kalamar.a (Trend)
Here's an ADM (works with ZfD2 and ZfD3) that will turn off the Windows Scripting Host. It should help avoid virus outbreaks.
For more information about using this ADM, see this article. It explains how to use ZENworks for Desktops policies to deliver a lockdown which turns off the Windows Scripting Host
If you have GroupWise users to manage, you may want to help them create a rule to move e-mails that might spread the virus into a folder where they can handle them like the toxic waste that they are, without accidentally opening or previewing them.
Tim Harris, a Senior Systems Engineer at Novell, says:
My primary method for viewing mail is in the three-pane-preview. While there's still some debate as to whether .VBS code will execute in preview mode (IS&T says to not even view a message with a .VBS attachment), it's easiest just to avoid it.
I created a rule in GroupWise that moves all received messages with an attachment that contains .VBS to a folder called "Potential Virus." That way I can get out of preview mode and deal with each message more carefully.
If nothing else, it stops that sick feeling from occuring when you see a .VBS attachment pop up in preview mode.
- First, create a new folder in your cabinet called Potential Virus.
- Click Tools, Rules, New.
- Make a Rule that looks like this:
Note: This is a generic filter, so if the text .VBS shows up anywhere in the message, and there's an attachment, the message will get moved. But at least you'll have them all in one place where you can deal with them individually.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com