Date: 23 March 2002
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2002.03 -- AUSCERT ALERT
UNIRAS ALERT - W32/Caric-A (aka W32/MyLife-B) Virus
23 March 2002
===========================================================================
AusCERT Alert Summary
---------------------
The message included below is an alert published by UNIRAS regarding a
new email virus "W32/Caric-A", also known as "W32/MyLife-B". Although AusCERT
has not received any reports of local infections, the risk of rapid propagation
of this virus makes it imperative that members disseminate and take action on
this information to prevent any undesirable activity by this virus within their
sites.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Alert Notice - 11/02 dated 22.03.02 Time: 09:15
UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- - ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------
Title
=====
Malicious Software Report - W32/Caric-A
Aliases: W32.Caric@mm, W32/MyLife.b@MM
UNIRAS Comment
==============
MyLife.A has been around since 7 March. This is a new variant, and MessageLabs
indicates that it is stopping a number of EMails infected with it.
URLs:
http://www.messagelabs.co.uk/viruseye/
http://www.sophos.co.uk/virusinfo/analyses/w32carica.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.caric@mm.html
http://www.outpost24.com/
http://vil.nai.com/vil/content/v_99414.htm
Detail
======
Name: W32/Caric-A
Aliases: W32.Caric@mm, W32/MyLife.b@MM
Type: Win32 worm
Date: 22 March 2002
A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated
into the May 2002 (3.57) release of Sophos Anti-Virus.
Sophos has received several reports of this worm from the wild.
Description:
W32/Caric-A is a worm which arrives in an email with the
following characteristics:
    Subject line: bill caricature
    Attached file: cari.scr
    Message text:
        Hiiiii
        How are youuuuuuuu?
        look to bill caricature it's vvvery verrrry ffffunny :-) :-)
        i promise you will love it? ok
        buy
        ========No Viruse Found========
        MCAFEE.COM
If you run the attachment and Outlook is installed, then
W32/Caric-A will send itself to the addresses in your address
book. The worm also displays a cartoon of a man wearing a "Bill"
badge and playing a saxophone.
The worm saves a copy of itself in the Windows system folder and
adds the following value to the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run\win = "C:\Windows\System\cari.scr"
Download the IDE file from
http://www.sophos.com/downloads/ide/caric-a.ide
Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32carica.html
Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications
- - ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@niscc.gov.uk
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of SOPHOS for the information
contained in this Alert.
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQCVAwUBPJr37opao72zK539AQGW7gP+KbA5Gi/Q9yxsLNhBBXA7iL1KiXz5UZ6R
5FZH2VFubcF8cRVqPKvEWzf+qYILSFZSvYtVbMPuMvaEh1UJKNwjeZLziUBJK5hl
r7M4G9SpdSQX1o8AgVXPYznya3B2WMDDqPdLqHbGGpyxw2WnYF5xxpeHEouYQhIX
xUU28eKjnCA=
=PU8x
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
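The indicators in the included alert (subject line, attachment name, .scr attachment type) can be checked at a mail gateway or against a quarantined mailbox. The following is an added example, not part of the UNIRAS or Sophos text; the function names, the extension list and the sample messages are assumptions constructed for illustration, and the subject match is widened to a substring so that forwarded or replied copies are also caught.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the alert above.
IOC_SUBJECT = "bill caricature"
IOC_ATTACHMENT = "cari.scr"
# Assumption (not from the alert): attachment types a gateway treats as executable.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat")


def triage(raw_bytes):
    """Return a sorted list of reasons a raw RFC 822 message is suspicious."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = set()
    subject = str(msg.get("Subject", "")).strip().lower()
    if IOC_SUBJECT in subject:
        reasons.add("subject matches W32/Caric-A")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        name = name.strip().lower()
        if name == IOC_ATTACHMENT:
            reasons.add("attachment name matches W32/Caric-A")
        if name.endswith(EXECUTABLE_EXTS):
            reasons.add("executable attachment type")
    return sorted(reasons)


def build_sample(subject, filename=None):
    """Build a constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed test body")
    if filename:
        m.add_attachment(b"placeholder, not malware", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Fwd: Bill Caricature", "cari.scr"),
                        ("holiday photos", "Photos.SCR"),
                        ("Quarterly report", "report.pdf")]:
        print(subj, "->", triage(build_sample(subj, fname)) or "clean")
```

A message that matches only on "executable attachment type" is not necessarily this worm, but blocking .scr attachments outright also covers renamed copies.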
This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.
NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the alert is retrieved directly from the
original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.
Previous advisories, alerts and external security bulletins can be
retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBPJw9+Sh9+71yA2DNAQGCYgQAkImISYBZmMUvvzU2YIZ132dvKqLrDjpt
MAW16ZGcz0r3BBWu1ga9KHOeDTI0SipXoTM1m82ewRgYw2CkH4xfAdD7xg0hg6MZ
5ore3SWouHJFYyNgz0UBi3NSk44DY7miMFcJc8P5bUUWpEZT+iTsJeP/jsMCIDlb
lDHVof4gk7Y=
=F9D+
-----END PGP SIGNATURE-----