Re: W32.DonkeyPunch@xxx VIRUS WARNING
From: "Tony Earnshaw" <tonni@billy.demon.nl>
Date: Sat, 2 Feb 2002 22:12:32 +0100

This is indeed an extremely nefarious virus and has been signalled in
Farawaystan where it has virtually eliminated all donkeys.
Only the humble mule has proved to be resistant, partly because of its
not being a donkey. Only partly, at least.
All those with donkeys are advised to swap them for someone else's
horse, before this horrible virus is signalled in their country.
I've heard that Chinese chickens are not immune, either. Suppose it
won't be long before all chickens in China are murdered for the second
time.
Luckily, cats vaccinated against cat pest and sneezing sickness _are_
immune. This valuable information will shortly be posted on
no.alt.katter, probably by Kera A. Fox, whose punch line is: "Think big,
shrink to fit".
Or if not by herself, probably someone else.
If anybody else can be bothered.
Thanks, Donkey!
--
Tony Earnshaw
tonni@billy.demon.nl
Tel: (+31)(0)172 530428
Mobile: (+31)(0)6 51153356

"Yahoo Mail" <smtpmailsrv0@yahoo.com> wrote in message news:52dc0eb9.0202021022.61d2f0d2@posting.google.com...
| Our email administrator sent out notice today about a new virus.
| Apparently this one is incredibly nasty.
|
| Here is the description he sent out after he checked the Symantec
| Security Response site.
|
| If you are infected don't read this email so I won't get it too.
|
| The virus description from Symantec (Norton Antivirus) is below...
|
| -------------------------------------------------------
|
| Symantec Security Response
| http://securityresponse.symantec.com
|
| W32.DonkeyPunch@xxx
| Discovered on: January 1, 2002
| Last Updated on: January 31, 2002 at 12:46:03 PM PST
|
| W32.DonkeyPunch@xxx is an extremely damaging worm. It
| was written and distributed on December 28, 2001. The virus code is in
| Invisible Complex. It is about 69000 GB in size and is packaged using
| AssPacker. The worm uses Micro$oft Outlook, the virus client with email
| functionality, to send itself to all contacts in your Micro$oft Outlook
| address book.
|
| Virus Definitions: None available.
|
| Threat Assessment:
| Wild: Low
| Damage: Medium
| Distribution: High
|
| Wild:
| Number of infections: 0 - 49000
| Number of sites: 0 - 2000
| Geographical distribution: Medium
| Threat containment: Impossible
| Removal: Unlikely
|
| Damage:
|
| Payload Triggers: Upon viewing this message
|
| Payload:
| Large scale e-mailing: Utilizes Micro$oft
| Outbook to mail everyone in the Outlook
| address book
|
| Deletes files: Attempts to delete antivirus
| software and files with the following
| extensions: .ini, .php, .exe, .com, .mpeg,
| .dat, .zip, .txt, .exe, .xls, .doc, and
| .jpg.
|
| Causes system instability: Critical system
| files may have been deleted
|
| Erases Magnetic Media: Demagnetizes strips
| on credit cards, floppy disks, cassette
| and/or VHS tapes. Beta Max format tapes are
| immune. The method by which this is achieved
| is unknown. Secretly developed US Government
| technology is suspected. This is effective
| within 20 meters of your PC.
|
| Sub-space field harmonics: Scratches CD media
| using sub-space field harmonics. Originally
| demonstrated by Nikola Tesla outside a
| whorehouse in Zagreb, Croatia. Additional damage
| is done by modifying refrigerator settings to
| spoil dairy products.
|
| Poor grammar: Changes all your active verbs to
| passive tense and incorporating undetectable
| misspellings which grossly change the
| interpretations of key sentences. Example:
| "*** you".
|
| Infects Human Interface Devices: May cause
| Dutch Elm Disease and Psitticosis if keyboard
| is not disinfected.
|
| Generally Inconsiderate Behavior: Leaves dirty
| underwear on the coffee table when you are
| expecting company. Drinks all your single-malt
| scotch.
|
| Tampers with Hygiene Products: Replaces your
| shampoo with Nair, your Nair with Rogaine and
| your KY Jelly with epoxy glue. Molecularly
| rearranges your cologne or perfume, causing it
| to smell like kim-chee.
|
| Distribution:
| Subject of email: 667 neighbor of the beast
| Name of attachment: .cum or iwillspankyou.ok
| Size of attachment: 69000 GBytes
| Color: Interesting shade of mauve
|
| Technical description:
| When the hoax is executed for the first time, it will
| install itself as \Windows\System\Wino.exe. It then
| adds the value
|
| %System%\wino.exe
|
| to the registry key (single line, text may wrap)
|
| HKEY_LOCAL_MACHINE\Software\Micro$oft\Winos\
|
| CurrentVersion\Run you big fat wino\
|
| so that the worm runs the next time that you start
| slurring like Winos. In most cases, however, because
| of the damage that is done by this hoax, the computer
| will no longer load Windows. It loads Mac OS X.
|
| Next, the worm obtains the computer name. This is done
| because the worm is programmed to use your credit card
| to rent a local hotel room and several strippers. The
| name used for this is composed of the computer name
| plus the .cum extension, for example, Johns_PC.cum.
|
| If the worm is executed a second time, it will program
| your modem to dial only 976 numbers.
|
| The content of the mail will be any of the following
| (randomly cheesey) lines:
|
| Hop on my moped because my monster is
| approaching humping velocity!
|
| What is a tarded hairy tosser like you
| doing in a greek palace like this?
|
| Fist me if I'm shitfaced, but aren't you
| one of the Olsen Twins?
|
| My car is double-parked, so I'll only
| wank on your shoes.
|
| W32.DonkeyPunch@xxx is a pornworm (a worm virus that
| actively forwards you hard found smut to some other
| guy for free). It forwards porn that it finds in the
| following folders:
| Program Files\Porn\
| Program Files\Command Software\Smut\
| Stuff\
| Mike's big porn folder\
| SilkyB\
| Program Files\Quick Heal\
| Program Files\FindTitties\
| Toolkit\Thick Un-Cut Tools\
| Program Files\McAfeeVaginalScan95\
| Program Files\Norton AnalVirus\
| Rescue\
| Program Files\Rectal Zone Labs\
|
| Finally, the worm deletes several files, including
| those with the file extensions .cum, .jiz, .sex,
| and .slz.
|
| Removal instructions:
|
| NOTE: If the worm has already executed, it is likely
| that you will first have to reinstall the operating
| system and most (if not all) programs. In addition,
| most data files such as Micro$oft Word documents,
| text files, and so on will have to be restored from
| a clean backup. Now is a good time to buy Linux.
|
| To remove the worm, delete all files that are
| detected as *.dll and remove the value that it
| added to the registry.
|
| To remove the worm:
|
| 1. Run LiveUpdate to make sure that you have
| the most recent virus definitions.
|
| 2. Uninstall Micro$oft Outlook and Outlook
| Express then download and install QualComm
| Eudora.
|
| 3. Start Norton AntiVirus (NAV), and make sure
| that NAV is configured to scan all files. For
| instructions on how to do this, read the
| document How to configure Norton AntiVirus to
| scan all files.
|
| 4. Run Find from your Start Menu and delete all
| files that are named *.dll.
|
| 5. Delete all files that are detected as
| W32.DonkeyPunch@xxx.