From: Colleen Pustola <>
Subject: [DOWNER] CHAT: THIS IS AN IMPORTANT VIRUS HEADS-UP. EVERYONE PLEASE READ.
Date: Sun, 08 Jun 2003 10:17:48 -0600
This message is going out to all the lists I manage. If you receive
this multiple times, please keep one and read it. Use your delete key
on the rest...
EFFECTIVE IMMEDIATELY... GIVE ME ADVANCE NOTICE and RECEIVE MY RESPONSE
TO IT ***BEFORE*** you send me any material by way of attachment. Any
data arriving before a notice will be deleted.
NEWBIES AND COMPUTER NOVICES, PLEASE BE SURE TO READ **ALL** OF THIS
MESSAGE... print this out if you have to, but understand that you need
this information so you can protect your own computer, hence protect the
rest of us...
A new and dangerous version of the Tanatos Virus has hit cyberspace that
all the major anti-virus houses have elevated to "red" on their scales
and consider it "extremely dangerous." We are talking about one virus
with TWO versions.
** Panda Anti-Virus Software has determined that this virus has already
affected 23% of the computers globally.
** In just a few hours, this virus has already infected more computers
than the Klez.I virus ~ the #1 virus since April 2002.
I personally have already received 32 messages containing attachments
with this virus. It is IMPERATIVE that you know about this one!
The first thing I want to let you know is that YOU CAN NOT be infected
by any messages coming from any of Rootsweb's lists. The threat to your
computer DOES NOT come from the list itself. It comes OFF THE LIST from
those friends, family members, acquaintances who have your email address
in their computer's address books. They MAY OR may not belong to the
same Rootsweb list(s) as you. That being said, the following is
important to remember when you read the information after the seven
points I'll list below...
1. Rootsweb allows ONLY text messages through their filters.
Attachments to messages are NOT allowed, nor can they get through those
2. If you receive a message with an attachment that LOOKS like it came
from the list, it's probably a virus-laden message (reread #1, above).
DO NOT click on the attachment. Instead, either delete the message or
email back to the person you received the message from and see if they
sent you something by way of email. Just DON'T click on the attachment,
particularly if it has a double extension (see #5).
3. Next, if you don't already have one, get yourself an anti-virus
program IMMEDIATELY. A good, free one that I know of is AVG by Grisoft
<http://www.grisoft.com>. Once you have it in your computer, be sure to
4. If you already have an AV program installed, update IMMEDIATELY.
Norton AV has issued two AV updates in as many days. AVG has also
issued updates and so has McAfee.
5. ANY file with a double extension (filename.pif.exe OR
filename.gif.scr) is an excellent clue that you're sitting on an
attachment with a virus in it. DO NOT OPEN IT!! Delete it immediately.
6. If your email program automatically opens attachments, go to your
program options and find out how to stop that. You want to have to
manually open them, especially now.
7. Quitting the Rootsweb lists you belong to isn't going to make your
computer safe, nor will this virus "go away" tomorrow or even next week.
Remember, it's whoever has you in their address books that you need to
be concerned about. It IS wise at this point though, to be wary of any
email list (for example, those at yahoogroups) that does allow attachments.
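The advice in points 2 and 5 (and the note further down that the attached file name may carry a double extension) can be turned into a simple check. This is an added example, not part of the original message: a small Python scanner that flags attachments whose name ends in an executable extension, reports a double extension separately, and matches the Subject against the lure subjects listed in this message. The sample .eml is constructed here; the extensions beyond .exe/.scr/.pif are my assumption.

```python
import email
from email import policy

# .exe, .scr and .pif appear in the message; the others are my assumption
RISKY_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "vbs"}

# Subject lines quoted in the message as used by Tanatos.b / Bugbear.b
KNOWN_SUBJECTS = {
    "Get 8 FREE issues - no risk!", "Your News Alert", "$150 FREE Bonus!",
    "New bonus in your cash account", "Tools For Your Online Business",
    "Daily Email Reminder", "CALL FOR INFORMATION!", "25 merchants and rising",
    "My eBay ads", "Market Update Report", "click on this!", "Lost & Found",
    "Get a FREE gift!", "I need help about script!!!", "Correction of errors",
    "Just a reminder",
}

def attachment_risk(filename):
    """Return a reason string if the attachment name looks dangerous, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in RISKY_EXTENSIONS:
        return None
    # e.g. photos.gif.scr -> ["photos", "gif", "scr"]: a double extension
    return "double extension" if len(parts) >= 3 else "executable attachment"

def scan_message(raw):
    """Scan one RFC 822 message; return a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if str(msg["Subject"] or "").strip() in KNOWN_SUBJECTS:
        findings.append("subject matches a known Tanatos.b lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = attachment_risk(name)
        if reason:
            findings.append(f"{name}: {reason}")
    return findings

# Constructed sample: a spoofed "From", a lure subject and a .gif.scr attachment
SAMPLE_EML = """\
From: mom@example.com
To: you@example.com
Subject: Just a reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/octet-stream; name="photos.gif.scr"
Content-Disposition: attachment; filename="photos.gif.scr"
Content-Transfer-Encoding: base64

TVo=
--XX--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print(finding)
```

Run against a saved .eml from your own mailbox, it tells you whether to follow point 2 (delete, or ask the sender) before anything is opened.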
Let's get started learning about this new virus...
The new version of this malicious program, called Tanatos.b, has
dangerously destructive capabilities for infecting computer files.
Tanatos.a, also known as BugBear.a, is a worm virus spreading via the
Internet as an attachment to infected emails. The worm also copies
itself over local networks to segments open for full access and runs
backdoor and PSW trojan routines.
Tanatos is a complex worm that contains many different elements:
2. Network Share Propagator
4. Remote Access Trojan
5. Polymorphic Parasitic File Infector
6. Security Software Terminator
The Tanatos (BugBear) worm itself is a Windows PE EXE file about 50KB in
length (it is compressed by the UPX utility), and written in Microsoft
Visual C++. Aliases for the Tanatos virus are:
Bugbear.B (F-Secure), PE_BUGBEAR.B (Trend), W32.Bugbear.B@mm (Symantec),
W32.Kijmo, W32.Shamur, W32/Bugbear.b.dam, Win32.Bugbear.B (CA)
***HOT*** THE INFECTED MESSAGES HAVE DIFFERENT SUBJECTS, BODIES, AND
ATTACHED FILE NAMES...
The worm sends messages of two types (which it randomly selects). In the
first case, in order to run from the infected message the worm exploits
the IFrame security breach (as a result the worm activates when a
message is being opened or previewed in vulnerable (victim) systems). In
the second case the worm does not use "breach tricks" and the attached
worm copy activates from infected email only in case a user clicks on
the attached file. The Tanatos worm got its name from the text string
appearing in its code:
While installing the worm copies itself to the Windows system directory
under a random name and registers itself in the system registry auto-run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce The worm's EXE
filename depends on the C: volume name, for example:
The worm also places a DLL file in the Windows system directory under a
random name and uses this file to 'spy' on and record all keyboard input.
The virus contains a long list of domain names (related to banking
institutions). Strings within the virus suggest that if it determines
the victim machine to belong to such a domain, the following Registry
key is set:
"EmableAutodial" = 00 00 00 01
For a list of the domains carried in the worm, go to the bottom of the
page here: <http://vil.mcafee.com/dispVirus.asp?virus_k=100358>
Mass-mailing ~ ***IMPORTANT!!!***
This worm emails itself to addresses found on the local system (in files
and email messages). This goes for both the TO and FROM fields. Thus the
SENDER ADDRESS IS SPOOFED, OR FORGED, AND NOT A DIRECT INDICATION OF AN
It extracts addresses from file names containing these strings:
To send infected messages Tanatos uses a direct connection to the
default email server. Victim email addresses are gotten from the
following file types:
*.ODS, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX, *INBOX*
This virus spreads over the network (via network shares) and by mailing
itself (using its own SMTP engine).
The Tanatos worm searches for these files in the system and extracts
email-like strings from them.
The Subject field is selected from the following variants:
Get 8 FREE issues - no risk!
Your News Alert
$150 FREE Bonus!
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
CALL FOR INFORMATION!
25 merchants and rising
My eBay ads
Market Update Report
click on this!
Lost & Found
Get a FREE gift!
I need help about script!!!
Correction of errors
Just a reminder
Additionally, the message Subject can be randomly selected by "Tanatos"
from a randomly selected disk file. Filenames may also be taken from
files found in the infected computer's personal folder.
The message Body, randomly selected by Tanatos, varies and may contain
fragments of files found on the victim's system (including old email
The attached file name is also randomly selected and it may have a
double extension, for example:
Tanatos enumerates network resources shared for writing, looks for the
startup folder and copies its file to this folder (if found).
This routine has a bug and the worm also sends copies of itself to
shared network printers.
Backdoor - HOW TANATOS WORKS...
Tanatos is a remote access trojan, which means if your computer is
infected, the worm opens a port on your computer where it then listens
for "master" commands (from the person or people who are controlling
it). The backdoor routine grants control over infected machines, giving
those who control Tanatos the ability to send/receive/copy/execute
files, terminate processes, send out user info. etc.
Tanatos also opens an HTTP server on infected machines, which offers a
WEB interface with which to manipulate infected machines.
The worm also has a trojan routine that sends user info and cached
passwords to several email addresses that are encrypted in the worm body.
Among many others, Tanatos looks for the following applications and
tries to terminate them:
Recognize that these files are execution files to anti-virus software
programs. A full list of the applications Tanatos tries to attack can
be found at <http://www.viruslist.com/eng/viruslist.html?id=52245>.
Yes, there is a way to remove the virus from your computer if you find
that it's been infected. Depending on the AV program you use, you'll
need to visit their web site to get the repair.
Scan your computer OFTEN. Update to the MAX. Be alert and be cautious.
I've emphasized heavily about Rootsweb in this "heads-up" because so
many messages come to us offlist that do, in fact, have viruses
attached. I get them every day. They appear to come FROM the list,
when they actually DON'T. So, don't worry about receiving list mail.
It's those messages offlist you need to be concerned about ~ which leads
me to reiterate...
The Tanatos (Bugbear) virus sends 3rd party emails where the FROM:
address is spoofed. Third party viruses have 2 victims, the receiver
and the spoofed sender. Rarely does a person today receive a virus
directly from the purported sender. The Tanatos virus spoofs email
addresses. So, if you receive an infected message from your mom (for
example), realize that it WILL NOT have come from her computer but from
someone (could even be someone she barely knows) who has her email
address in it. BE VIGILANT with regard to the attachment itself.
This information isn't meant to scare half the computer life out of you.
However, it IS meant to make you aware of this malicious virus that
can cost you money to get your computer repaired, cause you to lose your
files, AND make a lot of people cranky! It's vital that you protect
your computer so you can protect OUR computers.
Permission is given to pass this message along.