JS.Fortnight
Description JS.Fortnight
JS.Fortnight is an Internet worm that uses infected emails with hidden links to an Internet Web page from which it downloads its infected code.
Infected messages contain a hidden link to a Web page containing the worm. When a user opens an infected email message the link opens and downloads the worm's body and executes it in a hidden frame.
The worm uses the Microsoft VM ActiveX security vulnerability for which Microsoft released a security patch three years ago. This allows the worm's code to be executed on the local (victim) computer.
More information about this vulnerability and the patch for it is available at:
http://www.microsoft.com/technet/security/bulletin/ms00-075.asp
The Fortnight worm uses a cookie named "TF" to mark infected computers. If this cookie is absent it changes the Internet Explorer default Web page address to a pornographical site.
Next the worm copies the default signature of Outlook Express 5.0 to the file C:Program Filessign.htm with the link added to its body. All messages sent later from an infected computer contain this link.
The Fortnight worm creates 3 links in the "Favorites" folder:
"SEXXX. Totaly Teen.url"
"Make BIG Money.url"
"6544 Search Engines Submission.url"
Fortnight installs two cookies that act as infection marks.
The site that contained the worm's body was blocked as soon as the worm appeared in the wild and is still down.
I-Worm.JS.Fortnight.f
The Fortnight.f worm creates 3 links in the "Favorites" folder:
"Nude Nurses.url"
"Search You Trust.url"
"Your Favorite Porn Links.url."
Check other viruses! Be aware! Use Antiviral Software
Macro.Word.Gavin
Description Macro.Word.Gavin
This is an encrypted macro virus. It contains only one macro named in FileSave in NORMAL.DOT and AutoOpen in documents. The virus infects the global macros area on opening an infected document and infects documents when they are saved.
On infecting global macros area (NORMAL.DOT) the virus saves current date in the CONTROL.INI file in [MS-Word] section, line "Compatibility". In 28 days the virus inserts the auto-correction: "Microsoft" -> "Microbollocks".
The virus contains the comments:
Gavin's Word Virus V2.0 - 1996
Platform Independant
*** NOT FOR RELEASE ***
In emergency contact gr.brock@ic.ac.uk
Macro.Word.Gest
Description Macro.Word.Gest
This is an encrypted macro virus. It contains two macros: AutoOpen and AutoClose. The virus infects the global macros area on opening an infected document and infects documents when they are opened or closed.
The virus creates the [Gest] section in the WIN.INI file and writes the "date" string to there. This string contains the date of infection. In 40 days the virus writes to the AUTOEXEC.BAT file the command that erases all files on the C: drive:
@deltree c:*>nul
|