From: Sally Khudairi (sk@zotgroup.com)
Date: Fri Jan 07 2000 - 07:07:58 PST
>From ComputerGram International:
Anti-virus software vendors this week warned that they have discovered a new
type of virus that spreads its payload via HTML pages, making a new hazard
unwary web surfers. Computer Associates International Inc said yesterday that
the virus, catchily named Win32/H4.1852, is currently quite tame and has not
yet been seen in the wild, but represents a "disturbing new mechanism in
virus distribution."
The virus infects surfers using Microsoft Corp's Internet Explorer on
machines running Windows with Scripting Host installed (Win98 and up) and a
low internet security setting. The virus comes in two parts - a regular
Trojan horse virus that is passed around on disk or by email, and a VBScript
that is embedded in an HTML web page.
When an infected user visits the web site containing the malicious script,
the virus acts upon the instructions in the script to create the payload on
the user's hard drive. This way, the payload can have different effects
depending on the contents of the script, which could be changed by the virus
writer.
The current effects of Win32/H4.1852 include the deletion of anti-virus files
from a number of vendors' software, and the creation of a Favorites link to
the virus writer's web site. The virus spreads by appending the VBScript to
all the HTML files it can find on the user's hard disk. Narinder Mangalan
from CA told ComputerWire as well as being an overly complicated delivery
mechanism, the virus is currently very buggy and will not actually work. But
the issue here is the new method of payload delivery that virus writers have
come up with, that could be commonplace.
... ... ... ... ... ... ... ... ... ...
Sally Khudairi, ZOT Group
<sk@zotgroup.com>
+1.617.818.0177
http://www.zotgroup.com/
This archive was generated by hypermail 2b29 : Wed Jan 19 2000 - 15:03:04 PST