
Trojan: TROJ_SHOCKWAVE.A


Techguy
November 30, 2000, 05:24 pm
TROJ_SHOCKWAVE.A
Risk rating: Medium
Virus type: Trojan
Destructive: N

Aliases:
SHOCKWAVE.A

Previously known as TROJ_NAVIDAD.C

Description:
This Windows Trojan propagates via Microsoft Outlook. Upon execution, this Trojan sends itself as an attachment to every address listed in the address book of the infected user. The subject of this email is " A great Shockwave flash movie" and the attachment is "CREATIVE.EXE." This Trojan also changes the filenames of all JPG and ZIP files and then moves the files to the C:\ root directory.

In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Others (changes filenames, moves files and propagates via email)
Detected by pattern file#: 811
Detected by scan engine#: 5.170
Language: English
Platform: Windows
Encrypted: No
Size of virus: 36,864 Bytes

Details:
This Internet worm propagates by sending itself as an attachment to all entries listed in the Microsoft Outlook address book of the infected user. A sample of this email is as follows:

Subject: A great Shockwave flash movie
Message Body: Check out his new flash movie that I download just now...It's Great
Attachment: CREATIVE.EXE

Upon execution, the Trojan drops a copy of itself as:
C:\creative.exe
%Windows Startup%\creative.exe
Where %Windows Startup% is the Windows startup folder. This allows the Trojan to be executed at every Windows start up.

It also creates the file C:\MESSAGEFORU.TXT, which contains all file modifications made by the Trojan.

The Trojan then finds all JPG and ZIP files in the hard drive, and moves them to C:\ root directory. The filenames of these files are then appended with the text "change atleast now to LINUX". For example, "XXXX.ZIP" becomes "XXXX.ZIPchange atleast now to LINUX". The file C:\MESSAGEFORU.TXT logs the original location of all files so it can be used to restore all moved files.

When viewed, the file C:\MESSAGEFORU.TXT contains the following text:

Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin

THIS VIRUS WILL BE DETECTED BY THE NEXT PATTERN RELEASE.
TREND CUSTOMERS: WITHIN THE NEXT HOUR

Techguy
November 30, 2000, 09:17 pm
Trend customers only:
The new pattern (812) has been released.
You can now update your PC-cillin using the update button or download it from Trend (http://pattern.download.antivirus.com/ftp/products/pattern/lpt812.zip) and update manually.

------------------
If we can't fix it, it ain't broke!

Techguy
November 30, 2000, 09:20 pm
Mail Administrators: if you administer a mail server apply this filter:

by subject:
filter for "A great shockwave flash movie"

by attachment:
filter for "creative.exe"

------------------
If we can't fix it, it ain't broke!
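The subject and attachment filter recommended above, as an added example that is not part of the original thread: it parses an RFC 822 message with Python's standard `email` library and reports which of the two indicators match, comparing case-insensitively so variants such as "Creative.EXE" are not missed. The sample messages are constructed here for illustration, not captured copies of the Trojan's mail.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Indicators taken from the thread (compared case-insensitively after stripping).
SUBJECT_INDICATOR = "a great shockwave flash movie"
ATTACHMENT_INDICATOR = "creative.exe"


def match_shockwave_indicators(raw_message: bytes) -> List[str]:
    """Return which indicators ('subject', 'attachment') a raw message matches.

    An empty list means the message passes the filter. The subject is matched on
    the normalised header value; the attachment name is matched on the filename
    of every MIME part, so the check is independent of where the part sits.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject == SUBJECT_INDICATOR:
        hits.append("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.strip().lower() == ATTACHMENT_INDICATOR:
            hits.append("attachment")
            break
    return hits


def build_sample(subject: str, attachment_name: Optional[str]) -> bytes:
    """Construct a sample message (not a real capture) to exercise the filter."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Check out this new flash movie")
    if attachment_name:
        # Placeholder bytes only; the filter looks at the filename, not the content.
        msg.add_attachment(b"MZ\x00\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("A great Shockwave flash movie", "CREATIVE.EXE")
    print(match_shockwave_indicators(sample))  # ['subject', 'attachment']
```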