January 6, 2004
Virus Alert
Antivirus experts are warning of a troublesome,
Christmas-themed e-mail worm and a virus that spreads via MSN Messenger, the
popular instant-messaging application.
The Jitux.A virus is not destructive but has already begun to spread via MSN
Messenger, according to Panda Software. When executed, the file becomes
resident in memory and sends messages to other MSN Messenger users every
five minutes, prompting them to download the virus' code, contained in a
file called jituxramon.exe.
The virus started to spread more rapidly Friday, affecting mainly Portugal,
Spain and Mexico, said Panda Software. It affects Windows 2000, Windows 95,
Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.
Users can remove the virus simply by scanning their PCs with antivirus
software that has up-to-date virus definitions, from Panda, Symantec, McAfee
or others.
More troublesome is the PE_QUIS.A worm, according to antivirus company Trend
Micro; it is also called W32.HLLP.Belzy@mm by Symantec and has been detected
in the past few days by several other companies. Quis spreads itself via
Outlook as an e-mail containing a destructive payload. The worm affects
Windows 95, 98 and ME.
The worm infects all .exe files in the My Documents and C:\progra~1\mirc
folders. Among its less disruptive effects, it overwrites ring-tone files
(using the extension .rtx) with the tune "Jingle Bells" and subjects the
user to a quiz.
The worm arrives in an e-mail with the subject line, "Merry Christmas!" The
body reads: "You've probably received enough e-cards. Here's a nice
Christmas screensaver instead :)," and the message carries an attachment
called xmas.scr.
Removal involves identifying infected files with an antivirus program,
deleting them and then undertaking the tricky process of removing autostart
entries from the registry. Detailed instructions can be found on Trend
Micro's Web site. Updated virus definitions can be obtained from Trend
Micro, Symantec and others.
When an infected system is restarted, Windows automatically runs an
application called "startup.exe", which begins by informing the user that
the PC is infected. The pop-up message reads, in part: "Your computer is
infected with Win32.HLLP.Quizy. However, if you complete the quiz, you may
be able to disinfect it."
The quiz contains seasonal questions such as "Which animal would Santa
have if he actually existed?" (reindeer) and "Which season do I hate the
most?" (winter). The virus writer's nationality is signposted in some
questions, such as, "In which country do I live?" (Belgium) and "Which
keyboard layout is used in Belgium?" (azerty).
Other questions are technical, such as "Which chipset does a U.S. Robotics
22Mbps Wireless PC Card have?" (acx100), or whimsical, such as "What does
antivirus person Graham Cluley have between his toes?" (cheese).
Upon completion of the quiz, the program executes the infection code again,
and directs the user to a Web site which promises information on how to
remove the worm.

Thanks for visiting!
Jim Hanus
www.AllAboutRichmond.com
email: list@allaboutrichmond.com