__________________________________________________________

              The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                       ADVISORY NOTICE

              The Naked Wife (W32.Naked@mm) Trojan

March 7, 2001 00:00 GMT                                          Number L-056
______________________________________________________________________________
PROBLEM:       A new Trojan program is spreading rapidly around the
               Internet. It travels as an executable attachment to an
               e-mail message purporting to be a Flash movie of a naked
               wife.

PLATFORM:      Windows 95, 98, NT, ME, and 2000 with Outlook installed.

DAMAGE:        The Trojan destroys multiple files in the Windows and
               Windows\System folders. If the Trojan is allowed to run
               to completion, Windows will no longer run and must be
               reinstalled along with most of your applications. The
               Trojan does not destroy documents or other user files.

SOLUTION:      Do not run executable files attached to e-mail messages
               unless you were expecting to receive that executable
               file. Update your virus definitions as soon as the
               vendors have new signatures available. If you have run
               this Trojan, you must reinstall Windows and all your
               applications.
______________________________________________________________________________
VULNERABILITY  Risk is HIGH. The Trojan is spreading on the net and does
ASSESSMENT:    serious damage to a computer's operating system.
______________________________________________________________________________

                The Naked Wife (W32.Naked@mm) Trojan

CIAC has information that a new Trojan is rapidly spreading around the
Internet. Much like the VBScript e-mail worms that have been making the
rounds lately, this Trojan spreads by using Microsoft Outlook to e-mail
itself to everyone in your Outlook address books. This Trojan is not a
VBS script file but a fully compiled Visual Basic executable (.EXE) file.
The Trojan is included as an attachment in an e-mail message with the
following properties:

    From:       CurrentUser
    Subject:    Fw: Naked Wife
    Body:       My wife never look like that! ;-)

                Best Regards,
                CurrentUser
    Attachment: NakedWife.exe

Here, CurrentUser is replaced with the Outlook registered name of the
person on whose machine the Trojan is currently running. Because the
message appears to come from someone the recipient knows, a familiar
sender name is no indication that the attachment is safe.

The executable attachment appears to be a viewer with pictures of a naked
wife but is actually the Trojan program. If you run it, a window opens
that looks like a Flash movie reader loading a movie named "JibJab". The
only menu command on the window that works is Help, About, which displays
a dialog box with a nasty message.

While the movie appears to be loading, the Trojan is actually sending
itself to everyone in your Outlook address book. When it finishes sending
itself, it starts deleting files with the following extensions from your
Windows and Windows\System directories:

    *.ini
    *.log
    *.dll
    *.exe
    *.com
    *.bmp

If the Trojan is allowed to run to completion, your system will not
continue running and will not be bootable. Luckily, the Trojan does not
destroy documents and other personal files.

Recovery
========

Recovery from this Trojan requires the complete reinstallation of your
operating system and most of your programs. Any program that stores files
in the Windows or Windows\System directories will also be damaged and
must be reinstalled. This includes most commercial office applications.
Luckily, your personal files and documents are probably not damaged.

After your system is working again, look for and delete all files with
the name:

    NakedWife.exe

As soon as your antivirus company has a signature available, scan your
system and delete any files identified as having this Trojan.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S.
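The message properties above (subject line, body text and attachment name) are the indicators a mail gateway can match on while antivirus signatures are still pending. The following Python mail-triage routine is an added example, not CIAC's code or part of the original advisory: it parses an RFC 822 message, flags the advisory's specific indicators, and separately applies the general rule from the SOLUTION section by quarantining any executable attachment. The verdict scheme, the extension list beyond .exe, and the sample messages are this example's own constructions.

```python
"""Mail-gateway triage for the Naked Wife (W32.Naked@mm) mailing.

Added example, not CIAC's code. The subject line, body text and
attachment name come from the advisory; the verdict scheme, the
extension list and the sample messages are this example's own.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators quoted in the advisory (compared case-insensitively).
NAKEDWIFE_SUBJECT = "fw: naked wife"
NAKEDWIFE_ATTACHMENT = "nakedwife.exe"

# Generic rule from the SOLUTION section: treat any attachment that runs as
# code as suspect. The advisory names only .exe; the rest of this list is an
# assumption made for the example.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs"}


def attachment_names(msg: EmailMessage) -> list:
    """Return the declared filenames of all attachment parts."""
    return [part.get_filename() for part in msg.iter_attachments()
            if part.get_filename()]


def classify(raw: bytes) -> dict:
    """Triage one raw RFC 822 message.

    verdict is "block" when an advisory-specific indicator is present,
    "quarantine" when an executable attachment is present without one,
    and "pass" otherwise. The From: header is deliberately not consulted:
    the Trojan mails itself from the infected user's own Outlook identity,
    so a familiar sender proves nothing.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    names = attachment_names(msg)
    reasons = []

    specific = False
    if subject == NAKEDWIFE_SUBJECT:
        specific = True
        reasons.append("subject matches W32.Naked@mm mailing")
    if any(n.strip().lower() == NAKEDWIFE_ATTACHMENT for n in names):
        specific = True
        reasons.append("attachment named NakedWife.exe")

    executables = [n for n in names
                   if os.path.splitext(n.strip().lower())[1] in EXECUTABLE_EXTENSIONS]
    for n in executables:
        reasons.append(f"executable attachment: {n}")

    if specific:
        verdict = "block"
    elif executables:
        verdict = "quarantine"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons, "attachments": names}


def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a test message offline (constructed sample, not a captured mail)."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Placeholder bytes, not the Trojan; only the filename matters here.
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples. The first mirrors the message shape given in the advisory.
SAMPLE_NAKEDWIFE = build_sample(
    "Fw: Naked Wife",
    "My wife never look like that! ;-)\n\nBest Regards,\nJane Doe\n",
    "NakedWife.exe")
SAMPLE_RENAMED = build_sample("Holiday pictures", "Have a look!\n", "pictures.exe")
SAMPLE_BENIGN = build_sample("Meeting minutes", "Attached.\n", "minutes.txt")

if __name__ == "__main__":
    for label, sample in [("nakedwife", SAMPLE_NAKEDWIFE),
                          ("renamed", SAMPLE_RENAMED),
                          ("benign", SAMPLE_BENIGN)]:
        result = classify(sample)
        print(f"{label:10s} -> {result['verdict']:10s} {'; '.join(result['reasons'])}")
```

Running the block prints one verdict per sample: the advisory's message shape is blocked on both its subject and its attachment name, a renamed copy with an unknown subject still lands in quarantine under the executable-attachment rule, and a text attachment passes. Matching on filename alone is weak (the sender can rename the attachment), so the generic executable rule is what actually enforces the SOLUTION; the specific indicators only add confidence while vendors prepare signatures.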
Department of Energy (DOE) and the emergency backup response team for the
National Institutes of Health (NIH). CIAC is located at the Lawrence
Livermore National Laboratory in Livermore, California. CIAC is also a
founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government nor
the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents that
its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service
by trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-045: Red Hat Linux 'sysctl, ptrace, & mxcsr P4 ' Vulnerability
L-046: The VBS.AnnaKournikova Worm
L-047: OpenSSH SSH1 Coding Error and Server Key Vulnerability
L-048: Red Hat Linux "vixie-cron buffer overflow username crontab"
L-049: Microsoft "Malformed Request to Domain Controller"
L-051: Microsoft "Windows 2000 Event Viewer" Vulnerability
L-052: Cisco IOS Software SNMP Read-Write ILMI Community String
L-053: Cisco IOS Software TCP Initial Sequence Number Improvements
L-054: Microsoft IIS and Exchange Malformed URL Denial of Service
L-055: pcAnywhere Denial of Service, abnormal server connection