---------------------- begin virus information report ----------------------
A friend forwarded email messages recently with attached files named
"ANTI_CIH.EXE" and "INTERNET_SECURITY_FORUM.DOC.pif" with a request to see
if I could determine if they contain a virus. Both files proved to be the
same, and, indeed, are a virus carrier. According to CERT, this is an
occurrence of the "Windows32 Apology" virus, first spotted in October, 2000.
It propagates itself by replacing some system files, then sending a copy of
itself each time the infected system sends a mail message.
Within the file, I found this list of names the program will call itself.
DO NOT LAUNCH, DOUBLE-CLICK OR OTHERWISE EXECUTE THESE FILES,
OR YOU WILL INFECT YOUR COMPUTER WITH THIS VIRUS:
ALANIS_Screen_Saver.SCR
ANTI_CIH.EXE
AVP_Updates.EXE
BILL_GATES_PIECE.JPG.pif
BLINK_182.MP3.pif
FEITICEIRA_NUA.JPG.pif
FREE_xxx_sites.TXT.pif
FUCKING_WITH_DOGS.SCR
Geocities_Free_sites.TXT.pif
HANSON.SCR
INTERNET_SECURITY_FORUM.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
I_am_sorry.DOC.pif
I_wanna_see_YOU.TXT.pif
JIMI_HMNDRIX.MP3.pif
LOVE_LETTER_FOR_YOU.TXT.pif
MATRiX_2_is_OUT.SCR
MATRiX_Screen_Saver.SCR
METALLICA_SONG.MP3.pif
Me_nude.AVI.pif
NEW_NAPSTER_site.TXT.pif
NEW_playboy_Screen_saver.SCR
Protect_your_credit.HTML.pif
QI_TEST.EXE
READER_DIGEST_LETTER.TXT.pif
README.TXT.pif
SEICHO-NO-IE.EXE
Sorry_about_yesterday.DOC.pif
TIAZINHA.JPG.pif
WIN_$100_NOW.DOC.pif
YOU_are_FAT!.TXT.pif
zipped_files.EXE
The virus file is 18483 bytes. The email messages forwarded to me had no
subject and no message body, only the attached file.
Within the file were also found these text strings:
Software provide by [MATRiX] VX team:
Ultras, Mort, Nbk, LOrd DArk, Del_Armg0, Anaktos
Greetz:
All VX guy on #virus channel and Vecna
I guess these clowns are sufficiently "proud" of their work they feel the
need to sign their name to it.
Personally, I find this virus particularly insidious because of the file
name extension it uses: Microsoft Windows HIDES the .pif extension, even if
you have your system configured with "Hide file extensions for known file
types" turned off. PIF (in this case) stands for "Program Information File"
and is supposed to contain information Windows will use to launch a DOS
application. (Microsoft has also chosen to hide the ".lnk" extension in all
cases, because they use it for the "link" file of a shortcut.) Because the
.pif (or .lnk) extension is hidden, a quick glance at your directory listing
would lead you to believe that "JIMI_HMNDRIX.MP3.pif" is a music file. When
you double-click the directory entry, rather than hearing Jimi's tune, your
system becomes infected with the virus! Your _only_ hope is to notice that
the icon associated with the file is a miniature MS-DOS icon with the little
"shortcut" arrow in the lower-left corner. If your system is like mine and
forgets which icons it's supposed to use, there's a very real danger here.
(The unconditional hiding is driven by a "NeverShowExt" value, normally an
empty string, under the file type's registry key: HKEY_CLASSES_ROOT\piffile
and HKEY_CLASSES_ROOT\lnkfile. Deleting that value makes Explorer show the
extension again. The .SCR names in the list are screen savers, which are
ordinary executables; their extension is only hidden when "Hide file
extensions for known file types" is on, but they run just the same when
double-clicked.) Personally, I think we should all file a complaint at
Microsoft and tell them when we want "Hide file extensions" turned off, we
want it turned off for **ALL** files, including ones the system uses.
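As an added check (example code written for this page, not part of the original report or the MATRiX code), the following Python script models Explorer's display rule for attachment names and flags the ones whose displayed name suggests a data file while the real, last extension launches a program. On Windows it reads the NeverShowExt file types from the registry; elsewhere it falls back to an assumed default set (.pif, .lnk, .shb, .shs, .url), and the list of executable extensions is likewise an assumption rather than anything Windows publishes. The sample names are a subset of the list above plus one constructed harmless name.

```python
"""Flag attachment names that Windows Explorer would display misleadingly.

Explorer drops the LAST extension of a name when the file type's registry
key carries a NeverShowExt value (piffile and lnkfile do by default), and
drops the last extension of any registered type when "Hide file extensions
for known file types" is on.  Only the final extension disappears, so
"X.MP3.pif" is shown as "X.MP3" while double-clicking it runs the .pif.
"""
import ntpath

# Assumed NeverShowExt set of a stock Windows install; used when the
# registry cannot be read (non-Windows host).
DEFAULT_ALWAYS_HIDDEN = {".pif", ".lnk", ".shb", ".shs", ".url"}
# Extensions that run code when opened (assumed, not exhaustive).
EXECUTABLE = {".pif", ".lnk", ".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}


def always_hidden_extensions(fallback=DEFAULT_ALWAYS_HIDDEN):
    """Extensions Explorer never shows.

    On Windows, walk HKEY_CLASSES_ROOT: each ".ext" key's default value
    names a ProgID, and the extension is always hidden when that ProgID key
    holds a NeverShowExt value.  Elsewhere return the assumed default set.
    """
    try:
        import winreg
    except ImportError:
        return set(fallback)
    hidden = set()
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:            # no more subkeys
                break
            index += 1
            if not name.startswith("."):
                continue
            try:
                progid = winreg.QueryValue(root, name)   # default value
                if not progid:
                    continue
                with winreg.OpenKey(root, progid) as progid_key:
                    winreg.QueryValueEx(progid_key, "NeverShowExt")
            except OSError:            # unregistered type or value absent
                continue
            hidden.add(name.lower())
    return hidden or set(fallback)


def displayed_name(filename, hidden, hide_known_types=False):
    """Approximate the name Explorer shows.  hide_known_types models the
    "Hide file extensions for known file types" option, treating every
    extension as a known type (true for all names in the report)."""
    stem, ext = ntpath.splitext(filename)
    if ext and (ext.lower() in hidden or hide_known_types):
        return stem
    return filename


def assess(filename, hidden, hide_known_types=False):
    """executable: the real (last) extension launches code when opened.
    deceptive:  the displayed name ends in a different, non-executable
                extension, so the user sees a data file (MP3, TXT, JPG)."""
    real_ext = ntpath.splitext(filename)[1].lower()
    shown = displayed_name(filename, hidden, hide_known_types)
    apparent_ext = ntpath.splitext(shown)[1].lower()
    executable = real_ext in EXECUTABLE
    deceptive = (executable and apparent_ext not in ("", real_ext)
                 and apparent_ext not in EXECUTABLE)
    return {"name": filename, "shown_as": shown, "real_ext": real_ext,
            "executable": executable, "deceptive": deceptive}


def scan(filenames, hidden, hide_known_types=False):
    """Assessments of the executable names, deceptive ones first."""
    flagged = [assess(n, hidden, hide_known_types) for n in filenames]
    flagged = [r for r in flagged if r["executable"]]
    flagged.sort(key=lambda r: (not r["deceptive"], r["name"].lower()))
    return flagged


# A few names from the carrier's embedded list above, plus one harmless
# (constructed) name to show what is not flagged.
SAMPLE_NAMES = [
    "ANTI_CIH.EXE", "JIMI_HMNDRIX.MP3.pif", "HANSON.SCR", "README.TXT.pif",
    "WIN_$100_NOW.DOC.pif", "zipped_files.EXE", "holiday_photos.jpg",
]

if __name__ == "__main__":
    hidden = always_hidden_extensions()
    for r in scan(SAMPLE_NAMES, hidden):
        tag = "DECEPTIVE " if r["deceptive"] else "executable"
        print(f"{tag}  {r['name']:<24} Explorer shows: {r['shown_as']}")
```

Run with the "hide known types" option modelled on (pass hide_known_types=True) to see that HANSON.SCR also loses its extension; it is then still not reported as deceptive, because the bare name "HANSON" suggests no particular file type, but it stays flagged as executable. Passing an empty set as `hidden` shows the other direction: once NeverShowExt is removed from piffile, "I_am_sorry.DOC.pif" displays in full and is no longer deceptive.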
----------------------- end virus information report -----------------------
The L5 Development Group