NIPC CyberNotes #2002-12 Page 28 of 33 06/17/2002
from certain files in Microsoft Outlook Express mail archives. This worm sends out e-mail messages with
the following characteristics:
● Subject: Re: Your password!
● Message Body: Your password is W8dqwq8q918213
● Attachment: Your password placed in password.txt yourpassword.exe
WORM_PETLIL.A (Aliases: W32.Pet_Ticky.B@mm, W32/PetLil@MM, Win32.Petlil.A) (Internet
Worm): This non-destructive, mass-mailing worm propagates via e-mail using Microsoft Outlook. Upon
execution, it displays a message box. On the 1st, 15th, and 31st day of each month, it displays a picture of a
semi-nude woman instead.
WORM_TRILISSA.C (Aliases: TRILISSA.C, I-Worm.Trilissa.c) (Internet Worm): This mass-
mailing worm is dependent on a dropped Visual Basic script file, VBS_TRILISSA.C, for its propagation.
Once this worm has been executed, it displays a series of messages. This worm arrives as an attachment in
e-mail messages with the following details:
● Subject: "Mira el salvapantallas de Shakira!"
● Message Body: "Shakira!! Mejor que la farlopa!! Miralo!!"
● Attachment: "Shakira.scr"
WORM_TRILISSA.D (Aliases: TRILISSA.D, I-Worm.TRILISSA.D) (Internet Worm): This mass-
mailing worm uses another malware, VBS_TRILISSA.D, to propagate copies of itself. Upon execution, it
displays a series of messages. This worm arrives as an attachment in e-mail messages with the following
characteristics:
● Subject: "Bush is a criminal!"
● Message Body: "Bush is a criminal!!!! See this screensaver!! HE IS A BASTARD!!!"
● Attachment: "Bush_you_are_guilty!!!.scr"
WORM_WORTRON.10B (Alias: wortron.10b) (Internet Worm): The Trojan, TROJ_WORTRON.10B
generates this worm, which propagates via e-mail. It sends copies of itself to all e-mail recipients listed in
the infected user's Windows Address Book.
WPRO_SPENTY.A (Alias: WordPro.Spenty) (Macro Virus): This virus has been reported in the wild.
It is a destructive Lotus Word Pro Macro file infector that infects files as they are opened or created. It
replicates only in Chinese versions of Word Pro. The security settings of infected documents are changed to
allow editing only by the creator of the document, and only when the correct password is entered. The
password is "720401." In Chinese versions of Word Pro, several menus, including the Scripts menu, do not
function correctly while the virus is running. If the virus is executed during May or on the 20th of any
month, then the virus attempts to download a file from several Web sites. If it succeeds, then the file is
displayed and the Autoexec.bat file is altered to contain instructions to delete the contents of drives C, D,
and E.
X97M/Anis (Alias: Bdoc2) (Excel 97 Macro Virus): When an infected workbook is opened,
X97M/Anis.A creates "AutoRun.xla" into Excel's startup directory and infects it. The virus infects all
workbooks that are opened, closed or saved. It attempts to disable items from the "Tools" menu and
attempts to hook items in the "File" menu. Anis has two different payloads. When saving a workbook or
exiting the program, it checks if the current day is 5th, 10th, 15th, 20th, 25
th
, or 30th, and if so, it shuts
down Windows. The virus also displays a message on 26th of every month, written in Japanese. Therefore
the message is not readable on versions of Excel that do not support doublebyte characters, such as the
English version.
XM97/Pathetic-D (Alias: XM97/Pathe-D) (Excel 97 Macro Virus): This virus has been reported in the
wild. It is an Excel 97 macro virus that replicates using a file called Book1.xls in the XLSTART folder.
The virus appends the text "@echo T'as été mordu par... Le bec du Saumon " to C:\autoexec.bat and on any
day in May it will close the active workbook.
Comentarios a estos manuales