MA-019.042000: W32/Fix2001.exe Worm
Original Issue Date: 26th April 2000

1.0 Description

1.1 Overview
The Fix2001 is an Internet worm that travels by sending email messages to users. The body of the message is either in English or Spanish, and it claims that the attachment that comes with it, named "Fix2001.exe", is a Y2K Internet bug fix. Upon execution, the worm is able to send a copy of itself to all email addresses that were sent to and received by the user. The worm also has a dangerous payload: it can destroy data on the hard disk.

1.2 Limitation
The worm will only be activated once the email attachment "Fix2001.exe" is executed.

2.0 Technical Matters

2.1 Installation and Functionality
The body of the email message will contain the following:

Estimado Cliente: Rogamos actualizar y/o verificar su Sistema Operativo para el correcto funcionamiento de Internet a partir del Año 2000. Si Ud. es usuario de Windows 95 / 98 puede hacerlo mediante el Software provisto por Microsoft (C) llamado -Fix2001- que se encuentra adjunto en este E-Mail o bien puede ser descargado del sitio WEB de Microsoft (C) HTTP://WWW.MICROSOFT.COM Si Ud. es usuario de otros Sistemas Operativos, por favor, no deje de consultar con sus respectivos soportes tecnicos. Muchas Gracias. Administrador.

Internet Customer: We will be glad if you verify your Operative System(s) before Year 2000 to avoid problems with your Internet Connections. If you are a Windows 95 / 98 user, you can check your system using the Fix2001 application that is attached to this E-Mail or downloading it from Microsoft (C) WEB Site: HTTP://WWW.MICROSOFT.COM If you are using another Operative System, please don't wait until Year 2000, ask your OS Technical Support. Thanks. Administrator.
Once the attachment is executed and the system rebooted, the worm does the following: when a valid Internet connection is detected, the worm scans sent and received messages, harvests e-mail addresses from them, and sends a copy of itself with the above-mentioned message to those addresses. The payload is that it can delete all data on the hard drive. However, the payload is only activated once the worm has posted itself to another location and an active connection exists. In that case, the worm deletes the C:\COMMAND.COM file and replaces it with a Trojan program of the same name. The next time the computer is restarted, the Trojanized COMMAND.COM is executed. It destroys hard disk data (overwriting it by using I/O port commands) whenever the hard disk is an IDE drive.
3.0 Possible Steps

3.1 Prevention and Detection
DO NOT execute the attachment "Fix2001.exe". Delete the email, including any copies that were sent to the Trash folder. Regularly update the virus definition file of your antivirus software and run a virus scan on the computer. This ensures that the software is able to detect the presence of a new virus. The list of known antivirus vendors can be found below: http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html Always run a virus scan on all email attachments and any downloaded files before executing them. It is advisable that your antivirus software is running in Auto Protect Mode all the time.
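A mail-gateway check for this worm's lure, as an added example that is not part of the original advisory: it parses a MIME message, flags any attachment named Fix2001.exe and any body text matching the English or Spanish lure quoted above. The sample message and the attachment bytes are constructed here and are not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure phrases taken from the English and Spanish message bodies in the advisory.
LURE_PHRASES = (
    "fix2001",
    "verify your operative system",
    "rogamos actualizar y/o verificar su sistema operativo",
)
ATTACHMENT_NAME = "fix2001.exe"  # compared case-insensitively


def build_sample_message() -> bytes:
    """Constructed lure message with a dummy attachment (not the worm)."""
    msg = EmailMessage()
    msg["From"] = "administrator@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Internet Customer"
    msg.set_content("We will be glad if you verify your Operative System(s) "
                    "before Year 2000 to avoid problems with your Internet Connections.")
    msg.add_attachment(b"dummy-bytes-not-the-worm", maintype="application",
                       subtype="octet-stream", filename="Fix2001.exe")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed benign message used to show a 'clean' verdict."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today's meeting are attached.")
    msg.add_attachment(b"plain notes", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def scan_message(raw: bytes) -> dict:
    """Walk every MIME part; quarantine on the attachment name, flag on lure text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"attachment": False, "lure_text": False, "attachment_names": []}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            hits["attachment_names"].append(name)
            if name.lower() == ATTACHMENT_NAME:
                hits["attachment"] = True
        # Only inspect inline text bodies, not the attachment payload itself.
        if part.get_content_type() == "text/plain" and not name:
            text = part.get_content().lower()
            if any(p in text for p in LURE_PHRASES):
                hits["lure_text"] = True
    hits["verdict"] = ("quarantine" if hits["attachment"]
                       else "suspicious" if hits["lure_text"] else "clean")
    return hits
```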
3.2 Manual Removal
Using Windows Explorer, delete the following file:
C:\WINDOWS\SYSTEM\FIX2001.EXE

Using regedit, delete the following registry value and reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ "Fix2001"="FIX2001.EXE"
Update the virus definition file of the antivirus software (http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html) and run a virus scan on the infected computer.
4.0 More Information
To obtain more information on this virus, please refer to the following sites:

4.1 Symantec Antivirus Research Center
http://www.symantec.com/avcenter/venc/data/w95.fix2001.html

4.2 F-Secure Virus Information Pages
http://www.europe.f-secure.com/v-descs/fix2001.shtml

4.3 McAfee Virus Library
http://vil.nai.com/vil/content/v_10355.htm