Re: [CH] Received Chile list attachment FARTER.EXE

=Mark (mstevens@exit109.com)
Tue, 21 Dec 1999 08:55:40 -0500

At 12:30 AM 12/21/99 -0600, D. Gibson wrote:
>Hi Chileheads.  I received a message from the list with
>an executable attachment named FARTER.EXE, so what is
>the deal?  Is it a virus?  Are list messages supposed
>to contain executable attachments?
>
>I deleted it as I was wary of the executable's name.
>

I've gotten it 3 times since Saturday from various mailing lists.  I got it
as MONICA1.EXE and GOAL1.EXE.  When executed it starts sending out infected
email to people on your mailing list.  It is similar but not as virulent as
Melissa.

W32.NewApt.Worm was discovered on December 14, 1999 in Italy. This worm
will email itself out when receiving email via Microsoft Outlook or
Netscape Navigator. When activated, the worm will display an error dialog
and modify the registry so the worm is reloaded each time the computer is
restarted. The error message box will appear as: 
 
When received by email (and if you do not have an HTML capable email
client), the message body will be: 
"he, your lame client cant read HTML, haha.
click attachment to see some stunningly HOT stuff"
 
Otherwise, the text will include a reference to a website and the following
message: 
"Hypercool Happy Year 2000 funny programs and 
animations….
We attached our recent animation from this 
site in our mail ! Check it out!"
 
Attached to the message will be one of the following file names:
g-zilla.exe, cooler3.exe, cooler1.exe, copier.exe, video.exe, pirate.exe,
goal1.exe, hog.exe, party.exe, saddam.exe, monica.exe, boss.exe,
farter.exe, cheeseburst.exe, panther.exe, theobbq.exe, goal.exe, baby.exe,
bboy.exe, cupid2.exe, fborfw.exe, casper.exe, irnglant.exe, or gadget.exe 

The worm will add the following registry key: 
HKLM/Software/Microsoft/Windows/CurrentVersion/Run/tpawen 
 
To remove the worm from memory, remove the above registry key and then
restart. Delete all infected files. 




                    =Mark "Runs With Scissors" Stevens

                @ http://www.exit109.com/~mstevens @
                                  @ ICQ# 2059548 @

                Where ya' from?
                                             Jersey.
                                                          Yeah?  What exit?
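
Added example, not part of the original message: a mail-filter check in Python that flags attachments by the file names listed in the message above and, since the MONICA1.EXE name reported there is not in that list, falls back to an executable-extension rule. The extension set, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names listed in the advisory text quoted in the message above.
NEWAPT_NAMES = frozenset("""
g-zilla.exe cooler3.exe cooler1.exe copier.exe video.exe pirate.exe
goal1.exe hog.exe party.exe saddam.exe monica.exe boss.exe
farter.exe cheeseburst.exe panther.exe theobbq.exe goal.exe baby.exe
bboy.exe cupid2.exe fborfw.exe casper.exe irnglant.exe gadget.exe
""".split())

# Assumption: a site policy that treats these extensions as program files.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")


def attachment_names(raw):
    """Return the lower-cased file name of every MIME part that carries one."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.strip().lower())
    return names


def classify(raw):
    """'newapt-name' for a listed name, 'executable' for any other program
    file, 'clean' otherwise. Matching is case-insensitive (FARTER.EXE)."""
    names = attachment_names(raw)
    if any(n in NEWAPT_NAMES for n in names):
        return "newapt-name"
    if any(n.endswith(EXECUTABLE_EXTS) for n in names):
        return "executable"
    return "clean"


def sample(filename):
    """Build a constructed message with a two-byte attachment (not a real sample)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("body")
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A name list alone returns "clean" for MONICA1.EXE; the extension rule is what catches it.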