Shockwave Virus Plagues Outlook UsersDec 01, 2000, 21:27 (13 Talkback[s])
(Other stories by Michael Singer)
"Just a minor tweak and this thing could be destructive."
A virus that disguises itself as a Shockwave movie is keeping some Microsoft Outlook users busy deleting email this week.
The virus arrives via email with the subject line: "A great Shockwave flash movie." The message reads: "Check out this new flash movie that I downloaded just now It's Great - Bye." The attachment is called CREATIVE.EXE.
By clicking on the attachment, the virus renames all of your JPG and ZIP files with an appendage that reads "change at least now to LINUX." It then drops a text file called MESSAGEFORU.TXT on your desktop.
Virus scanning experts like McAfee AVERT researcher Patrick Nolan who worked on exposing the virus says this Internet worm looked suspicious from the start.
"At first it looked like a version of the Navidad virus because it uses the same Shockwave icon," says Nolan. "Then I thought it resembled the MyPics because it used Visual Basic to create the code. But after looking closer, I figured out that this worm was created with Virtual Basic 6, so we renamed it Prolin because of its pro-Linux message."
That message reads: "Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear.
The message is signed - "The Penguin." Linux uses a penguin as its icon.
"At the end of the script, it sends a message to a Yahoo email account," says Nolan. That message reads: Job complete - Got yet another idiot."
Nolan got his first look at the virus on Tuesday and says he will continue to keep his eye on it. He says it is only designed to affect people who use Microsoft Outlook.
"I believe whoever wrote this left it open for creative variations," says Nolan. "Just a minor tweak and this thing could be destructive. It just depends on the whim of the author."
As it is practice in with most viruses, Santa Clara-based McAfee alerted the FBI to the situation.
I FEEL SO USED
The virus seems to have spread so fast because the message promises a Shockwave movie.
So if you opened it, don't feel bad. According to San Francisco-based Macromedia, which makes Shockwave, there are more than 165 million Shockwave players registered.
"From our perspective, viruses that pose as sharing movie files are the most popular," says Anita Chen, a spokesperson for Trend Micro.
The Cupertino-based antivirus company also worked on the problem and reports some wide-spread infections with some of their largest clients.
"To fight the virus, we recommend that you install some type of antivirus software, preferably something you can update online," says Chen.
Chen also recommends that you keep a close eye on your email for the next few weeks.
"If you get an .EXE file from someone that you weren't expecting, you should call them to confirm what they sent," says Chen. "If it looks suspicious, it probably is."
GET THIS THING OFF OF ME
If you see the message but have not launched the attachment, virus experts say you can just delete it. You can only be affected if you open the attachment.
To get rid of the virus you will need some type of antivirus program. There are many types available online.
Once the anitvirus software has cleaned off the virus, your computer will no longer be infected, nor will it send out e-mails with the virus attached, however, all of your JPG and Zip files have been renamed and moved.
They are all located in the root of your C drive (double click my computer, and double click the C drive) In there you will see all of your renamed files, and a file called messageforu.txt. Messageforu.txt has a list of all the renamed files, and the original locations.
To get your files back, you must delete the "change atleast now to LINUX" that was added to the file name, and move the file back to it's original location.
Example c:mycar.jpgchange atleast now to LINUX
To repair it, rename the file back to mycar.jpg (by right clicking on it, and choosing rename), and then look in C:messageforu.txt to determine where it goes.