The following has been derived from information provided by F-Secure, Network Associates, and Panda.
Virus Characteristics
This is a network-aware, file-infecting, mass-mailing worm/virus. The virus also contains bugs and is not fully functional. W32/Finaldo.b@MM arrives in an email message with varying subject lines and no visible message body. The attachment is named ".exe" and uses the Chinese flag as its icon.
The message exploits the Incorrect MIME Header vulnerability (MS01-020), so on an unpatched system the attachment is executed simply by viewing the email message.
Once running, the worm creates the file FINALDOOM.DLL in the TEMP directory. This component attempts to infect .EXE, .OCX, and .SCR files on local drives and network shares by appending itself to them; infected files may no longer function. NTOSKRNL.EXE and WinZip self-extracting archives are specifically skipped by this process.
FINALDOOM.EML is created in the TEMP directory and contains the MIME-encoded email message that the worm sends out. MAPI calls are used to harvest recipient addresses, including from existing email messages, and the worm then tries to send itself to those recipients via SMTP. The virus also tries to modify .HTM, .HTML, and .ASP documents by inserting a JavaScript call that opens a window containing the contents of the FINALDOOM.EML file.
Payload
Viewing an infected email message or web page will infect a system that is not patched. On a properly patched system, infection can still occur if the executable is run intentionally.
The worm infects files with the following extensions: EXE, SCR, OCX, HTM, HTML and ASP.
Preventative Measures
Block all .exe attachments.
Microsoft has also issued a patch for the Incorrect MIME Header vulnerability, which can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.
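The two traits described above (an executable attachment hidden behind a misleading MIME header, and web documents that gain a script referencing FINALDOOM.EML) can both be checked for at the mail gateway and on web content. The following Python script is an added example written for this alert; it is not code from any of the vendors named here. It assumes that a Finaldo-style attachment can be recognised by an executable filename extension or an "MZ" payload header regardless of the declared Content-Type, and that the injected script can be recognised heuristically by any inline script text that references a .eml resource (the exact code the worm inserts is not documented above). Both sample inputs are constructed.

```python
"""Triage checks for the Finaldo.b traits described in this alert.

Added example, not vendor code. Assumptions: an executable attachment is
identified by filename extension or an "MZ" payload header, independent of
the declared Content-Type; an injected web-page script is identified by any
inline script that references a .eml file.
"""
import email
import os
import re
from email import policy

# Extensions listed in the alert as file types the worm infects or arrives as.
EXECUTABLE_EXTS = (".exe", ".scr", ".ocx")

# Web document types the alert says the worm modifies.
WEB_EXTS = (".htm", ".html", ".asp")

# Constructed sample message: the attachment is declared as audio but is a
# base64-encoded blob beginning with the "MZ" executable header, named ".exe".
SAMPLE_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body></body></html>
--b1
Content-Type: audio/x-wav; name=".exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=".exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA
--b1--
"""

# Constructed sample web page with a script that opens the worm's .EML file.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<script>window.open("FINALDOOM.EML")</script>
</body></html>"""


def attachment_findings(raw: bytes) -> list:
    """Flag parts that look executable, whatever Content-Type they declare."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if filename.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable filename")
        if payload[:2] == b"MZ":
            reasons.append("MZ header")
        # A non-application Content-Type on an executable is the MS01-020 trick.
        if reasons and not ctype.startswith("application/"):
            reasons.append(f"declared as {ctype}")
        if reasons:
            findings.append(
                {"filename": filename, "content_type": ctype, "reasons": reasons}
            )
    return findings


SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
EML_REF_RE = re.compile(r"""['"]([^'"]*\.eml)['"]""", re.IGNORECASE)


def eml_references_in_scripts(html: str) -> list:
    """Return every .eml path referenced from inline <script> blocks."""
    refs = []
    for script in SCRIPT_RE.findall(html):
        refs.extend(EML_REF_RE.findall(script))
    return refs


def scan_web_tree(root: str) -> list:
    """Walk a document root and report (path, refs) for suspicious pages."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                refs = eml_references_in_scripts(fh.read())
            if refs:
                hits.append((path, refs))
    return hits


if __name__ == "__main__":
    for finding in attachment_findings(SAMPLE_EML):
        print("suspicious attachment:", finding)
    print("eml references:", eml_references_in_scripts(SAMPLE_HTML))
```

Run against real mail, the attachment check belongs at the gateway before the message reaches a client that might auto-render it; the web check is a cleanup aid for servers whose .HTM, .HTML and .ASP files the worm may have reached over a share.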
Fixes Available
F-Secure: No data at time of alert
Network Associates: DAT Release Date: 11/14/2001
Panda: No data at time of alert
Symantec: November 7th, 2001 SpecDefs