SECURITY ALERT

Name:      VBS/Staple.a@mm
Aliases:   VBS_STAPLE.A, injustice.txt.vbs, VBS.Staple.worm, Staple, Staple.worm
Variants:  
Type:      Visual Basic Script Worm, Mass Mailer
Platforms: Windows 9x/NT/2000/ME, with Microsoft Outlook and Windows Scripting Host
Status:    in the wild
Threat:    medium (V-CON 3)

The following has been derived from information provided by Network Associates and Trend Micro.

Virus Characteristics

This is a VBScript virus that sends copies of itself via Outlook. When run, the script does the following:

* Writes itself to <drive>:\Windows\system\injustice.TXT.vbs using environment variables

* Sends a message to the first 50 recipients of the Outlook Address book in this format:

Subject = "RE:Injustice"
Body =
Dear (contact name),
Did you send the attached message, I was not expecting this from you !
Attachments = injustice.TXT.vbs

* This virus then updates a value in the registry to ensure that a particular recipient receives the email with the virus only once.

"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"

* It also sends itself, in separate messages in the same format, to a fixed list of other email recipients.

* Displays this message:

"PLEASE ACCEPT MY APOLOGIES FOR DISTURBING YOU. "
"Remember that one day YOU may be in this situation. "
"We need every possible help. "
"Israeli soldiers killed in cold blood 12 year old Palestinian child"
"Mohammad Al-Durra, as his father tried to protect him in vain with"
"his own body. As a result of the indiscriminate and excessive use of"
"machine gun fire by Israeli soldiers, journalists and bystanders"
"watched helplessly as the child was savagely murdered."
"Palestinian Red Crescent Society medic Bassam Balbeisi"
"attempted to intervene and spare the child's life but live"
"ammunition to his chest by Israeli fire took his life in the process."
"The child and the medic were grotesquely murdered in cold blood."
"Mohammad's father, Jamal, was critically injured and permanently"
"paralyzed. Similarly, approximately 40 children were slain, without"
"the media taking notice or covering these tragedies. "
"THESE CRIMINAL ACTS CANNOT BE FORGIVEN OR FORGOTTEN!!!!"
" HELP US TO STOP THE BLOOD SHED!! "

* Starts several instances of Internet Explorer, opening the following websites:

"http://www.sabra-shatila.org/"
"http://www.petitiononline.com/palpet/petition.html"
"http://www.palestine-info.org"
"http://freesaj.org.uk/"
"http://hanthala.virtualave.net/"
"http://www.ummah.net/unity/palestine/index.htm"

* The virus contains the following comments in its code right before its mass-mailing payload:

' Only to 50 entries - not to disturb network and mail servers -

The end of the virus code contains the comment:

'Note:
'Do not worry. This is a harmless virus. It will not do any thing to your system.
'The intension is to help Palestinian people to live in PEASE in their own land.
'S/N : 881844577469


Payload

The worm creates the file "injustice.txt.vbs" on the local file system and distributes itself by email, placing load on email servers. It also opens several Internet Explorer windows to various websites.


Preventative Measures

Block all files with the VBS extension at the SMTP gateway where possible. Disable the Windows Scripting Host.
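
One way to apply the gateway rule above, as an added example that is not part of the original alert: a Python check that flags script attachments by the extension Windows would act on, so a double extension such as injustice.TXT.vbs is still caught. The function names, the extensions listed beyond .vbs, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Script extensions run by Windows Script Host; the alert names .vbs, the
# others are an assumption added here for completeness.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def final_extension(filename):
    """Return the extension Windows would act on, lower-cased."""
    # Windows ignores trailing dots and spaces, so "x.vbs. " still runs as .vbs.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_message):
    """Return the names of attachments a gateway should reject."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() descends into nested multiparts
        # get_filename() checks Content-Disposition, then Content-Type name=,
        # and decodes RFC 2231 parameters.
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample(filename):
    """Constructed test message shaped like the one in the alert."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "RE:Injustice"
    msg.set_content("Dear Contact,\nDid you send the attached message, ...")
    # Harmless placeholder bytes; only the attachment name matters here.
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("injustice.TXT.vbs", "injustice.TXT.VBS. ", "notes.vbs.txt"):
        print(name, "->", blocked_attachments(build_sample(name)))
```

Matching on the final extension rather than the first is what defeats the ".TXT.vbs" disguise, while a file such as notes.vbs.txt, which Windows opens as text, passes.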


Manual Removal

Remove the following registry key:

"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"

Remove the following file created by the worm:

<drive>:\Windows\system\injustice.TXT.vbs


Fixes Available

AVP: No information at time of alert
Network Associates: Engine 4.0.70 or greater, DAT 4130 (to be released 03/28/2001)
Symantec: Currently detected as Bloodhound.VBS.Worm (Exact Defs to be released 03/21/01)
Trend: Pattern File #864 (currently available)
