U kijkt naar de website van NRC Handelsblad gedurende de periode 1995-2001. Bezoek ook de de huidige site.

NIEUWS  TEGENSPRAAK  SUPPLEMENT  DOSSIERS  ARCHIEF  ADVERTENTIES   SERVICE

Computerbeveiliging

Nieuws

Lekken

Privacy

Hackers

Pentagon

Virussen

Tips

Boeken

Films

Links

 

Virussen

Technische documentatie van Symantec over het Papa-virus.

X97M.Papa.A

Aliases:

X97M.Papa, X97M.Papa.A.Intended

Infection Length:

1196 bytes

Area of Infection:

This is a Worm and spreads as an Excel spreadsheet

Likelihood:

Common

Region Reported:

Worldwide

Characteristics:

Mails itself using Outlook, Pings two IP addresses

Target Platform:

Windows with MS Outlook and MS Excel

Trigger:

Random

Description:

The X97M.Papa.A Worm is a macro worm. The worm replicates in the form of a Microsoft Excel spreadsheet. Using the macro language in Microsoft Excel in conjunction with Microsoft Outlook, the worm sends copies of itself to email addresses configured in Outlook’s address lists. In order for this worm to self-propagate, one must have both Microsoft Excel and Microsoft Outlook installed on their computer system.

Upon opening an infected spreadsheet, the worm composes an email to the first 60 email addresses in each address list configured in Microsoft Outlook. The email contains the subject:

Fwd: Workbook from all.net and Fred Cohen

The body of the email contains the text:

Urgent info inside. Disregard macro warning.

The worm then attaches the Excel spreadsheet to the email and sends the message, propagating itself further. Such mass mailings can cause network congestion and an increase in load on email servers forcing them to be shut down.

The worm contains an additional payload with a random trigger. The payload performs a ping on two different IP addresses with a random buffer size for an indefinite amount of time potentially causing a denial of service and additional network congestion.

As always, one should practice safe computing practices and avoid opening email attachments that can contain viruses, worms, or other malicious programs. The worm will not self-propagate simply by reading your email. You must launch or run the attached Excel spreadsheet. The Excel spreadsheet attachment was originally named PASS.XLS. However, filenames are easily changeable so, the worm may spread as a different filename.

At the time of this write-up, only an Intended version of this worm was seen in the wild. The worm contains a bug that does not allow it to execute properly. However, the virus author has publicly posted the bug has been fixed. Norton Antivirus may detect both versions under the name X97M.Papa.A.Intended.

Write-up by: Eric Chien

Date of write-up: March 29, 1998

Zie ook:
www.symantec.com/avcenter/venc/data/melissa.html

Technische informatie van Network Associates over Papa

NRC Webpagina's
31 maart 1999

    Bovenkant pagina

NRC Webpagina's © NRC Handelsblad