FYI>>F-Secure Virus Descriptions

carl william spitzer iv cwsiv_2nd at JUNO.COM
Thu Feb 14 17:45:18 MST 2002


     NAME: Welyah
     ALIAS: I-Worm.Welyah

     Welyah is a mass-mailer worm that is 110 kilobytes in size
     and was written in Visual Basic.

     The worm utilises its own SMTP engine so it does not depend
     on Outlook for e-mail sending. The recipient addresses are
     collected from different files in the system, e.g. *.wab
     files (Windows Address Book), *.mbx (Mailbox).

     Messages sent by Welyah look like this:



     The attachment name is disguised as a text file but it
     has a .pif extension that is not visible because of the many
     space characters before it.

     The worm also uses the IFRAME vulnerability that makes
     Outlook execute the attachment automatically. More
     information on the vulnerability can be found at
     http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

     When the attachment is executed it copies itself to the
     Windows directory as 'Winl0g0n.exe' and adds it to the
     runkeys in the registry as

     '[HKLM]\Software\Microsoft\Windows\CurrentVersion\Run\Winl0g0n'

     so the worm will be started when Windows starts up.

     [Analysis: Gergely Erdelyi; F-Secure Corp.; 20th of
     December, 2001]

     >http://www.datafellows.com/v-descs/welyah.shtml
     >
     >Friends shouldn't let other friends use Windows.
     >: damocles at TheNostromo.cx :  Bruce Morrow, a man before and
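
An added example, not part of the original post or of F-Secure's description: a mail-gateway style check for the attachment-name disguise described above (a text-looking name, a long run of spaces, then the real .pif extension). The function names, the extension lists other than .pif, and the three-space padding threshold are assumptions made for this sketch.

```python
import re
from email import message_from_string

# .pif comes from the write-up; the other extensions are an assumed policy list.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
PAD_RUN = re.compile(r"\s{3,}")  # assumed threshold for "many space characters"
DECOY = re.compile(r"\.(txt|doc|jpg|gif|htm|html)\s*$", re.I)  # assumed decoy list


def check_filename(name):
    """Return the reasons a declared attachment name looks disguised."""
    stem, dot, ext = name.strip().rpartition(".")
    ext = (dot + ext).lower() if dot else ""
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = [f"executable extension {ext}"]
    if PAD_RUN.search(stem):
        reasons.append("whitespace padding before the real extension")
    decoy = DECOY.search(stem)
    if decoy:
        reasons.append(f"decoy extension .{decoy.group(1).lower()}")
    return reasons


def scan_message(raw):
    """Map each suspicious attachment name in a raw message to its reasons."""
    findings = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        reasons = check_filename(name) if name else []
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample: a text-looking name padded with 40 spaces before ".pif".
PADDED_NAME = "readme.txt" + " " * 40 + ".pif"
SAMPLE = (
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nbody\n"
    "--b1\nContent-Type: application/octet-stream\n"
    f'Content-Disposition: attachment; filename="{PADDED_NAME}"\n\n'
    "placeholder\n--b1--\n"
)

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check reads only the declared filename, so it works without opening the attachment and can run before delivery.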
