HTML mails, 3rd attempt

From: "Nader, Alexander" <alexander.nader@wgkk.sozvers.at>

Almost half of the news we read every day in this list are themes concerning
lab safety. And the same people who are discussing the do's and do not's in
their labs are using HTML-encoded mails with increasing frequency.

Maybe all who send HTML-encoded mails to this list should read the following
chapter from the Symantec homepage carefully:
This virus is now at number 2 in the virus chart, and since many use email
programs like Outlook it spreads very quickly.

________________________________________________________________
VBS.Jer(htm)

Distribution: High 

This worm will appear as the attachment Jer.htm. Opening the attachment in
your internet browser will display a page that contains "The 40 Ways Women
Fail in Bed". This is meant to serve as a distraction while the worm does
its work in the background. There is a script embedded within the .htm file
that allows the worm to spread itself via MS Outlook and mIRC. 

Category: Worm 
Infection length: 16,451 bytes 
Virus definitions: July 6, 2000 

Damage: 

Payload trigger: Opening the jer.htm file in a web browser that supports
scripts. 
Payload: 
Large scale e-mailing: Sends to all addresses in the Outlook Address book.
Also spreads when connecting through mIRC. 
Modifies files: System registry, Script.ini. 
Causes system instability: Could overload mail servers. 

The worm also modifies the following registry keys to disable certain
functions of the OS: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind is
set to "1". 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
is set to "1". 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose is
set to "1". 
HKLM\Software\Microsoft\Windows\CurrentVersion\Version is set to
"VBS.GinSenG". 
HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner is set to "I
Love You, Min". 
HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization is set
to "GinsengBoy 2000". 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetup
is set to "1". 

which correspond to the following effects: 

The Find function will not be accessible. 
All icons will have been disabled and will no longer appear on your desktop.

The user will be prevented from shutting down the computer by way of the
Start menu. The computer must be powered off, reset, or shut down by hitting
CTRL+ALT+DEL and selecting shut down. 
The Version and RegisteredOwner/Organization keys will not have an adverse
effect on the system. These keys modify the data that can be seen when the
System Properties are displayed.
Access to Network Properties is disabled on Windows 98 machines.
MS Outlook is used to send the worm as an attachment to all addresses
located in the MS Outlook Address book. The worm attaches a copy of itself
which is created in the Windows system directory. To make use of mIRC, the
worm will modify the script.ini file which gets called when a connection is
made. The jer.htm file is transferred to all users that are present in any
group an infected user connects to. 

Removal: 

To remove the worm from your system you must delete the jer.htm file located
in your Windows system directory. You must also undo any modifications that
have been made to the registry. Delete the "GinSenG" key that was created.
Set all keys previously noted that were modified to "1" equal to "0".
Restore the correct information such as your name and organization to the
"RegisteredOwner" and "RegisteredOrganization" keys.

________________________________________________________________



Dr. Alexander Nader
Path. Institut Hanuschkrankenhaus
Heinrich-Collin Straße 30
A-1140 Wien, Österreich
+43-1-910 21 DW:2422

Alexander.Nader@wgkk.sozvers.at
Alexander.Nader@univie.ac.at
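As an added example (not part of the original post or of Symantec's writeup), the following PowerShell script audits a machine for the registry values and the jer.htm file described above and, with -Remediate, applies the removal steps the writeup gives. The correct RegisteredOwner/RegisteredOrganization strings are not known to the script, so they are passed in as placeholders; the "GinSenG" key is not handled because the writeup does not give its path.

```powershell
# Added example, not from the original post or from Symantec.
# Audits the VBS.Jer indicators named in the writeup; -Remediate applies its removal steps.
# Run from an elevated prompt. Key paths are taken verbatim from the writeup.
param(
    [switch]$Remediate,
    # Assumed placeholders: supply the values that were correct for this machine.
    [string]$Owner = 'PLACEHOLDER_OWNER',
    [string]$Organization = 'PLACEHOLDER_ORGANIZATION'
)

$cv = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'

# Policy values the worm sets to 1; the removal procedure resets them to 0.
$policyValues = @(
    @{ Key = "$cv\Policies\Explorer"; Name = 'NoFind'     },
    @{ Key = "$cv\Policies\Explorer"; Name = 'NoDesktop'  },
    @{ Key = "$cv\Policies\Explorer"; Name = 'NoClose'    },
    @{ Key = "$cv\Policies\Network";  Name = 'NoNetSetup' }
)
# String values the worm overwrites, with the exact strings from the writeup.
$stringValues = @{
    Version                = 'VBS.GinSenG'
    RegisteredOwner        = 'I Love You, Min'
    RegisteredOrganization = 'GinsengBoy 2000'
}

$findings = @()
foreach ($p in $policyValues) {
    $v = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v -eq 1) {
        $findings += "$($p.Key)\$($p.Name) = 1"
        if ($Remediate) { Set-ItemProperty -Path $p.Key -Name $p.Name -Value 0 }
    }
}
foreach ($name in $stringValues.Keys) {
    $v = (Get-ItemProperty -Path $cv -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq $stringValues[$name]) {
        $findings += "$cv\$name = '$v'"
        # Only Owner/Organization have known-good replacements; Version is reported only.
        if ($Remediate -and $name -eq 'RegisteredOwner')        { Set-ItemProperty -Path $cv -Name $name -Value $Owner }
        if ($Remediate -and $name -eq 'RegisteredOrganization') { Set-ItemProperty -Path $cv -Name $name -Value $Organization }
    }
}
# The worm's copy of itself lives in the Windows system directory, per the writeup.
$jer = Join-Path ([Environment]::SystemDirectory) 'jer.htm'
if (Test-Path $jer) {
    $findings += $jer
    if ($Remediate) { Remove-Item -Path $jer -Force }
}

if ($findings.Count -eq 0) { 'No VBS.Jer indicators found.' } else { $findings }
```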


