New 'Cholera' virus discovered
By Martin Stone
09/09/99 - Updated 01:47 PM ET
Cybersleuths are warning of a new combined worm and virus threat, called
Cholera, discovered Wednesday morning on a German hacker's Web site. Vendors of anti-virus
programs are scrambling to identify it and create an antidote before it becomes epidemic
like Melissa and Worm.ExploreZip, although no cases of infection have yet been reported.
Anti-virus experts Computer Associates International, of Long Island, N.Y., who
discovered the bug, are warning Web-surfers not to accept suspicious e-mail attachments
even though the virus had not been found "in the wild" as of Thursday morning.
Product Manager Narender Mangalam of Computer Associates told Newsbytes that the
worm/virus was discovered by his company while scanning known hacker sites as part of
their regular surveillance routine.
Cholera is currently listed as a medium threat since it has not yet been
reported to have infected user systems, but the company says the warning will
automatically be upgraded to a high threat as soon as it is reported to have entered a
remote computer.
He added that his company is in contact with other anti-virus vendors and will
have a consensus later Thursday as to whether Cholera has spread to user systems.
Mangalam said his company has already created a fix which is available as a free
download from http://www.cai.com/
Computer Associates describes Cholera as similar to Worm.ExploreZip because it
unleashes a worm-like attack and will automatically send itself to any e-mail address it
finds on an e-mail system. The bug therefore has the potential to glut and shut down
e-mail servers.
Cholera is not platform-dependent and can operate on any e-mail system, said
Mangalam. The bug also contains a virus aspect, dropping a virus file called W32/CTX once
it infects a new computer. Investigators at Computer Associates are presently attempting
to determine what payload, if any, the virus will inflict.
In its present form, Cholera sends itself to a recipient with a
"smiley" face in the text and an attachment titled Setup.exe which has the
appearance of a self-extracting setup program.
The sleuths describe the icon of this attachment as looking like a standard
Windows install program, but with slightly different color tones, adding that the worm
activates when the system is rebooted.
Once resident, the worm installs itself by adding keys to WIN.INI on Win9x and to the
registry on WinNT, tries to copy itself to any shared drives currently connected, and then
proceeds to infect executable files in the directory with a virus named W32/CTX.
Computer Associates says that when recipients open the attachment they find a
message reading: "Cannot open file: it does not appear to be a valid archive. If you
downloaded this file, try downloading the file again."
The worm remains invisible to the user and becomes an auto-start application by
writing a RUN entry to the Win.ini file (Windows 9x) or to the registry (Windows NT) and
then deletes itself after resending itself as e-mail, leaving the virus resident.
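The auto-start mechanism described above can be audited on a Windows 9x machine by listing what the [windows] section of WIN.INI launches at startup. The following is an added example, not code from the article or from Computer Associates; the sample file contents, program names and allowlist are constructed, since the article does not give the entry the worm writes, and the Windows NT registry side is not covered.

```python
import re

# Keys in the [windows] section of WIN.INI that Windows 9x runs at startup.
AUTOSTART_KEYS = ("run", "load")

# Constructed sample WIN.INI, not taken from an infected machine.
SAMPLE_WIN_INI = r"""
; constructed sample
[windows]
load=
run=C:\WINDOWS\EXAMPLE.EXE C:\TOOLS\CLOCK.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
run=C:\IGNORED.EXE
"""

def autostart_entries(win_ini_text):
    """Return [(key, program), ...] for each run=/load= program in [windows]."""
    entries = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue  # a run= key outside [windows] is not an auto-start entry
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in AUTOSTART_KEYS:
            # The value is a list of programs; split on spaces (commas tolerated).
            entries.extend((key, p) for p in re.split(r"[,\s]+", value.strip()) if p)
    return entries

def unexpected_entries(win_ini_text, allowlist):
    """Return the auto-start entries whose program is not on the allowlist."""
    allowed = {p.lower() for p in allowlist}
    return [(k, p) for k, p in autostart_entries(win_ini_text) if p.lower() not in allowed]

if __name__ == "__main__":
    for key, prog in unexpected_entries(SAMPLE_WIN_INI, [r"C:\TOOLS\CLOCK.EXE"]):
        print(f"review auto-start entry: {key}={prog}")
```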
Anti-virus vendors warn that even though no reports of infection "in the
wild" have yet been received, there is a strong potential that virus writers might
create and launch "copy-cat" versions of the bug.
Mangalam said that because of the unusual nature of the worm/virus combination,
it becomes tempting for other hackers to attempt to copy and expand upon it.
Copyright © 1999, Newsbytes News Network LLC. All rights
reserved.