Microsoft Y2K  
 This static CD-based web site is representative of the www.microsoft.com/malaysia/y2k site as of October 14, 1999.


Y2K Virus "Y2Kcount.exe" Market Bulletin

Microsoft was notified on Wednesday afternoon (Sept. 15, 1999) that a hoax e-mail carrying a Trojan horse attachment (called Y2Kcount.exe) had been distributed to Microsoft customers. This e-mail was not sent by Microsoft, and the attachment being distributed is not a Y2K countdown program but a Trojan horse.

Microsoft does not distribute software via e-mail. Year 2000 related updates are distributed only from the Microsoft Year 2000 website (http://www.microsoft.com:80/y2k/) or on a tangible CD-ROM, such as the Microsoft Year 2000 Resource CD.

When Microsoft distributes upgrades via the Internet, the software is made available on the web site, http://www.microsoft.com:80/, or on the FTP site, ftp://ftp.microsoft.com. Microsoft occasionally sends e-mail to inform customers that upgrades are available, but such e-mail only provides links to the download sites; Microsoft never attaches the software itself to the e-mail. Microsoft digitally signs its products (Authenticode code signing) so that users can verify that a downloaded file is authentic and has not been tampered with.

If a customer receives an e-mail that claims to contain software from Microsoft, the attachment should not be executed. The safest course of action is to delete the mail altogether.

Microsoft is broadly notifying its customers of this Trojan horse and has updated its Year 2000 website with the latest details.

The following is a direct excerpt from the Network Associates web site (http://www.vil.nai.com:80/vil/tro10358.asp), a world leader in anti-virus information.

Trojan Name
Count2K

Date Added
9/15/99

Trojan Characteristics
This Trojan normally arrives attached to an e-mail purporting to come from Microsoft. The e-mail has an attachment "Y2KCOUNT.EXE" of 124,885 bytes and the following text: ........................
From: support@microsoft.com

Sender: support@microsoft.com
Received: from Microsoft (stara65.pip.digsys.bg [193.68.4.65])
Subject: Microsoft Announcement
Date: Wed, 15 Sep 1999 00:49:57 +0200
To All Microsoft Users,

We are excited to announce Microsoft Year 2000 Counter.
Start the countdown NOW.
Let us all get in the 21 Century.
Let us lead the way to the future and we will get YOU there FASTER and SAFER.

Thank you,
Microsoft Corporation
........................
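The headers quoted above give the forgery away on their own: the From and Sender lines claim support@microsoft.com, the Received line shows the message actually entered the mail system from stara65.pip.digsys.bg [193.68.4.65] with a bare "Microsoft" as HELO name, and an executable is attached, which the bulletin states Microsoft never does. The Python script below is an added example, not code from the Microsoft bulletin or from the Network Associates write-up. It applies those three checks to a constructed copy of the hoax message (the header lines and body text are the ones quoted above; the MIME framing and the attachment bytes are assumed placeholders) and to a constructed benign notification of the link-only kind the bulletin describes (its relay host name and IP are assumptions).

```python
"""Flag a 'software update' mail whose headers do not match its claimed sender.
Added example; not code from the Microsoft bulletin or the NAI write-up."""
import re
from email import message_from_string
from email.message import Message

# Attachment types the bulletin's advice applies to: the vendor never mails software.
EXEC_EXT = (".exe", ".com", ".bat", ".scr", ".pif")
# "from <HELO name> (<reverse DNS name> [<IP>])", the shape of the Received line quoted above.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")

# Constructed sample: header lines and body text as quoted in the write-up;
# MIME framing and attachment bytes are assumed placeholders.
HOAX_MAIL = """\
From: support@microsoft.com
Sender: support@microsoft.com
Received: from Microsoft (stara65.pip.digsys.bg [193.68.4.65])
Subject: Microsoft Announcement
Date: Wed, 15 Sep 1999 00:49:57 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

To All Microsoft Users,

We are excited to announce Microsoft Year 2000 Counter.
Start the countdown NOW.

--b1
Content-Type: application/octet-stream; name="Y2KCOUNT.EXE"
Content-Disposition: attachment; filename="Y2KCOUNT.EXE"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed benign notification: a link, no attachment, relayed by a host in the
# sender's own domain. Host name and IP (documentation range) are assumptions.
NOTIFY_MAIL = """\
From: notify@microsoft.com
Received: from mail.microsoft.com (mail.microsoft.com [192.0.2.10])
Subject: Update available
Content-Type: text/plain

An update is available at http://www.microsoft.com/y2k/
"""


def parse(raw: str) -> Message:
    return message_from_string(raw)


def sender_domain(msg: Message) -> str:
    """Domain part of the From header, lower-cased ('' if there is no address)."""
    addr = msg.get("From", "")
    return addr.rsplit("@", 1)[-1].strip(" <>").lower() if "@" in addr else ""


def received_hops(msg: Message) -> list:
    """(HELO name, reverse DNS name, IP) per Received header; the originating hop is last."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append((m.group(1), m.group(2).lower(), m.group(3)))
    return hops


def executable_attachments(msg: Message) -> list:
    """File names of attached parts with an executable extension."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(EXEC_EXT)]


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def assess(raw: str) -> list:
    """Return one finding per check that fails; an empty list means nothing was flagged."""
    msg = parse(raw)
    findings = []
    dom = sender_domain(msg)
    hops = received_hops(msg)
    if hops:
        helo, rdns, ip = hops[-1]  # the hop that injected the message
        if dom and not in_domain(rdns, dom):
            findings.append(f"From claims {dom} but the originating host is {rdns} [{ip}]")
        if "." not in helo:
            findings.append(f"HELO name {helo!r} is not a fully qualified host name")
    for name in executable_attachments(msg):
        findings.append(f"executable attachment {name}: the vendor states it never mails software")
    return findings


def is_suspect(raw: str) -> bool:
    return bool(assess(raw))


if __name__ == "__main__":
    for label, raw in (("hoax", HOAX_MAIL), ("notification", NOTIFY_MAIL)):
        print(label, "->", assess(raw) or "no findings")
```

The originating hop is taken from the last Received header because each relay prepends its own line; only that bottom line, and the IP in it, is beyond the sender's control, which is why the check compares the From domain against it rather than against the HELO string the sender chose.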

The attached file is a self-extracting archive. If the attached exe is run, it displays a fake error message box containing the text

Password protection error or invalid CRC32!

The exe is in fact a WinZip self-extracting archive consisting of these files:

Project1.exe
file001.dat
file002.dat
file003.dat
file004.dat

The file Project1.exe is set to run automatically after the self-extracting archive is executed. This program then copies each of the four .dat files into the WINDOWS\SYSTEM folder using the names:

Proclib.exe
Proclib.dll
Proclib16.dll
ntsvsrv.dll
Nlhvld.dll

The program then adds the filename "ntsvsrv.dll" to the end of the 'drivers=' line in the [boot] section of SYSTEM.INI. This causes the Trojan to be run at the next system startup. At this point the file WSOCK32.DLL in WINDOWS\SYSTEM is renamed to Nlhvld.dll (overwriting the file just dropped, if WSOCK32.DLL exists). The file Proclib16.dll is then copied to WSOCK32.DLL.

This means that the Trojan has now 'hooked' the Internet connection, and whenever a connection is opened the file proclib.exe is run.

The purpose of this Trojan appears to be to intercept username and password information and presumably pass it on to the Trojan's author.

Manual Removal Instructions
1. Edit the drivers= line in the [boot] section of SYSTEM.INI and remove the filename ntsvsrv.dll.

2. Restart the system and DO NOT load any Internet applications; this ensures that WSOCK32.DLL is not loaded into memory and so can be renamed.

3. Copy the file WINDOWS\SYSTEM\Nlhvld.dll to WINDOWS\SYSTEM\WSOCK32.DLL. If you are prompted to confirm overwriting the existing file, reply yes. If you get an error message saying that the file is in use, then WSOCK32.DLL has already been loaded. Disable all internet and network applications (or boot from a clean floppy disk) and repeat until successful.

4. Delete the files

Proclib.exe
Proclib.dll
Proclib16.dll
ntsvsrv.dll
Nlhvld.dll

from WINDOWS\SYSTEM.
Note: the files Proclib.exe, Proclib.dll, Proclib16.dll and ntsvsrv.dll are detected as "Count2K trojan"; the original file "Y2KCount.exe" is detected as "Count2K.sfx" and "Project1.exe" is detected as "Count2K.dr".

Indications Of Installation
Existence of the files listed above; messages in your sent folder matching the above message body content.
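The two indicators a responder can check for from the description above are the ntsvsrv.dll entry appended to the drivers= line of the [boot] section of SYSTEM.INI and the five file names dropped into WINDOWS\SYSTEM; step 1 of the manual removal is then a text edit to that same line. The Python below is an added example, not code from the Microsoft bulletin or from Network Associates. It parses a constructed SYSTEM.INI fragment (the [boot] drivers= layout is the real Windows 9x format; the other driver names on the line are assumptions), reports whether the hook is present, removes only that entry while leaving every other entry and the rest of the file untouched, and checks a constructed directory listing for the five dropped names. It does not attempt steps 2 to 4 (restoring WSOCK32.DLL from Nlhvld.dll and deleting the files), which have to be done with the Winsock DLL unloaded as the instructions say.

```python
"""Detect and undo the Count2K SYSTEM.INI persistence described in the write-up.
Added example; not code from the Microsoft bulletin or the NAI write-up."""
import os

# File names the trojan drops in WINDOWS\SYSTEM and the entry it appends to drivers=.
DROPPED_FILES = ("Proclib.exe", "Proclib.dll", "Proclib16.dll", "ntsvsrv.dll", "Nlhvld.dll")
HOOK_ENTRY = "ntsvsrv.dll"

# Constructed SYSTEM.INI fragment (CRLF line endings as on Windows). The [boot] drivers=
# layout is the real format; mmsystem.dll and power.drv are assumptions for illustration.
INFECTED_INI = (
    "[boot]\r\n"
    "shell=Explorer.exe\r\n"
    "drivers=mmsystem.dll power.drv ntsvsrv.dll\r\n"
    "\r\n"
    "[386Enh]\r\n"
    "device=*vmm32\r\n"
)


def _section_of(line: str, current) -> str:
    """Track which [section] a line belongs to while scanning the file."""
    s = line.strip()
    if s.startswith("[") and s.endswith("]"):
        return s[1:-1].lower()
    return current


def boot_drivers(ini_text: str) -> list:
    """Whitespace-separated entries on the drivers= line of [boot] (empty list if absent)."""
    section = None
    for line in ini_text.splitlines():
        section = _section_of(line, section)
        s = line.strip()
        if section == "boot" and s.lower().startswith("drivers="):
            return s.split("=", 1)[1].split()
    return []


def has_count2k_hook(ini_text: str) -> bool:
    """Indicator: ntsvsrv.dll listed as a [boot] driver, so it is loaded at the next startup."""
    return any(d.lower() == HOOK_ENTRY for d in boot_drivers(ini_text))


def remove_count2k_hook(ini_text: str) -> str:
    """Step 1 of the manual removal: drop ntsvsrv.dll from drivers=, keeping every other
    entry, every other line and the original line endings. Idempotent on a clean file."""
    out, section = [], None
    for line in ini_text.splitlines(keepends=True):
        section = _section_of(line, section)
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        if section == "boot" and body.strip().lower().startswith("drivers="):
            kept = [d for d in body.split("=", 1)[1].split() if d.lower() != HOOK_ENTRY]
            line = "drivers=" + " ".join(kept) + eol
        out.append(line)
    return "".join(out)


def dropped_files_present(names) -> list:
    """Indicator: which of the trojan's file names occur in a WINDOWS\\SYSTEM listing.
    Compared case-insensitively, as FAT file names are."""
    present = {n.lower() for n in names}
    return [f for f in DROPPED_FILES if f.lower() in present]


def scan_system_dir(path: str) -> list:
    """The same file-name check against a real directory."""
    return dropped_files_present(os.listdir(path))


if __name__ == "__main__":
    print("hook present:", has_count2k_hook(INFECTED_INI))
    print(remove_count2k_hook(INFECTED_INI))
    # Constructed listing: one genuine system file plus two of the dropped names.
    print(dropped_files_present(["KERNEL32.DLL", "WSOCK32.DLL", "PROCLIB.EXE", "nlhvld.dll"]))
```

Only the single entry is removed rather than the whole line being reset, because on Windows 9x the drivers= line also carries legitimate entries (the multimedia driver, for instance) that the system needs at the next boot.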

Method Of Installation
Running the ill-fated attachment Y2KCOUNT.EXE from the received email message.

Trojan Information
Discovery Date: 9/15/99
Type: Trojan
Risk Assessment: Medium
Minimum DAT: 4045 (Available 9/29/99)

Variants
Unknown

Aliases
Y2KCOUNT, Count2K.sfx, Count2K.dr


© 1999 Microsoft Corporation. All rights reserved.

This site is being designated as a Year 2000 Readiness Disclosure and the information contained herein is provided pursuant to the terms hereof and the Year 2000 Information and Readiness Disclosure Act.