Microsoft was notified on Wednesday afternoon (Sept. 15, 1999) that a Trojan email hoax (called Y2Kcount.exe) had been distributed to Microsoft customers. This email was not sent by Microsoft, and the attachment being distributed is not a Y2K countdown program but a Trojan horse virus.

Microsoft does not distribute software via email. Microsoft will only distribute year 2000 related updates from its website (http://www.microsoft.com:80/y2k/) or on a tangible CD-ROM, such as the Microsoft Year 2000 Resource CD.

Microsoft distributes upgrades via the Internet. When Microsoft does this, the software is made available via the web site, http://www.microsoft.com:80/, or through the FTP site, ftp://ftp.microsoft.com.

Microsoft occasionally sends e-mail to customers to inform them that upgrades are available. However, the e-mail will only provide links to the download sites -- Microsoft will never attach the software itself to the e-mail. Microsoft always digitally signs its products with authenticity verification code, which allows users to verify that the products have not been tampered with.

If a customer receives an e-mail that claims to contain software from Microsoft, the customer should not execute the attachment. The safest course of action is to delete the mail altogether.

Microsoft is broadly notifying its customers of this Trojan horse and has updated its year 2000 website with the latest information and details.
The following is a direct excerpt from the Network Associates web site, a world leader in anti-virus information: http://www.vil.nai.com:80/vil/tro10358.asp

Trojan Name: Count2K
Date Added: 9/15/99

Trojan Characteristics
This Trojan normally arrives attached to an e-mail purporting to come from Microsoft. The email has an attachment "Y2KCOUNT.EXE" of 124,885 bytes and the following text:
........................
From: support@microsoft.com
Sender: support@microsoft.com
Received: from Microsoft (stara65.pip.digsys.bg [193.68.4.65])
Subject: Microsoft Announcement
Date: Wed, 15 Sep 1999 00:49:57 +0200

To All Microsoft Users,

We are excited to announce Microsoft Year 2000 Counter. Start the countdown NOW. Let us all get in the 21 Century. Let us lead the way to the future and we will get YOU there FASTER and SAFER.

Thank you,
Microsoft Corporation
........................
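The policy stated in the notice (Microsoft links to downloads and never attaches software) and the headers quoted above give a mail gateway two cheap checks: an executable attachment on mail claiming a microsoft.com sender, and a Received hop whose reverse-DNS name lies outside the claimed sender's domain. The following Python script is an added example, not part of the Microsoft notice or the NAI write-up; the suspect message is constructed from the quoted headers, the benign message uses reserved example.com names, and the executable-suffix list and the domain-matching rule are assumptions of this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Vendor that, per the notice above, never ships software as an e-mail attachment.
VENDOR_DOMAIN = "microsoft.com"
# Attachment suffixes treated as executable (assumption of this example).
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat")

# Constructed sample modelled on the headers quoted in the NAI write-up above.
# Only the headers and the attachment name matter; the base64 payload is two bytes.
SUSPECT_MESSAGE = """\
From: support@microsoft.com
Sender: support@microsoft.com
Received: from Microsoft (stara65.pip.digsys.bg [193.68.4.65])
Subject: Microsoft Announcement
Date: Wed, 15 Sep 1999 00:49:57 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We are excited to announce Microsoft Year 2000 Counter.
--b1
Content-Type: application/octet-stream; name="Y2KCOUNT.EXE"
Content-Disposition: attachment; filename="Y2KCOUNT.EXE"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign notification (reserved example.com names): a link, no attachment.
BENIGN_MESSAGE = """\
From: updates@example.com
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
Subject: Update available
MIME-Version: 1.0
Content-Type: text/plain

An update is available from https://www.example.com/downloads/
"""

# Matches the "(reverse-dns [ip])" part of a Received: header.
RECEIVED_RE = re.compile(r"\((?P<rdns>[^\s\[\]()]+)\s*\[(?P<ip>[^\]]+)\]\)")


def claimed_sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if there is none)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def received_hops(msg):
    """(reverse-DNS name, IP) for each Received: header carrying a 'name [ip]' pair."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            hops.append((m.group("rdns").lower(), m.group("ip")))
    return hops


def executable_attachments(msg):
    """Filenames of attachments whose suffix marks them as executable."""
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_SUFFIXES)
    ]


def assess(raw):
    """Return the indicators found in one message given as RFC 822 text."""
    msg = message_from_string(raw, policy=policy.default)
    domain = claimed_sender_domain(msg)
    executables = executable_attachments(msg)
    # A hop is 'foreign' when its reverse-DNS name is not in the claimed sender's domain.
    # Only the hop added by your own receiving server is trustworthy; earlier ones can be forged.
    foreign = [
        (rdns, ip)
        for rdns, ip in received_hops(msg)
        if domain and rdns != domain and not rdns.endswith("." + domain)
    ]
    findings = []
    if domain == VENDOR_DOMAIN and executables:
        findings.append(f"executable attachment {executables} from {VENDOR_DOMAIN}, "
                        "which does not ship software by e-mail")
    for rdns, ip in foreign:
        findings.append(f"Received hop {rdns} [{ip}] is outside the claimed sender domain {domain}")
    return {"sender_domain": domain, "executables": executables,
            "foreign_hops": foreign, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", assess(raw)["findings"] or ["no indicators"])
```

Run on the suspect sample, `assess` reports both indicators; on the benign sample it reports none. The Received check is only as good as the hop your own server recorded, since any earlier Received line is under the sender's control.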
The attached file is a self-extracting archive. If the attached exe is run, it displays a fake error message box containing the text:
Password protection error or invalid CRC32!

The exe is in fact a WinZip self-extracting archive consisting of these files:
Project1.exe
file001.dat
file002.dat
file003.dat
file004.dat

The file Project1.exe is set to be automatically run after the self-extracting archive is executed. This program then copies each of the four .dat files into the WINDOWS\SYSTEM folder using the names:
Proclib.exe
Proclib.dll
Proclib16.dll
ntsvsrv.dll
Nlhvld.dll

The program then adds the filename "ntsvsrv.dll" to the end of the 'drivers=' line in the [boot] section of SYSTEM.INI. This causes the Trojan to be run at the next system startup. At this point the file WSOCK32.DLL in WINDOWS\SYSTEM is renamed to Nlhvld.dll (overwriting the file just dropped, if WSOCK32.DLL exists). The file Proclib16.dll is then copied to WSOCK32.DLL.

This means that the Trojan has now 'hooked' the Internet connection, and whenever a connection is opened the file proclib.exe is run.

The purpose of this Trojan appears to be to intercept username and password information and presumably pass it on to the Trojan's author.
Manual Removal Instructions
1. Edit the drivers= line in the [boot] section of SYSTEM.INI and remove the filename ntsvsrv.dll.
2. Restart the system, and DO NOT load any internet applications; this ensures that WSOCK32.DLL is not loaded into memory and so can be renamed.
3. Copy the file WINDOWS\SYSTEM\Nlhvld.dll to WINDOWS\SYSTEM\WSOCK32.DLL. If you are prompted to confirm overwriting the existing file, reply yes. If you get an error message saying that the file is in use, then WSOCK32.DLL has already been loaded. Disable all internet and network applications (or boot from a clean floppy disk) and repeat until successful.
4. Delete the files
Proclib.exe
Proclib.dll
Proclib16.dll
ntsvsrv.dll
Nlhvld.dll
from WINDOWS\SYSTEM.

Note that the files Proclib.exe, Proclib.dll, Proclib16.dll and ntsvsrv.dll are detected as "Count2K trojan"; the original file "Y2KCount.exe" is detected as "Count2K.sfx" and "Project1.exe" is detected as "Count2K.dr".
Indications Of Installation
Existence of the files listed above; messages in your sent folder matching the above message body content.

Method Of Installation
Running the ill-fated attachment Y2KCOUNT.EXE from the received email message.
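To make the indicators and removal step 1 concrete, here is an added Python example (not part of the NAI write-up or any vendor tool). It works on a copy of SYSTEM.INI and a listing of WINDOWS\SYSTEM supplied as data, so it runs anywhere: it reports whether ntsvsrv.dll is on the [boot] drivers= line, which of the dropped files are present, and produces the drivers= line as step 1 leaves it. The INI fragment and the directory listings are constructed; the driver and file names in them other than the five from the write-up are placeholders.

```python
# Name the Trojan appends to the [boot] drivers= line (from the write-up above).
INDICATOR_DRIVER = "ntsvsrv.dll"
# Files the dropper places in WINDOWS\SYSTEM (from the write-up above).
DROPPED_FILES = ("Proclib.exe", "Proclib.dll", "Proclib16.dll", "ntsvsrv.dll", "Nlhvld.dll")

# Constructed SYSTEM.INI fragment as left after infection; entries other than
# ntsvsrv.dll are placeholders.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll power.drv ntsvsrv.dll

[drivers]
wave=mmdrv.dll
"""

# Constructed directory listings of WINDOWS\SYSTEM (upper-cased as a FAT volume reports them).
INFECTED_LISTING = ["WSOCK32.DLL", "KERNEL32.DLL", "PROCLIB.EXE", "PROCLIB.DLL",
                    "PROCLIB16.DLL", "NTSVSRV.DLL", "NLHVLD.DLL"]
CLEAN_LISTING = ["WSOCK32.DLL", "KERNEL32.DLL"]


def _with_sections(lines):
    """Yield (section, line) pairs; section is the lower-cased name of the enclosing [header]."""
    section = None
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        yield section, line


def _is_boot_drivers(section, line):
    """True for the drivers= key inside [boot] (INI keys are case-insensitive)."""
    key, sep, _ = line.partition("=")
    return section == "boot" and bool(sep) and key.strip().lower() == "drivers"


def boot_drivers(ini_text):
    """Driver names listed on the [boot] drivers= line, in order ([] if absent)."""
    for section, line in _with_sections(ini_text.splitlines()):
        if _is_boot_drivers(section, line):
            return line.partition("=")[2].split()
    return []


def has_startup_indicator(ini_text):
    """True when ntsvsrv.dll would be loaded at the next startup."""
    return INDICATOR_DRIVER in (d.lower() for d in boot_drivers(ini_text))


def remove_startup_indicator(ini_text):
    """Removal step 1: drop ntsvsrv.dll from [boot] drivers=, leaving every other line intact."""
    out = []
    for section, line in _with_sections(ini_text.splitlines(keepends=True)):
        if _is_boot_drivers(section, line):
            body = line.rstrip("\r\n")
            eol = line[len(body):]          # keep the file's own line ending
            key, _, value = body.partition("=")
            kept = [d for d in value.split() if d.lower() != INDICATOR_DRIVER]
            line = f"{key.strip()}={' '.join(kept)}{eol}"
        out.append(line)
    return "".join(out)


def dropped_files_present(listing):
    """Which dropped files appear in the WINDOWS\\SYSTEM listing (case-insensitive, as on FAT)."""
    present = {name.lower() for name in listing}
    return [f for f in DROPPED_FILES if f.lower() in present]


def triage(ini_text, listing):
    """Summarise the write-up's indicators for one machine's SYSTEM.INI text and directory listing."""
    files = dropped_files_present(listing)
    return {
        "startup_hook": has_startup_indicator(ini_text),
        "dropped_files": files,
        # Once the startup step has run, Nlhvld.dll holds the renamed original WSOCK32.DLL,
        # which is why removal step 3 restores WSOCK32.DLL from it before step 4 deletes it.
        "nlhvld_present": "Nlhvld.dll" in files,
        "infected": has_startup_indicator(ini_text) or bool(files),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM_INI, INFECTED_LISTING))
    print(remove_startup_indicator(SAMPLE_SYSTEM_INI))
```

The INI scan is line-based rather than going through a generic INI parser because SYSTEM.INI legitimately repeats keys (several device= lines in [386Enh]), and because step 1 must rewrite only the one drivers= line and leave the rest of the file byte-for-byte as it was.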
Trojan Information
Discovery Date: 9/15/99
Type: Trojan
Risk Assessment: Medium
Minimum DAT: 4045 (Available 9/29/99)
Variants: Unknown