Virus Profile: JS/Coolsite@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/18/2001
Date Added: 12/18/2001
Origin: Russia
Length: Unknown
Type: Virus
Subtype: JavaScript
DAT Required: 4131

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The Sent Items folder in Outlook is empty (or contains only very recent items, that is, messages sent since the infection took place).

Email correspondents state that you have sent them a message referring them to a porn site when you did not knowingly do so.

Methods of Infection

This script made use of the Microsoft virtual machine vulnerability. It also used a CGI to generate the malicious script. As a result of this threat, .CGI was added to the default extension list.

As this script was quickly removed from this site, it no longer poses a threat.
   

Virus Characteristics

This description has been posted to inform users of a threat which was seen on December 18, 2001. This threat is detected as JS/IEStart with the current DAT files when scanning all files.

Email messages were circulating which referred to a web site. Upon visiting that site, each message in the Microsoft Outlook Sent Items folder was sent again with a replaced subject and message body. The sent messages were then deleted. This script made use of the Microsoft virtual machine vulnerability. All versions of Internet Explorer 5.5 (SP1) and earlier can be susceptible to this vulnerability.

As this script was quickly removed from this site, it no longer poses a threat. The message appeared as follows:

Subject: Hi!!

Hi. I found cool site! http://[omitted].cjb.net It's really cool!

The URL links to an adult web site. Going to the actual site that the email message displays (not the one listed here) results in many popup windows being displayed, some of which contain other script trojans, such as JS/IEStart and JS/NoClose.

The default start page of Internet Explorer is set to an adult web site.

VBS/Loding.a@MM first used this technique of sending the URL of an infectious web page in an email message back in August of 2001.

Removal Instructions

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.