By Lee Kimber, Special to TechWeb
Antivirus experts are urging computer users not to open a year 2000 countdown program that arrived Tuesday as an attachment to an e-mail purporting to come from Microsoft.
The e-mail was not sent by Microsoft, and the enclosed attachment is not a Y2K countdown program, but rather a Trojan virus. If users attempt to open the alleged program, the virus can install itself onto the user's computer and then is capable of sending data and information from that system across the Internet.
Microsoft did not return calls by publication deadline.
Antivirus experts at Star Internet, a U.K.-based ISP, along with Network Associates and Sophos, are analyzing the e-mail attachment, called "Y2Kcount.exe." Star has confirmed that the virus, which has been named Count2K, originated in Bulgaria and has also identified some key warning signs.
"It makes a lot of socket communications calls," said Star antivirus programmer Alex Shipp. "There's also a lot of file handle calls and keyboard handling calls."
Shipp said that, like the ExploreZip virus that decimated corporate e-mail systems several months ago, Count2K appears to have the ability to take files from users' systems and send them across the Net. The destination of the files or data has not yet been determined by Star's virus experts. On Wednesday, Network Associates antivirus experts confirmed Shipp's findings.
Shipp's analysis has determined that Count2K, like the ExploreZip Trojan virus, is written in Pascal. He also said the internal programming of the two viruses is very similar.
Users who simply open the e-mail but do not attempt to load the Y2K program are in no danger from the virus. Users who try to install the program will see a message saying the Y2K counter was unable to install. It says: "Error!..Password protection error or invalid CRC32!."
However, analysis of the program's installation routine shows it already has connected to internal Windows files by the time it displays the error message, Shipp said.
"If you see that [message], you think it failed," said Shipp. "By then, it has installed itself."
The message first raised eyebrows because of awkward wording that didn't seem like it would come from Microsoft. The accompanying message headers also suggested that the e-mail passed through CompuServe's e-mail system. No valid e-mail from Microsoft should route through CompuServe.
Antivirus experts said they are working quickly to develop a Count2K fix. Network Associates confirmed that programmers in their antivirus labs are working on a patch. Sophos has posted a warning on its website alerting users that it is working on a patch. Star Internet has already protected its 1,000 U.K. business customers from the Trojan by installing a scanner on its e-mail servers. The scanner looks for the Trojan's unique signature.