October 2001

Monthly Virus Update: ANTIWAR, ANTRAX and REDESI
 

This is the second installment of a new series of monthly updates on computer viruses. The information is provided by the Lab's Computer Protection Program. The viruses described this month are all being blocked by the Lab's "virus wall," which scans all incoming email for viruses. Employees should check to ensure that their home systems also have updated antivirus software.

The first two viruses — ANTIWAR and ANTRAX — covered this month are not spreading very quickly, are not very destructive, and most current antivirus software will detect them before they can infect a computer. However, in the wake of the recent terrorist activity, their names and content have caused these viruses to attract attention. The third virus, REDESI, is more destructive but is not spreading rapidly.

The best protection against all viruses is to update your antivirus software daily (see related article in this issue of Computing News).


ANTIWAR

This virus is sent by email, and the subject line can be one of eight different lines, in one of five languages. There is usually no message and the "From" address is usually root@fun.com. The attachment is labeled BINLADEN_BRASIL.EXE. Unpatched versions of MS Internet Explorer 5.01 and 5.5 may automatically execute the attachment when the email is opened or previewed. The virus may disable certain antivirus and security programs, including Norton and ZoneAlarm, and creates an open C:/ share. It is spreading very slowly. Damage is mostly to the desktop and is temporary. The virus only affects Microsoft Windows 9x/Me.


ANTRAX
(note: this is not a misspelling, it is anthrax in Spanish)

This virus arrives with a subject of "Antrax Info" and the message reads "si no sabes que es el antrax o cuales son sus efectos aquite mando una foto para que veas los efectos que tiene." The attachment name is antraxinfo.vbs. The virus sends itself to everyone in the Outlook address book, but due to a bug, it fails to send the attachment. Since there is a flaw in the way it sends itself via email, it might be considered a dud. It does little damage and only affects Microsoft Windows.


REDESI

Although not spreading rapidly, the REDESI virus could be destructive. On Nov. 11, 2001, the virus will "set" its payload. Upon reboot after the payload is set, the following will be printed to the screen: "Bide ye the Wiccan laws ye must, In perfect love and perfect trust" and all contents of C:\ will be deleted. This email may have any one of 18 subject lines and may include the following message purported to originate from Microsoft Support:

Just received this in my email
I have contacted Microsoft and they say it's real !

-----Original Message-----
From: Microsoft Support Desk <email address removed>
Sent: 17 October 2001 15:21
Subject: Security Update

Due to the recent spate of email-spread computer viruses Microsoft Corp has released a security patch. Please apply the attached file to your Windows computer to stop any further spread or these malicious programs.
Regards
Microsoft Support

or

"heh. I tell ya this is nuts! You gotta check it out!"

This virus spreads by sending copies of itself to addresses found in the Outlook directory and includes an attachment labeled Common.exe, rede.exe, Si.exe, UserConf.exe or disk.exe. This virus affects only Microsoft Windows 9x/Me.
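
For administrators who filter mail on their own systems, the sender, subject and attachment names given above can be checked mechanically. The following is an added example, not code from the Computer Protection Program or the Lab's virus wall; the function names, the example.invalid addresses and the sample messages are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the descriptions in this article (lower-cased).
ATTACHMENTS = {
    "binladen_brasil.exe": "ANTIWAR", "antraxinfo.vbs": "ANTRAX",
    "common.exe": "REDESI", "rede.exe": "REDESI", "si.exe": "REDESI",
    "userconf.exe": "REDESI", "disk.exe": "REDESI",
}
SENDERS = {"root@fun.com": "ANTIWAR"}
SUBJECTS = {"antrax info": "ANTRAX"}

def match_indicators(msg):
    """Return a list of (virus, reason) pairs for indicators found in msg."""
    hits = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in SENDERS:
        hits.append((SENDERS[sender], "sender " + sender))
    # ANTRAX fails to attach its file, so the subject is checked as well.
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SUBJECTS:
        hits.append((SUBJECTS[subject], "subject " + subject))
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Compare the bare file name only, ignoring case and any path prefix.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        if base in ATTACHMENTS:
            hits.append((ATTACHMENTS[base], "attachment " + base))
    return hits

def build_sample(sender, subject, filename=None):
    """Construct a test message; the attachment bytes are harmless filler."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content("constructed sample body")
    if filename:
        msg.add_attachment(b"filler", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    samples = [
        build_sample("root@fun.com", "constructed subject", "BINLADEN_BRASIL.EXE"),
        build_sample("sender@example.invalid", "Antrax Info"),
        build_sample("sender@example.invalid", "constructed subject", "UserConf.exe"),
        build_sample("sender@example.invalid", "constructed subject", "notes.txt"),
    ]
    for s in samples:
        print(s["Subject"], "->", match_indicators(s) or "no match")
```

Names such as disk.exe and Si.exe are generic, so a match is a reason to hold the message for antivirus scanning rather than proof of infection.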

