the lowdown on it
++++++++++++++++++++++++++++++++++++++++++++
Wednesday, November 21, 2001, 19:02
Aliz's Seeds Sown in May Bear Fruit in November
Kaspersky Labs warns users about the active spreading of the Internet worm, ?Aliz.? Reports of infection by this worm already have been reported in many countries throughout the world.
The worm?s malicious code is spread via the Internet as an infected file attached to e-mail. The worm is a Windows attachment about 4K in length. An infected message contains:
Subject: varying
Body: empty HTML message
Attach: whatever.exe
The worm launches itself by taking advantage of a security flaw in the IFRAME e-mail client in the same way as the ?Nimda? Internet worm. At the same time, the infected enclosure is automatically activated upon reading or viewing a message.
When an infected file is run, the unpacking routine takes control, unpacks the main worm code into the memory and jumps to it. The main code then sends infected messages to e-mail addresses found in WAB (Windows Address Book). To send e-mails, the worm connects by default to the SMTP server. The worm does not install itself to the system, and is not activated anymore, except in cases when a user clicks on an attached e-mail again. Namely, the worm is ?one-time-only,? and does not reveal its presence in the system. The worm?s e-mail-spreading routine has several mistakes and flaws; therefore, it is incapable of spreading on the majority of e-mail client-server configurations.
