PSS Security Response Team Alert - New Virus: W32.hllp.sharpei@mm.html

SEVERITY: MODERATE REACTIVE

DATE: 03/01/2002

PRODUCTS AFFECTED: Outlook and .NET Framework

**********************************************************************

WHAT IS IT?

W32.hllp.sharpei@mm.html is a mass mailing virus that targets Windows applications if the .NET Framework is installed.

IMPACT OF ATTACK:

Mass mailing, infection of files.

TECHNICAL DETAILS:

The virus arrives in an e-mail message with the following characteristics:

Subject: Important: Windows update

Message: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.

Attachment: MS02-010.exe

When the attached .exe is launched, copies of the virus are e-mailed to all entries in the Outlook address book. If the .NET Framework is present on the system, the .exe launches a .NET Framework application written in C#. This MSIL application is copied to the user's local hard drive and attempts to infect other .exe files in the /Program Files and /Windows subdirectories on the local hard drive.

Please note: Microsoft does not distribute security patches by e-mail. For information on our full policy, please visit: http://www.microsoft.com/technet/security/bulletin/info/swdist.mspx
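
As an added example (not part of the original alert and not Microsoft code), the message characteristics listed above can be checked at a mail gateway or over an exported mailbox with a short Python filter. The function names, the sample addresses and the placeholder attachment bytes are assumptions constructed for illustration; only the subject and attachment name come from the alert. It also flags any other .exe attachment, in line with the blocking behaviour described under PREVENTION.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the alert text; compared case-insensitively.
ALERT_SUBJECT = "important: windows update"
ALERT_ATTACHMENT = "ms02-010.exe"

def check_message(raw_bytes):
    """Return the reasons a raw RFC 822 message matches the alert (empty if none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    # Collapse whitespace so folded headers and "Fw:"/"Re:" prefixes still match.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if ALERT_SUBJECT in subject:
        reasons.append("subject matches alert")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces in file names, so strip them.
        name = name.strip().rstrip(". ").lower()
        if name == ALERT_ATTACHMENT:
            reasons.append("attachment name matches alert")
        elif name.endswith(".exe"):
            reasons.append("executable attachment: " + name)
    return reasons

def build_sample(subject, filename=None):
    """Build a constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Important: Windows update", "MS02-010.exe"),
                        ("Fw: Important: Windows update", None),
                        ("Lunch", "setup.EXE"), ("Lunch", "notes.txt")]:
        print(subj, fname, "->", check_message(build_sample(subj, fname)))
```

A non-empty result is a reason to quarantine the message for review; an empty list means none of the alert's characteristics were found.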

PREVENTION:

For Outlook 98 and Outlook 2000 Pre SR1: Customers who have installed the Outlook Email Security Update are prevented from launching the .exe file associated with this virus.

http://office.microsoft.com/Downloads/2000/Out2ksec.aspx

For Outlook 2000 Post SR1 and Outlook XP: Functionality to block the opening of .exe attachments is built into these products.

For Outlook Express Pre Version 6.0: Do not open files containing .exe attachments that you are not expecting.

For Outlook Express 6.0: You can turn on the attachment handling features in Outlook Express 6 by following this Knowledge Base article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;291387

For Web Based Email Clients: You can block this virus if you are using an application level firewall such as Microsoft Internet Security and Acceleration Server.

http://www.microsoft.com/ISAServer/

RECOVERY:

If you have been infected with this virus, please contact Product Support Services or your antivirus vendor for assistance.

RELATED KB'S:

Available within 72 hours

http://support.microsoft.com/default.aspx?scid=kb;en-us;319072

As always, please make sure to use the latest antivirus detection from your antivirus vendor to detect new viruses and their variants.

If you have any questions regarding this alert, please contact your Microsoft representative or call 1-866-727-2338 (1-866-PCSafety) within the US. Outside of the US, please contact your local Microsoft subsidiary.

PSS Security Response Team

