Trojan.Count_Y2k.14848






  • Name: Trojan.Count_Y2K.14848
    Aliases: Count2K, Troj/Polyglot, Y2K hoax
    Type: Trojan Horse
    Variants: W95/Trojan.Count_Y2k.4608, W95/Trojan.Count_Y2k.147968, W95/Trojan.Count_Y2k.5632


    Description:

    This Trojan Horse is being spread via an e-mail attachment named "Y2KCOUNT.EXE" in a message that has Microsoft listed as the sender. When executed, the Trojan Horse takes a user's personal information (including password, login and user name). The mail contains the following text:

      "From: [email protected]
      Subject: Microsoft Announcement
      Date: Tue, 14 Sep 1999 23:37:05 +0200

      To All Microsoft Users,

      We are excited to announce the Microsoft Year 2000 Counter. Start the countdown NOW. Let us all get in the 21 Century. Let us lead the way to the future and we will get YOU there FASTER and SAFER.

      Thank you, Microsoft Corporation"

    When executed, a message box is displayed with the following text:
      Password protection error or invalid CRC321
    The trojan then drops the following files into the Windows System directory and modifies the SYSTEM.INI file so that the trojan will be run at startup:
    • PROCLIB.EXE
    • PROCLIB.DLL
    • PROCLIB16.DLL
    • NTSVSRV.DLL
    • NLHVLD.DLL
    The original WSOCK32.DLL file is overwritten with the contents of PROCLIB16.DLL, and the original file is saved as NLHVLD.DLL. In addition to functioning as WSOCK32.DLL, the rewritten file searches incoming and outgoing mail for the words "password", "login" and "username".
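The artifacts listed above can be checked on a mounted copy of a suspect disk. The following is an added example, not code from Command Software: `triage` and `demo` are hypothetical names, the caller supplies the paths to the Windows System directory and SYSTEM.INI, and the `placeholder=` key and file contents in `demo` are constructed test data.

```python
import hashlib
import tempfile
from pathlib import Path

# File names taken from the description above.
DROPPED = ["PROCLIB.EXE", "PROCLIB.DLL", "PROCLIB16.DLL", "NTSVSRV.DLL", "NLHVLD.DLL"]

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(system_dir, system_ini):
    """Report which artifacts from the description exist in a mounted image."""
    # FAT file names are case-insensitive, so index them upper-cased.
    files = {p.name.upper(): p for p in Path(system_dir).iterdir() if p.is_file()}
    found = [name for name in DROPPED if name in files]
    # The description does not say which SYSTEM.INI entry is changed, so flag
    # every non-comment line that mentions one of the dropped file names.
    ini_hits = []
    text = Path(system_ini).read_text(encoding="latin-1")
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped.startswith(";") and any(n in stripped.upper() for n in DROPPED):
            ini_hits.append((number, stripped))
    # WSOCK32.DLL is overwritten with the contents of PROCLIB16.DLL, so
    # identical hashes mean the replacement has already happened.
    wsock, proclib16 = files.get("WSOCK32.DLL"), files.get("PROCLIB16.DLL")
    replaced = bool(wsock and proclib16 and _sha256(wsock) == _sha256(proclib16))
    return {
        "dropped_files": found,
        "system_ini_hits": ini_hits,
        "wsock32_replaced": replaced,
        "original_wsock32_backup": "NLHVLD.DLL" in files,
    }

def demo():
    """Run triage() over a constructed directory tree (no real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp, "SYSTEM")
        sysdir.mkdir()
        for name in DROPPED:
            (sysdir / name.lower()).write_bytes(b"constructed:" + name.encode())
        (sysdir / "wsock32.dll").write_bytes(b"constructed:PROCLIB16.DLL")
        ini = Path(tmp, "SYSTEM.INI")
        ini.write_text("[boot]\n; note about proclib.exe\nplaceholder=proclib.exe\n")
        return triage(sysdir, ini)

if __name__ == "__main__":
    print(demo())
```

If `wsock32_replaced` is true and NLHVLD.DLL is present, NLHVLD.DLL is the copy of the original WSOCK32.DLL that the description says was saved.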

    More information about the virus is available at www.microsoft.com/y2k/hoax/hoax2.htm.

    Command AntiVirus deffiles dated 9/17/99 detect this trojan and the variants listed at the top of this page when run with Command AntiVirus 4.57+. Command AntiVirus v4.54 SP2 will detect some variants, but not all.





    Command Software, Inc. Command Software Systems, Inc.
    1061 East Indiantown Road · Suite 500
    Jupiter · FL   33477
    Phone: (561) 575-3200