W32/Fix.12288@M

Type: Trojan
SubType: Worm
Discovery Date: 09/10/1999
Length: 0
Minimum DAT: 4044 (09/22/1999)
Updated DAT: 4245 (01/29/2003)
Minimum Engine: 5.1.00
Description Added: 09/13/1999
Description Modified: 09/27/2002 5:19 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This is a 32-bit worm that travels by sending email messages to users. The message arrives in either Spanish or English and claims that the attachment is a Y2K Internet bug fix.

When the attachment is executed, the file copies itself to the Windows\System directory and makes some changes to the user's registry keys so that it can attempt to use the mail client and load at Windows startup. The user will then see a message displayed that reads

"Y2K Ready !!"
"Your Internet Connection is already Y2K, you don't need to upgrade it."
[OK]

Once a system is rebooted, this worm monitors emails that are sent to gain new target addresses. The worm uses these to send a new message with the worm attached. This action is similar to, yet different from, that of the worm W32/Ska. The new message will have a subject line of

"Internet problem year 2000."

The message will appear to have come from the company's administrator. For example, if an email message is sent to "John_Doe@company.com", the sender name would be "Admin___@company.com". The text in the message is as follows:

Estimado Cliente:

Rogamos actualizar y/o verificar su Sistema Operativo para el
correcto funcionamiento de Internet a partir del Año 2000. Si
Ud. es usuario de Windows 95 / 98 puede hacerlo mediante el
Software provisto por Microsoft (C) llamado -Fix2001- que se
encuentra adjunto en este E-Mail o bien puede ser descargado
del sitio WEB de Microsoft (C) HTTP://WWW.MICROSOFT.COM

Si Ud. es usuario de otros Sistemas Operativos, por favor, no
deje de consultar con sus respectivos soportes tecnicos.
Muchas Gracias.
Administrador.


Internet Customer:

We will be glad if you verify your Operative System(s) before
Year 2000 to avoid problems with your Internet Connections.
If you are a Windows 95 / 98 user, you can check your system
using the Fix2001 application that is attached to this E-Mail
or downloading it from Microsoft (C) WEB Site:
HTTP://WWW.MICROSOFT.COM

If you are using another Operative System, please don't wait
until Year 2000, ask your OS Technical Support.
Thanks.

Administrator.

This worm runs from the system registry, from the following location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Fix2001 = "FIX2001.EXE"

When clearing this worm from your system, delete this entry and then restart the computer to remove the worm from memory.

Symptoms

Existence of the file "fix2001.exe" on the local system. Users receive an email message from within the same domain, with the sender shown as "Admin___"@(your domain name).
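The mail-side symptoms can be checked at a gateway or over a mailbox export. The following is an added example, not part of the original description or any vendor code: it assumes the attachment keeps the name fix2001.exe (the page gives that name only for the file on disk), and the helper names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

SUBJECT = "internet problem year 2000"   # from the page, trailing "." dropped
SENDER_LOCAL = "admin___"                # local part of the forged sender
ATTACHMENT = "fix2001.exe"               # assumption: attachment keeps this name

def fix2001_indicators(raw: bytes) -> list:
    """Return which of the three indicators one raw message carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().rstrip(".").lower() == SUBJECT:
        hits.append("subject")
    # The forged sender uses the recipient's own domain, so compare the two.
    local, _, domain = parseaddr(str(msg["From"] or ""))[1].lower().rpartition("@")
    rcpts = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    rcpt_domains = {a.lower().rpartition("@")[2] for _, a in getaddresses(rcpts)}
    if local == SENDER_LOCAL and domain in rcpt_domains:
        hits.append("sender")
    # Compare attachment names case-insensitively (FIX2001.EXE / fix2001.exe).
    if any((p.get_filename() or "").strip().lower() == ATTACHMENT for p in msg.walk()):
        hits.append("attachment")
    return hits

def verdict(raw: bytes) -> str:
    """Quarantine on the attachment plus one more indicator; else review or pass."""
    hits = fix2001_indicators(raw)
    if "attachment" in hits and len(hits) >= 2:
        return "quarantine"
    return "review" if hits else "pass"

def make_sample(sender, rcpt, subject, attachment=None) -> bytes:
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, rcpt, subject
    m.set_content("constructed sample body")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    for args in [("Admin___@company.com", "John_Doe@company.com", "Internet problem year 2000.", "FIX2001.EXE"),
                 ("Admin___@other.example", "John_Doe@company.com", "Internet problem year 2000."),
                 ("jane@company.com", "John_Doe@company.com", "Lunch", "menu.pdf")]:
        print(args[0], "->", verdict(make_sample(*args)))
```
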

Method of Infection

Running the file FIX2001.EXE will immediately affect the local system. This Internet worm reportedly has a damaging payload; however, this was not witnessed in testing.

Removal

Manual removal required. Remove the registry entry mentioned above, restart Windows and then delete the file FIX2001.EXE.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Fix2001.exe
  • I-Worm.Fix2001
  • TROJ_FIX2001
  • W32/Admin
  • W32/Fix2000
  • W95/Backdoor.Fix2001
