Count2K

Type
Virus
SubType
Trojan
Discovery Date
09/15/1999
Length
Minimum DAT
4045 (09/29/1999)
Updated DAT
4264 (05/14/2003)
Minimum Engine
5.1.00
Description Added
09/15/1999
Description Modified
09/15/1999 12:00 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This trojan normally arrives attached to an e-mail purporting to come from Microsoft. The email has an attachment "Y2KCOUNT.EXE" of 124,885 bytes and the following text:

From: support@microsoft.com

Sender: support@microsoft.com
Received: from Microsoft (stara65.pip.digsys.bg [193.68.4.65])
Subject: Microsoft Announcement
Date: Wed, 15 Sep 1999 00:49:57 +0200

To All Microsoft Users,
We are excited to announce Microsoft Year 2000 Counter.

Start the countdown NOW.
Let us all get in the 21 Century.
Let us lead the way to the future and we will get YOU there FASTER and SAFER.

Thank you,
Microsoft Corporation
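The headers above already carry the evidence of forgery: the sending machine announced itself as "Microsoft" in its HELO, but the receiving relay recorded the real host and address, stara65.pip.digsys.bg [193.68.4.65], which has nothing to do with microsoft.com. The following Python is an added example, not part of the original description, showing how to pull that mismatch out of a header block automatically. The first header sample is the one quoted above; the clean comparison message and its 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed sample 1: the headers quoted in this description, as an
# e-mail client would expose them (only the lines shown on the page).
SAMPLE_HEADERS = """\
From: support@microsoft.com
Sender: support@microsoft.com
Received: from Microsoft (stara65.pip.digsys.bg [193.68.4.65])
Subject: Microsoft Announcement
Date: Wed, 15 Sep 1999 00:49:57 +0200
"""

# Constructed sample 2: a hop where HELO, reverse DNS and sender domain agree.
CLEAN_HEADERS = """\
From: alice@example.com
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.com
Subject: lunch
"""

# "from <helo> (<reverse-dns> [<ip>])": the HELO name is whatever the sender
# claims; the part in parentheses is what the receiving relay observed.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def parse_headers(raw):
    """Split an unfolded header block into {name_lower: [values]}."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def sender_domain(addr):
    """Domain part of an address such as 'support@microsoft.com'."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else None


def analyse(raw):
    """Return a list of findings describing HELO / relay / From: inconsistencies."""
    h = parse_headers(raw)
    findings = []
    from_dom = sender_domain(h.get("from", [""])[0])
    for hop in h.get("received", []):
        m = HOP_RE.match(hop)
        if not m:
            continue
        helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
        # A bare word like "Microsoft" is not a host name at all.
        if "." not in helo:
            findings.append(f"HELO name '{helo}' is not a fully qualified host name")
        # The relay's own record of the peer should belong to the claimed sender domain.
        if rdns and from_dom and not rdns.lower().endswith(from_dom):
            findings.append(
                f"From: domain {from_dom} does not match relay host {rdns} [{ip}]"
            )
    return findings


if __name__ == "__main__":
    for label, sample in (("Count2K lure", SAMPLE_HEADERS), ("clean", CLEAN_HEADERS)):
        print(label, "->", analyse(sample) or ["no findings"])
```

Only Received lines added by your own mail servers can be trusted; anything below them may have been written by the sender, so the check is a triage aid, not proof. It is also unreliable for legitimate mail that travels through third-party relays, where a domain mismatch is normal.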

The attachment is a self-extracting archive. When it is run it displays a fake error message box containing the text

Password protection error or invalid CRC32!

The exe is in fact a WinZip self-extracting archive containing these files:

Project1.exe
file001.dat
file002.dat
file003.dat
file004.dat

The file Project1.exe is configured to run automatically once the archive has extracted. It then copies the .dat files into the WINDOWS\SYSTEM folder under the names below (the description lists five target names for four archived files; Nlhvld.dll is later overwritten by the renamed original WSOCK32.DLL, as explained further on):

Proclib.exe
Proclib.dll
Proclib16.dll
ntsvsrv.dll
Nlhvld.dll

The program then appends "ntsvsrv.dll" to the 'drivers=' line in the [boot] section of SYSTEM.INI. Windows loads every entry on that line at startup, so the trojan is run at the next boot. At that point the genuine WSOCK32.DLL in WINDOWS\SYSTEM is renamed to Nlhvld.dll (overwriting the Nlhvld.dll dropped earlier, if a WSOCK32.DLL exists), and Proclib16.dll is copied into place as WSOCK32.DLL.

The trojan's own DLL now stands in for the Winsock library: every application that loads WSOCK32.DLL loads the replacement instead (which presumably passes calls through to the renamed original), and whenever a connection is opened the replacement runs proclib.exe.

The purpose of this trojan appears to be to intercept username and password information and, presumably, pass it on to the trojan's author.

Symptoms

Existence of the files listed above; messages in your sent folder matching the above message body content.

Method of Infection

Running the attachment Y2KCOUNT.EXE from the received e-mail message.

Removal

1. Edit the drivers= line in the [boot] section of SYSTEM.INI and remove the filename ntsvsrv.dll.

2. Restart the system and DO NOT load any Internet applications. As long as nothing has loaded WSOCK32.DLL into memory, the file can be replaced.

3. Copy the file WINDOWS\SYSTEM\Nlhvld.dll to WINDOWS\SYSTEM\WSOCK32.DLL. If you are prompted to confirm overwriting the existing file, reply yes. If you get an error message saying that the file is in use, then WSOCK32.DLL has already been loaded: disable all Internet and network applications (or boot from a clean floppy disk) and repeat until the copy succeeds.

4. Delete the files

Proclib.exe
Proclib.dll
Proclib16.dll
ntsvsrv.dll
Nlhvld.dll

from WINDOWS\SYSTEM.

Note that the files Proclib.exe, Proclib.dll, Proclib16.dll and ntsvsrv.dll are detected as "Count2K trojan"; the original attachment "Y2KCount.exe" is detected as "Count2K.sfx" and the dropper "Project1.exe" is detected as "Count2K.dr".
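The Symptoms and Removal sections above reduce to three checks: is ntsvsrv.dll on the [boot] drivers= line, are the dropped files present in WINDOWS\SYSTEM, and, for step 1 of the removal, can the persistence entry be stripped without disturbing the rest of SYSTEM.INI. The Python below is an added example written for this page, not a McAfee tool; the SYSTEM.INI content and the stand-in directory it scans are constructed for the demonstration. Restoring WSOCK32.DLL (step 3) is deliberately left to the manual procedure, because it only succeeds when no process has the library loaded.

```python
import os
import tempfile

# Indicators taken from this description: the dropped file names and the
# entry the trojan appends to SYSTEM.INI for persistence.
DROPPED_FILES = ("proclib.exe", "proclib.dll", "proclib16.dll", "ntsvsrv.dll", "nlhvld.dll")
PERSIST_ENTRY = "ntsvsrv.dll"

# Constructed sample SYSTEM.INI with the trojan's entry appended to drivers=.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
drivers=mmsystem.dll power.drv ntsvsrv.dll
[386Enh]
device=*vmcpd
"""


def drivers_line_entries(system_ini_text):
    """Tokens on the [boot] drivers= line; Windows 9x loads each one at startup."""
    section = None
    for line in system_ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
            continue
        if section == "boot" and s.lower().startswith("drivers="):
            return s.split("=", 1)[1].split()
    return []


def is_persisted(system_ini_text):
    """True if ntsvsrv.dll is scheduled to load from the drivers= line."""
    return PERSIST_ENTRY in (e.lower() for e in drivers_line_entries(system_ini_text))


def remove_persistence(system_ini_text):
    """Removal step 1: return the INI text with ntsvsrv.dll dropped from drivers=.

    Every other line, including the other drivers= entries, is left untouched.
    """
    out = []
    section = None
    for line in system_ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "boot" and s.lower().startswith("drivers="):
            key, _, val = line.partition("=")
            kept = [t for t in val.split() if t.lower() != PERSIST_ENTRY]
            line = key + "=" + " ".join(kept)
        out.append(line)
    return "\n".join(out) + "\n"


def dropped_files_present(system_dir):
    """Names from DROPPED_FILES found in the given directory, compared case-insensitively."""
    present = {name.lower() for name in os.listdir(system_dir)}
    return [name for name in DROPPED_FILES if name in present]


def demo():
    """Scan a throw-away directory standing in for WINDOWS\\SYSTEM (constructed)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Proclib.exe", "NTSVSRV.DLL", "kernel32.dll"):
            open(os.path.join(d, name), "w").close()
        return dropped_files_present(d)


if __name__ == "__main__":
    print("persisted:", is_persisted(SAMPLE_SYSTEM_INI))
    cleaned = remove_persistence(SAMPLE_SYSTEM_INI)
    print("drivers= after cleanup:", drivers_line_entries(cleaned))
    print("dropped files found:", demo())
```

On a real system the text would come from C:\WINDOWS\SYSTEM.INI and the directory from C:\WINDOWS\SYSTEM; write the cleaned INI back only after the file check has confirmed the infection, and keep a copy of the original. Matching on these exact file names finds this sample only; a renamed variant would need the DAT-based detection named above.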

Variants

    N/A

Overview

This description is filed under the generic Type "Virus" with SubType "Trojan". Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate it further; while many carry a destructive payload, it is quite common for a virus to do nothing more than spread. Count2K itself is described above as a trojan: it arrives by e-mail and installs a password-stealing component rather than infecting other files.

Aliases

  • Count2K.dr
  • Count2K.sfx
  • Y2KCOUNT
