McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Creative.exe

• I-Worm.Creative

• Prolin

• Prolin-Shockwave

• Shockwave Virus

• TROJ_SHOCKWAVE.A

• W32.Prolin

Characteristics

Update(2) December 1, 2000:
AVERT raised the risk assessment from Medium to High this afternoon for this Internet worm based on samples received. This Internet worm is detected by current DAT and ENGINE as "New BackDoor" when using heuristic scanning methods.

Update(1) December 1, 2000:
AVERT raised the risk assessment from Low to Medium this morning for this Internet worm based on samples received.

This is an Internet worm coded in Visual Basic 6 and compiled as an executable named "CREATIVE.EXE". It carries the icon of a Shockwave Media Player application however it is not.

This Internet worm may be received via email in this form:

Subject = A great Shockwave flash movie
Body =
Check out this new flash movie that I downloaded just now ... It's Great
Bye
Attachment = creative.exe

When run, this Internet worm will write a copy of itself to the local system in these folders:

c:\creative.exe
c:\[WINDOWS folder]\TEMP\creative.exe
c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe

It then will send a copy of itself via MAPI email to all users in the address book. As a final note, it sends a note to presumably the author:

Author = z14xym432@yahoo.com
Subject = Job complete
Body = Got yet another idiot

Symptoms

Creation of CREATIVE.EXE on the local file system after running the same file name attached to an email message. Distribution of this file via MAPI email after running the file CREATIVE.EXE.

Method of Infection

After running the file CREATIVE.EXE, it will write a copy of itself to the local system in these folders:

c:\creative.exe
c:\[WINDOWS folder]\TEMP\creative.exe
c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe

This worm will then seek files of .JPG and .ZIP on the local machine. These files are moved to the root of C: and an additional extension is added to them of "change atleast now to LINUX".

Example: "c:\Notebook.jpgchange at least now to LINUX"

A helpful note about this action however, this Internet worm logs the changes to a file named "c:\messageforu.txt". Within this file is the following text:

Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin

Following the above paragraph is a listing of files from their original location. The files are not damaged or "infected", only that they were moved and the suffix added to the end.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Creative.exe

• I-Worm.Creative

• Prolin

• Prolin-Shockwave

• Shockwave Virus

• TROJ_SHOCKWAVE.A

• W32.Prolin

Characteristics

Characteristics -

Update(2) December 1, 2000:
AVERT raised the risk assessment from Medium to High this afternoon for this Internet worm based on samples received. This Internet worm is detected by current DAT and ENGINE as "New BackDoor" when using heuristic scanning methods.

Update(1) December 1, 2000:
AVERT raised the risk assessment from Low to Medium this morning for this Internet worm based on samples received.

This is an Internet worm coded in Visual Basic 6 and compiled as an executable named "CREATIVE.EXE". It carries the icon of a Shockwave Media Player application however it is not.

This Internet worm may be received via email in this form:

Subject = A great Shockwave flash movie
Body =
Check out this new flash movie that I downloaded just now ... It's Great
Bye
Attachment = creative.exe

When run, this Internet worm will write a copy of itself to the local system in these folders:

c:\creative.exe
c:\[WINDOWS folder]\TEMP\creative.exe
c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe

It then will send a copy of itself via MAPI email to all users in the address book. As a final note, it sends a note to presumably the author:

Author = z14xym432@yahoo.com
Subject = Job complete
Body = Got yet another idiot

Symptoms

Symptoms -

Creation of CREATIVE.EXE on the local file system after running the same file name attached to an email message. Distribution of this file via MAPI email after running the file CREATIVE.EXE.

Method of Infection

Method of Infection -

After running the file CREATIVE.EXE, it will write a copy of itself to the local system in these folders:

c:\creative.exe
c:\[WINDOWS folder]\TEMP\creative.exe
c:\[WINDOWS folder]\Start Menu\Programs\StartUp\creative.exe

This worm will then seek files of .JPG and .ZIP on the local machine. These files are moved to the root of C: and an additional extension is added to them of "change atleast now to LINUX".

Example: "c:\Notebook.jpgchange at least now to LINUX"

A helpful note about this action however, this Internet worm logs the changes to a file named "c:\messageforu.txt". Within this file is the following text:

Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin

Following the above paragraph is a listing of files from their original location. The files are not damaged or "infected", only that they were moved and the suffix added to the end.

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

N/A