McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Aliz (AVG)

• Aliz.4096 (Norman)

• I-Worm.Aliz.A (VirusBuster)

• TROJ_ALIZ.A (Trend)

• W32.Aliz.Worm (Ikarus, NAV)

• W32/Aliz (Antivir, Panda)

• W32/Aliz-A (Sophos)

• W32/Aliz.A (F-Prot)

• Win32.Aliz (AVP, CAI)

• Win32.Aliz.4098 (DrWeb)

• Win32.Aliz.A@mm (Softwin)

• Win32/Aliz.A worm (ESET)

• Win32/Aliz.A@mm (GeCAD)

• Win32:Aliz [Wrm] (Alwil)

Characteristics

This worm is a short encrypted mass-mailer written purely in assembly language. The virus sends emails in HTML format and makes use of a MIME vulnerability so that if the Email is opened the embedded EXE is executed automatically without any warning. This happens when the HTML mail body is interpreted by IE 5.0 or 5.5 (if not patched). IE 6.0 is not vulnerable. When the worm is executed, it sends itself to all e-mail addresses in the Windows Address book. The subject is generated from a list of possible words, and the attachment is called whatever.exe. The message body is an attempt to run the worm using the security hole described at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

There are two minor variants known of this worm- of 4096 and 4098 bytes in size.

This small worm carries that many text strings inside. This text is never displayed:

@.:::iworm.alizee.by.mar00n!ikx2oo1:::.. 

while typing this text i realize this text got added on many 
av.description sites, because this silly worm could be easily 
a.hype. i wonder which av claims '[companyname] stopped high 
risk.worm before it could escape!' or shit like that. heh, 
or they.boycot my virus because of this text. well, it is 
easy enough.for the poor av's to add this worm; since it was 
only released.as source in coderz#2... btw, loveletter*2 
power in pure win32asm.and only a 4k exe file. heh, vbs 
kiddies, phear win32asm. :).thx to: bumblebee !29a, asmodeus!ikx. 
greets to: starzer0! ikx,.t-2000!ir, ultr as!mtx & sweet 
gigabyte....btw,burgemeester van sneek: ik zoek nog een baantje.. 
..(alignmentfillingtext). 

Fw: Re: Cool.Nice.Hot.some.Funny.weird.funky.great. Interesting.many.website.site.pics.urls.pictures. stuff.mp3s.shit.music.info..to check.for you.i found. to see.here.- check it. :-) hehe ;-)

Symptoms

Receiving the e-mail mentioned above. This worm does not install itself into the system in any way.

Method of Infection

On an unpatched system, simply opening the e-mail without opening the attachment results in infection.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Aliz (AVG)

• Aliz.4096 (Norman)

• I-Worm.Aliz.A (VirusBuster)

• TROJ_ALIZ.A (Trend)

• W32.Aliz.Worm (Ikarus, NAV)

• W32/Aliz (Antivir, Panda)

• W32/Aliz-A (Sophos)

• W32/Aliz.A (F-Prot)

• Win32.Aliz (AVP, CAI)

• Win32.Aliz.4098 (DrWeb)

• Win32.Aliz.A@mm (Softwin)

• Win32/Aliz.A worm (ESET)

• Win32/Aliz.A@mm (GeCAD)

• Win32:Aliz [Wrm] (Alwil)

Characteristics

Characteristics -

This worm is a short encrypted mass-mailer written purely in assembly language. The virus sends emails in HTML format and makes use of a MIME vulnerability so that if the Email is opened the embedded EXE is executed automatically without any warning. This happens when the HTML mail body is interpreted by IE 5.0 or 5.5 (if not patched). IE 6.0 is not vulnerable. When the worm is executed, it sends itself to all e-mail addresses in the Windows Address book. The subject is generated from a list of possible words, and the attachment is called whatever.exe. The message body is an attempt to run the worm using the security hole described at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

There are two minor variants known of this worm- of 4096 and 4098 bytes in size.

This small worm carries that many text strings inside. This text is never displayed:

@.:::iworm.alizee.by.mar00n!ikx2oo1:::.. 

while typing this text i realize this text got added on many 
av.description sites, because this silly worm could be easily 
a.hype. i wonder which av claims '[companyname] stopped high 
risk.worm before it could escape!' or shit like that. heh, 
or they.boycot my virus because of this text. well, it is 
easy enough.for the poor av's to add this worm; since it was 
only released.as source in coderz#2... btw, loveletter*2 
power in pure win32asm.and only a 4k exe file. heh, vbs 
kiddies, phear win32asm. :).thx to: bumblebee !29a, asmodeus!ikx. 
greets to: starzer0! ikx,.t-2000!ir, ultr as!mtx & sweet 
gigabyte....btw,burgemeester van sneek: ik zoek nog een baantje.. 
..(alignmentfillingtext). 

Fw: Re: Cool.Nice.Hot.some.Funny.weird.funky.great. Interesting.many.website.site.pics.urls.pictures. stuff.mp3s.shit.music.info..to check.for you.i found. to see.here.- check it. :-) hehe ;-)

Symptoms

Symptoms -

Receiving the e-mail mentioned above. This worm does not install itself into the system in any way.

Method of Infection

Method of Infection -

On an unpatched system, simply opening the e-mail without opening the attachment results in infection.

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

N/A