Name: W32/InvalidSSL
Aliases: Win32.Invalid.A@mm, Invalid
Type: Win32 worm
Date: 31 August 2001
Description:
W32/InvalidSSL is an email-aware worm that arrives in an email, purporting to originate from support@microsoft.com. The email has the subject line "Invalid SSL Certificate".
The email body reads:
Hello,
Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer.
The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed. To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge.
Have a nice day,
Microsoft Corportation
When executed, the worm will search the My Documents directory for files matching *.ht* and scan these files for email addresses. The worm will then attempt to send itself to these addresses, with a copy of itself attached and encoded in Base64.
The worm will also encrypt all EXE files in the directory from which it was executed.
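A mail-filter check built from the indicators in this description, as an added example that is not part of the original entry. It assumes the attached copy of the worm is a plain Windows PE file (so the decoded attachment begins with "MZ"); the function names, attachment filenames and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the description above.
LURE_SENDER = "support@microsoft.com"
LURE_SUBJECT = "invalid ssl certificate"

def check_message(raw: bytes) -> dict:
    """Return which lure indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    # Collapse whitespace so folded or padded subjects still match.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    # Assumption: the attachment is a Windows PE file, so after the
    # Base64 transfer encoding is undone it starts with the "MZ" magic.
    exe = any((part.get_payload(decode=True) or b"")[:2] == b"MZ"
              for part in msg.iter_attachments())
    hits = {"sender": sender == LURE_SENDER,
            "subject": LURE_SUBJECT in subject,
            "exe_attachment": exe}
    # The From header is trivially forged, and the subject alone may be
    # a legitimate discussion, so neither counts without an executable.
    hits["suspicious"] = exe and (hits["sender"] or hits["subject"])
    return hits

def build_sample(sender, subject, attachment=None, filename="file.bin") -> bytes:
    """Build a constructed test message; all values here are made up."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Hello,\nplease install the attached patch.\n")
    if attachment is not None:
        # Bytes attachments are Base64-encoded on the wire by default.
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62  # constructed header stub, not malware
    lure = build_sample("Microsoft <support@microsoft.com>",
                        "Invalid SSL Certificate", fake_pe, "patch.exe")
    print(check_message(lure))
```
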