©1995-2009 Symantec Corporation.
All rights reserved.


W95.Fix2001

Category 2

W95.Fix2001 is an Internet worm that secretly steals dial-up information (including the password, read from memory) and sends it out via email. Users who have accidentally run this worm are advised to change the password on all of their dial-up connections immediately.

The worm arrives via email as a MIME-encoded attachment named Fix2001.exe. The subject of the email is "Internet problem year 2000". It is sent by a person named "Administrator".

Also Known As: W32/Fix2001 [Sophos], I-Worm.Fix2001 [Kaspersky], W32/Fix.12288@M [McAfee], WORM_FIX2001.A [Trend], Win95.Fix2001.12288 [Computer Associates]
Type: Worm
Infection Length: 12,288 bytes
Systems Affected: Windows 95, Windows 98, Windows Me
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

protection
  • Virus Definitions (LiveUpdate™ Weekly): September 16, 1999
  • Virus Definitions (Intelligent Updater): September 16, 1999

    threat assessment

    Wild: Low
    Damage: High
    Distribution: Medium

    technical details

    The worm arrives through email as a MIME-encoded attachment named Fix2001.exe. The subject of the email is "Internet problem year 2000". It is sent by a person named "Administrator". The body of the message contains the following text:

      Estimado Cliente:

      Rogamos actualizar y/o verificar
      su Sistema Operativo para el correcto
      funcionamiento de Internet a partir del
      Año 2000. Si Ud. es usuario de Windows
      95 / 98 puede hacerlo mediante el
      Software provisto por Microsoft (C)
      llamado-Fix2001- que se encuentra
      adjunto en este E-Mail o bien puede ser
      descargado del sitio WEB de Microsoft
      (C) HTTP://WWW.MICROSOFT.COM Si Ud. es
      usuario de otros Sistemas Operativos,
      por favor, no deje de consultar con sus
      respectivos soportes tecnicos.

      Muchas Gracias.

      Administrador.

    Translated to English:
      Internet Customer:

      We will be glad if you verify your
      Operative System(s) before Year 2000 to
      avoid problems with your Internet
      Connections. If you are a Windows 95 / 98
      user, you can check your system using
      the Fix2001 application that is attached
      to this E-Mail or downloading it from
      Microsoft (C) WEB Site:
      HTTP://WWW.MICROSOFT.COM
      If you are using another Operative System,
      please don't wait until Year 2000, ask your
      OS Technical Support.

      Thanks.

      Administrator

    When initially executed, the worm installs a copy of itself, under the same name, in the local machine's ..\windows\system directory. It adds the worm to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that it will execute each time Windows starts. When executed the first time, it displays the following message:
      Y2K Ready!!

      Your Internet Connection
      is already Y2K, you don't
      need to upgrade it.

    The worm checks whether a window callback function with the name "AMORE_TE_AMO" exists. The worm creates this window callback function and uses it to send itself to other locations in the background.

    Instead of modifying system DLL files, the worm hooks APIs to itself in memory by patching the process address space. This way, it executes each time Internet activity occurs on the local machine.

    When RNAAPP.EXE (Dial-up Networking) is not running, the worm starts it with the -l parameter. RNAAPP.EXE imports RASAPI32.DLL. When RNAAPP.EXE is loaded, the worm hooks the "DialEngineRequest" API in RASAPI32.DLL: it writes a jump to its hook routine at the entry point of this API and places the short hook code itself right after the import address table of RASAPI32.DLL. Similarly, Fix2001 hooks the "send" and "connect" APIs of WSOCK32.DLL, which is loaded by Internet applications such as Internet Explorer or Outlook Express. Once RNAAPP.EXE is patched, the worm hides it from the task list by registering it as a service process. The worm itself is also registered as a service process and does not appear in the task list.

    The hook routine on the "send" API looks for the "RCPT" field of the mail header while a message is being posted. The worm then sends its own message, with the Fix2001.exe attachment, to the very same recipient right after the original message.

    Fix2001 is the first Windows 95 worm that hooks the DLLs of other processes "on the fly" in memory.
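The entry-point patching described above has a standard defensive counterpart: compare the first bytes of each exported function in the loaded module with the same bytes in the clean on-disk image, and decode any near JMP found there to see where the call was redirected. The following Python is an added example, not Symantec's code or part of this writeup. The module (base address, size, export RVAs, on-disk and in-memory bytes) is constructed for the illustration; no real DLL or process memory is read, and the addresses are made up.

```python
"""Entry-point hook check for the API patching technique described above.

Added example, not Symantec's code. A loaded module's exported functions are
compared against the clean on-disk image: a mismatch at the entry point means
the function was patched in memory, and if the patch is a near JMP (E9 rel32)
its target is decoded. Fix2001 placed its hook code right after the import
address table of RASAPI32.DLL, i.e. inside the module's own image, so the
check reports whether the target is inside or outside the module rather than
relying on the target alone. All addresses and bytes below are constructed.
"""
import struct

JMP_REL32 = 0xE9   # x86 near jump with a 32-bit relative displacement
JMP_LEN = 5


def decode_jmp_target(code, addr):
    """Absolute target if `code` located at `addr` starts with E9 rel32, else None."""
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + JMP_LEN + rel) & 0xFFFFFFFF


def find_patched_exports(base, size, exports, read_disk, read_memory, nbytes=6):
    """Exports whose in-memory entry bytes differ from the on-disk image.

    exports: {name: rva}; read_disk(rva, n) and read_memory(addr, n) -> bytes.
    Returns [(name, entry_addr, jmp_target_or_None, target_inside_module)].
    """
    findings = []
    for name, rva in sorted(exports.items()):
        entry = base + rva
        mem = read_memory(entry, nbytes)
        if mem == read_disk(rva, nbytes):
            continue                      # entry point is as shipped on disk
        target = decode_jmp_target(mem, entry)
        inside = target is not None and base <= target < base + size
        findings.append((name, entry, target, inside))
    return findings


def encode_jmp(entry, target):
    """Encode `jmp rel32` from `entry` to `target`; used only to build the sample."""
    rel = (target - entry - JMP_LEN + 2**31) % 2**32 - 2**31
    return struct.pack("<Bi", JMP_REL32, rel)


# Constructed WSOCK32-like module. PROLOGUE is push ebp / mov ebp,esp / sub esp,8.
PROLOGUE = bytes.fromhex("558bec83ec08")
SAMPLE_BASE = 0xBFE80000
SAMPLE_SIZE = 0x10000
SAMPLE_EXPORTS = {"send": 0x1200, "connect": 0x1240, "recv": 0x1280}
SAMPLE_DISK = {rva: PROLOGUE for rva in SAMPLE_EXPORTS.values()}
SAMPLE_MEMORY = {
    # "send": first 5 bytes replaced by a jump into another process's memory
    SAMPLE_BASE + 0x1200: encode_jmp(SAMPLE_BASE + 0x1200, 0x00401000) + PROLOGUE[5:],
    # "connect": untouched
    SAMPLE_BASE + 0x1240: PROLOGUE,
    # "recv": jump to hook code written inside the module (after its IAT)
    SAMPLE_BASE + 0x1280: encode_jmp(SAMPLE_BASE + 0x1280, SAMPLE_BASE + 0x3000) + PROLOGUE[5:],
}


def read_sample_disk(rva, n):
    return SAMPLE_DISK.get(rva, b"\x00" * n)[:n]


def read_sample_memory(addr, n):
    return SAMPLE_MEMORY.get(addr, b"\x00" * n)[:n]


def scan_sample():
    """Run the check over the constructed module."""
    return find_patched_exports(SAMPLE_BASE, SAMPLE_SIZE, SAMPLE_EXPORTS,
                                read_sample_disk, read_sample_memory)


if __name__ == "__main__":
    for name, entry, target, inside in scan_sample():
        where = "inside module" if inside else "outside module"
        print(f"{name} at {entry:#010x} patched, jmp -> {target:#010x} ({where})")
```

The disk comparison is what actually detects the patch; the JMP decoding only explains it. A target inside the module, as in the RASAPI32 case, is not a clean bill of health, so both kinds are reported.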

    The payload is activated once the worm has posted itself to another location and an active connection exists. The routine then computes a checksum of the last detected email address. If the checksum of a particular email address matches, the worm deletes C:\COMMAND.COM and creates another 16-bit COM program, also named COMMAND.COM, that is 137 bytes long. This file is a trojan horse that NAV detects as Trojan.Fixed.

    The trojan horse executes the next time the computer is started. If the trojanized COMMAND.COM runs and the hard disk is an IDE drive, it destroys the data on the disk by overwriting it with direct I/O port commands.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
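The mailing described in the technical details (subject "Internet problem year 2000", sender name "Administrator", attachment Fix2001.exe) and the attachment block list in the recommendations can both be expressed as a mail-gateway check. The following Python is an added example, not Symantec's code or part of this writeup. It uses only the standard-library email package; the messages it builds and the example.test addresses are constructed for the illustration.

```python
"""Mail-gateway check built from the indicators in this writeup.

Added example, not Symantec's code. It parses an RFC 822 message with the
standard-library `email` package, matches it against the traits the writeup
gives for the Fix2001 mailing (subject "Internet problem year 2000", sender
display name "Administrator", attachment "Fix2001.exe") and, independently,
applies the attachment-extension block list from the recommendations. The
messages produced by build_sample() are constructed for the example.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Extensions the recommendations say to block or strip at the mail server.
BLOCKED_EXTENSIONS = (".vbs", ".bat", ".exe", ".pif", ".scr")

# Indicators taken from the writeup (compared case-insensitively).
FIX2001_SUBJECT = "internet problem year 2000"
FIX2001_SENDER_NAME = "administrator"
FIX2001_ATTACHMENT = "fix2001.exe"


def attachment_names(msg):
    """Lower-cased filenames of every attached (non-multipart) part."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name.lower())
    return names


def blocked_attachments(msg):
    """Attachment names whose extension is on the block list."""
    return [n for n in attachment_names(msg) if n.endswith(BLOCKED_EXTENSIONS)]


def fix2001_indicators(msg):
    """The writeup's indicators that this message matches."""
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == FIX2001_SUBJECT:
        hits.append("subject")
    display_name, _addr = parseaddr(str(msg.get("From", "")))
    if display_name.strip().lower() == FIX2001_SENDER_NAME:
        hits.append("sender-name")
    if FIX2001_ATTACHMENT in attachment_names(msg):
        hits.append("attachment")
    return hits


def classify(raw):
    """Gateway decision for one raw message.

    Returns ("quarantine", indicators) when two or more Fix2001 indicators
    match, ("strip", names) when only the extension block list fires, and
    ("deliver", []) otherwise.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = fix2001_indicators(msg)
    if len(hits) >= 2:
        return "quarantine", hits
    blocked = blocked_attachments(msg)
    if blocked:
        return "strip", blocked
    return "deliver", []


def build_sample(subject, sender, body, attachment_name=None):
    """Construct a sample message for the example (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "customer@example.test"
    msg.set_content(body)
    if attachment_name:
        # A few bytes stand in for the 12,288-byte attachment.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_mail = build_sample("Internet problem year 2000",
                             "Administrator <administrador@example.test>",
                             "Estimado Cliente: ...", "Fix2001.exe")
    print(classify(worm_mail))   # ('quarantine', ['subject', 'sender-name', 'attachment'])
    print(classify(build_sample("Report", "Ana <ana@example.test>",
                                "See attached.", "report.exe")))   # ('strip', ['report.exe'])
```

Requiring two indicators for quarantine keeps an ordinary message whose sender happens to be called "Administrator" out of quarantine, while the extension block list still strips any .exe attachment regardless of who sent it.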

    removal instructions

    1. Using Windows Explorer delete the following file:

      C:\WINDOWS\SYSTEM\FIX2001.EXE
    2. Using regedit delete the following registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Fix2001"="FIX2001.EXE"
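The two removal steps, together with the sizes given earlier (the 12,288-byte worm file and the 137-byte trojanized COMMAND.COM), can be checked offline before anything is deleted. The following Python is an added example, not Symantec's code or part of this writeup. It reads a REGEDIT4-format export of the Run key, the format regedit /e produces on Windows 9x, and a file listing with sizes; the export text and the listing below are constructed for the illustration.

```python
"""Offline triage of the Fix2001 indicators given in this writeup.

Added example, not Symantec's code. parse_reg_export() handles the REGEDIT4
text format (one "[key]" header per key, then "name"="data" lines).
find_run_entries() reports Run-key values that launch FIX2001.EXE, and
find_suspicious_files() reports a 12,288-byte FIX2001.EXE in the Windows
system directory and a 137-byte C:\COMMAND.COM, the sizes the writeup gives
for the worm and for the Trojan.Fixed payload. Sample data is constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_IMAGE = "FIX2001.EXE"
WORM_SIZE = 12288              # "Infection Length: 12,288 bytes"
TROJAN_COMMAND_COM_SIZE = 137  # trojanized COMMAND.COM "is 137 bytes long"

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key: {value_name: data}} (string values only)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT4"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            # Exports double every backslash inside string data.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_run_entries(keys, image=WORM_IMAGE):
    """Values under the Run key whose command line names the worm image."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if image.lower() in data.lower():
                hits.append((name, data))
    return hits


def find_suspicious_files(listing, system_dir=r"C:\WINDOWS\SYSTEM"):
    """Files matching the sizes the writeup gives; listing is {path: size}."""
    worm_path = f"{system_dir}\\{WORM_IMAGE}".upper()
    findings = []
    for path, size in listing.items():
        upper = path.upper()
        if upper == worm_path and size == WORM_SIZE:
            findings.append(("worm-dropper", path))
        if upper == r"C:\COMMAND.COM" and size == TROJAN_COMMAND_COM_SIZE:
            findings.append(("trojanized-command.com", path))
    return findings


def triage(reg_text, listing):
    """Combine both checks into one report."""
    return {"run_entries": find_run_entries(parse_reg_export(reg_text)),
            "files": find_suspicious_files(listing)}


# Constructed export and listing; only the Fix2001 values come from the writeup.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Fix2001"="FIX2001.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"""
SAMPLE_LISTING = {
    r"C:\WINDOWS\SYSTEM\FIX2001.EXE": 12288,
    r"C:\COMMAND.COM": 137,
    r"C:\WINDOWS\SYSTEM\SYSTRAY.EXE": 28672,   # constructed size
}

if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT, SAMPLE_LISTING)
    for name, data in report["run_entries"]:
        print(f"Run value to delete: \"{name}\"=\"{data}\"")
    for kind, path in report["files"]:
        print(f"{kind}: {path}")
```

A flagged COMMAND.COM is not handled by the two removal steps above; as the recommendations say, restore it from trusted media rather than repairing it in place.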


    Write-up by: Peter Szor