"Y2Kcount" or "Count2K" E-mail virus alert
The following warning is from
http://www.techweb.com/wire/story/TWB19990915S0018.
Additional information
can be found at the
McAfee.com Virus Information Library site.
Beware Of Virus-Riddled Y2K E-Mail
(09/15/99, 3:36 p.m. ET)
By Lee Kimber, Special To TechWeb, TechWeb
Antivirus experts are urging computer users
not to open a year 2000 countdown program
that arrives in an e-mail purporting to come
from Microsoft, sent on Tuesday.
The e-mail was not sent by Microsoft, and the
enclosed attachment is not a Y2K countdown
program but a Trojan horse. If users attempt to
open the supposed program, the Trojan installs
itself on the user's computer and is then capable
of sending files and data from that system
across the Internet.
Microsoft had not returned calls by press time.
Antivirus experts at Star Internet, a U.K.-based ISP,
along with Network Associates and Sophos, are
analyzing the e-mail attachment, called
"Y2Kcount.exe." Star has confirmed that the virus,
which has been named Count2K, originated in
Bulgaria and has also identified some key warning
signs.
"It makes a lot of socket communications calls," said
Star antivirus programmer Alex Shipp. "There's also a
lot of file handle calls and keyboard handling calls."
Shipp said that, like the ExploreZip virus that
decimated corporate e-mail systems several months
ago, Count2K appears to have the ability to take files
from users' systems and send them across the Net.
The destination of the files or data has not yet been
determined by Star's virus experts. On Wednesday,
Network Associates antivirus experts confirmed
Shipp's findings.
Shipp's analysis determined that Count2K, like the
ExploreZip Trojan, is written in Pascal. He also said
the internal programming of the two viruses is very
similar.
Users who simply open the e-mail but do not attempt
to run the Y2K program are in no danger from the
Trojan. Users who try to install the program will see a
message saying the Y2K counter was unable to
install: "Error!..Password protection error or
invalid CRC32!."
However, analysis of the program's installation
routine shows that it has already installed itself
into internal Windows files by the time it displays
the error message, Shipp said.
"If you see that [message], you think it failed," said
Shipp. "By then, it has installed itself."
The message first raised eyebrows because of
awkward wording that did not seem like it would come
from Microsoft. The accompanying message headers
also indicated that the e-mail had passed through
CompuServe's e-mail system; no legitimate e-mail from
Microsoft should route through CompuServe.
Antivirus experts said they are working quickly to
develop a Count2K fix. Network Associates
confirmed that programmers in its antivirus labs
are working on a patch. Sophos has posted a
warning on its website alerting users that it is working
on a patch. Star Internet has already protected its
1,000 U.K. business customers from the Trojan by
installing a scanner on its e-mail servers that
looks for the Trojan's unique signature.
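The two checks the article describes, the Received-header clue that the mail had been relayed through a provider unrelated to its claimed sender, and a mail-server scanner matching attachments against a signature, are shown below in one added example. This is illustration code written for this page, not Star Internet's scanner or any vendor's detection; the sample message, the relay hostnames (the .example names), the signature name "Y2Kcount-demo" and the byte marker it matches are all constructed, and the real Count2K signature is not on the page.

```python
"""Added example: a minimal mail-gateway check of the kind the article describes.
(1) walks the Received chain and flags relay hosts outside the From: domain;
(2) scans attachments against a small signature list.
Everything below is constructed for illustration; the byte marker is NOT the
real Count2K signature.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Constructed signature list (hypothetical): a filename pattern and a byte marker.
# A real gateway carries vendor-supplied signatures, not this.
SIGNATURES = {
    "Y2Kcount-demo": {
        "filenames": re.compile(r"y2kcount\.exe$", re.I),
        "bytes": b"DEMO-COUNT2K-MARKER",
    },
}


def received_hosts(msg):
    """Relay hostnames named in Received headers, newest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        # The 'from' token is the host the receiving server was talking to.
        m = re.search(r"\bfrom\s+([\w.-]+)", str(hdr))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def sender_domain(msg):
    """Domain of the From: address (the sender the mail claims)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def suspicious_route(msg, expected_domain=None):
    """Hops that do not belong to the claimed sender's domain.

    Mail from a company normally leaves through that company's own relays;
    a chain through an unrelated provider is the header clue in the article.
    """
    domain = expected_domain or sender_domain(msg)
    return [h for h in received_hosts(msg)
            if not (h == domain or h.endswith("." + domain))]


def scan_attachments(msg):
    """(filename, signature) pairs for attachments matching a signature."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        for sig_name, sig in SIGNATURES.items():
            if sig["filenames"].search(name) or sig["bytes"] in data:
                hits.append((name, sig_name))
    return hits


def assess(raw):
    """Run both checks on a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"route": suspicious_route(msg), "attachments": scan_attachments(msg)}


def build_sample(relays):
    """Constructed lookalike of the mail in the article (not the real message).

    relays: hostnames to write into Received headers, newest hop first.
    """
    m = EmailMessage()
    m["From"] = "Microsoft Y2K Team <y2k@microsoft.com>"  # claimed sender
    m["To"] = "user@example.org"
    m["Subject"] = "Your Y2K countdown program"
    for hop in relays:
        m["Received"] = (f"from {hop} ({hop} [192.0.2.10]) by mx.example.org; "
                         "Tue, 14 Sep 1999 10:02:11 -0000")
    m.set_content("Please install the attached Y2K counter.")
    # Constructed attachment: a fake PE header plus the hypothetical marker.
    m.add_attachment(b"MZ" + b"\0" * 16 + b"DEMO-COUNT2K-MARKER",
                     maintype="application", subtype="octet-stream",
                     filename="Y2Kcount.exe")
    return m.as_bytes()


if __name__ == "__main__":
    # The mail the article describes: relayed through an unrelated provider.
    print(assess(build_sample(["relay.example-isp.net",
                               "mail.compuserve.example"])))
```

Only the Received headers added by your own servers are trustworthy; anything below the first hop you control can be forged by the sender, so this check is a heuristic, not proof of origin. Running the block prints both flagged relay hosts and the attachment hit for the constructed sample.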