Alerts!
Last Updated: Mar 06 2005 23:56, Started by petman, Dec 02 2001 13:31
#1
Posted 02 December 2001 - 13:31
In this thread I will post the most important virus-related announcements! Please contribute with any information you consider important!
Alert! [image: http://www.symantec.com/avcenter/graphics/ssrc/security_alert.jpg]
W32/Kriz (aka Kriz, W32.Kriz.3740, Win32.Kriz) is a very destructive virus! It runs on December 25 and will erase the CMOS, will try to corrupt the system BIOS and will try to replace all files on the local hard disk as well as on the network with garbage, destroying all information in the process!!! If the system BIOS gets corrupted, that computer can no longer be used and the BIOS chip will have to be replaced!!
Online scan: Scan
Removal utility: Fixkriz
How to use the utility: Utility usage
#2
Posted 05 December 2001 - 14:55
"W32.Goner.A@mm" seems to be getting more and more aggressive... it is a Trojan written in Visual Basic which can do nothing other than send mail like crazy.
You can "contact" it on IRC, ICQ and e-mail! [image: http://securityresponse.symantec.com/avcenter/graphics/[email protected]] Symantec has already released an antidote.. you can download it from here (~415 Kb). It is recommended that you download/run it even if you suspect you are NOT infected... :yeah baby Details: HERE Source: [image: http://securityresponse.symantec.com/images/navbar/us.logo.symantec.gif]
#3
Posted 05 December 2001 - 20:02
Monitorix!
This virus spreads, as Monitorix said, via mail, ICQ and IRC, and has the following characteristics:
The virus adds a key to the registry: C:\%SYSTEM%\gone.scr in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Once this key has been written to the registry, the virus will terminate all processes belonging to the antivirus installed on the system. Process list:
On Windows NT/2000/XP machines, the files are deleted by usage of the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager where the files to be deleted are present in the value PendingFileRenameOperations. Finally the virus will show a fake error message: [image: http://www.symantec.com/avcenter/graphics/[email protected]]
#4
Posted 11 January 2002 - 12:33
JS.Gigger.A@mm is a worm written in JavaScript. It uses Outlook and mIRC to spread. It tries to delete all files on the computer and to format the C partition if the computer is restarted!
JS.Gigger.A@mm arrives as an email message that has the following characteristics:
If the worm is executed, it does the following:
It drops the following files: C:\Bla.hta, C:\B.htm, C:\Windows\Samples\Wsh\Charts.js, C:\Windows\Help\Mmsn_offline.htm
It infects .html files.
It adds the line ECHO y|format c: to the Autoexec.bat file, so that if the computer is restarted, drive C is reformatted.
Next, it drops a Script.ini file to spread itself by mIRC. Norton AntiVirus (NAV) detects the infected Script.ini as IRC.Worm.gen.
The worm then creates the following registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout and HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0, and adds the value NAV DefAlert to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Next, if you are connected to a network, the worm searches network drives and copies itself as Windows\Start Menu\Programs\StartUp\Msoe.hta
Finally, it attempts to delete all files on the local hard drive.
To get rid of this worm, if it has been executed but has not deleted all the files on your computer, follow the steps below.
1. edit Autoexec.bat; delete the line: ECHO y|format c:
2. edit the registry; delete the following keys: HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout and HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0; navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the entry NAV DefAlert!
If the worm has been executed and has deleted all your files, then you have to reinstall the operating system!
P.S. Use an antivirus! It saves you a lot of headaches!
#5
Posted 29 January 2002 - 12:20
an "antivirus" is going around the net (by e-mail), the delight of those who use Outlook ;-)
in The Bat! it looks something like this: "Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks! begin 666 www.myparty.yahoo.com M35J0``,````$````__``+@`````````0``````````````````````````` M````````````````````@`````X?N@X`M`G-(;@!3,TA5&AI:drac:
#6
Posted 29 January 2002 - 23:59
I don't know how old/new it is, but what follows below I received in the NEWS from Kaspersky
Quote: The worm appears on a target computer as a file attached to an e-mail message. The file is a Windows application about 30Kb in length, it is written in Microsoft Visual C++, and is compressed in a UPX utility. An infected message appears as follows: Subject: new photos from my party! Body: Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks! Attachment: www.myparty.yahoo.com As is apparent, the file carrier purposely poses as a Web-site address. A user's trust is taken into account so that when double-clicking on the enclosure, the said user ends up at some Internet address. However, what actually occurs is that a malicious program is activated upon enclosure opening. "This occurrence once again confirms that not everything beginning with 'www' and ending in '.com' is a Web site." If the system date on a computer is 25-29 of January 2002, Myparty launches its installation and spreading routines. In addition to this, the worm checks for the presence of Russian-language support and if this is detected, the worm finishes its operation and exits a system. In order to maintain its presence in the memory, upon each infected-computer start-up, the worm creates its copy in different disk directories and registers them in the Windows system registry of the program auto-start section. In order to send its copies via e-mail, the worm scans the Windows Address Book and DBX (also used in Outlook Express) databases and checks these with all found addresses. Following this, the worm installs a direct connection with a remote SMTP server and imperceptibly, supposedly in the name of the infected computer's user, sends its copies to these addresses. In order to confirm an infection, the worm also sends a blank e-mail to the [email protected] address. Myparty has some dangerous side effects.
On computers with Windows NT/2000/XP, the worm installs a spy program for remote unauthorized control. In this way, a malefactor can gain total control over a victim's computer. In addition to this, depending on a number of conditions, Myparty opens the http://www.disney.com Web site in the current Internet browser window. Defense procedures thwarting Myparty have already been added to the Kaspersky Anti-Virus database. A more detailed description of this Internet worm can be found in the Kaspersky Virus Encyclopedia http://www.viruslist....html?id=46966). EndLess Point
#7
Posted 19 February 2002 - 20:06
W32.Yarner.A@mm is a mass-mailing worm written in the Delphi language. The worm sends itself to emails addresses found in the Microsoft Outlook address book and local files.
The worm uses the system configured or hard coded SMTP server to send messages with the subject Trojaner-Info Newsletter followed by the current date. The message body is in German and the attachment name is yawsetup.exe. In addition, the worm may attempt to delete all files on the computer.
Subject of email: Trojaner-Info Newsletter [current date]
Name of attachment: yawsetup.exe
Size of attachment: 427 kb
Technical description: When executed, the worm copies itself to %WinDir%\notepad.exe, overwriting the Notepad application. The worm saves the original Notepad application as %WinDir%\notedpad.exe. When executing Notepad, the worm executes itself and then attempts to launch the original Notepad application. In addition, the worm copies itself to %WinDir%\[random characters].exe and adds the associated registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce [random characters] = [random characters].exe
The worm uses MAPI to send itself as yawsetup.exe to email addresses listed in the Microsoft Outlook address book and by searching files with the extension .php, .htm, .shtm, .cgi, and .pl. The message has the following characteristics: The infected messages have the original sender's e-mail address or a fake sender address in the "From" field.
"True" e-mail: Trojaner-Info [%TrueEmail%]
Fake e-mail: Trojaner-Info [[email protected]]
Subject: Trojaner-Info Newsletter [Current Date]
Message Body: Hallo ! Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de. Hier die Themen im Ueberblick: 01. YAW 2.0 - Unser Dialerwarner in neuer Version ************************************ 01. YAW 2.0 - Unser Dialerwarner in neuer Version Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter. Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak unter [email protected] zur Verfügung. Viel Spaß mit YAW! <http://www.trojaner-...ialer/yaw.shtml> ************************************ Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine angenehme Woche. Mit freundlichem Gruss Thomas Tietz & Andreas Ebert <http://www.trojaner-info.de> ************************************ Anzahl der Subscriber: 5.966 Durchschnittliche Besuchzahl/Tag: 4.488 Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine entsprechende E-Mail. ************************************
The worm also creates the files %WinDir%\kernei32.daa and %WinDir%\kernei32.das. These files are not viral and instead store server and address information used by the virus. The worm pretends to be a new version of the YAW application released by Trojaner Info in Germany. Finally, depending on a random counter, the worm may delete all files on the drive containing the Windows operating system installation.
Risk level: [image: http://securityresponse.symantec.com/avcenter/graphics/ssrc/writeups/category_3_on.gif]
#8
Posted 25 February 2002 - 12:31
W32.Alcarys.B@mm is a massmailing worm that will send to all recipients in an affected user's address book. It will also stall the machine such that the machine will only be usable once it is started in MS-DOS mode. It will also overwrite many System files.
W32.Alcarys.B@mm will copy itself to the following filenames: "C:\WINDOWS\SYSTEM\REGSVR32.EXE" "C:\WINDOWS\Desktop\win.exe" "C:\WINDOWS\Desktop\Top Secret\clickme.exe" "C:\WINDOWS\SendTo\Oceans11\watchme.exe" "C:\WINDOWS\Favorites\A Beautiful Mind\watchme.exe" "C:\WINDOWS\regedit.exe" "C:\WINDOWS\scanregw.exe" "C:\WINDOWS\tuneup.exe" "C:\WINDOWS\rundll64.exe" "C:\WINDOWS\windows.exe" "C:\disney.scr" "C:\file1980.com" "C:\hacktool.co_" "C:\movie.exe" "C:\msmsgs.exe" "C:\porno.scr" "C:\screenxx.scr" "C:\windows.exe" "C:\windows.scr" "C:\winstart.com" "C:\Program Files\CurlySoft\viewer.dll" "C:\Program Files\CurlySoft\pornview.exe" "C:\Program Files\XXX Files\clickme.exe" "C:\Recycled\alco.com"
It will also overwrite all ".SCR" files on the machine with itself. It will also create a directory "C:\WINDOWS\FILES" into which it will copy itself with a filename such as "file###.###.exe" where the # signs represent any number of numbers. The worm will also overwrite all ".HTM" and ".HTML" files with an HTML file that will simply run the worm. It will also drop an html file "C:\blank.html". The worm will also attempt to download a file and execute that file from the virus-writer's homepage.
The worm will also overwrite all Microsoft Excel and Microsoft Word documents that it finds on the affected user's machine with files that it creates: "C:\XXXMOVIE.XLS" for Excel files and "C:\WINDOWS\NEWdocument.DOC". Both of these files will send e-mail to all recipients in the affected user's address book. These e-mail messages will have the following characteristics when sent from the Excel files:
Subject: Nice Embedded Object
Body: Check out the embedded object in the excel sheet...
Attachment: The attachment name will vary. Whichever file it has overwritten will be attached to the e-mail message.
and the following when sent from Word:
Subject: Nice Embedded Object
Body: Check out the embedded object in the word document...
Attachment: The attachment name will vary. Whichever file it has overwritten will be attached to the e-mail message.
The source to the macro components is first copied to the files "C:\xls.wps", "C:\doc.wps", and "C:\nor.wps". It will also create the infected documents "C:\porno.doc", "C:\xxxmovie.xls", "C:\windows\newdocument.doc".
The worm also creates the files:
"C:\v.vbs", a simple script file that will wait until a file has been downloaded and then it will send a key sequence to that application.
"C:\v.reg", a registry file that will modify the registry.
"C:\acs.acs", a simple text file that contains the text "another one bites the dust"
"C:\Windows\tmpdelis.bat", a simple batch file that will copy the file "C:\program files\curlysoft\viewer.dll" to "c:\program files\curlysoft\run.com".
It will also enter the data in "C:\v.reg" into the registry. Finally it will execute the file "C:\file1980.com"
The worm also creates the following shortcuts on the Desktop:
"New document.lnk", a shortcut to open "C:\WINDOWS\newdocument.doc"
"Tips On How To Make Your Partner Wilder.lnk", a shortcut to open "C:\xxxmovie.xls"
"Porn Viewer version 1.01.lnk", a shortcut to open "C:\Program Files\Curlysoft\pornview.exe"
"ExecuteMe.lnk", a shortcut to open "C:\WINDOWS\rundll64.exe"
and "mailme.lnk", a shortcut to send mail to the virus writer.
The worm will also modify the following registry keys:
add value: "Rundll64" = "c:\windows\rundll64.exe" to the registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
add values: "Windows Update" = "C:\WINDOWS\Start Menu\Programs\Windows Update\file###.###.exe" and "Regedit" = "C:\windows\regedit.exe" to the registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
set the default value to "c:\windows\scanregw.exe" for the registry key "HKEY_CLASSES_ROOT\mp3file\shell\open\command"
set the default value to "c:\windows\system\regsvr32.exe" for the registry key "HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command"
set the default value to "c:\windows\tuneup.exe" for the registry key "HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command"
set the default value to "c:\windows\system\regsvr32.exe" for the registry key "HKEY_CLASSES_ROOT\mp3file\shell\play\command"
set the default value to "c:\windows\scanregw.exe" for the registry key "HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command"
set the default value to "c:\windows\tuneup.exe" for the registry key "HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command"
set the default value to "c:\recycled\alco.com" for the registry key "HKEY_CLASSES_ROOT\txtfile\shell\open\command"
add the values: "*Windows" = "c:\windows\windows.exe" and "MSMSGS" = "c:\msmsgs.exe" to the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
The worm will also attempt to spread using mIRC by modifying the script.ini file for mIRC.
The worm itself will also send e-mail messages to all recipients in the affected user's Address Book. These e-mail messages will have the following characteristics:
One of the following Subjects: i've got cool stuffs here... nice stuffs i got here... check this out... i want you to know how much i care for you... hello! i'm your long, lost friend... talk to me... tell me your name... kindness is a virtue...
One of the following Bodies: three files for you to keep... always remember that i'm into deep... i don't know you but i think i'm in love... sharing files is the essence of living... check this out... hi, friend... here are some nice stuffs that i got from the internet... check it out... hmmmn... i guess you've forgotten me... but anyways, i wanna make up... here are the files that made me like the internet more... see for yourself... check this out... one of the files is a virus... can you tell me which one is it? hehehe, i'm only joking... your friend, paul..
4 attachments (1 from each of the following sets of filenames):
chinese fu_k.mpg (movie.exe) amateur porn film.mpg (movie.exe) jenna jameson clip.mpg (movie.exe) lord of the rings clip.mpg (movie.exe) fu_k of the month.mpg (movie.exe) britney exposed.mpg (movie.exe)
and universe.scr (screenxx.scr) solarsystem.scr (screenxx.scr) sh_t.scr (screenxx.scr) donald and minnie sex.scr (screenxx.scr) baby dancing.scr (screenxx.scr) kamasutra screensaver.scr (screenxx.scr)
and credit card hacktool (file1980.com) windows xp ultimate crack (file1980.com) http://www.meditation.com (file1980.com) patch1981.com (file1980.com) hack mirc server (file1980.com)
and disney.scr
Removal instructions:
Delete all files detected as W32.Alcarys.B@mm
remove the value: "Rundll64" = "c:\windows\rundll64.exe" from the registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
remove the values: "Windows Update" = "C:\WINDOWS\Start Menu\Programs\Windows Update\file###.###.exe" and "Regedit" = "C:\windows\regedit.exe" from the registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
restore the default value for the registry keys: "HKEY_CLASSES_ROOT\mp3file\shell\open\command" "HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command" "HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command" "HKEY_CLASSES_ROOT\mp3file\shell\play\command" "HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command" "HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command" "HKEY_CLASSES_ROOT\txtfile\shell\open\command"
remove the values: "*Windows" = "c:\windows\windows.exe" and "MSMSGS" = "c:\msmsgs.exe" from the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
#9
Posted 25 February 2002 - 23:07
This is a dangerous, non-resident overwriting Win32 virus.
The virus itself is a Windows PE EXE file about 28 Kb in length, and it is written in Visual C++. Depending on the internal counters, the virus searches recursively either for all files, or for files with the following extensions: .exe .avi .mp3 .doc .zip .rar .mpg .mpg4
The virus searches for these files on the drives C:, D:, E:, F:, and overwrites their original contents with its body. These files can be restored only from a backup.
When the virus is launched, it searches for the file "neh.dll". If this file exists, the virus shows the following message and terminates:
  Error
  Brak biblioteki: neh.dll
After infecting files, the worm shows either the following message:
  WIN_KACZOR virus
  I have just raped your drives...
  I feel sorry, but my desires are stronger...
or two messages:
  Kwa!
  Co chciałoby sie uruchomic programik?
  Nic z tego. Kaczor mowi: ZAGRAJ W SETTLERS IV!!!!!
and
  Kwa! Kwa!
  WIN_KACZOR
  by Nijamormoazazel
  Józefów POLSKA
  And what Symantec? BloodHound doesn't work??
Risk level: [image: http://securityresponse.symantec.com/avcenter/graphics/ssrc/category_3_on.gif]
#10
Posted 06 March 2002 - 13:01
Attention!!!
A new version of an old worm is set to trigger its destructive payload on March 6. Klez.E (w32.Klez.E@mm) is sometimes called the Twin Virus because the worm is used to spread an upgraded version of the ElKern virus (w32.elkern.b). The new version can now infect Windows 98, Me, 2000, and XP, attempting to corrupt files on these systems without changing their sizes. Klez.E is currently one of the fastest spreading worms on the Internet and now ranks 7 on the ZDNet Virus Meter.
How it works
Klez.E arrives by e-mail or can be spread by sharing infected files on a network. If it arrives by e-mail, the subject line is randomly chosen from the following list: How are you; Let's be friends; Darling; Don't drink too much; Your password; Honey; Some questions; Please try again; Welcome to my hometown; the Garden of Eden; introduction on ADSL; Meeting notice; Questionnaire; Congratulations; Sos!; japanese girl VS playboy; Look,my beautiful girl friend; Eager to see you; Spice girls' vocal concert; Japanese lass' sexy pictures. The body text may be blank. The attached filename itself is random with either a PIF, SCR, EXE, or BAT extension. Like several other recent worms, Klez.E also attempts to disable antivirus software installed on the infected computer. For more details regarding the original Klez worm, see this alert. The big difference with Klez.E is that it drops an upgraded version of the ElKern virus into infected machines. ElKern.B (w32.elkern.b) now runs under Windows 98, Me, 2000, and XP. ElKern.B adds a hidden file, wqk.exe, to Registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK, which is in Windows 98 and Me. Under Windows 2000 and XP, it adds wqk.dll to Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. These files are added so that ElKern.B runs anytime Windows is run. ElKern.B can corrupt files without changing the files' sizes.
Prevention
Klez.E uses a well-known vulnerability in Outlook Express that is included in versions of Internet Explorer 5.01 and 5.5. Microsoft has previously released a patch for this. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6 using the full installation setting.
Removal
Most antivirus software companies have updated their signature files to include Klez.E. Updating these files will stop the infection upon contact and, in some cases, will remove an active infection from your system. You can find more details here
#11
Posted 12 March 2002 - 08:29
Due to an increased rate of submissions Symantec Security Response has upgraded the threat rating of W32.Gibe@mm from Category 2 to Category 3 as of March 11, 2002. [image: http://securityresponse.symantec.com/avcenter/graphics/ssrc/writeups/category_3_on.gif]
W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe.
The fake message, which is not from Microsoft, has the following characteristics:
From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message: Microsoft Customer, this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities . . . How to install Run attached file q216309.exe How to use You don't need to do anything after installing this item. . . .
Attachment: Q216309.exe
The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself. When the attached file is executed, it does the following:
It creates the following files:
Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email addresses that it finds.
Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.
NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the 02_N803.dat file, which contains only data.
Next, the worm adds the following values: LoadDBackUp C:\Windows\BcTool.exe and 3Dfx Acc C:\Windows\GFXACC.exe to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm also creates the key HKEY_LOCAL_MACHINE\Software\AVTech\Settings and adds the following values to that key: Installed ... by Begbie, Default Address, Default Server
Finally, BcTool.exe attempts to send the Windows\Q216309.exe file to email addresses in the Microsoft Outlook address book, and to addresses that it found in .htm, .html, .asp, and .php files and wrote to the 02_N803.dat file.
Removal instructions: Delete files that are detected as W32.Gibe@mm, delete the 02_N803.dat file, and remove the key and values that the worm added to the registry.
#12
Posted 21 March 2002 - 23:07
W32.Delalot.B.Trojan is a Trojan horse that attempts to delete all files on all hard drives.
Deletes files: All files on all hard drives.
Technical description: If W32.Delalot.B.Trojan is executed, it first attempts to delete all files in all folders and subfolders on all hard drives. Then it drops the text file Piracy.txt into the root folder and displays the message: [image: http://securityresponse.symantec.com/avcenter/graphics/w32.delalot.b.trojan.1.gif]
#13
Posted 18 April 2002 - 19:42
Win32.Klez.H@mm
W32.Klez.H@mm is a modified variant of the worm W32.Klez.E@mm. This variant is capable of spreading by email and network shares. It is also capable of infecting files.
When this worm is executed, it does the following: It copies itself to %System%\Wink
NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds the value Wink to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or it creates the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters] and inserts a value in that subkey so that the worm is executed when you start Windows.
The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including: Anti-Vir.dat Chklist.dat Chklist.ms Chklist.cps Chklist.tav Ivb.ntz Smartchk.ms Smartchk.cps Avgqt.dat Aguard.dat
Local and Network Drive copying: The worm copies itself to local, mapped, and network drives as:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. The subject line, message bodies, and attachment file names are random. The From address is randomly chosen from email addresses that the worm finds on the infected computer. The worm will search files that have the following extensions for email addresses: .mp8 .exe .scr .pif .bat .txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .pas .mpg .mpeg .bak .mp3
In addition to the worm attachment, the worm also may attach a random file from the computer. The file will have one of the following extensions: .mp8 .txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .pas .mpg .mpeg .bak .mp3 As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly selected file.
The email message that this worm sends is composed of "random" strings. The subject can be one of the following: Undeliverable mail--"[Random word]" Returned mail--"[Random word]" a [Random word] [Random word] game a [Random word] [Random word] tool a [Random word] [Random word] website a [Random word] [Random word] patch [Random word] removal tools how are you let's be friends darling so cool a flash,enjoy it your password honey some questions please try again welcome to my hometown the Garden of Eden introduction on ADSL meeting notice questionnaire congratulations sos! japanese girl VS playboy look,my beautiful girl friend eager to see you spice girls' vocal concert japanese lass' sexy pictures
The random word will be one of the following: new funny nice humour excite good powful WinXP IE 6.0 W32.Elkern W32.Klez.E Symantec Mcafee F-Secure Sophos Trendmicro Kaspersky
The body of the email message is random.
If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at http://www.microsoft...in/MS01-020.asp
Virus Insertion: This worm inserts the virus W32.Elkern.4926 as a file with a random name in the %Program Files% folder and executes it. NOTE: %Program Files% is a variable. The worm locates the Program Files folder (by default this is C:\Program Files) and copies the virus to that location.
Removal Instructions: Download the anti-Klez utility
P.S. I deleted the threads because I considered they were no longer necessary.
#14
Posted 25 April 2002 - 12:17
W32.Maldal.K@mm is a variant of W32.Maldal@mm. It is a mass-mailing worm that is written in Visual Basic. The worm attempts to send itself to all contacts in the Microsoft Outlook address book and the MSN Messenger contact list. It also searches for email addresses in all .html files. It creates several registry keys and files on the system.
#15
Posted 20 May 2002 - 10:20
W32.Hedong.A@mm is a mass mailing worm which makes use of its own SMTP engine. Depending upon the system time, the worm sends either Hello.exe or Hello.vbs. The worm copies itself to %System%\Exporler.exe.
Also Known As: WORM_DONGHE.A, W32/Hedong@MM
Type: Worm
Infection Length: 49,152 bytes or 2,301 bytes
Systems Affected: Windows, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
W32.Hedong.A@mm is a mass mailing worm which makes use of its own SMTP engine. When it is executed, it does the following:
It configures that file to run every time that an executable file is run by changing the default value of the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command to %System%\Exporler.exe %1 %*
If the file that was executed was Hello.vbs, it performs the following additional actions:
Removal instructions
|
#16
Posted 08 September 2002 - 22:25
Worm.P2P.Kazmor
Kazmor is a P2P (peer to peer) and network worm with backdoor abilities. The worm itself is a Windows PE EXE file written in Delphi. Depending on the specific version the worm's size varies, however it is typically about 52KB or 56KB when it is compressed by the TeLock utility (the decompressed size is about 80-90KB). This worm is very closely related to another worm - Worm.Win32.Apart.

Installing
While installing, the Kazmor worm copies itself to the Windows system directory under either of these names:
"Kazmor.a": Windows.exe
"Kazmor.b": KERNEL32.VMM
It then sets "hidden" attributes for this file and registers it in the system registry auto-run key:
"Kazmor.a": HKLM\Software\Microsoft\Windows\CurrentVersion\Run  Windows = %WindowsDir%\Windows.exe
"Kazmor.b": HKLM\Software\Microsoft\Windows\CurrentVersion\Run  Windows Kernel = %WindowsDir%\KERNEL32.VMM
The Kazmor.a worm also hides itself in the system. It installs its own 'hooks' on Win32 API FindProcess/Modules functions and "skips" its process on these calls. Thus the worm's process is not visible in the active tasks list. The Kazmor.b worm also creates the HKCR\.vmm key that is associated with the "exefile" file type. Thus '.VMM' files will be executed as original '.EXE' files.

Spreading
At the request of the worm's master (see "Backdoor" below) the worm spreads over a local network or infects P2P shared folders. Local network infection: the Kazmor worm opens network drives that are available for full access and copies itself to the WINDOWS\Start Menu\Programs\StartUp directory under the name "REAL PLAYER.EXE".
P2P folders infection: Kazmor copies itself to the Kazaa and Morpheus folders with following names: 'violent preteen gang bang illegal.exe' 'teen tied up and raped.exe' 'teen raped in basement with dildo by 2 men.exe' '14 year old on beach.exe' '15 year old on beach.exe' '16 year old on beach.exe' 'preteen sucking huge cock illegal.exe' 'illegal preteen porn anal fisting.exe' 'fetish bondage preteen porno.exe' 'jenna jameson sex scene huge dick blowjob.exe' 'nikki nova sex scene huge dick blowjob.exe' 'jenna jameson - built for speed.exe' 'cute girl giving head.exe' 'chubby girl fucked from all angles xxx.exe' '[tmd]star wars episode 2 - attack of the clones [1of1].exe' '[tmd]sum of all fears [1of1].exe' 'kill osama bin laden game.exe' 'caught on camera - man hit by car - faces of death.exe' 'CKY2K - Bam Margera.exe' 'CKY3 - Bam Margera.exe' 'chubby girl bukkake gang banged sucking cock.exe' 'brutal preteen porn xxx.exe' 'illegal porno - 15 year old raped by two men on boat.exe' 'windows xp key generator and cracker.exe' 'daniel pearl execution video gruesome and hardcore.exe' 'winzip key generator.exe' 'cat attacks child.exe' 'evil pranksters - light church on fire.exe' 'divx codec installer.exe' 'hot girl on the beach sucking cock and ••••••• guy.exe' 'devin in elevator sex.exe' 'microsoft office xp cracked.exe' 'microsoft visual studio 6.0.exe' 'microsoft .NET.exe' '[DiVX] Lord of the rings.exe' '[DiVX] Harry Potter and the sorcerors stone.exe' 'macromedia flash 5.0.exe' 'macromedia dreamweaver 4.0.exe' 'nuke afghanistan game.exe' 'Britney Spears Nude Cum.exe' 'Christina Agulera Nude Cum.exe' 'Christina Ricci Nude Cum.exe' 'AIM Password Stealer.exe' 'AIM Account Stealer.exe' 'AIM Account Hacker.exe' 'AIM Flooder.exe' 'MSN Password Hacker and Stealer.exe' 'MSN Flooder.exe' 'Hacking Tool Collection.exe' 'WinZip.exe' 'Windows XP.exe' 'Halflife Crack.exe.exe' 'Halflife Key Generator.exe.exe' 'Counterstrike Key Generator.exe.exe' 'Halflife and Counterstrike serial 
database.exe' 'DSL Modem Uncapper.exe' 'Cable Modem Uncapper.exe' 'T1 Modem Uncapper.exe' 'T3 Modem Uncapper.exe' 'DivX Install.exe' 'Two girls - Blonde and Brunette - Giving head.exe' 'How to hack.exe' 'How to hack websites.exe' 'Preteen Rape Sex Illegal - Jenny - 13 Years old.exe' 'Lolita preteen sex.exe' 'Bondage Fetish Foot Cum.exe' 'Blonde and Japanese girl bukkake.exe' 'Kill Osama Bin Ladin game.exe' 'Preteen lesbians.exe' 'Choke on cum (sodomy, rape).exe' 'Halflife and Counterstrike Cheating Death Hack!!!.exe' 'WebCam Voyeur Spy.exe.exe' 'FBI Spy Program.exe' 'XXX Porn Passwords.exe' 'Jenna Jameson Nude Gang Bang Forced Cum Blowjob.exe' 'CKY2K - Bam Margera Toy Machine.exe' 'CKY3 - Bam Margera World Industries Alien Workshop.exe' 'Chip and dale.exe' '14 Year old webcam.exe ' '15 year old webcam.exe' '16 year old webcam.exe' '12 year old forced rape cum.exe' 'illgal incest preteen porn cum.exe' 'girls gone wild.exe' 'debby does dallas.exe' 'Devon - Elevator Scene.exe ' 'I Deep Throat - Kelly.exe' 'Another bang bus victim forced rape sex cum.exe' 'ZoneAlarm Firewall.exe' 'WinZip Key Generator and Crack.exe' 'How to be a terrorist - anarchist cookbook.exe' 'Government Secrets.exe' 'Nero Burning ROM [Cracked].exe' 'Internet and Computer Speed Booster.exe' 'Teen Violent Forced Gangbang.exe' 'PS1 Boot Disc.exe' 'Sony Play station boot disc.exe' 'PS2 Boot Disc.exe' 'Borland Delphi 5 Key Generator.exe' 'Borland Delphi 6 Key Generator.exe' Backdoor The backdoor routine allows a remote master to perform the following actions on victim computers: send out detailed computer information: drivers description, local date and time, default language, computer name, CPU speed and number of processors, RAM size, Windows version e.t.c. steal cached passwords, MSN account login and password, as well as .NET Messenger information. 
Kazmor also performs the following routines, it: - spreads over local networks and to P2P networks - receives files or download files from a Web site - executes a file - performs DoS attacks on remote computers - pings a remote computer - scans ports and IP addresses - redirects PC ports - sends spam messages through AOL Instant Messenger and to a mIRC channel |
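The Hedong post (#15) above describes a hijack of the exefile\shell\open\command handler, and the Kazmor post describes a Run-key autostart plus a .vmm extension aliased to "exefile". All three leave traces in a registry export, so they can be audited offline from a `reg export` dump. The following is an added example, not code from either writeup or from any vendor tool: the sample export is constructed, the key paths follow the two writeups, and the short list of file names is taken from them.

```python
import re

EXEFILE_CMD_KEY = r"hkey_local_machine\software\classes\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DEFAULT_EXEFILE_CMD = '"%1" %*'          # what a clean exefile handler looks like
# File names named in the Hedong and Kazmor writeups above.
KNOWN_BAD_NAMES = {"exporler.exe", "windows.exe", "kernel32.vmm"}


def parse_reg(text):
    """Parse 'reg export' text into {key: {name: data}} ('@' = default value).
    Keys are lower-cased because the registry is case-insensitive; only string
    values are handled, which is all the checks below need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'(@|"[^"]+")="(.*)"', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1).strip('"')
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \" escaping
    return keys


def audit_reg(text):
    """Return (check, key, data) findings for the persistence tricks in the writeups."""
    keys, findings = parse_reg(text), []
    # 1. Hedong-style hijack: every .exe launch is routed through the worm binary.
    cmd = keys.get(EXEFILE_CMD_KEY, {}).get("@")
    if cmd is not None and cmd.strip() != DEFAULT_EXEFILE_CMD:
        findings.append(("exefile_hijack", EXEFILE_CMD_KEY, cmd))
    # 2. Kazmor.b-style alias: an extension other than .exe that runs as exefile.
    for key, values in keys.items():
        m = re.fullmatch(r"hkey_classes_root\\\.([^\\]+)", key)
        if m and values.get("@", "").lower() == "exefile" and m.group(1) != "exe":
            findings.append(("exefile_alias", key, values["@"]))
    # 3. Run-key autostarts whose target is not an .exe or is a name from the writeups.
    #    Quoted paths are handled; an unquoted path containing spaces is cut at the
    #    first space, so treat this as a first pass, not a complete parser.
    for name, target in keys.get(RUN_KEY, {}).items():
        first = target.strip().split(" ")[0].strip('"').lower() if target.strip() else ""
        base = first.rsplit("\\", 1)[-1]
        if not base.endswith(".exe") or base in KNOWN_BAD_NAMES:
            findings.append(("run_autostart", RUN_KEY + "\\" + name, target))
    return findings


# Constructed sample (not a real export) showing the three changes from the writeups
# next to two benign entries; '\\' and '\"' are .reg-file escaping.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM32\\Exporler.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Kernel"="C:\\WINDOWS\\KERNEL32.VMM"
"ctfmon"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\.vmm]
@="exefile"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
'''

if __name__ == "__main__":
    for check, key, data in audit_reg(SAMPLE_REG):
        print(f"{check:15} {key} = {data}")
```

On a live system the same function can be fed the output of `reg export HKLM\Software\Classes\exefile out.reg` (and the Run and HKCR keys) instead of the constructed sample; the default-handler comparison is the check that matters most, since a hijacked exefile handler silently re-launches the worm the first time any program is started after "cleaning".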
#17
Posted 31 August 2003 - 02:34
Backdoor.IRC.RPCBot.C
Type: Trojan Horse
Infection Length: varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX

Backdoor.IRC.RPCBot.C is a collection of batch files, script files, utilities, as well as hacktools. It is possible that the names and functions of the files may change. The information discussed in this writeup is based on the samples that Security Response has reviewed.

Note: In the following list of files, the file sizes are in bytes (contained in parentheses).

The files associated with Backdoor.IRC.RPCBot.C are:
- Explorer.exe (638,976): A packed mIRC32 client. This file is not viral itself, and Symantec antivirus products do not detect it as such.
- Mirc.ini (2,684): An mIRC initialization script. This file is not viral itself, and Symantec antivirus products do not detect it as such.
- Remote.ini (80): A malicious mIRC script. This is detected as Backdoor.IRC.RPCBot.C.
- Aliases.ini (11): An mIRC script. This file is not viral itself, and Symantec antivirus products do not detect it as such.
- Dcom.exe (10,784): An executable that the Trojan uses to exploit the DCOM RPC vulnerability. It is detected as Backdoor.IRC.RPCBot.C.
- Dcom.mrc (2,802): A malicious mIRC script. This is detected as Backdoor.IRC.RPCBot.C.
- Hidden32.exe (29,696): A utility that is used to hide windows. This file is not viral itself, and Symantec antivirus products do not detect it as such.
- Macros.txt (324): A script passed to Dcom.exe. It is detected as Backdoor.IRC.RPCBot.C.
- Script.ini (920): A malicious mIRC script. It is detected as Backdoor.IRC.RPCBot.C.
- Servers.ini (50): A list of IRC servers. This file is not viral itself, and Symantec antivirus products do not detect it as such.
- Winhp32.exe (22,016): A utility that is used to hide windows. This file is not viral itself, and Symantec antivirus products do not detect it as such.

When Backdoor.IRC.RPCBot.C runs, it does the following:
- Creates the folder C:\Program Files\Common Files\Microsoft Shared\CDO, and drops the aforementioned files there.
- Connects to a specific IRC channel on a specific IRC server to receive remote instructions from the Trojan's creator. One such command is to exploit the DCOM RPC vulnerability: the Trojan connects to some randomly generated IP addresses to find computers that are listening at TCP port 135. It sends one of two types of data, either to exploit Windows XP or Windows 2000. Once the computer is found, the Trojan sends specially formed data, which exploits the DCOM RPC vulnerability, to that computer.
- If the exploit is successful, the Trojan will try to connect to an FTP server and download and execute the following two files:
  - Sdbot0b.exe (24,608 bytes): Detected as W32.HLLW.Moega.
  - Down.com: A utility that disables DCOM.
  After execution, both files are deleted.

Download for Symantec products: http://securityrespo...s.download.html

Have a nice day... |
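The RPCBot.C post above says the bot probes randomly generated IP addresses for listeners on TCP port 135 before sending the DCOM RPC exploit. Seen from the network side, that is one internal host reaching many distinct destinations on a single port in a short time. The following is an added example of that detection, not Symantec's code and not the bot's: it keeps a per-source sliding window of (time, destination) pairs over a key=value firewall log and alerts when the number of distinct targets crosses a threshold. The log format and every log line are constructed for the example, and because the port, window and threshold are parameters the same function flags a sweep on any port, not only 135.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical key=value firewall log format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """One log line -> dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower()}


def detect_fanout(lines, port=135, window_s=60, threshold=10):
    """Alert once per source that contacts >= threshold distinct hosts on `port`
    within any window_s-second sliding window (lines must be in time order).
    Returns [(src, window_start, n_targets_at_alert_time)]."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs inside the current window, oldest first
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:   # expire old entries
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append((rec["src"], q[0][0], len(targets)))
    return alerts


def sample_log():
    """Constructed log lines (not from any real capture), returned in time order."""
    base = datetime(2003, 8, 30, 2, 14, 0)
    lines = []
    # A legitimate client talking to one domain controller on 135, repeatedly: one target.
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=i * 3)).isoformat()} "
                     f"src=10.0.5.40 dst=10.0.0.1 dport=135 proto=tcp")
    # Web browsing fan-out: many targets, but on port 80.
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"src=10.0.5.41 dst=203.0.113.{i + 1} dport=80 proto=tcp")
    # RPCBot-style sweep: one source, twelve distinct targets on 135 inside 30 seconds.
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=i * 2)).isoformat()} "
                     f"src=10.0.5.23 dst=198.51.100.{i + 1} dport=135 proto=tcp")
    return sorted(lines)   # ISO timestamps sort correctly as strings


if __name__ == "__main__":
    for src, start, n in detect_fanout(sample_log()):
        print(f"port-135 sweep from {src}: {n} distinct targets since {start.isoformat()}")
```

The repeated connections from 10.0.5.40 to its domain controller never trip the rule because the count is of distinct destinations, not of connections; the same source hitting twelve different hosts on 135 inside a minute does. In a real deployment the threshold should be set from a baseline of normal RPC fan-out (domain controllers and management hosts will legitimately reach many machines on 135) and the alert paired with the post's second-stage indicator, an outbound FTP fetch from the freshly exploited host.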
#18
Posted 01 September 2003 - 14:36
W32.HLLW.Darby
Discovered on: August 29, 2003
Last Updated on: August 31, 2003 10:09:45 PM

W32.HLLW.Darby is a worm which spreads through file-sharing networks such as Kazaa and Morpheus, and may also attempt to spread through email and IRC. When executed, this worm displays a message box which says either "The file this total or partially damaged, impossible to open the file", or "El archivo esta total o parcialmente danado, imposible abrir el archivo". This threat is written in Visual Basic and packed with UPX.

Also Known As: W32/Bardiel
Type: Worm
Infection Length: 108-109K
Details link: http://securityrespo...hllw.darby.html

Recommendations:
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal Update: http://securityrespo...s.download.html

Have a nice day... |
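The Klez post (#13) above lists the worm's subject templates, its random-word list and its two-attachment layout (the worm first, a harvested document second), and the Darby recommendations above say a mail server should block .vbs, .bat, .exe, .pif and .scr attachments. The following is an added example that turns both into one mail-screening check with Python's standard `email` package; it is not Symantec's code nor anything from the posts. The message builder and the messages it produces are constructed test data, the subject grammar and word list are copied from the Klez post, and the blocked-extension set is just the one quoted in the Darby post.

```python
import re
from email import message_from_string, policy

# Subject templates and "random words" as listed in the W32.Klez.E writeup above.
RANDOM_WORDS = ["new", "funny", "nice", "humour", "excite", "good", "powful", "WinXP",
                "IE 6.0", "W32.Elkern", "W32.Klez.E", "Symantec", "Mcafee", "F-Secure",
                "Sophos", "Trendmicro", "Kaspersky"]
FIXED_SUBJECTS = {s.lower() for s in [
    "how are you", "let's be friends", "darling", "so cool", "a flash,enjoy it",
    "your password", "honey", "some questions", "please try again",
    "welcome to my hometown", "the Garden of Eden", "introduction on ADSL",
    "meeting notice", "questionnaire", "congratulations", "sos!",
    "japanese girl VS playboy", "look,my beautiful girl friend", "eager to see you",
    "spice girls' vocal concert", "japanese lass' sexy pictures"]}
WORD = "(?:" + "|".join(re.escape(w) for w in RANDOM_WORDS) + ")"
TEMPLATE_RE = re.compile(
    rf'^(?:(?:Undeliverable|Returned) mail--"{WORD}"'
    rf'|a {WORD} {WORD} (?:game|tool|website|patch)'
    rf'|{WORD} removal tools)$', re.IGNORECASE)
# Attachment types the W32.HLLW.Darby recommendations say a mail server should block.
BLOCKED_EXT = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def klez_subject(subject):
    """True if the subject is one of the fixed Klez phrases or fits a Klez template."""
    s = subject.strip()
    return s.lower() in FIXED_SUBJECTS or TEMPLATE_RE.match(s) is not None


def ext_of(filename):
    """Lower-cased final extension including the dot, '' if there is none."""
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def screen_message(raw):
    """Return the reasons to quarantine the RFC 822 message `raw` (empty list = pass)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    for name in names:
        if ext_of(name) in BLOCKED_EXT:
            reasons.append(f"blocked attachment type: {name}")
    subject = str(msg["subject"] or "")
    if klez_subject(subject):
        reasons.append(f"Klez-style subject: {subject}")
    # Klez mails carry exactly two attachments: the worm first, then a random document.
    if len(names) == 2 and ext_of(names[0]) in BLOCKED_EXT and ext_of(names[1]) not in BLOCKED_EXT:
        reasons.append(f"Klez-style attachment pair: {names[0]} + {names[1]}")
    return reasons


def build_message(subject, attachments):
    """Constructed test message (not a real capture); attachments is [(filename, mime)]."""
    parts = ["--b1\nContent-Type: text/plain\n\nsee attachment\n"]
    for name, mime in attachments:
        parts.append(f'--b1\nContent-Type: {mime}; name="{name}"\n'
                     f'Content-Disposition: attachment; filename="{name}"\n'
                     'Content-Transfer-Encoding: base64\n\nQUJDRA==\n')   # filler body
    return ("From: alice@example.net\nTo: bob@example.org\n"
            f"Subject: {subject}\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n' + "".join(parts) + "--b1--\n")


if __name__ == "__main__":
    samples = [
        ("a funny WinXP game", [("setup.exe", "application/octet-stream"),
                                ("notes.doc", "application/msword")]),
        ("meeting agenda", [("notes.doc", "application/msword")]),
    ]
    for subj, atts in samples:
        print(repr(subj), "->", screen_message(build_message(subj, atts)) or ["pass"])
```

The extension check is what the Darby post recommends and is enough on its own to stop the Klez mail, since the worm is always the first attachment; the subject grammar and the attachment-pair check are there to give the quarantine a reason a responder can act on, and they still work when the extension list is bypassed by a renamed file, which is why the pair check looks at the first attachment's type rather than its name.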