Alerts!


#1 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
In this thread I will post the most important virus-related announcements! Please contribute with any information you consider important!


Alert!

W32/Kriz (aka Kriz, W32.Kriz.3740, Win32.Kriz) is a very destructive virus!
It triggers on 25 December and will wipe the CMOS, try to corrupt the system BIOS, and try to replace every file on the local hard disk as well as on the network with garbage, destroying all data in the process!!!
If the system BIOS gets corrupted, that computer can no longer be used and the BIOS chip will have to be replaced!!

Online scan: Scan
Removal tool: Fixkriz
How to use the tool: Tool usage

#2 Monitoxus (Back!)
  • Group: Senior Members
  • Posts: 7,184
  • Joined: 26.11.2001
"W32.Goner.A@mm" seems to be getting more and more aggressive... it is a Trojan written in Visual Basic which can do nothing but send out e-mails like crazy :(

You can "contact" it on IRC, ICQ and e-mail!

Symantec has already released an antidote.. you can download it from here   ~ 415 Kb

It is advisable to download/run it even if you suspect you are NOT infected...

Details: HERE

Source: securityresponse.symantec.com

#3 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
Monitoxus, OK!
This virus spreads, as Monitoxus said, via mail, ICQ and IRC, and has the following characteristics:
  • mail subject: Hi
  • attachment name: Gone.scr
  • attachment size: 38,912 bytes

The virus adds a registry value C:\%SYSTEM%\gone.scr = C:\%SYSTEM%\gone.scr under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Once this value has been written to the registry, the virus terminates every process belonging to the antivirus installed on the system. Process list:
  • APLICA32.EXE
  • AVCONSOL.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET32.EXE
  • ESAFE.EXE
  • FRW.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • LOCKDOWN2000.EXE
  • NAVAPW32.EXE
  • NAVW32.EXE
  • PCFWallIcon.EXE
  • SAFEWEB.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • ZONEALARM.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
If such a process is found, the virus deletes all files belonging to that process!!! If the files are in use and cannot be deleted, the file %SYSTEM%\Wininit.ini is created and used to delete the files when the computer is restarted!
On Windows NT/2000/XP machines, the files are deleted by usage of the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

where the files to be deleted are present in the value

PendingFileRenameOperations

Finally the virus displays a fake error message:
[image: http://www.symantec.com/avcenter/graphics/[email protected]]

#4 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
JS.Gigger.A@mm is a worm written in JavaScript. It uses Outlook and mIRC to spread. It tries to delete all files on the computer and to format the C partition when the computer is restarted!

Wild:
  • Number of infections: 0 - 49
  • Number of sites: 0 - 2
  • Geographical distribution: Low
  • Threat containment: Easy
  • Removal: Easy
Damage:
  Payload:
  • Large scale e-mailing: Sends email to all Microsoft Outlook addresses
  • Deletes files: All files
  • Modifies files: Autoexec.bat to delete all files
Distribution:
  • Subject of email: Outlook Express Update
  • Name of attachment: mmsn_offline.htm
Technical description:
JS.Gigger.A@mm arrives as an email message that has the following characteristics:
  • Subject: Outlook Express Update
  • Message: MSNSofware Co.
  • Attachment: Mmsn_offline.htm

If the worm is executed, it does the following:
It drops the following files:
C:\Bla.hta
C:\B.htm
C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Help\Mmsn_offline.htm

It infects .html  files.
It adds the line ECHO y|format c: to the Autoexec.bat file, so that if the computer is restarted, drive C is reformatted.
Next, it drops a Script.ini file to spread itself by mIRC. Norton AntiVirus (NAV) detects the infected Script.ini as IRC.Worm.gen.
The worm then creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0

and adds the value
NAV DefAlert
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Next, if you are connected to a network, the worm searches network drives and copies itself as \Windows\Start Menu\Programs\StartUp\Msoe.hta
Finally, it attempts to delete all files on the local hard drive.

To get rid of this worm, in case it has been executed but has not yet deleted all the files on your computer, follow the steps below.

1. Edit Autoexec.bat; delete the line: ECHO y|format c:

2. Edit the registry; delete the following keys: HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout and HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0; then navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the entry NAV DefAlert!

If the worm has been executed and has deleted all your files, you will have to reinstall the operating system!

P.S. Use an antivirus! It saves you a lot of headaches!

#5 don_King (Senior Member)
  • Group: Senior Members
  • Posts: 2,904
  • Joined: 26.11.2001
an antivirus is going around the net (e-mail), the delight of those who use Outlook ;-)

in The Bat! it looks something like this:

"Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!


begin 666 www.myparty.yahoo.com
M35J0``,````$````__``+@`````````0```````````````````````````
M````````````````````@`````X?N@X`M`G-(;@!3,TA5&AI:

#6 Mr_Woppit (the last of them..)
  • Group: Super Moderators
  • Posts: 17,834
  • Joined: 26.11.2001
I don't know how old/new it is, but what follows below I received in the NEWS from Kaspersky

Quote

The worm appears on a target computer as a file attached to an
e-mail message. The file is a Windows application about 30Kb in length, it is written in Microsoft Visual C++, and is compressed in a UPX utility.

    An infected message appears as follows: Subject: new photos from my party! Body: Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks! Attachment: www.myparty.yahoo.com


    As is apparent, the file carrier purposely poses as a Web-site
address. A user's trust is taken into account so that when
double-clicking on the enclosure, the said user ends up at some Internet address. However, what actually occurs is that a malicious program is activated upon enclosure opening.

"This occurrence once again confirms that not everything beginning with 'www' and ending in '.com' is a Web site."


    If the system date on a computer is 25-29 of January 2002, Myparty launches its installation and spreading routines. In addition to this, the worm checks for the presence of Russian-language support and if this is detected, the worm finishes its operation and exits the system.

    In order to maintain its presence in the memory, upon each
infected-computer start-up, the worm creates its copy in different disk directories and registers them in the Windows system registry of the program auto-start section.


    In order to send its copies via e-mail, the worm scans the Windows Address Book and DBX (also used in Outlook Express) databases and checks these with all found addresses. Following this, the worm installs a direct connection with a remote SMTP server and imperceptibly, supposedly in the name of the infected computer's user, sends its copies to these addresses. In order to confirm an infection, the worm also sends a blank e-mail to the [email protected] address.

    Myparty has some dangerous side effects. On computers with Windows NT/2000/XP, the worm installs a spy program for remote unauthorized control. In this way, a malefactor can gain total control over a victim's computer.

    In addition to this, depending on a number of conditions, Myparty opens the http://www.disney.com Web site in the current Internet browser window.

    Defense procedures thwarting Myparty have already been added to the Kaspersky Anti-Virus database.


    A more detailed description of this Internet worm can be found in the Kaspersky Virus Encyclopedia
http://www.viruslist....html?id=46966).

EndLess Point
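The uuencoded block in don_King's post and the Kaspersky note that the attachment name poses as a web address suggest a simple triage: pull every uuencoded attachment out of the mail body and compare what its name claims with what its bytes actually are. The block below is an added example, not code from either post or from Kaspersky; the mail body, the attachment names and the file contents (a 128-byte MZ/PE-shaped stub, not a real program) are all constructed for illustration.

```python
# Added example, not from either post or from Kaspersky. Extracts uuencoded
# attachments from a plain-text mail body (the form The Bat! showed for
# Myparty) and flags an attachment whose name looks like a web address while
# its bytes are a Windows executable. The mail body and the file contents
# below are constructed; the "PE" is a 128-byte stub, not a real program.
import binascii
import re

BEGIN_RE = re.compile(r"^begin\s+([0-7]{3})\s+(.+)$")
URL_LIKE = re.compile(r"^(www\.|https?://)[\w.-]+\.(com|net|org|info)$", re.I)
EXE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def extract_uu_attachments(body: str) -> list[tuple[str, int, bytes]]:
    """Return (filename, mode, data) for each begin/end block in the body.

    Data lines are decoded with binascii.a2b_uu one at a time; a line that
    does not decode is skipped instead of aborting, because mail clients trim
    trailing spaces and wrap long lines (the paste above is cut short).
    """
    found: list[tuple[str, int, bytes]] = []
    name, mode, chunks = None, 0, []
    for line in body.splitlines():
        if name is None:
            m = BEGIN_RE.match(line.strip())
            if m:
                mode, name, chunks = int(m.group(1), 8), m.group(2).strip(), []
            continue
        stripped = line.strip()
        if stripped == "end":
            found.append((name, mode, b"".join(chunks)))
            name = None
        elif stripped in ("", "`"):          # zero-length line before "end"
            continue
        else:
            try:
                chunks.append(binascii.a2b_uu(line))
            except binascii.Error:
                continue
    return found


def is_pe_executable(data: bytes) -> bool:
    """MZ stub plus a PE\\0\\0 signature at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    if not is_pe_executable(data):
        return "not an executable"
    if URL_LIKE.match(filename) or not filename.lower().endswith(EXE_EXTENSIONS):
        return "executable hiding behind a non-executable name"
    return "executable"


def triage(body: str) -> list[tuple[str, str]]:
    return [(name, classify(name, data)) for name, _, data in extract_uu_attachments(body)]


# --- constructed sample input -------------------------------------------------

def fake_pe() -> bytes:
    """A PE-shaped stub: MZ header, e_lfanew = 0x40, then the PE signature."""
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 60


def uuencode(name: str, data: bytes, mode: int = 0o666) -> str:
    lines = [f"begin {mode:03o} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii").rstrip("\n"))
    return "\n".join(lines + ["`", "end"])


SAMPLE_BODY = (
    "Hello!\n\nI have attached my web page with new photos!\n\n"
    + uuencode("www.myparty.yahoo.com", fake_pe())                  # name mimics a URL, body is MZ/PE
    + "\n\n"
    + uuencode("photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20)    # a JPEG-looking blob
    + "\n"
)

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BODY):
        print(f"{name}: {verdict}")
```

The check is on content, not on the name: the name is what the sender controls, and a mail client that shows "www.myparty.yahoo.com" as an attachment is showing a file, not a link. For MIME (base64) mail the extraction step changes but the MZ/PE test on the decoded bytes stays the same.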

#7 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
W32.Yarner.A@mm is a mass-mailing worm written in the Delphi language. The worm sends itself to email addresses found in the Microsoft Outlook address book and in local files.

The worm uses the system configured or hard coded SMTP server to send messages with the subject Trojaner-Info Newsletter followed by the current date. The message body is in German and the attachment name is yawsetup.exe.

In addition, the worm may attempt to delete all files on the computer.

Wild:
  • Number of infections: 0 - 49
  • Number of sites: 0 - 2
  • Geographical distribution: Low
  • Threat containment: Easy
  • Removal: Moderate
Damage:
  • Payload Trigger: Random
  • Payload: Deletes all files
  • Large scale e-mailing: Mails everyone in the Outlook Address Book
  • Deletes files: Deletes all files on the drive containing Windows
  • Modifies files: Overwrites Notepad.exe
Distribution:
  • Subject of email: Trojaner-Info Newsletter [current date]
  • Name of attachment: yawsetup.exe
  • Size of attachment: 427 kb
Technical description:

When executed, the worm copies itself to:
%WinDir%\notepad.exe, overwriting the Notepad application. The worm saves the original Notepad application as:
%WinDir%\notedpad.exe
When executing Notepad, the worm executes itself and then attempts to launch the original Notepad application.

In addition, the worm copies itself to
%WinDir%\[random characters].exe and adds the associated registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
[random characters] = [random characters].exe


The worm uses MAPI to send itself as yawsetup.exe to email addresses listed in the Microsoft Outlook address book and by searching files with the extension .php, .htm, .shtm, .cgi, and .pl The message has the following characteristics:

The infected messages have the original sender's e-mail address or fake sender address in the "From" field.
"True" e-mail: Trojaner-Info [%TrueEmail%]
Fake e-mail: Trojaner-Info [[email protected]]

Subject:
Trojaner-Info Newsletter [Current Date]

Message Body:
Hallo !

Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.
Hier die Themen im Ueberblick:

01. YAW 2.0 - Unser Dialerwarner in neuer Version

************************************
01. YAW 2.0 - Unser Dialerwarner in neuer Version

Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist
nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere
Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter.
Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen
steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak
unter [email protected] zur Verfügung. Viel Spaß mit YAW!

<http://www.trojaner-...ialer/yaw.shtml>

************************************

Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir
bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine
angenehme Woche.

Mit freundlichem Gruss

Thomas Tietz & Andreas Ebert
<http://www.trojaner-info.de>

************************************
Anzahl der Subscriber: 5.966
Durchschnittliche Besuchzahl/Tag: 4.488
Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer
Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber
abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du
diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine
entsprechende E-Mail.

************************************

The worm also creates the files:

%WinDir%\kernei32.daa
%WinDir%\kernei32.das

These files are not viral and instead store server and address information used by the virus. The worm pretends to be a new version of the YAW application released by Trojaner Info in Germany.

Finally, depending on a random counter, the worm may delete all files on the drive containing the Windows operating system installation.

Risk level: [image: http://securityresponse.symantec.com/avcenter/graphics/ssrc/writeups/category_3_on.gif]

#8 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
W32.Alcarys.B@mm is a massmailing worm that will send to all recipients in an affected user's address book. It will also stall the machine such that the machine will only be usable once it is started in MS-DOS mode. It will also overwrite many System files.

Wild:
  • Number of infections: 0 - 49
  • Number of sites: 0 - 2
  • Geographical distribution: Low
  • Threat containment: Moderate
  • Removal: Difficult
Damage:
  • Payload Trigger: Execution of an infected file.
  Payload:
  • Large scale e-mailing: Will mass-mail itself to all recipients in the affected user's address book
  • Deletes files: will overwrite all ".scr" and ".com" files along with overwriting "regedit.exe", "regsvr32.exe" and "scanregw.exe"
  • Modifies files: modifies script.ini so that mIRC will send the worm.
  • Degrades performance: Enters an infinite loop due to the overwrite of REGEDIT.EXE so the machine will quickly run out of resources and crash.
  • Causes system instability: Enters an infinite loop due to the overwrite of REGEDIT.EXE so the machine will quickly run out of resources and crash.
Distribution:
  • Subject of email: i've got cool stuffs here... or nice stuffs i got here... or check this out... or i want you to know how much i care for you... or hello! i'm your long, lost friend... or talk to me... tell me your name... or kindness is a virtue...
  • Name of attachment: 4 attachments whose names vary
  • Size of attachment: 16,384 bytes
Technical description:
Technical description:


W32.Alcarys.B@mm will copy itself to the following filenames:

"C:\WINDOWS\SYSTEM\REGSVR32.EXE"
"C:\WINDOWS\Desktop\win.exe"
"C:\WINDOWS\Desktop\Top Secret\clickme.exe"
"C:\WINDOWS\SendTo\Oceans11\watchme.exe"
"C:\WINDOWS\Favorites\A Beautiful Mind\watchme.exe"
"C:\WINDOWS\regedit.exe"
"C:\WINDOWS\scanregw.exe"
"C:\WINDOWS\tuneup.exe"
"C:\WINDOWS\rundll64.exe"
"C:\WINDOWS\windows.exe"
"C:\disney.scr"
"C:\file1980.com"
"C:\hacktool.co_"
"C:\movie.exe"
"C:\msmsgs.exe"
"C:\porno.scr"
"C:\screenxx.scr"
"C:\windows.exe"
"C:\windows.scr"
"C:\winstart.com"
"C:\Program Files\CurlySoft\viewer.dll"
"C:\Program Files\CurlySoft\pornview.exe"
"C:\Program Files\XXX Files\clickme.exe"
"C:\Recycled\alco.com"

It will also overwrite all ".SCR" files on the machine with itself. It will also create a directory "C:\WINDOWS\FILES" into which it will copy itself with a filename such as "file###.###.exe" where the # signs represent any number of digits.

The worm will also overwrite all ".HTM" and ".HTML" files with an HTML file that will simply run the worm. It will also drop an HTML file "C:\blank.html".

The worm will also attempt to download a file and execute that file from the virus-writer's homepage.

The worm will also overwrite all Microsoft Excel and Microsoft Word documents that it finds on the affected user's machine with files that it creates: "C:\XXXMOVIE.XLS" for Excel files and "C:\WINDOWS\NEWdocument.DOC" for Word files. Both of these files will send e-mail to all recipients in the affected user's address book. These e-mail messages will have the following characteristics when sent from the Excel file:
Subject:Nice Embedded Object
Body:Check out the embedded object in the excel sheet...
Attachment: The attachment name will vary. Whichever file it has overwritten will be attached to the e-mail message.

and the following when sent from Word:
Subject: Nice Embedded Object
Body: Check out the embedded object in the word document...
Attachment: The attachment name will vary. Whichever file it has overwritten will be attached to the e-mail message.

The source to the macro components is first copied to the files "C:\xls.wps", "C:\doc.wps", and "C:\nor.wps". It will also create the infected documents "C:\porno.doc", "C:\xxxmovie.xls", "C:\windows\newdocument.doc".

The worm also creates the files:
"C:\v.vbs", a simple script file that will wait until a file has been downloaded and then it will send a key sequence to that application.
"C:\v.reg", a registry file that will modify the registry.
"C:\acs.acs", a simple text file that contains the text "another one bites the dust"
"C:\Windows\tmpdelis.bat", a simple batch file that will copy the file "C:\program files\curlysoft\viewer.dll" to "c:\program files\curlysoft\run.com". It will also enter the data in "C:\v.reg" into the registry. Finally it will execute the file "C:\file1980.com"

The worm also creates the following shortcuts on the Desktop:
"New document.lnk", a shortcut to open "C:\WINDOWS\newdocument.doc"
"Tips On How To Make Your Partner Wilder.lnk", a shortcut to open "C:\xxxmovie.xls"
"Porn Viewer version 1.01.lnk", a shortcut to open "C:\Program Files\Curlysoft\pornview.exe"
"ExecuteMe.lnk", a shortcut to open "C:\WINDOWS\rundll64.exe"
and "mailme.lnk", a shortcut to send mail to the virus writer.

The worm will also modify the following registry keys:

add value:
"Rundll64" = "c:\windows\rundll64.exe"
to the registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

add values:
"Windows Update" = "C:\WINDOWS\Start Menu\Programs\Windows Update\file###.###.exe"
"Regedit" = "C:\windows\regedit.exe"
to registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

set the default value to:
"c:\windows\scanregw.exe"
to registry key:
"HKEY_CLASSES_ROOT\mp3file\shell\open\command"

set the default value to:
"c:\windows\system\regsvr32.exe"
to the registry key:
"HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command"

set the default value to:
"c:\windows\tuneup.exe"
to the registry key:
"HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command"

set the default value to:
"c:\windows\system\regsvr32.exe"
to the registry key:
"HKEY_CLASSES_ROOT\mp3file\shell\play\command"

set the default value to:
"c:\windows\scanregw.exe"
to the registry key:
"HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command"

set the default value to:
"c:\windows\tuneup.exe"
to the registry key:
"HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command"

set the default value to:
"c:\recycled\alco.com"
to the registry key:
"HKEY_CLASSES_ROOT\txtfile\shell\open\command"

add the values:
"*Windows" = "c:\windows\windows.exe"
and
"MSMSGS" = "c:\msmsgs.exe"
to the registry key:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

The worm will also attempt to spread using mIRC by modifying the script.ini file for mIRC.

The worm itself will also send e-mail messages to all recipients in the affected user's Address Book. These e-mail messages will have the following characteristics:
One of the following Subjects:
i've got cool stuffs here...
nice stuffs i got here...
check this out...
i want you to know how much i care for you...
hello! i'm your long, lost friend...
talk to me... tell me your name...
kindness is a virtue...

One of the following Bodies:
three files for you to keep... always remember that i'm into deep... i don't know you but i think i'm in love...
sharing files is the essence of living... check this out...
hi, friend... here are some nice stuffs that i got from the internet... check it out...
hmmmn... i guess you've forgotten me... but anyways, i wanna make up... here are the files that made me like the internet more... see for yourself...
check this out...
one of the files is a virus... can you tell me which one is it? hehehe, i'm only joking... your friend, paul..

4 attachments (1 from each of the following sets of filenames):
chinese fu_k.mpg (movie.exe)
amateur porn film.mpg (movie.exe)
jenna jameson clip.mpg (movie.exe)
lord of the rings clip.mpg (movie.exe)
fu_k of the month.mpg (movie.exe)
britney exposed.mpg (movie.exe)

and universe.scr (screenxx.scr)
solarsystem.scr (screenxx.scr)
sh_t.scr (screenxx.scr)
donald and minnie sex.scr (screenxx.scr)
baby dancing.scr (screenxx.scr)
kamasutra screensaver.scr (screenxx.scr)

and credit card hacktool (file1980.com)
windows xp ultimate crack (file1980.com)
http://www.meditation.com (file1980.com)
patch1981.com (file1980.com)
hack mirc server (file1980.com)

and disney.scr

Removal instructions:

Delete all files detected as W32.Alcarys.B@mm

remove the value:
"Rundll64" = "c:\windows\rundll64.exe"
from the registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

remove the values:
"Windows Update" = "C:\WINDOWS\Start Menu\Programs\Windows Update\file###.###.exe"
"Regedit" = "C:\windows\regedit.exe"
from the registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

restore the default value for the registry keys:
"HKEY_CLASSES_ROOT\mp3file\shell\open\command"
"HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command"
"HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command"
"HKEY_CLASSES_ROOT\mp3file\shell\play\command"
"HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command"
"HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command"
"HKEY_CLASSES_ROOT\txtfile\shell\open\command"

remove the values:
"*Windows" = "c:\windows\windows.exe"
and
"MSMSGS" = "c:\msmsgs.exe"
from the registry key:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

#9 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
This is a dangerous, non-resident overwriting Win32 virus.

The virus itself is a Windows PE EXE file about 28 Kb in length, and it is written in Visual C++.

Depending on the internal counters, the virus searches recursively either for all files, or for files with the following extensions:


.exe
.avi
.mp3
.doc
.zip
.rar
.mpg
.mpg4

The virus searches for these files on the drives C:, D:, E:, F:, and overwrites their original contents with its body. These files can be restored only from a backup.

When the virus is launched, it searches for the file "neh.dll". If this file exists, the virus shows the following message and terminates:


    Error
    Brak biblioteki: neh.dll    (Polish: "Missing library: neh.dll")

After infecting files, the worm shows either the following message:

    WIN_KACZOR virus
    I have just raped your drives...
    I feel sorry, but my desires are stronger...

or two messages:

    Kwa!
    Co chciałoby sie uruchomic programik?    (Polish: "So you'd like to run a little program?")
    Nic z tego. Kaczor mowi: ZAGRAJ W SETTLERS IV!!!!!    (Polish: "Nothing doing. Kaczor says: PLAY SETTLERS IV!!!!!")

    Kwa! Kwa!
    WIN_KACZOR
    by Nijamormoazazel
    Józefów POLSKA

    And what Symantec? BloodHound doesn't work?

Risk level: [image: http://securityresponse.symantec.com/avcenter/graphics/ssrc/category_3_on.gif]
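After an overwriting virus like the one above, the practical question is which files were replaced by the virus body, since those can only come back from backup. The block below is an added example, not code from the post or from Kaspersky/Symantec: it scans a directory tree for two signals, a data extension from the list above whose content starts with an MZ header, and groups of files that share one identical body. The tree it scans is built in a temporary directory with made-up names, and FAKE_BODY is a harmless byte string standing in for a virus body.

```python
# Added example, not from the post or from Kaspersky/Symantec. Finds files that
# an overwriting virus replaced with its own body, using two signals: a data
# extension (from the list in the post) whose content starts with an MZ header,
# and groups of files that share one identical body. The tree it scans is
# constructed in a temporary directory; names are made up and FAKE_BODY is a
# harmless byte string, not malware.
import hashlib
import tempfile
from pathlib import Path

DATA_EXTENSIONS = {".avi", ".mp3", ".doc", ".zip", ".rar", ".mpg", ".mpg4"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def starts_with_mz(path: Path) -> bool:
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def find_overwritten(root: Path, min_cluster: int = 2) -> dict[str, list[str]]:
    """Scan root recursively and return relative paths (posix form) under:
    'mz_data_files'  - data extension, but the content is a Win32 executable
    'identical_body' - files sharing one hash with at least min_cluster members
    The second list also catches overwritten .exe files, which the first cannot.
    """
    mz_hits: list[str] = []
    by_hash: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*"), key=str):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() in DATA_EXTENSIONS and starts_with_mz(p):
            mz_hits.append(rel)
        by_hash.setdefault(sha256_file(p), []).append(rel)
    clusters = [v for v in by_hash.values() if len(v) >= min_cluster]
    return {
        "mz_data_files": mz_hits,
        "identical_body": sorted(rel for c in clusters for rel in c),
    }


# --- constructed sample tree --------------------------------------------------

FAKE_BODY = b"MZ" + b"\x90" * 62 + b"constructed stand-in for a virus body, not executable code"

SAMPLE_FILES = {
    "docs/report.doc": FAKE_BODY,                       # overwritten
    "docs/archive.zip": FAKE_BODY,                      # overwritten
    "music/song.mp3": FAKE_BODY,                        # overwritten
    "tools/setup.exe": FAKE_BODY,                       # overwritten, invisible to the MZ check
    "docs/notes.txt": b"untouched text file\n",         # .txt is not on the target list
    "music/intact.mp3": b"ID3\x03\x00" + b"\x00" * 40,  # real-looking MP3 header
    "tools/readme.exe": b"MZ" + b"\x00" * 30 + b"a different program",
}


def build_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_overwritten(root)


if __name__ == "__main__":
    for signal, paths in demo().items():
        print(signal)
        for rel in paths:
            print("   ", rel)
```

The hash clustering is what surfaces overwritten executables, since an `.exe` that starts with MZ is not suspicious by itself; it will also group legitimate duplicates (two copies of the same archive), so read the cluster together with the extension mix it spans.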

#10 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
Attention!!!

A new version of an old worm is set to trigger its destructive payload on March 6. Klez.E (w32.Klez.E@mm) is sometimes called the Twin Virus because the worm is used to spread an upgraded version of the ElKern virus (w32.elkern.B). The new version can now infect Windows 98, Me, 2000, and XP, attempting to corrupt files on these systems without changing their sizes. Klez.E is currently one of the fastest spreading worms on the Internet and now ranks 7 on the ZDNet Virus Meter.

How it works

Klez.E arrives by e-mail or can be spread by sharing infected files on a network. If it arrives by e-mail, the subject line is randomly chosen from the following list: How are you; Let's be friends; Darling; Don't drink too much; Your password; Honey; Some questions; Please try again; Welcome to my hometown; the Garden of Eden; introduction on ADSL; Meeting notice; Questionnaire; Congratulations; Sos!; japanese girl VS playboy; Look,my beautiful girl friend; Eager to see you; Spice girls' vocal concert; Japanese lass' sexy pictures.

The body text may be blank. The attached filename itself is random with either a PIF, SCR, EXE, or BAT extension.

Like several other recent worms, Klez.E also attempts to disable antivirus software installed on the infected computer. For more details regarding the original Klez worm, see this alert.

The big difference with Klez.E is that it drops an upgraded version of the ElKern virus into infected machines. ElKern.B (w32.elkern.B) now runs under Windows 98, Me, 2000, and XP. ElKern.B adds a hidden file, wqk.exe, to Registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WQK, which is in Windows 98 and Me. Under Windows 2000 and XP, it adds wqk.dll to Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. These files are added so that ElKern.B runs anytime Windows is run. ElKern.B can corrupt files without changing the files' sizes.

Prevention

Klez.E uses a well-known vulnerability in Outlook Express that is included in versions of Internet Explorer 5.01 and 5.5. Microsoft has previously released a patch for this. Users who have not loaded the patch are encouraged to do so or to upgrade to Internet Explorer 6 using the full installation setting.

Removal

Most antivirus software companies have updated their signature files to include Klez.E. Updating these files will stop the infection upon contact and, in some cases, will remove an active infection from your system.

More details here

#11 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
Due to an increased rate of submissions Symantec Security Response has upgraded the threat rating of W32.Gibe@mm from Category 2 to Category 3 as of March 11, 2002. [image: http://securityresponse.symantec.com/avcenter/graphics/ssrc/writeups/category_3_on.gif]

W32.Gibe@mm is a worm that uses Microsoft Outlook and its own SMTP engine to spread. This worm arrives in an email message--which is disguised as a Microsoft Internet Security Update--as the attachment Q216309.exe.

Wild:
  • Number of infections: 50 - 999
  • Number of sites: More than 10
  • Geographical distribution: Medium
  • Threat containment: Easy
  • Removal: Moderate
Damage:
  Payload:
  • Large scale e-mailing: Sends to addresses found in Microsoft Outlook Address book and by searching of .htm, .html, .asp, and .php files.
  • Compromises security settings: Installs a Backdoor Trojan which allows remote access to the infected system
Distribution:
  • Subject of email: Internet Security Update
  • Name of attachment: Q216309.exe
  • Size of attachment: 122,880 bytes
  • Ports: 12378
Technical description:

The fake message, which is not from Microsoft, has the following characteristics:

From: Microsoft Corporation Security Center
Subject: Internet Security Update
Message:
Microsoft Customer,
this is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities
.
.
.
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
.
.
.
Attachment: Q216309.exe

The attached file, Q216309.exe, is written in Visual Basic; it contains other worm components inside itself. When the attached file is executed, it does the following:

It creates the following files:

\Windows\Q216309.exe (122,880 bytes). This is the whole package containing the worm.
\Windows\Vtnmsccd.dll (122,880 bytes). This file is the same as Q216309.exe.
\Windows\BcTool.exe (32,768 bytes). This is the worm component that spreads using Microsoft Outlook and SMTP.
\Windows\GfxAcc.exe (20,480 bytes). This is the Backdoor Trojan component of the worm that opens port 12378.
\Windows\02_N803.dat (size varies). This is the data file that the worm creates to store email addresses that it finds.
\Windows\WinNetw.exe (20,480 bytes). This is the component that searches for email addresses and writes them to 02_N803.dat.

NOTE: Norton AntiVirus detects all of these files as W32.Gibe@mm except the 02_N803.dat. file, which contains only data.

Next, the worm then adds the following values:

LoadDBackUp C:\Windows\BcTool.exe
3Dfx Acc C:\Windows\GFXACC.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The worm also creates the key

HKEY_LOCAL_MACHINE\Software\AVTech\Settings

and adds the following values to that key:

Installed ... by Begbie
Default Address
Default Server

Finally, BcTool.exe attempts to send the \Windows\Q216309.exe file to email addresses in the Microsoft Outlook address book, and to addresses that it found in .htm, .html, .asp, and .php files and wrote to the 02_N803.dat file.


Removal instructions:

Delete files that are detected as W32.Gibe@mm, delete the 02_N803.dat file, and remove the key and values that the worm added to the registry.
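The write-ups in this thread keep returning to the same persistence locations: the Run/RunOnce/RunServices keys (Goner, Gigger, Yarner, Alcarys, Gibe), AppInit_DLLs (ElKern.B dropped by Klez.E) and the HKEY_CLASSES_ROOT\<type>\shell\<verb>\command handlers that Alcarys points at its own copies. The block below is an added example, not code from any of the posts or vendor descriptions: it parses a .reg text export offline and applies a few heuristics to exactly those locations. The export it reads is constructed from values quoted in this thread plus benign filler; file123.456.exe is a made-up instance of the file###.###.exe pattern, and SysTray.Exe is the benign filler.

```python
from __future__ import annotations

# Added example, not from any post or vendor write-up in this thread. Parses a
# registry text export (.reg) offline and inventories the persistence points
# the worms above use: Run/RunOnce/RunServices, AppInit_DLLs, and the
# HKEY_CLASSES_ROOT\<type>\shell\<verb>\command handlers. SAMPLE_REG is
# constructed from values quoted in the thread plus benign filler;
# file123.456.exe is a made-up instance of the file###.###.exe pattern.
import re

AUTORUN_KEY = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Run(Once|Services|ServicesOnce)?$", re.I)
APPINIT_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows$", re.I)
SHELL_COMMAND_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\([^\\]+)\\command$", re.I)

ODD_LOCATIONS = ("\\recycled\\", "\\desktop\\", "\\temp\\", "\\sendto\\",
                 "\\favorites\\", "\\start menu\\")
ODD_EXTENSIONS = (".com", ".scr", ".pif", ".bat", ".vbs", ".js", ".hta")
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")
# Unquoted command lines may contain spaces; cut at the first executable extension.
EXE_TOKEN = re.compile(r"^(.+?\.(?:exe|com|scr|pif|bat|vbs|js|hta|dll))(?:\s|$)", re.I)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text.

    Returns {key: {value_name: data}} with '@' for the default value. Quoted
    REG_SZ data has its backslash escapes removed; hex:/dword: data is kept
    verbatim so it still sh ows up in the inventory.
    """
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip().strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def executable_of(command: str) -> str:
    """The program a command line launches, lower-cased (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    m = EXE_TOKEN.match(command)
    if m:
        return m.group(1).lower()
    return command.split()[0].lower() if command else ""


def audit(keys: dict[str, dict[str, str]]) -> list[tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for each suspicious entry."""
    findings: list[tuple[str, str, str, str]] = []
    for key, values in keys.items():
        if AUTORUN_KEY.match(key):
            for name, data in values.items():
                exe = executable_of(data)
                if DRIVE_ROOT.match(exe) or any(loc in exe for loc in ODD_LOCATIONS):
                    findings.append((key, name, data, "autorun from an unusual location"))
                elif exe.endswith(ODD_EXTENSIONS):
                    findings.append((key, name, data, "autorun of a script, screensaver or .com file"))
        elif APPINIT_KEY.match(key):
            dlls = values.get("AppInit_DLLs", "").strip()
            if dlls:
                findings.append((key, "AppInit_DLLs", dlls,
                                 "AppInit_DLLs set: loaded into every process that maps user32.dll"))
        else:
            m = SHELL_COMMAND_KEY.match(key)
            if m and "@" in values:
                cmd = values["@"]
                if not re.search(r"%[1lL*]", cmd):
                    findings.append((key, "@", cmd,
                                     f"{m.group(1)} '{m.group(2)}' handler never receives the document (no %1)"))
                elif any(loc in executable_of(cmd) for loc in ODD_LOCATIONS):
                    findings.append((key, "@", cmd, "file-type handler in an unusual location"))
    return findings


def audit_reg_export(text: str) -> list[tuple[str, str, str, str]]:
    return audit(parse_reg_export(text))


# Constructed export: values quoted in this thread (Alcarys, Gibe, ElKern.B)
# interleaved with benign entries a clean Windows 9x/NT box would also show.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Regedit"="C:\\windows\\regedit.exe"
"LoadDBackUp"="C:\\Windows\\BcTool.exe"
"Windows Update"="C:\\WINDOWS\\Start Menu\\Programs\\Windows Update\\file123.456.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSMSGS"="c:\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wqk.dll"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="c:\\recycled\\alco.com"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="c:\\windows\\system\\regsvr32.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\print\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"
"""

if __name__ == "__main__":
    for key, name, data, reason in audit_reg_export(SAMPLE_REG):
        print(f"{reason}\n    {key}\n    {name} = {data}")
```

The heuristics are deliberately narrow: an autorun that points at a well-known path such as C:\windows\regedit.exe (Alcarys) or C:\Windows\BcTool.exe (Gibe) passes them, which is why this kind of inventory is paired with hashing the referenced binaries against known-good copies. The %1 check works because a legitimate open verb has to hand the document to the handler; a command that names only an executable runs that executable and drops the file. It does give a false positive on handlers that receive the document over DDE instead of the command line (older htmlfile entries are the classic case), so treat hits as leads.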

#12 petman (Senior Member)
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
W32.Delalot.B.Trojan is a Trojan horse that attempts to delete all files on all hard drives.


Wild:
  • Number of infections: 0 - 49
  • Number of sites: 0 - 2
  • Geographical distribution: Low
  • Threat containment: Easy
  • Removal: Easy
Damage:

Deletes files: All files on all hard drives.

Technical description:

If W32.Delalot.B.Trojan is executed, it first attempts to delete all files in all folders and subfolders on all hard drives. Then it drops the text file Piracy.txt into the root folder and displays the message:
[image: http://securityresponse.symantec.com/avcenter/graphics/w32.delalot.b.trojan.1.gif]

#13
petman
Senior Member
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
Win32.Klez.H@mm

W32.Klez.H@mm is a modified variant of the worm W32.Klez.E@mm. This variant is capable of spreading by email and network shares. It is also capable of infecting files.


Wild:
  • Number of infections: 0 - 49
  • Number of sites: 0 - 2
  • Geographical distribution: Medium
  • Threat containment: Moderate
  • Removal: Easy
Damage:
  • Payload: This worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.
  • Large scale e-mailing: This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.
  • Releases confidential info: Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment.
Distribution:
  • Subject of email: Random
  • Name of attachment: Random

When this worm is executed, it does the following:

It copies itself to %System%\Wink.exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

Wink %System%\Wink.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

Anti-Vir.dat
Chklist.dat
Chklist.ms
Chklist.cps
Chklist.tav
Ivb.ntz
Smartchk.ms
Smartchk.cps
Avgqt.dat
Aguard.dat

Local and Network Drive copying:
The worm copies itself to local, mapped, and network drives as:
  • A random file name that has a double extension. For example, Filename.txt.exe.

  • A .rar archive that has a double extension. For example, Filename.txt.rar.
Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The From address is randomly-chosen from email addresses that the worm finds on the infected computer.

The worm will search files that have the following extensions for email addresses:
.mp8
.exe
.scr
.pif
.bat
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf

In addition to the worm attachment, the worm also may attach a random file from the computer.
The file will have one of the following extensions:
.mp8
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf

As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly-selected file.

The email message that this worm sends is composed of "random" strings.
The subject can be one of the following:

Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures

The random word will be one of the following:
new
funny
nice
humour
excite
good
powful
WinXP
IE 6.0
W32.Elkern
W32.Klez.E
Symantec
Mcafee
F-Secure
Sophos
Trendmicro
Kaspersky

The body of the email message is random.

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

http://www.microsoft...in/MS01-020.asp

Virus Insertion:
This worm inserts the virus W32.Elkern.4926 as a file with a random name in the %Program Files% folder and executes it.

NOTE: %Program Files% is a variable. The worm locates the Program Files folder (by default this is C:\Program Files) and copies the virus to that location.

Removal Instructions

Download the anti-Klez utility


PS: I deleted the threads because I considered they were no longer needed.

#14
horatzica
Member
  • Group: Members
  • Posts: 1,436
  • Joined: 20.03.2002
W32.Maldal.K@mm is a variant of W32.Maldal@mm. It is a mass-mailing worm that is written in Visual Basic. The worm attempts to send itself to all contacts in the Microsoft Outlook address book and the MSN Messenger contact list. It also searches for email addresses in all .html files. It creates several registry keys and files on the system.

#15
petman
Senior Member
  • Group: Senior Members
  • Posts: 4,794
  • Joined: 28.11.2001
W32.Hedong.A@mm is a mass mailing worm which makes use of its own SMTP engine. Depending upon the system time, the worm sends either Hello.exe or Hello.vbs. The worm copies itself to %System%\Exporler.exe.

Also Known As: WORM_DONGHE.A, W32/Hedong@MM
Type: Worm
Infection Length: 49,152 bytes or 2,301 bytes
Systems Affected: Windows, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Wild:
  • Number of infections: 0 - 49
  • Number of sites: 0 - 2
  • Geographical distribution: Low
  • Threat containment: Easy
  • Removal: Easy
Damage:
  • Payload Trigger: Execution of the VBS file
  • Payload: The VBS file will delete all files with ".exe", ".dll", ".dat", ".doc", or ".mp3" extensions from the machine. The Win32 file will send itself to a randomly generated e-mail address.
  • Deletes files: Hello.vbs will delete all files with ".exe", ".dll", ".dat", ".doc", or ".mp3" extensions from the machine.
Distribution:
  • Subject of email: varies
  • Name of attachment: hello.exe or hello.vbs
  • Size of attachment: 49,152 bytes or 2,301 bytes
Technical details
W32.Hedong.A@mm is a mass mailing worm which makes use of its own SMTP engine. When it is executed, it does the following:
  • It attempts to connect to one of the following servers:

    smtp.citiz.net
    smtp.china.com
    smtp.sina.com
    smtp.263.net
    smtp.sohu.com
    smtp.163.net
    smtp.163.com

  • Next, it sends an email message which varies depending on the system time:

    If the system time is divisible by 3, it sends an email message with the attachment Hello.exe.
    If the system time is not divisible by 3, it sends the file Hello.vbs.

  • The worm generates all other email characteristics randomly:

    The "From" address will contain randomly generated characters followed by "@" and then the string following the "smtp." from the SMTP server it selected to use to send the email messages. For example, if it chose to use "smtp.163.net", the From address could be any set of random characters followed by "@163.net".
    The "To:" address is constructed in the same way. The subject will be a randomly chosen subject containing Chinese text.

  • The worm also makes use of the Incorrect MIME Header exploit to allow automatic execution on unpatched computers.

  • The worm then copies itself to %System%\Exporler.exe.

NOTE: %System% is a variable. The worm locates the Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It configures that file to run every time that an executable file is run by changing the default value of the registry key

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

to

%System%\Exporler.exe %1 %*

If the file that was executed was Hello.vbs, it performs the following additional actions:
  • It copies itself to %System%\MSKernel.vbs and %Windows%\Win32Dll.vbs.

  • It adds the value

    MSKernel32 %System%\MSKernel32.vbs

    to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    and the value

    Win32Dll %Windows%\Win32Dll.vbs

    to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

  • It also changes the Internet Explorer home page to http:/ /www.hziee.edu.cn.

  • Finally, Hello.vbs deletes from all local and mapped drives all files that it finds that have the .exe, .dll, .dat, .doc, and .mp3 extensions.

Removal instructions
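
The Run-key entries described for Gibe, Klez.H and Hedong, the exefile\shell\open\command change in this post, and the HKCR\.vmm association described for Kazmor.b below all leave a shape in the registry that a defender can check for in an exported .reg file. The Python below is an added example, not code from this thread or from any vendor writeup; the watchlist of value names and both .reg samples are constructed from the entries these posts describe.

```python
import re

# Value names that the writeups in this thread attribute to the worms' Run-key
# entries. Constructed watchlist; the other two checks are name-independent.
RUN_VALUE_WATCHLIST = {"loaddbackup", "3dfx acc", "wink", "windows",
                       "windows kernel", "mskernel32", "win32dll"}
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runservices")
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # stock exefile\shell\open\command value


def _unescape(s: str) -> str:
    # A .reg export writes a backslash as \\ and a double quote as \"
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse a 'Windows Registry Editor' export into {key: {value_name: data}};
    only string values are kept and the default value '@' gets the name ''."""
    line_re = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(?:"((?:[^"\\]|\\.)*)"|.*)$')
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = line_re.match(line) if current is not None else None
        if m is None or m.group(3) is None:
            continue  # outside any key, or dword:/hex: data rather than a string
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        keys[current][name] = _unescape(m.group(3))
    return keys


def audit(reg_text: str) -> list:
    """Return (check, key, detail) findings for the persistence tricks above."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        path = key.split("\\", 1)[1] if "\\" in key else key  # drop the hive
        leaf = key.rsplit("\\", 1)[-1]
        if path.endswith(r"exefile\shell\open\command"):
            # Hedong-style hijack: anything but "%1" %* runs before every .exe
            cmd = values.get("", "")
            if cmd.strip() != CLEAN_EXEFILE_COMMAND:
                findings.append(("exefile-hijack", key, cmd))
        elif path in RUN_KEYS:
            for name, cmd in values.items():
                if name.lower() in RUN_VALUE_WATCHLIST:
                    findings.append(("run-watchlist", key, f"{name} = {cmd}"))
        elif leaf.startswith(".") and leaf != ".exe" and values.get("", "").lower() == "exefile":
            # Kazmor.b-style alias: files with a foreign extension run as .exe
            findings.append(("exefile-alias", key, leaf))
    return findings


# Constructed sample modelled on the entries this thread describes; it is not
# an export taken from a real infected host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Wink"="C:\\Windows\\System\\Wink.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\Windows\\System\\Exporler.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\.vmm]
@="exefile"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
```

`audit(SAMPLE_EXPORT)` reports one finding per trick and `audit(CLEAN_EXPORT)` reports none; on a real host the input would be a `reg export` of the keys named in these posts.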

#16
Smash
Junior Member
  • Group: Members
  • Posts: 97
  • Joined: 15.08.2002
Worm.P2P.Kazmor



Kazmor is a P2P (peer to peer) and network worm with backdoor abilities. The worm itself is a Windows PE EXE file written in Delphi. Depending on the specific version the worm's size varies, however it is typically about 52KB or 56KB when it is compressed by the TeLock utility (the decompressed size is about 80-90KB).

This worm is very closely related to another worm - Worm.Win32.Apart.

Installing
While installing, the Kazmor worm copies itself to the Windows system directory under either of these names:

"Kazmor.a": Windows.exe
"Kazmor.b": KERNEL32.VMM

It then sets the "hidden" attribute on this file and registers it in the system registry auto-run key:

"Kazmor.a":

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows = %WindowsDir%\Windows.exe

"Kazmor.b":

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Kernel = %WindowsDir%\KERNEL32.VMM

The Kazmor.a worm also hides itself in the system. It installs its own 'hooks' on the Win32 API FindProcess/Modules functions and "skips" its process on these calls. Thus the worm's process is not visible in the active tasks list.

The Kazmor.b worm also creates the HKCR\.vmm key that is associated with the "exefile" file type. Thus '.VMM' files will be executed as original '.EXE' files.

Spreading
At the request of the worm's master (see "Backdoor" below) the worm spreads over a local network or infects P2P shared folders.

Local network infection: the Kazmor worm opens network drives that are available for full access and copies itself to the WINDOWS\Start Menu\Programs\StartUp directory under the name "REAL PLAYER.EXE".

P2P folders infection: Kazmor copies itself to the Kazaa and Morpheus folders with the following names:

Backdoor
The backdoor routine allows a remote master to perform the following actions on victim computers:


send out detailed computer information: drivers description, local date and time, default language, computer name, CPU speed and number of processors, RAM size, Windows version, etc.
steal cached passwords, MSN account login and password, as well as .NET Messenger information.
Kazmor also performs the following routines, it:

- spreads over local networks and to P2P networks
- receives files or download files from a Web site
- executes a file
- performs DoS attacks on remote computers
- pings a remote computer
- scans ports and IP addresses
- redirects PC ports
- sends spam messages through AOL Instant Messenger and to a mIRC channel

#17
ravhen
Junior Member
  • Group: Members
  • Posts: 62
  • Joined: 02.08.2003
Backdoor.IRC.RPCBot.C

Type:  Trojan Horse
Infection Length:  varies
Systems Affected:  Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected:  Linux, Macintosh, OS/2, UNIX

Backdoor.IRC.RPCBot.C is a collection of batch files, script files, utilities, as well as hacktools. It is possible that the names and functions of the files may change. The information discussed in this writeup is based on the samples that Security Response has reviewed.

Note: In the following list of files, the file sizes are in bytes (in parentheses).

The files associated with Backdoor.IRC.RPCBot.C are:
Explorer.exe (638,976): A packed mIRC32 client. This file is not viral itself, and Symantec antivirus products do not detect it as such.
Mirc.ini (2,684): An mIRC initialization script. This file is not viral itself, and Symantec antivirus products do not detect it as such.
Remote.ini (80): A malicious mIRC script. This is detected as Backdoor.IRC.RPCBot.C.
Aliases.ini (11): An mIRC script. This file is not viral itself, and Symantec antivirus products do not detect it as such.
Dcom.exe (10,784): An executable that the Trojan uses to exploit the DCOM RPC vulnerability. It is detected as Backdoor.IRC.RPCBot.C.
Dcom.mrc (2,802): A malicious mIRC script. This is detected as Backdoor.IRC.RPCBot.C.
Hidden32.exe (29,696): A utility that is used to hide windows. This file is not viral itself, and Symantec antivirus products do not detect it as such.
Macros.txt (324): A script passed to Dcom.exe. It is detected as Backdoor.IRC.RPCBot.C.
Script.ini (920): A malicious mIRC script. It is detected as Backdoor.IRC.RPCBot.C.
Servers.ini (50): A list of IRC servers. This file is not viral itself, and Symantec antivirus products do not detect it as such.
Winhp32.exe (22,016): A utility that is used to hide windows. This file is not viral itself, and Symantec antivirus products do not detect it as such.

When Backdoor.IRC.RPCBot.C runs, it does the following:

Creates the folder C:\Program Files\Common Files\Microsoft Shared\CDO, and drops the aforementioned files there.


Connects to a specific IRC channel on a specific IRC server to receive remote instructions from the Trojan's creator.

One such command is to exploit the DCOM RPC vulnerability: The Trojan connects to some randomly generated IP addresses to find computers that are listening at TCP port 135. It sends one of two types of data: Either to exploit Windows XP or Windows 2000. Once the computer is found, the Trojan sends specially formed data, which exploits the DCOM RPC vulnerability, to that computer.

If the exploit is successful, the Trojan will try to connect to an FTP server and download and execute the following two files:
Sdbot0b.exe (24,608 bytes): Detected as W32.HLLW.Moega.
Down.com: A utility that disables DCOM.

After execution, both files are deleted.
Download for Symantec products:

http://securityrespo...s.download.html

Have a nice day...:)

#18
ravhen
Junior Member
  • Group: Members
  • Posts: 62
  • Joined: 02.08.2003
W32.HLLW.Darby

Discovered on: August 29, 2003  
Last Updated on: August 31, 2003 10:09:45 PM

W32.HLLW.Darby is a worm which spreads through file-sharing networks such as Kazaa and Morpheus, and may also attempt to spread through email and IRC.
When executed, this worm displays a message box which says either "The file this total or partially damaged, impossible to open the file", or "El archivo esta total o parcialmente danado, imposible abrir el archivo".
This threat is written in Visual Basic and packed with UPX.
Also Known As: W32/Bardiel
Type: Worm
Infection Length: 108-109K

Details link: http://securityrespo...hllw.darby.html

Recommendations:

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal Update: http://securityrespo...s.download.html

Have a nice day...:)
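
The attachment-blocking recommendation above, together with the double extensions (Filename.txt.exe) noted for Klez.H and the Incorrect MIME Header exploit (MS01-020) that the Klez and Hedong posts mention, can be expressed as a mail-side check. The Python below is an added example, not part of this thread or of any Symantec writeup; the two sample messages are constructed, and the "attachment" in the first is only the opening bytes of a PE header, not a program.

```python
import email
from email import policy

# Attachment types the Darby post recommends blocking or removing at the server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def attachment_findings(raw_message: bytes) -> list:
    """Return (check, detail) findings for one RFC 822 message: a blocked
    extension, a Klez-style double extension, a payload carrying the PE 'MZ'
    magic under any name, and an executable declared with a non-executable
    MIME type (the Incorrect MIME Header trick, MS01-020)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        exts = ["." + e for e in name.lower().split(".")[1:]]
        is_blocked = bool(exts) and exts[-1] in BLOCKED_EXTENSIONS
        is_pe = payload[:2] == b"MZ"
        if is_blocked:
            findings.append(("blocked-extension", name))
            if len(exts) >= 2:  # e.g. notes.txt.exe, as Klez.H drops on shares
                findings.append(("double-extension", name))
        if is_pe:
            findings.append(("pe-payload", name or ctype))
        if (is_blocked or is_pe) and not ctype.startswith("application/"):
            findings.append(("mime-type-mismatch", f"{name or '(unnamed)'} declared as {ctype}"))
    return findings


# Constructed message combining the lures this thread describes; the base64
# body is only a PE header stub and does not run.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: how are you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: audio/x-wav; name="notes.txt.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="notes.txt.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""

# Constructed benign message: a plain-text attachment under a matching type.
CLEAN_MESSAGE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: meeting notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

agenda attached
--b2
Content-Type: text/plain; name="agenda.txt"
Content-Disposition: attachment; filename="agenda.txt"

1. budget
--b2--
"""
```

A server-side filter would run `attachment_findings` on each inbound message and quarantine any message that yields a finding; the `pe-payload` check also catches an executable renamed to an extension outside the blocked set.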
