Internet Security Discussion Forum
This forum is for the discussion of security-related issues. If you find a new phishing scheme, spyware, virus or malicious site, let us know about it. If any of the above found you... here's where you ask for help.
W32/Zafi.b@MM is a Medium Risk mass-mailing worm that spreads via email and peer-to-peer applications. When spreading via email, the worm will both spoof the sender's From address and send itself out in different languages depending on the top-level domain of the recipient's email address. For example, if the address ends in .COM, the virus's email body will appear in English; if the address ends in .DE, the email will appear in German. The worm also attempts to cripple anti-virus and firewall software installed on a user's system by locating and overwriting the user's security software with copies of itself. Furthermore, the worm will attempt to thwart manual detection by terminating key Windows processes.
------------------------------------------------------------
WHAT TO LOOK FOR:
FROM: Varies (forged addresses taken from infected system).
SUBJECT: Varies. Examples:
- You've got 1 VoiceMessage!
- Don't worry, be happy!
- Check this out kid!!!
BODY: Varies.
Online Scan for W32/Zafi.b@MM: ==> http://us.mcafee.com/root/campaign.asp?cid=10564
__________________
Forum Rules "Cat washing IS a martial art." "Remember Today IS Yesterday's Tomorrow"
Virus: A computer program that replicates on computer systems by incorporating itself into shared programs. Viruses range from harmless pranks that merely display an annoying message to programs that can destroy files or disable a computer altogether. Whether they're considered malicious or malevolent, all viruses spread rapidly, for example from one computer to millions of others around the world, infecting machines and causing them to crash. Some well-known examples include the "I Love You" virus, Code Red, and Nimda.
Viruses are most commonly transmitted through e-mail; "strains" have appeared that use personal e-mail address books to propagate themselves from machine to machine. If you are connected to the Internet or any other network, it is important that you take precautions against viruses. Get a virus-scanning program (in fact, you can get one from this definition on NetLingo.com) and do not open any e-mail attachments from people you do not know.
Virus Lists and Libraries:
http://www.viruslist.com/eng/
http://virusall.com/downrem.html
http://www.cexx.org/
http://us.mcafee.com/default.asp
P.S. The information provided has been a WPW community effort. Thank you for the donation of time and information to everyone who has contributed and everyone who will :)
__________________
Just wanted to add something:
The browser's name is Mozilla Firefox (the e-mail application is called Mozilla Thunderbird). I also recommend using Mozilla Thunderbird instead of MS Outlook Express, because it is faster and way safer to use imo. You can get Firefox at http://www.mozilla.org/products/firefox/ :)
EDIT: ah, just came to realize that there is a Mozilla browser called Firebird :D ... sorry, just didn't know it ;)
Quote:
That is what you said. In other words, it does not make any mail agent less prone than the other. The problem with viral attacks through email is usually due to human error and not the mail software. It is not any more than that, and not any less. If you want to be safe in Outlook Express, do not open any attachments ... plain and simple. If you have an itchy clicking finger, then do this in your options: go to the menu Tools > Options. This will open up a dialog box; click on the Security tab. Set it up just like I have in this image grab. Educate people to do this very simple thing, and they can have as much safety (with due caution) as with any other mail agent.
And on the 'Read' tab, there is a box you can select to 'show messages in plain text only', because way too many people think that if there is no virus attached, it is safe.
This is how hijackers get control these days: once you open a page in an HTML viewer or browser, script can run that redirects you to a page that downloads and installs trojans, before you can blink twice. This is one area where OE is more vulnerable, but it won't last long anymore. Hackers/crackers/scammers/virus writers are starting to target everyone else. So don't even open an email PERIOD in OE, unless you have it in text mode, or you are not trigger happy LOL
Like its predecessors, W32/Lovgate.ad@MM is a Medium Risk mass-mailing worm hiding inside an email attachment. When run, the worm:
1. Drops a dangerous backdoor on an infected machine that can allow a remote hacker to steal information.
2. Infects executable programs.
3. Tries to disable anti-virus and security software.
4. Emails itself (a) to stolen contacts or (b) as replies to unread MS Outlook or Outlook Express messages on the infected machine, spoofing the "From:" field.
--> What should I look for?
Subject (examples): hi, hello, Hello, Mail transaction Failed, mail delivery system
Body (examples): Mail failed. For further assistance, please contact! The message contains Unicode characters and has been sent as a binary attachment.
Attachment: Randomly constructed strings with the following extensions: .EXE, .PIF, .SCR, .ZIP
--> How do I know if I've been infected?
Presence of various .EXE, .DLL or .ZIP archive files on system. Modified System Registry.
__________________
Thank god for LiveUpdate, that's what I say. :P
--> What are they?
W32/Beagle.ag@MM and W32/Beagle.ai@MM are Medium Risk mass-mailing worms that try to open a backdoor on your PC, giving a hacker remote access. Like their predecessors, these worms spread by emailing themselves to stolen contacts and via popular file-sharing programs such as KaZaa, Bearshare and Limewire. They also try to terminate anti-virus and other security software operation.
--> What should I look for?
FROM: Varies (spoofed)
SUBJECT: Examples: Re:, Password: %s, Pass - %s, Key - %s
BODY: Examples: >foto3 and MP3, >fotogalary and Music, >fotoinfo. May also be blank.
ATTACHMENT: Examples: MP3, Music_MP3, New_MP3_Player, foto3, foto2, foto1 (may include extensions such as .EXE, .SCR, .COM, .ZIP, .CPL). Password-protected ZIP files may also contain a second, randomly named file (with extensions such as .ini, .cfg, .txt, .vxd, .def, .dll).
--> How do I know if I've been infected?
Outgoing messages with noted subject lines, attachments.
This alert is being posted a couple of days late due to email malfunction. But hey, better late than never ;)
__________________
--> What is it?
W32/Mydoom.o@MM is a Medium-On-Watch risk mass-mailing worm that tries to open a hacker backdoor on your PC. Often pretending to be a bounced email alert, the worm arrives inside an attachment, then spreads by sending itself to stolen contacts and via peer-to-peer programs.
--> What should I look for?
FROM: Varies. Examples: "Bounced mail," "MAILER-DAEMON," "Mail Administrator". Often spoofed.
SUBJECT: Varies. Examples: delivery failed, Message could not be delivered, Mail System Error - Returned Mail
BODY: Example: We have received reports that your account was used to send a large amount of junk email messages during the last week.
ATTACHMENT: Examples: README, INSTRUCTION, TRANSCRIPT
--> How do I know if I've been infected?
The worm installs itself as JAVA.EXE in an infected computer's Windows directory. TCP Port 1034 open.
__________________
W32/Rbot-EW -- Another bot Trojan that exploits network shares with weak passwords to spread between machines. It installs itself as "UPDATE_W.EXE" in the Windows System directory and allows backdoor access via IRC. (Sophos)
W32/Rbot-FC -- This Rbot variant is similar to EW above, except it uses the infected file "WINSYST32.EXE" and adds the twist of a file logger and CD key stealer. (Sophos)
W32/Rbot-DE -- Another Rbot variant. It uses "WINSYS32.EXE" as its infection point and tries to kill certain network share connections. (Sophos)
W32/Sdbot-KU -- A bot that spreads by exploiting machines infected with MyDoom or without the Windows DCOM patch. It installs itself as "PEREMPTION.EXE" and allows backdoor access via IRC. It can be used to launch SYN flood attacks against remote sites and also attempts to steal CD keys for popular games. (Sophos)
W32/Tompai-A -- A backdoor Trojan that spreads via network shares and uses a variety of filename combinations to install itself in the Windows System folder. The virus has the text "phantompain" embedded in the code. (Sophos)
W32/Agobot-KM -- Yet another bot that uses weakly protected network shares to spread between machines. This infects "MSVSRV32.EXE" in the Windows System directory, allows backdoor access via IRC, and modifies the Windows HOSTS file to block access to anti-virus sites. (Sophos)
__________________
W32/MyDoom-O -- Another MyDoom variant that uses e-mail to spread and search engines to dig for more potential targets. Doesn't seem to have the same impact as MyDoom-M. (Sophos)
W32/Stewon-A -- A peer-to-peer virus that spreads via the likes of Kazaa using a compressed .zip file. The virus installs itself as "genoxial.exe" in the Windows System folder. (Sophos)
Troj/CmjSpy-Z -- A keylogging Trojan that installs itself as "hpserver.exe" in the Windows system folder and records its captured info in "hlicense.vxd". No word on how it spreads. (Sophos)
W32/Agobot-LM -- Another Agobot variant that spreads via network shares, allows backdoor access via IRC, and kills security applications as well as access to related sites. It installs itself as "LSAS.EXE". (Sophos)
W32/Agobot-LL -- Hey, another Agobot variant. Similar to Agobot-LM above, except that it infects the file "SVCSYS32.EXE" in the Windows System folder. This one could also be used in a DoS attack against third-party sites. (Sophos)
W32/Scaner-A -- A virus that attempts to exploit the Windows LSASS vulnerability, for which there's been a patch available for a few months. The virus attempts to report back its findings via an HTTP POST. (Sophos)
W32/Febelneck-A -- This virus spreads via a .zip file. It tries to change the name of the infected machine to "Nebelfleck" and delete certain files on the affected system. (Sophos)
__________________
VIRUS ADVISORY: W32/Bagle.aq@MM
--> What is it?
W32/Bagle.aq@MM is a Medium Risk mass-mailing worm that tries to open a hacker backdoor on your PC. Launched by code hidden inside a ZIP attachment, the virus spreads by emailing itself to stolen contacts and via popular file-sharing programs such as KaZaa, Bearshare and Limewire. It also tries to terminate anti-virus and other security software operation. Up-to-date McAfee VirusScan users with DAT 4384 are protected from this threat.
Note: To fortify anti-virus defense against viruses that carry backdoor payloads, we recommend installing McAfee Personal Firewall Plus: http://us.mcafee.com/root/campaign.asp?cid=11276
--> What should I look for?
FROM: Varies (spoofed)
SUBJECT: Blank
BODY: Examples: new price, The password is, Password:
ATTACHMENT: Examples: price.zip, price2.zip, price_new.zip
--> How do I know if I've been infected?
Communication Port 80 (TCP) open. Outgoing messages with noted body content and ZIP attachments.
__________________
This mass-mailing virus appears to contain photos but actually attempts to install a backdoor Trojan horse.
A variation of the MyDoom virus appears to be e-mail containing photographs. MyDoom.s (w32.MyDoom.s@mm, also known as MyDoom.m (Norman), MyDoom.q (Symantec), MyDoom.r (Panda), and Ratos (Trend Micro)) is a mass-mailing worm that uses its own SMTP engine to send out copies of itself to addresses harvested from the infected PC. It spoofs the return address, making it hard to trace infected machines, and attempts to download a backdoor Trojan horse from one of two sites on the Internet. MyDoom.s does not affect Linux, Mac, or Unix systems. Because MyDoom.s spreads via e-mail, opens a remote access backdoor on infected PCs, and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
MyDoom.s arrives as an attachment with the following characteristics:
Subject: photos
Body: LOL!;))))
Attachment: photos_arc.exe
If the attachment is opened, MyDoom.s adds the file rasor38a.dll to the Windows folder and the file winpsd.exe to the system directory. It also makes the following system Registry changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe
Once executed, MyDoom.s attempts to download a backdoor Trojan horse from either www.richcolour.com or zenandjuice.com.
Prevention
If you receive MyDoom.s, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall will prevent the virus author from gaining remote access to your PC.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
__________________
WORM_SDBOT.VQ is a memory-resident worm that spreads via network shares and exploits specific vulnerabilities to propagate across networks. It also gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. This worm has backdoor capabilities and attempts to connect to an Internet Relay Chat (IRC) server to allow a remote user to access the infected system and perform malicious commands. WORM_SDBOT.VQ runs on Windows NT, 2000, and XP.
Upon execution, this memory-resident worm drops a copy of itself in the Windows System directory as EXPLORER32.EXE. It adds registry entries to enable this dropped copy to run at every Windows startup. It then creates several threads to be used for sniffing, keylogging, and other backdoor capabilities. It also attempts to send copies of itself to other systems as BLING.EXE.
This worm spreads via network shares. It gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. It then attempts to access systems with weak passwords to drop a copy of itself. You may view the list of usernames and passwords in the Technical Details section of this virus description at http://www.trendmicro.com/vinfo/viru...BOT.VQ&VSect=T
This worm takes advantage of the following Windows vulnerabilities:
IIS5/WEBDAV Buffer Overflow vulnerability
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
Buffer Overflow in SQL Server 2000
Windows LSASS Vulnerability
This worm attempts to connect to the Internet Relay Chat (IRC) server irc.t3musso.net, which allows a remote user to access the infected system and perform the following commands:
Update malware from HTTP and FTP URL
Steal CD keys of game applications
Execute a file
Download from HTTP and FTP URL
Open a command shell
Open files
Display the driver list
Get screen capture
Capture pictures and video clips
Display netinfo
Make a bot join a channel
Stop and start a thread
List all running processes
Rename a file
Generate a random nickname
Perform different kinds of DDoS attacks
Retrieve and clear log files
Terminate the bot
Disconnect the bot from IRC
Send a message to the IRC server
Let the bot perform mode change
Change BOT ID
Display connection type, local IP address and other net information
Log in and log out the user
Issue ping attack on a target computer
Display the following system information:
- CPU speed
- Amount of Memory
- Windows platform, build version, and product ID
- Malware uptime
- User name
It also checks for the following strings, and then attempts to steal Windows product ID and CD keys for several game applications:
:.login :,login :!login :@login :$login :%login login :&login :*login :-login :+login :/login :\login :=login :?login :'login login :~login : login :.auth :,auth :!auth :@auth :$auth :%auth :&auth :*auth :-auth :+auth :/auth :\auth :=auth :?auth :'auth :~auth : auth :.hashin :!hashin :$hashin :%hashin :.secure :!secure :.syn :!syn :$syn :%syn paypal PAYPAL paypal.com PAYPAL.COM
The remote malicious user can also issue commands to allow the bot to log user keystrokes.
__________________
WORM_MEXER.E is a memory-resident worm that propagates via peer-to-peer (P2P) file-sharing networks, particularly Kazaa and Imesh, and by mailing copies of itself via Simple Mail Transfer Protocol (SMTP). This worm creates a folder and drops several copies of itself into this folder, using filenames that pertain to software, movies, or games. It gathers email addresses from the infected system by scanning certain files for email addresses it can send to. WORM_MEXER.E is currently spreading in the wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, this memory-resident worm displays a message box. It then adds a registry entry that allows it to automatically execute at every system startup. To propagate via peer-to-peer file-sharing networks, specifically Kazaa and Imesh, the worm creates three more registry entries.
This worm then creates a folder named sysnet in the root folder and drops 42 files in it. It also drops another set of randomly named files in this same folder. The filenames are formed using a combination of 70 different naming strings comprised of the titles or names of popular software, movies, and games. These filenames are meant to entice P2P network users to download and execute them. Read the Technical Details section of the Virus Description on Trend Micro's Web site for the full list of naming strings: http://www.trendmicro.com/vinfo/viru...EXER.E&VSect=T
This worm also searches for the following files:
C:\*.DBX
C:\*.DOC
C:\*.HTM
C:\*.RTF
C:\*.SHT
C:\*.TXT
C:\*.WAB
If found, the worm scans these files for email addresses and sends email to these addresses. It skips email addresses with the following strings: admi, host, kasp, micr, newv, root, supp, viru, webm
It sends email via Simple Mail Transfer Protocol (SMTP) with any of the following details:
Subject: EBAY Information
Message body: EBAY Installer...
Attachment: <files from the sysnet folder>

Subject: VISA Information
Message body: Security Tool...
Attachment: <files from the sysnet folder>

Subject: Provider Information
Message body: New account data...
Attachment: <files from the sysnet folder>

Subject: Your Crack1
Message body: Here is your crack!
Attachment: <files from the sysnet folder>

Subject: Internet Information
Message body: New account data...
Attachment: <files from the sysnet folder>
__________________
--> What is it?
The latest variant of the original W32/Netsky.MM virus, W32/Netsky.ag@MM is a Medium Risk mass-mailing worm that arrives inside an email with a subject line, body content and attachment file name in Portuguese. Like its predecessors, W32/Netsky.ag@MM steals email addresses from an infected machine, then forwards itself to those contacts, often faking the "From:" field.
--> What should I look for?
FROM: Varies (forged addresses taken from infected system).
SUBJECT: Varies. Examples: 0123456789, Abra rapido isso!!!!, acrdito que em voce!!!
BODY: Varies. Examples: PizzaVeneza!, preenche ai ta bom, encontro voce!
ATTACHMENT: Varies. Examples: agradou, agua!, AIDS!
--> How do I know if I've been infected?
When run, the worm displays a message box with the warning "File corrupted replace this!". The worm copies itself to folders with the string "share" or "sharing", network shares and P2P shared folders, using file names like aninha gatinha!.zip.scr, barrio.scr and cafe!!.zip.scr.
--> How do I find out more?
View details about W32/Netsky.ag@MM here: http://us.mcafee.com/root/campaign.asp?cid=12198
__________________
WORM_FILI.A is a non-destructive worm that propagates via peer-to-peer applications by dropping copies of itself in default shared folders. It also propagates via email and Internet Relay Chat (IRC). It can disable the Windows Task Manager, thereby preventing an infected user from terminating its process. It also displays the Windows Shut Down menu (the window that pops up when the CTRL+ALT+DEL keys are pressed) every few seconds to annoy the user. This worm is currently spreading in the wild and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, this worm drops a copy of itself in the Windows system folder as the file PILIF.EXE. It creates a registry entry that allows it to automatically execute at every system startup.
This worm drops copies of itself in the following folders found in the Program Files directory, which are default shared folders of popular peer-to-peer (P2P) applications:
\BearShare\Shared
\BearShare\Shared\
\Edonkey2000\Incoming
\Edonkey2000\Incoming\
\Grokster\My Grokster
\Grokster\My Grokster\
\icq\shared files\
\Kazaa\My Shared Folder
\Kazaa\My Shared Folder\
\KMD\Shared Folder
\limewire\Shared
\limewire\Shared\
\Morpheus\My Shared Folder
\Morpheus\My Shared Folder\
\Shareaza\downloads
\WinMX\my shared folder\
Shareaza\downloads
It uses any of the following file names for its dropped copy, followed by an .EXE, .SCR, .PIF, .BAT, or .CMD extension:
Anti-hacker Utility
Cracks mega warez collection
Dark Coderz Alliance
Easy credit card validation
Free porn sites accounts
Kasperky AV Universal Key
Norton 2004 crack
Sex - totally free porn
Webmail official hacker
Yahoo hacker
This worm searches for email addresses in .HTM and .HTML files found on the affected system. It then sends email messages to these addresses using MAPI. It sends email with the following details:
Message body: (any of the following)
Important legal notice! Do not delete this message. Analyse attachement and reply as soon as possible with manifesto details. Thank you!
-------------------
Please help us to save the right of freedom of expression! All details will be displayed in small attached file. Good luck and thank you.
-------------------
You personal manifesto details are attached. Take good care of them!
-------------------
Help us gather online votes for our anti-censore manifesto We need you help now! Attachement will automatically send a vote to our online database once you run it and will be redirected to our webpage! Thank you!
-------------------
Its curious, its scandalous... dont be so furious! Life is bitch so dont take it serious.
-------------------
Please help us be free! We need the basic right of expression. Enable an online vote for our manifesto with the help of the attachement. Many thanks!
-------------------
Music is beeing censored, journalists are afraid, law has not been respected for long time. Why? Because of corruption and lack of right of expression. Help us! Enable the attachement and our voting system will track and record you help. Many thanks!
-------------------
Parazitii need your help for the anti-censore campaign! See all details in the attachement. Thank you!
-------------------
Its just hip-hop. Nothing else. Enjoy! Oh yeah! one more thing: its a censore-related manifesto :)
-------------------
This is my manifesto. You can stop this individual, but you can't stop us all...after all,we're all alike.
-------------------
Attachment: (any one of the following, followed by an .EXE, .SCR, .PIF, .BAT, or .CMD extension)
· attachement
· details
· freedom
· Freedom of expression
· Goverment issue
· JOS CeNzurA
· manifesto
· Manifesto anti pilif
· Manifesto details
· Parazitii
· pilif
· Simple solution
· stolen rights
· sustain cause
This worm drops a modified SCRIPT.INI file in the following folders:
C:\mirc\
C:\mirc32\
C:\mirc\32
%Program Files%\mirc\
%Program Files%\mirc32\
This modified IRC script sends a copy of the worm to every user who enters the same chatroom as the infected user. It displays the following message upon file transfer: DCA are fighting for free speech. Get their manifesto now!
It then sends out the following file: Manifesto Anti Censore Pilif.txt.exe
*Information via Trend Micro Newsletter
__________________
I know Trend had PC-cillin updates available for it on the 15th. I haven't checked any of the others yet. I'm a bit behind on everything these days :(
__________________
WORM_WOOTBOT.BJ is a non-destructive worm that takes advantage of the Windows LSASS vulnerability in order to propagate. It drops a copy of itself into default shared folders of unpatched machines. It steals the CD keys of popular game applications, Microsoft Windows Product IDs, and Yahoo Messenger IDs. It updates itself by creating the file 1.BAT and executing it afterwards. This batch file downloads a copy of the worm from the Internet and then executes it on the compromised system. This worm is currently spreading in the wild and infecting systems that are running Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, this worm drops a copy of itself as SERVICED.EXE in the Windows system folder. It executes its dropped copy and then deletes itself afterwards. It then adds several registry entries that allow it to run automatically at every system startup. This worm copies and executes itself on vulnerable systems and searches for the following default network shares:
ADMIN$
C$
D$
IPC$
It steals Microsoft Windows Product IDs and Yahoo Messenger IDs, as well as the CD keys of the following popular games:
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
Ravenshield
Shogun: Total War: Warlord Edition
Soldier Of Fortune 2
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
This worm appears to possess backdoor capabilities. It updates itself by creating and executing the file 1.BAT, which downloads a copy of the worm from the Internet and then executes it on the compromised system.
__________________
As of October 29, 2004, 2:07 AM (-7:00; Daylight Saving Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AT. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Sweden, China and Germany.
This worm uses its own SMTP engine to propagate via email. It arrives as any of the following attachments:
. PRICE.CPL
. PRICE.COM
. PRICE.EXE
. PRICE.SCR
. JOKE.CPL
. JOKE.COM
. JOKE.EXE
This worm searches the drive for folders with names containing the string "shared". It then drops itself in these shared folders using certain file names.
__________________
Quote:
I never open email attachments from anyone & use a top tier anti-virus scan for both incoming & outgoing email. I also have daily auto-update from the anti-virus software vendor. What further precautions do you advise I take, in terms of malware, spyware & virus protection for my PC? Cheers! Max
I always recommend two anti-viruses; AVG is the main one I recommend. And then Spybot S&D, Ad-aware, and learn how to use HijackThis. Know your start-up programs, check your hosts file and about 100 other things. :)
Definitely have AVG, Spybot and Ad-aware, and learn HijackThis.
__________________
As of October 29, 2004 9:40 AM (GMT -7:00; Daylight Saving Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AU. TrendLabs has received several infection reports indicating that this malware is spreading in US, Japan, Sweden, Germany, Mexico, France, Argentina, Chile, Brazil, and Canada.
Like other BAGLE variants, the success of this worm may be attributed to its plain and brief email messages that bear the following details:
From: <spoofed>
Subject: any of the following
. Re:
. Re: Hello
. Re: Hi
. Re: Thank you!
. Re: Thanks :)
Message body: any of the following
. :)
. :))
Attachment: any of the following
. PRICE
. JOKE
with the following extension names
. COM
. CPL
. EXE
. SCR
This worm scans an infected system for files with certain extension names to acquire its target recipients. It then uses its own SMTP engine and the domain servers of its harvested email addresses for its mailing routine. Unsuspecting users may then receive email messages from trusted acquaintances and readily execute the attachment, thus launching this worm.
When run, it proceeds to drop copies of itself in folders with names containing the text string shar, or in shared folders. It also uses file names that appear legitimate and attractive. This enables this worm to propagate through the network as other users may accidentally download a copy of this worm thinking it is a normal application or a text file.
This worm also compromises system security by terminating several antivirus and security-related applications if found active on a system. It also connects to a list of Web sites where it may download components. It also opens port 81, possibly for its backdoor activities.
Continuing a notable BAGLE routine, it attacks another worm family known as NETSKY. It deletes several registry entries and file names associated with NETSKY. It also creates several mutexes that prevent the execution of NETSKY variants on the infected machine. It runs on Windows 95, 98, ME, NT, 2000, and XP.
__________________
--> What are they?
W32/Bagle.bb@MM and W32/Bagle.bd@MM are Medium Risk mass-mailing worms that try to open up a hacker backdoor on your computer. Carried inside an email attachment, the viruses spread by forwarding themselves to e-mail addresses stolen from an infected PC. Like their predecessors, they also try to terminate anti-virus and other security software protection.

--> What should I look for?
FROM: Varies (spoofed)
SUBJECT: Re:, Re: Hello, Re: Thank you!, Re: Thanks :), Re: Hi
BODY: :), :))
ATTACHMENT: Price, price, Joke (with an extension of .exe, .scr, .com or .cpl)

--> How do I know if I've been infected?
Presence of wingo.exe file in Windows system directory. Outgoing messages and attachments as described above.

--> How do I find out more?
W32/Bagle.bb@MM: http://us.mcafee.com/root/campaign.asp?cid=12534
W32/Bagle.bd@MM: http://us.mcafee.com/root/campaign.asp?cid=12535
|
||||
|
--> What is it?
W32/Mydoom.ah@MM is a Medium Risk mass-mailing worm that exploits a "buffer overflow vulnerability" in Microsoft Internet Explorer to spread from computer to computer using stolen email addresses. Web links (e.g., "see my homepage") in the spam messages point to infected systems, which then download the virus onto new victims' machines. Unlike earlier Mydoom variants, W32/Mydoom.ah@MM forwards no attachments.

--> What should I look for?
FROM: Spoofed.
SUBJECT: Varies. Examples: hi!, hey!, Confirmation
BODY: Varies. Examples:
- Congratulations! PayPal has successfully charged $175 to your credit card. To see details please click this link.
- Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!
ATTACHMENT: None.

--> How do I know if I've been infected?
When run, the virus creates a file in the WINDOWS SYSTEM (%WinDir%\system32) directory with a random filename that ends in 32.exe.
|
|||
|
Quote:
and not a constant parasiteware/malware infested pain in the neck.
|
|||
|
I wanted to say we've got a new virus feed on SecurityProNews.
The feed comes from Sophos. Please check it out and also the Sophos site for great information regarding all the socially transmitted diseases floating through your computer.
|
|||
|
Basically the file is in use, so Norton cannot repair it. So what you do is boot in safe mode, where only a small amount of the operating system is used, allowing Norton to repair it.
You could boot in safe mode then run your Norton, or do what I paste below.

Norton live Safe Mode virus scan
1. Go to this link, below, and save it in your favourites. Save it up at the top of your favourites drop-down list, otherwise you may not be able to see it in safe mode (drag it to the top). Close the window.
2. Turn off the popup blocker on your browser or software.
3. Turn off System Restore as long as you are confident you don't need it. Right click the My Computer icon > Properties > System Restore tab > Turn off. This will delete all restore points. (System Restore can harbour viruses.)
4. Boot in safe mode with networking by tapping the F8 key in the first few seconds of turning the computer on.
5. Using your browser in safe mode with networking, open your browser and go to the link and choose antivirus scan; it will take quite a time to install, but stick with it. It will ask to install ActiveX controls, which also take a while to install. Don't interfere, just wait a while. Run the scan when it asks. You can also run the antivirus checker afterwards, all while in safe mode.
6. Reboot normally, turn on System Restore and create a restore point.
|
||||
|
They also use a percentage of your computer's memory which
increases each year-- infected systems eventually begin running a deficit and use the hard drive as virtual memory. Any attempt to clean this virus, or trim its memory requirements, results in error messages from each of the units explaining why this would cause the computer to break down.
|
|||
|
My computer is always infected by viruses like trojans.
Could someone explain to me where they come from? Is it from when I surf the internet? And my control panel can't open; is it because of this? Need help.
|
||||
|
One of my clients happened to be infected by Conficker.AA and luckily managed to restore the PC back in health.
Here is some info about Conficker.AA:

Win32/Conficker.AA

Short description
Win32/Conficker.AA is a worm that spreads via shared folders and on removable media. It connects to remote machines in an attempt to exploit the Server Service vulnerability.

Installation
When executed, the worm copies itself to some of the following locations:
%system%\%variable%.dll
%program files%\Internet Explorer\%variable%.dll
%program files%\Movie Maker\%variable%.dll
%appdata%\%variable%.dll
%temp%\%variable%.dll
A string with variable content is used instead of %variable%.

The worm loads and injects the %variable%.dll library into the following processes:
explorer.exe
services.exe
svchost.exe

In order to be executed on every system start, the worm sets the following Registry entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"%variable_name%" = "rundll32.exe "%system%\%variable%.dll", %random_string%"

The following Registry entries are set:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
"ServiceDll" = "%system%\%variable%.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
"Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"
"DisplayName" = "%random service name%"
"Type" = 32
"Start" = 2
"ErrorControl" = 0
"ObjectName" = "LocalSystem"
"Description" = "%variable_name%"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections" = 16777214
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
"gip" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
"gip" = 0
A string with variable content is used instead of %random service name%.

The following Registry entries are deleted:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
"wscsvc" = "%filepath%"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%filepath%"

Spreading
The worm starts an HTTP server on a random port. It connects to remote machines on TCP ports 139 and 445 in an attempt to exploit the Server Service vulnerability. If successful, the remote computer may attempt to connect to the infected computer and download a copy of the worm. This vulnerability is described in Microsoft Security Bulletin MS08-067.

Spreading via shared folders
The worm tries to copy itself into shared folders of machines on a local network. The following usernames are used:
%username%
The following passwords are used:
123
1234
12345
123456
1234567
If successful, the following filename is used:
\\%hostname%\ADMIN$\System32\%variable%.dll
The worm schedules a task that causes the following file to be executed daily:
rundll32.exe %variable%.dll, %random_string%

Spreading on removable media
The worm copies itself into existing folders of removable drives. If successful, the following filename is used:
%drive%\RECYCLER\S-%variable1%\%variable2%.%variable3%
A string with variable content is used instead of %variable1-3%.
The worm creates the following file:
%drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information
The following services are disabled:
Windows Security Center Service (wscsvc)
Windows Automatic Update Service (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Defender Service (WinDefend)
Windows Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)
The worm launches the following processes:
netsh interface tcp set global autotuning=disabled
The worm blocks access to any domains that contain any of the following strings in their name:
ahnlab
arcabit
avast
avira
castlecops
If the current system date and time matches the condition, the worm will attempt to download several files from the Internet. The worm runs only encrypted and properly signed files. The file is stored in the following folder:
%temp%
If successful, the following filename is used:
%variable%.tmp
A string with variable content is used instead of %variable%.
The worm may set the following Registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"%port number%:TCP" = "%port number%:TCP:*:Enabled:%variable%"
The performed data entry creates an exception in the Windows Firewall program.
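As an added example (my own, not from the thread or from the write-up quoted above), here is a read-only PowerShell check that looks for the host-side artefacts the post lists: the registry values the worm sets, the protective services it disables, a netsvcs service whose DLL sits in one of its drop directories or is unsigned, the daily rundll32 task, the firewall port exception, and autorun.inf with a RECYCLER\S-* folder on removable media. It assumes an elevated PowerShell on a Windows host; the service names, registry paths and drop directories come from the post, and the list of file-sharing ports excluded from the firewall check is my own assumption.

```powershell
# Added example, not the thread's or the AV vendor's code: a read-only hunt for the
# Conficker.AA artefacts listed in the post. Run elevated; each hit is a lead for a
# full AV scan rather than proof of infection. Port exclusions in step 5 are assumed.
$script:findings = @()
$cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'

function Test-RegValue($Path, $Name, $Expected, $Why) {
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $v -and $v -eq $Expected) { $script:findings += "$Why ($Path\$Name = $v)" }
}

# 1. Registry values the post says the worm sets to weaken the host
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'TcpNumConnections' 16777214 'TCP connection limit raised'
Test-RegValue "HKLM:\$cv\explorer\Advanced\Folder\Hidden\SHOWALL" 'CheckedValue' 0 'Show-hidden-files option disabled'
foreach ($hive in 'HKLM', 'HKCU') { Test-RegValue "${hive}:\$cv\Applets" 'gip' 0 'Conficker marker value gip' }

# 2. Protective services the worm disables
$guard = 'wscsvc', 'wuauserv', 'BITS', 'WinDefend', 'ERSvc', 'WerSvc'
$services = Get-WmiObject Win32_Service
$services | Where-Object { $guard -contains $_.Name -and $_.StartMode -eq 'Disabled' } |
    ForEach-Object { $script:findings += "Protective service disabled: $($_.Name)" }

# 3. svchost -k netsvcs services whose ServiceDll is in a drop directory or not Authenticode-signed
#    (on older Windows, catalog-signed system DLLs also report NotSigned, so review those by hand)
$dropDirs = @("$env:ProgramFiles\Internet Explorer", "$env:ProgramFiles\Movie Maker", $env:APPDATA, $env:TEMP)
$services | Where-Object { $_.PathName -match 'svchost\.exe\s+-k\s+netsvcs' } | ForEach-Object {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $inDrop = @($dropDirs | Where-Object { $dll -like "$_\*" }).Count -gt 0
    $sig = (Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue).Status
    if ($inDrop -or $sig -ne 'Valid') { $script:findings += "netsvcs service '$($_.Name)' loads $dll (signature: $sig)" }
}

# 4. A task that runs rundll32 with a bare DLL, as the worm schedules for its daily execution
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'rundll32(\.exe)?\s+\S+\.dll' } |
    ForEach-Object { $script:findings += "Scheduled task '$($_.TaskName)' runs $($_.'Task To Run')" }

# 5. Windows Firewall GloballyOpenPorts exception for the worm's random HTTP port (file-sharing ports skipped)
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
(Get-Item -Path $fw -ErrorAction SilentlyContinue).Property |
    Where-Object { $_ -match '^(\d+):TCP$' -and @('135','137','138','139','445') -notcontains $Matches[1] } |
    ForEach-Object { $script:findings += "Firewall exception for TCP port: $_" }

# 6. Removable drives (DriveType 2) carrying autorun.inf plus the RECYCLER\S-* payload folder
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | Where-Object {
    (Test-Path "$($_.DeviceID)\autorun.inf") -and (Test-Path "$($_.DeviceID)\RECYCLER\S-*") } |
    ForEach-Object { $script:findings += "Removable drive $($_.DeviceID) has autorun.inf and a RECYCLER\S-* folder" }

if ($findings) { $findings | ForEach-Object { "[!] $_" } } else { 'No Conficker.AA indicators from the post were found.' }
```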
|
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved. iEntry, Inc., 2549 Richmond Rd., Lexington KY, 40509