Thread: Virus Alerts/Updates

  1. #11
    Thanks for the advice. I know about the configuration options, and I guess that you're right about educating people to prohibit the software from executing nasty scripts and all the other harmful stuff ...

    geg

  2. #12
    wenwilder (WebProWorld MVP)

    VIRUS ADVISORY | W32/Lovgate.ad@MM | Medium Risk

    Like its predecessors, W32/Lovgate.ad@MM is a Medium Risk
    mass-mailing worm hiding inside an email attachment. When
    run, the worm:

    1. Drops a dangerous backdoor on an infected machine that
    can allow a remote hacker to steal information.
    2. Infects executable programs.
    3. Tries to disable anti-virus and security software.
    4. Emails itself to a) stolen contacts or b) as replies
    to unread MS Outlook or Outlook Express messages on the
    infected machine, spoofing the "From:" field.

    --> What should I look for?

    Subject (examples): hi, hello, Hello, Mail transaction
    Failed, mail delivery system

    Body (examples): Mail failed. For further assistance,
    please contact! The message contains Unicode characters
    and has been sent as a binary attachment.

    Attachment: Randomly constructed strings with the
    following extensions: .EXE, .PIF, .SCR, .ZIP

    --> How do I know if I've been infected?

    Presence of various .EXE,.DLL or .ZIP archive files on
    system. Modified System Registry.
    "Cat washing IS a martial art."

  3. #13
    Senior Member
    Thank god for LiveUpdate, that's what I say. :P
    Regards, Peter

  4. #14
    wenwilder (WebProWorld MVP)

    VIRUS ALERT: W32/Bagle.ag@MM, W32/Bagle.ai@MM - Medium Risk

    --> What are they?

    W32/Beagle.ag@MM and W32/Beagle.ai@MM are Medium risk
    mass-mailing worms that try to open a backdoor on your PC,
    giving a hacker remote access. Like their predecessors,
    these worms spread by emailing themselves to stolen contacts
    and via popular file-sharing programs such as KaZaa,
    Bearshare and Limewire. They also try to terminate
    anti-virus and other security software operation.

    --> What should I look for?

    FROM: Varies (spoofed)
    SUBJECT: Examples: Re:, Password: %s, Pass - %s, Key - %s
    BODY: Examples: >foto3 and MP3, >fotogalary and Music,
    >fotoinfo. May also be blank.
    ATTACHMENT: Examples: MP3, Music_MP3, New_MP3_Player foto3,
    foto2, foto1 (may include extensions such as .EXE, .SCR,
    .COM, .ZIP, .CPL). Password-protected ZIP files may also
    contain a second, randomly named file (with extensions such
    as .ini, .cfg, .txt, .vxd, .def, .dll).

    --> How do I know if I've been infected?

    Outgoing messages with noted subject lines, attachments.


    This alert is being posted a couple of days late due to email malfunction. But hey, better late than never ;)

  5. #15
    wenwilder (WebProWorld MVP)

    W32/Mydoom.o@MM - Medium-On-Watch

    --> What is it?

    W32/Mydoom.o@MM is a Medium-On-Watch risk mass-mailing worm
    that tries to open a hacker backdoor on your PC. Often
    pretending to be a bounced email alert, the worm arrives
    inside an attachment then spreads by sending itself to stolen
    contacts and via peer-to-peer programs.

    --> What should I look for?

    FROM: Varies. Examples: "Bounced mail," "MAILER-DAEMON,"
    "Mail Administrator". Often spoofed.
    SUBJECT: Varies. Examples: delivery failed, Message could not be
    delivered, Mail System Error - Returned Mail
    BODY: Example: We have received reports that your account was used to
    send a large amount of junk email messages during the last week.
    ATTACHMENT: Examples: README, INSTRUCTION, TRANSCRIPT

    --> How do I know if I've been infected?

    The worm installs itself as JAVA.EXE in an infected
    computer's Windows directory. TCP Port 1034 open.

  6. #16
    wenwilder (WebProWorld MVP)
    W32/Rbot-EW -- Another bot Trojan that exploits network shares
    with weak passwords to spread between machines. It installs
    itself as "UPDATE_W.EXE" in the Windows System directory and
    allows backdoor access via IRC. (Sophos)

    W32/Rbot-FC -- This Rbot variant is similar to EW above, except
    it uses the infected file of "WINSYST32.EXE" and adds the twist
    of a file logger and CD key stealer. (Sophos)

    W32/Rbot-DE -- Another Rbot variant. It uses "WINSYS32.EXE" as
    its infection point and tries to kill certain network share
    connections. (Sophos)

    W32/Sdbot-KU -- A bot that spreads by exploiting machines
    infected with MyDoom or without the Windows DCOM patch. It
    installs itself as "PEREMPTION.EXE" and allows backdoor access
    via IRC. It can be used to launch SYN flood attacks against
    remote sites and also attempts to steal CD keys for popular
    games. (Sophos)

    W32/Tompai-A -- A backdoor Trojan that spreads via network
    shares and uses a variety of filename combinations to install
    itself in the Windows System folder. The virus has the text
    "phantompain" embedded in the code. (Sophos)

    W32/Agobot-KM -- Yet another bot that uses weakly protected
    network shares to spread between machines. This infects
    "MSVSRV32.EXE" in the Windows System directory, allows backdoor
    access via IRC, and modifies the Windows HOSTS file to block
    access to anti-virus sites. (Sophos)

  7. #17
    wenwilder (WebProWorld MVP)
    W32/MyDoom-O -- Another MyDoom variant that uses e-mail to
    spread and search engines to dig for more potential targets.
    Doesn't seem to have the same impact as MyDoom-M. (Sophos)

    W32/Stewon-A -- A peer-to-peer virus that spreads via the likes
    of Kazaa using a compressed .zip file. The virus installs itself
    as "genoxial.exe" in the Windows System folder. (Sophos)

    Troj/CmjSpy-Z -- A keylogging Trojan that installs itself as
    "hpserver.exe" in the Windows system folder and records its
    captured info in "hlicense.vxd". No word on how it spreads.
    (Sophos)

    W32/Agobot-LM -- Another Agobot variant that spreads via network
    shares, which allows backdoor access via IRC and kills security
    applications as well as access to related sites. It installs
    itself as "LSAS.EXE". (Sophos)

    W32/Agobot-LL -- Hey, another Agobot variant. Similar to
    Agobot-LM above, except that infects the file "SVCSYS32.EXE" in
    the Windows System folder. This one could also be used in a DoS
    attack against third-party sites. (Sophos)

    W32/Scaner-A -- A virus that tries to attempt the Windows LSASS
    vulnerability, for which there's been a patch available for a
    few months. The virus attempts to report back its findings via
    an HTTP POST. (Sophos)

    W32/Febelneck-A -- This virus spreads via a .zip file. It tries
    to change the name of the infected machine to "Nebelfleck" and
    delete certain files on the affected system. (Sophos)

  8. #18
    wenwilder (WebProWorld MVP)

    VIRUS ADVISORY: W32/Bagle.aq@MM

    --> What is it?

    W32/Bagle.aq@MM is a Medium Risk mass-mailing worm that tries
    to open a hacker backdoor on your PC. Launched by code hidden
    inside a ZIP attachment, the virus spreads by emailing itself
    to stolen contacts and via popular file-sharing programs such
    as KaZaa, Bearshare and Limewire. It also tries to terminate
    anti-virus and other security software operation.

    Up-to-date McAfee VirusScan users with DAT 4384 are
    protected from this threat. Note: To fortify anti-virus
    defense against viruses that carry backdoor payloads, we
    recommend installing McAfee Personal Firewall Plus:
    http://us.mcafee.com/root/campaign.asp?cid=11276

    --> What should I look for?

    FROM: Varies (spoofed)
    SUBJECT: Blank
    BODY: Examples: new price, The password is, Password:
    ATTACHMENT: Examples: price.zip, price2.zip, price_new.zip

    --> How do I know if I've been infected?

    Communication Port 80 (TCP) open. Outgoing messages with noted
    body content and ZIP attachments.
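    The four mail-borne alerts in this thread (Lovgate.ad in #12, Bagle.ag/ai in #14, Mydoom.o in #15 and Bagle.aq in #18) all give the same kind of indicator: a short lure subject, a spoofed sender, an executable or ZIP attachment, and sometimes a body line that hands over the ZIP password. The following is an added example of a gateway-side triage routine built on exactly those indicators; it is not code from this forum or from McAfee. The subject list, extensions and password phrases are transcribed from the posts above; the function names, the rule that subject and body only count alongside a carrier attachment, and the sample messages are constructed for illustration.

```python
"""Mail-gateway triage for the mass-mailer lures quoted in this thread.

Added example, not code from the forum or from any vendor cited above.
Indicator sets come from the Lovgate.ad, Bagle.ag/ai, Mydoom.o and Bagle.aq
posts; function names, scoring rule and sample messages are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional

# Subject lines the advisories list (lower-cased for comparison).
LURE_SUBJECTS = {
    "hi", "hello", "mail transaction failed", "mail delivery system",
    "re:", "delivery failed", "message could not be delivered",
    "mail system error - returned mail",
}
# Attachment extensions the advisories name as carriers.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".cpl"}
ARCHIVE_EXTS = {".zip"}
# Body phrases that hand the recipient the password of a protected ZIP.
PASSWORD_HINTS = ("the password is", "password:", "pass -", "key -")


def _extension(filename: str) -> str:
    """Lower-cased final extension of an attachment name ('' if none)."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage(raw: bytes) -> List[str]:
    """Return every reason a raw RFC 5322 message matches the thread's indicators.

    An empty list means nothing fired; the caller decides the action
    (quarantine, strip attachment, deliver) from the reasons returned.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons: List[str] = []

    subject = str(msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    has_archive = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment: {name}")
        elif ext in ARCHIVE_EXTS:
            has_archive = True
            reasons.append(f"archive attachment: {name}")

    # Subject and body indicators only matter next to a carrier attachment;
    # a blank subject or a plain "hello" on its own is ordinary mail.
    if reasons:
        if subject in LURE_SUBJECTS:
            reasons.append(f"subject matches lure list: {subject!r}")
        elif subject == "" and has_archive:
            reasons.append("blank subject with archive attachment")
        if has_archive and any(hint in body for hint in PASSWORD_HINTS):
            reasons.append("body supplies a password for the archive")
    return reasons


def build_sample(subject: Optional[str], body: str, filename: str) -> bytes:
    """Construct a sample message (constructed data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@example.invalid"   # spoofed sender, as the posts describe
    msg["To"] = "user@example.invalid"
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    # Placeholder payload; a real carrier would be a PE file or a ZIP archive.
    msg.add_attachment(b"placeholder-bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "lovgate-style": build_sample("hello", "Mail failed. For further assistance, please contact!", "a7x9q.pif"),
        "bagle-style": build_sample(None, "new price\nThe password is 42", "price_new.zip"),
        "ordinary": build_sample("Q3 report", "Attached as discussed.", "report.pdf"),
    }
    for label, raw in samples.items():
        print(label, triage(raw) or "no indicator fired")
```

    The point of scoring only when a carrier attachment is present is false-positive control: every subject line in these advisories also occurs in legitimate mail, so the attachment type is the primary signal and the subject and password phrases are corroboration.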

  9. #19
    wenwilder (WebProWorld MVP)

    MyDoom.s prevention and cure

    This mass-mailing virus appears to contain photos but actually attempts to install a backdoor Trojan horse.

    A variation of the MyDoom virus appears to be e-mail containing photographs. MyDoom.s (w32.MyDoom.s@mm, also known as MyDoom.m (Norman), MyDoom.q (Symantec), MyDoom.r (Panda), and Ratos (Trend Micro)) is a mass-mailing worm that uses its own SMTP engine to send out copies of itself to addresses harvested from the infected PC. It spoofs the return address, making it hard to trace infected machines, and attempts to download a backdoor Trojan horse from one of two sites on the Internet. MyDoom.s does not affect Linux, Mac, or Unix systems. Because MyDoom.s spreads via e-mail, opens a remote access backdoor on infected PCs, and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.

    How it works
    MyDoom.s arrives as an attachment with the following characteristics:

    Subject : photos
    Body : LOL!;))))
    Attachment : photos_arc.exe

    If the attachment is opened, MyDoom.s adds the file rasor38a.dll to the Windows folder and the file winpsd.exe to the system directory. It also makes the following system Registry changes:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe

    Once executed, MyDoom.s attempts to download a backdoor Trojan horse from either www.richcolour.com or zenandjuice.com.

    Prevention
    If you receive MyDoom.s, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall will prevent the virus author from gaining remote access to your PC.

    Removal
    A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
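    Posts #15 through #19 give host-side indicators rather than mail lures: a dropped file in a named directory (JAVA.EXE, UPDATE_W.EXE, winpsd.exe and the rest), a Run value that restarts the worm, and for Mydoom.o an open TCP port 1034. The following is an added example of an offline check over three artefacts an incident responder would collect from a suspect machine (a .reg export of the Run key, a file inventory, and netstat output); it is not code from this forum, from Sophos, McAfee or CNET. The file names, the Run value name "winpsd" and port 1034 are transcribed from the posts; the parsers, the assumption that "Windows System directory" means C:\WINDOWS\System32 on a default install, and all sample records are constructed for illustration.

```python
"""Host-side check for the file, Run-key and listening-port indicators in the
Mydoom.o, Rbot/Sdbot/Agobot, Stewon/CmjSpy and MyDoom.s posts above.

Added example, not code from the forum or from any vendor cited above.  The
indicator names are transcribed from the posts; the parsers, the directory
assumption (System directory == C:\\WINDOWS\\System32) and every sample record
are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

WINDOWS_DIR = r"c:\windows"            # assumption: default install path
SYSTEM_DIR = r"c:\windows\system32"    # assumption: 'Windows System directory'

# (lower-cased file name, directory it is dropped in, family named in the thread).
# A directory of None means the post gave no location, so the name matches anywhere.
FILE_INDICATORS: List[Tuple[str, Optional[str], str]] = [
    ("java.exe", WINDOWS_DIR, "W32/Mydoom.o"),     # a JRE's java.exe lives under Program Files, not here
    ("update_w.exe", SYSTEM_DIR, "W32/Rbot-EW"),
    ("winsyst32.exe", SYSTEM_DIR, "W32/Rbot-FC"),
    ("winsys32.exe", SYSTEM_DIR, "W32/Rbot-DE"),
    ("peremption.exe", SYSTEM_DIR, "W32/Sdbot-KU"),
    ("msvsrv32.exe", SYSTEM_DIR, "W32/Agobot-KM"),
    ("genoxial.exe", SYSTEM_DIR, "W32/Stewon-A"),
    ("hpserver.exe", SYSTEM_DIR, "Troj/CmjSpy-Z"),
    ("hlicense.vxd", SYSTEM_DIR, "Troj/CmjSpy-Z"),
    ("lsas.exe", None, "W32/Agobot-LM"),           # lsass.exe (two s) is the legitimate binary
    ("svcsys32.exe", SYSTEM_DIR, "W32/Agobot-LL"),
    ("rasor38a.dll", WINDOWS_DIR, "MyDoom.s"),
    ("winpsd.exe", SYSTEM_DIR, "MyDoom.s"),
]
RUN_VALUE_INDICATORS = {"winpsd": "MyDoom.s"}
LISTEN_PORT_INDICATORS = {1034: "W32/Mydoom.o"}

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
_NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def run_key_findings(reg_export: str) -> List[str]:
    """Scan a .reg export; only values under ...\\CurrentVersion\\Run are considered."""
    findings: List[str] = []
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.lower().endswith(r"\currentversion\run]")
            continue
        m = _REG_VALUE.match(line)
        if in_run_key and m and m.group("name").lower() in RUN_VALUE_INDICATORS:
            family = RUN_VALUE_INDICATORS[m.group("name").lower()]
            findings.append(f"Run value {m.group('name')} = {m.group('data')} ({family})")
    return findings


def file_findings(paths: Iterable[str]) -> List[str]:
    """Match full paths from a file inventory against the drop locations in the thread."""
    findings: List[str] = []
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        for ind_name, ind_dir, family in FILE_INDICATORS:
            if name == ind_name and (ind_dir is None or directory == ind_dir):
                findings.append(f"{path} ({family})")
    return findings


def port_findings(netstat_output: str) -> List[str]:
    """Flag listening TCP ports the thread names as backdoor ports."""
    findings: List[str] = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LISTEN.match(line)
        if m and int(m.group("port")) in LISTEN_PORT_INDICATORS:
            findings.append(f"TCP {m.group('port')} listening ({LISTEN_PORT_INDICATORS[int(m.group('port'))]})")
    return findings


def assess(reg_export: str, paths: Iterable[str], netstat_output: str) -> List[str]:
    """Combine the three checks into one list of findings."""
    return run_key_findings(reg_export) + file_findings(paths) + port_findings(netstat_output)


# Constructed sample records (not collected from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"winpsd"="C:\\WINDOWS\\System32\\winpsd.exe"

[HKEY_CURRENT_USER\Software\Example\Settings]
"winpsd"="decoy value outside the Run key"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\java.exe",
    r"C:\Program Files\Java\j2re\bin\java.exe",
    r"C:\WINDOWS\System32\winpsd.exe",
    r"C:\WINDOWS\System32\lsass.exe",
    r"C:\WINDOWS\System32\kernel32.dll",
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1052        198.51.100.7:80        ESTABLISHED
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_REG, SAMPLE_FILES, SAMPLE_NETSTAT):
        print(finding)
```

    Matching on the directory as well as the name is what keeps a legitimate JRE's java.exe and the real lsass.exe out of the findings; an indicator list of bare file names would fire on both.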

  10. #20
    wenwilder (WebProWorld MVP)

    Bad Bot - WORM_SDBOT.VQ

    WORM_SDBOT.VQ is a memory-resident worm that spreads via network shares, and exploits specific vulnerabilities to propagate across networks. It also gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. This worm has backdoor capabilities and attempts to connect to an Internet Relay Chat (IRC) server to allow a remote user to access the infected system and perform malicious commands. WORM_SDBOT.VQ runs on Windows NT, 2000, and XP.

    Upon execution, this memory-resident worm drops a copy of itself in the Windows System directory as EXPLORER32.EXE. It adds registry entries to enable this dropped copy to run at every Windows startup. It then creates several threads to be used for sniffing, keylogging, and other backdoor capabilities. It also attempts to send copies of itself to other systems as BLING.EXE.

    This worm spreads via network shares. It gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. It then attempts to access systems with weak passwords to drop a copy of itself. You may view the list of usernames and passwords in the Technical Details section of this virus description at http://www.trendmicro.com/vinfo/viru...BOT.VQ&VSect=T

    This worm takes advantage of the following Windows vulnerabilities:

    IIS5/WEBDAV Buffer Overflow vulnerability
    Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
    Buffer Overflow in SQL Server 2000
    Windows LSASS Vulnerability

    This worm attempts to connect to the Internet Relay Chat (IRC) server, irc.t3musso.net, which allows a remote user to access the infected system and perform the following commands:

    Update malware from HTTP and FTP URL
    Steal CD keys of game applications
    Execute a file
    Download from HTTP and FTP URL
    Open a command shell
    Open files
    Display the driver list
    Get screen capture
    Capture pictures and video clips
    Display netinfo
    Make a bot join a channel
    Stop and start a thread
    List all running processes
    Rename a file
    Generate a random nickname
    Perform different kinds of DDoS attacks
    Retrieve and clear log files
    Terminate the bot
    Disconnect the bot from IRC
    Send a message to the IRC server
    Let the bot perform mode change
    Change BOT ID
    Display connection type, local IP address and other net information
    Log in and log out the user
    Issue ping attack on to a target computer
    Display the following system information:
    -CPU speed
    -Amount of Memory
    -Windows platform, build version, and product ID
    -Malware uptime
    -User name

    It also checks for the following strings, and then attempts to steal Windows product ID and CD keys for several game applications:

    :.login
    :,login
    :!login
    :@login
    :$login
    :%login
    login
    :&login
    :*login
    :-login
    :+login
    :/login
    :\login
    :=login
    :?login
    :'login
    login
    :~login
    : login
    :.auth
    :,auth
    :!auth
    :@auth
    :$auth
    :%auth
    :&auth
    :*auth
    :-auth
    :+auth
    :/auth
    :\auth
    :=auth
    :?auth
    :'auth
    :~auth
    : auth
    :.hashin
    :!hashin
    :$hashin
    :%hashin
    :.secure
    :!secure
    :.syn
    :!syn
    :$syn
    :%syn
    paypal
    PAYPAL
    paypal.com
    PAYPAL.COM

    The remote malicious user can also issue commands to allow the bot to log user keystrokes.
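    The string table at the end of the SDBOT.VQ description is the bot's own authentication grammar: a controller types a prefix character followed by login, auth, hashin, secure or syn into the IRC channel, and the bot compares the message against that list before accepting commands. That makes the same strings a network-side detection signature. The following is an added example, not code from this forum or from Trend Micro, of a small IRC line parser and a detector run over constructed IRC traffic of the kind a sensor would record; the keyword and prefix sets are taken from the post, while the parser, the rule for the bare "login" entry and the sample lines are constructed for illustration.

```python
"""Detect the controller-authentication strings WORM_SDBOT.VQ listens for in
IRC traffic recorded at a network sensor.

Added example, not code from the forum or from Trend Micro.  Keywords and
prefix characters come from the post's string table; the IRC parser, the
handling of the bare 'login' form and the sample lines are constructed.
"""
from typing import Dict, List, Optional, Tuple

BOT_KEYWORDS = {"login", "auth", "hashin", "secure", "syn"}
# Every character the post shows in front of a keyword (":.login", ":!login", ": login", ...).
PREFIX_CHARS = set(".,!@$%&*-+/\\=?'~ ")


def parse_irc(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC protocol line into (prefix, command, params); the trailing
    ':...' parameter becomes the last element of params."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    command = parts[0].upper() if parts else ""
    params = parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def bot_keyword(text: str) -> Optional[str]:
    """Return the bot keyword if the message text starts like a bot command, else None.

    The prefixed forms ('.login', '!auth', ' login') are what the post lists.
    The post also lists a bare 'login'; because that word is ordinary chat,
    it is accepted here only when it is the entire message.
    """
    if not text:
        return None
    if text[0] in PREFIX_CHARS:
        word = text[1:].split(" ", 1)[0].lower()
        return word if word in BOT_KEYWORDS else None
    return "login" if text.strip().lower() == "login" else None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """One record per PRIVMSG/NOTICE whose text matches the bot's command grammar."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        prefix, command, params = parse_irc(line)
        if command not in ("PRIVMSG", "NOTICE") or len(params) < 2:
            continue
        keyword = bot_keyword(params[-1])
        if keyword is None:
            continue
        sender = (prefix or "").split("!", 1)[0]   # nick part of nick!user@host
        hits.append({"sender": sender, "target": params[0],
                     "keyword": keyword, "line": line.strip()})
    return hits


# Constructed sample capture; hosts and addresses are documentation ranges.
SAMPLE_LINES = [
    ":irc.example.invalid 001 bot42 :Welcome to the network",
    ":ctrl!op@198.51.100.7 PRIVMSG #bots :.login hunter2",
    ":alice!u@host PRIVMSG #chat :does anyone still login to the old wiki?",
    "PING :irc.example.invalid",
    ":ctrl!op@198.51.100.7 PRIVMSG bot42 :~auth hunter2",
    ":bob!u@host PRIVMSG #chat :secure",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES):
        print(f"{hit['sender']} -> {hit['target']}: {hit['keyword']}  [{hit['line']}]")
```

    A hit on a PRIVMSG to a channel is the interesting case: it means the controller authenticated in front of every bot in the channel, and the channel name, the sender's host and the server the client connected to (the post names irc.t3musso.net for this variant) are what to pivot on when looking for other infected hosts.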
