Thanks for the advice. I know about the configuration options, and I guess that you're right about educating people to prohibit the software from executing nasty scripts and all the other harmful stuff ...
geg
Like its predecessors, W32/Lovgate.ad@MM is a Medium Risk
mass-mailing worm hiding inside an email attachment. When
run, the worm:
1. Drops a dangerous backdoor on an infected machine that
can allow a remote hacker to steal information.
2. Infects executable programs.
3. Tries to disable anti-virus and security software.
4. Emails itself to a) stolen contacts or b) as replies
to unread MS Outlook or Outlook Express messages on the
infected machine, spoofing the "From:" field.
--> What should I look for?
Subject (examples): hi, hello, Hello, Mail transaction
Failed, mail delivery system
Body (examples): Mail failed. For further assistance,
please contact! The message contains Unicode characters
and has been sent as a binary attachment.
Attachment: Randomly constructed strings with the
following extensions: .EXE, .PIF, .SCR, .ZIP
--> How do I know if I've been infected?
Presence of various .EXE,.DLL or .ZIP archive files on
system. Modified System Registry.
Thank god for Liveupdate, that's what I say. :P
--> What are they?
W32/Beagle.ag@MM and W32/Beagle.ai@MM are Medium risk
mass-mailing worms that try to open a backdoor on your PC,
giving a hacker remote access. Like their predecessors,
these worms spread by emailing themselves to stolen contacts
and via popular file-sharing programs such as KaZaa,
Bearshare and Limewire. They also try to terminate
anti-virus and other security software operation.
--> What should I look for?
FROM: Varies (spoofed)
SUBJECT: Examples: Re:, Password: %s, Pass - %s, Key - %s
BODY: Examples: >foto3 and MP3, >fotogalary and Music,
>fotoinfo. May also be blank.
ATTACHMENT: Examples: MP3, Music_MP3, New_MP3_Player foto3,
foto2, foto1 (may include extensions such as .EXE, .SCR,
.COM, .ZIP, .CPL). Password-protected ZIP files may also
contain a second, randomly named file (with extensions such
as .ini, .cfg, .txt, .vxd, .def, .dll).
--> How do I know if I've been infected?
Outgoing messages with noted subject lines, attachments.
This alert is being posted a couple of days late due to email malfunction. But hey, better late than never ;)
--> What is it?
W32/Mydoom.o@MM is a Medium-On-Watch risk mass-mailing worm
that tries to open a hacker backdoor on your PC. Often
pretending to be a bounced email alert, the worm arrives
inside an attachment then spreads by sending itself to stolen
contacts and via peer-to-peer programs.
--> What should I look for?
FROM: Varies. Examples: "Bounced mail," "MAILER-DAEMON,"
"Mail Administrator". Often spoofed.
SUBJECT: Varies. Examples: delivery failed, Message could not be
delivered, Mail System Error - Returned Mail
BODY: Example: We have received reports that your account was used to
send a large amount of junk email messages during the last week.
ATTACHMENT: Examples: README, INSTRUCTION, TRANSCRIPT
--> How do I know if I've been infected?
The worm installs itself as JAVA.EXE in an infected
computer's Windows directory. TCP Port 1034 open.
W32/Rbot-EW -- Another bot Trojan that exploits network shares
with weak passwords to spread between machines. It installs
itself as "UPDATE_W.EXE" in the Windows System directory and
allows backdoor access via IRC. (Sophos)
W32/Rbot-FC -- This Rbot variant is similar to EW above, except
it uses the infected file of "WINSYST32.EXE" and adds the twist
of a file logger and CD key stealer. (Sophos)
W32/Rbot-DE -- Another Rbot variant. It uses "WINSYS32.EXE" as
its infection point and tries to kill certain network share
connections. (Sophos)
W32/Sdbot-KU -- A bot that spreads by exploiting machines
infected with MyDoom or without the Windows DCOM patch. It
installs itself as "PEREMPTION.EXE" and allows backdoor access
via IRC. It can be used to launch SYN flood attacks against
remote sites and also attempts to steal CD keys for popular
games. (Sophos)
W32/Tompai-A -- A backdoor Trojan that spreads via network
shares and uses a variety of filename combinations to install
itself in the Windows System folder. The virus has the text
"phantompain" embedded in the code. (Sophos)
W32/Agobot-KM -- Yet another bot that uses weakly protected
network shares to spread between machines. This infects
"MSVSRV32.EXE" in the Windows System directory, allows backdoor
access via IRC, and modifies the Windows HOSTS file to block
access to anti-virus sites. (Sophos)
W32/MyDoom-O -- Another MyDoom variant that uses e-mail to
spread and search engines to dig for more potential targets.
Doesn't seem to have the same impact as MyDoom-M. (Sophos)
W32/Stewon-A -- A peer-to-peer virus that spreads via the likes
of Kazaa using a compressed .zip file. The virus installs itself
as "genoxial.exe" in the Windows System folder. (Sophos)
Troj/CmjSpy-Z -- A keylogging Trojan that installs itself as
"hpserver.exe" in the Windows system folder and records its
captured info in "hlicense.vxd". No word on how it spreads.
(Sophos)
W32/Agobot-LM -- Another Agobot variant that spreads via network
shares, which allows backdoor access via IRC and kills security
applications as well as access to related sites. It installs
itself as "LSAS.EXE". (Sophos)
W32/Agobot-LL -- Hey, another Agobot variant. Similar to
Agobot-LM above, except that infects the file "SVCSYS32.EXE" in
the Windows System folder. This one could also be used in a DoS
attack against third-party sites. (Sophos)
W32/Scaner-A -- A virus that tries to attempt the Windows LSASS
vulnerability, for which there's been a patch available for a
few months. The virus attempts to report back its findings via
an HTTP POST. (Sophos)
W32/Febelneck-A -- This virus spreads via a .zip file. It tries
to change the name of the infected machine to "Nebelfleck" and
delete certain files on the affected system. (Sophos)
VIRUS ADVISORY: W32/Bagle.aq@MM
--> What is it?
W32/Bagle.aq@MM is a Medium Risk mass-mailing worm that tries
to open a hacker backdoor on your PC. Launched by code hidden
inside a ZIP attachment, the virus spreads by emailing itself
to stolen contacts and via popular file-sharing programs such
as KaZaa, Bearshare and Limewire. It also tries to terminate
anti-virus and other security software operation.
Up-to-date McAfee VirusScan users with DAT 4384 are
protected from this threat. Note: To fortify anti-virus
defense against viruses that carry backdoor payloads, we
recommend installing McAfee Personal Firewall Plus:
http://us.mcafee.com/root/campaign.asp?cid=11276
--> What should I look for?
FROM: Varies (spoofed)
SUBJECT: Blank
BODY: Examples: new price, The password is, Password:
ATTACHMENT: Examples: price.zip, price2.zip, price_new.zip
--> How do I know if I've been infected?
Communication Port 80 (TCP) open. Outgoing messages with noted
body content and ZIP attachments.
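The four mass-mailer advisories in this thread (Lovgate.ad, Beagle.ag/.ai, Mydoom.o and Bagle.aq) all describe the same three mail-level indicators: a bounce-style or password-themed subject, a body that mentions a password or a "binary attachment", and an executable or ZIP attachment with one of a handful of names. The script below is an added example, not code from any of the quoted vendors; it collects those indicators into a small scorer that parses raw RFC 822 text with Python's standard `email` package and builds three constructed sample messages (the addresses, the placeholder attachment bytes and the `transcript.zip` file name are assumptions; the subject, body and attachment strings come from the advisories above). The password-plus-ZIP correlation is the one thing worth keeping even when the literal strings rotate: Beagle and Bagle.aq ship password-protected ZIPs with the password in the body, which a gateway cannot scan.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisories quoted in this thread (Lovgate.ad,
# Beagle.ag/.ai, Mydoom.o, Bagle.aq). All matching is case-insensitive substring.
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".zip", ".com", ".cpl"}
SUBJECT_INDICATORS = [
    "mail transaction failed", "mail delivery system", "delivery failed",
    "message could not be delivered", "mail system error - returned mail",
    "password:", "pass - ", "key - ",
]
BODY_INDICATORS = [
    "has been sent as a binary attachment",
    "your account was used to send a large amount of junk email",
    "the password is", "new price", "password:",
]
ATTACHMENT_NAME_INDICATORS = [
    "price.zip", "price2.zip", "price_new.zip",    # Bagle.aq
    "readme", "instruction", "transcript",         # Mydoom.o
    "mp3", "music_mp3", "new_mp3_player", "foto",  # Beagle.ag/.ai
]


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score one raw RFC 822 message; (0, []) means no indicator matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    score, reasons = 0, []

    for needle in SUBJECT_INDICATORS:
        if needle in subject:
            score += 1
            reasons.append(f"subject matches {needle!r}")
    for needle in BODY_INDICATORS:
        if needle in body:
            score += 1
            reasons.append(f"body matches {needle!r}")

    zip_attached = False
    for part in msg.iter_attachments():  # yields nothing for single-part mail
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            score += 1
            reasons.append(f"attachment {name!r} has risky extension {ext}")
            zip_attached = zip_attached or ext == ".zip"
        for needle in ATTACHMENT_NAME_INDICATORS:
            if needle in name:
                score += 1
                reasons.append(f"attachment {name!r} matches {needle!r}")
                break
    # Beagle and Bagle.aq: password-protected ZIP, password given in the body,
    # so the gateway scanner cannot open the archive. Weight this combination.
    if zip_attached and "password" in body:
        score += 2
        reasons.append("ZIP attachment with a password in the body (+2)")
    return score, reasons


def build_sample(subject: str, body: str, attachment_name: str = "") -> str:
    """Construct a sample message (not real worm traffic) as raw RFC 822 text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # assumed address
    msg["To"] = "user@example.invalid"      # assumed address
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not a payload",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


# Constructed samples; strings are the advisory examples, file names assumed.
SAMPLES = {
    "bagle_aq": build_sample("", "The password is", "price.zip"),
    "mydoom_o": build_sample(
        "Mail System Error - Returned Mail",
        "We have received reports that your account was used to send a large "
        "amount of junk email messages during the last week.",
        "transcript.zip"),
    "benign": build_sample("Lunch on Thursday?", "Does noon work for everyone?"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, score_message(raw))
```

Scores are additive on purpose: a single hit (a ZIP attachment, a subject containing "Re:") is too common to act on, while three or more together reproduce the advisories' own "what should I look for" profile closely enough to quarantine for review.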
This mass-mailing virus appears to contain photos but actually attempts to install a backdoor Trojan horse.
A variation of the MyDoom virus appears to be e-mail containing photographs. MyDoom.s (w32.MyDoom.s@mm, also known as MyDoom.m (Norman), MyDoom.q (Symantec), MyDoom.r (Panda), and Ratos (Trend Micro)) is a mass-mailing worm that uses its own SMTP engine to send out copies of itself to addresses harvested from the infected PC. It spoofs the return address, making it hard to trace infected machines, and attempts to download a backdoor Trojan horse from one of two sites on the Internet. MyDoom.s does not affect Linux, Mac, or Unix systems. Because MyDoom.s spreads via e-mail, opens a remote access backdoor on infected PCs, and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
MyDoom.s arrives as an attachment with the following characteristics:
Subject : photos
Body : LOL!;))))
Attachment : photos_arc.exe
If the attachment is opened, MyDoom.s adds the file rasor38a.dll to the Windows folder and the file winpsd.exe to the system directory. It also makes the following system Registry changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe
Once executed, MyDoom.s attempts to download a backdoor Trojan horse from either www.richcolour.com or zenandjuice.com.
Prevention
If you receive MyDoom.s, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall will prevent the virus author from gaining remote access to your PC.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
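Most of the descriptions in this thread persist through a `Run` value under `HKLM\...\CurrentVersion` that points at a freshly dropped executable (MyDoom.s's `winpsd`, the Rbot/Agobot/Sdbot copies in the System directory). A common way to triage a suspect host is to export that key with regedit and read the `.reg` file offline. The code below is an added example, not part of the CNET or vendor text: a small parser for the `.reg` export format (bracketed key paths, `"name"="value"` lines with doubled backslashes) followed by a check of each Run entry's executable name against the dropped-file names quoted in this thread. The sample export is constructed; the `Sys Update` and `ctfmon` value names, the `-s` argument and the `ComDlg32` hex value are assumptions, while `winpsd` and the file names come from the posts above.

```python
import re
from pathlib import PureWindowsPath

# Dropped-file names quoted in this thread, with the description that names them.
# Matching is by file name only, so a hit is a lead for an analyst, not proof.
KNOWN_DROPPED_NAMES = {
    "winpsd.exe": "W32/MyDoom.s (Run value 'winpsd')",
    "explorer32.exe": "WORM_SDBOT.VQ (copy in the Windows System directory)",
    "bling.exe": "WORM_SDBOT.VQ (name used when copying to other systems)",
    "update_w.exe": "W32/Rbot-EW",
    "winsyst32.exe": "W32/Rbot-FC",
    "winsys32.exe": "W32/Rbot-DE",
    "peremption.exe": "W32/Sdbot-KU",
    "msvsrv32.exe": "W32/Agobot-KM",
    "lsas.exe": "W32/Agobot-LM (note: one 's' short of the legitimate lsass.exe)",
    "svcsys32.exe": "W32/Agobot-LL",
    "genoxial.exe": "W32/Stewon-A",
    "hpserver.exe": "Troj/CmjSpy-Z",
}

# Constructed .reg export in regedit's text format (not from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winpsd"="C:\\WINDOWS\\System32\\winpsd.exe"
"Sys Update"="\"C:\\WINDOWS\\System32\\EXPLORER32.EXE\" -s"
"ctfmon"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32]
"LastVisitedMRU"=hex:00,00
"""

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: value}}; non-string values are kept raw."""
    entries: dict[str, dict[str, str]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            entries.setdefault(section, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or section is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            entries[section][name] = _unescape(raw[1:-1])
        else:
            entries[section][name] = raw  # hex:, dword: etc. left as written
    return entries


def executable_name(command: str) -> str:
    """Lower-case base name of the program in a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(" ", 1)[0]
    return PureWindowsPath(path).name.lower()


def find_suspicious_run_entries(entries: dict[str, dict[str, str]]):
    """List (key, value_name, command, reason) for Run/RunOnce values hitting the table."""
    hits = []
    for key, values in entries.items():
        if not re.search(r"\\Run(Once)?$", key, re.IGNORECASE):
            continue
        for name, command in values.items():
            exe = executable_name(command)
            if exe in KNOWN_DROPPED_NAMES:
                hits.append((key, name, command, KNOWN_DROPPED_NAMES[exe]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit)
```

The quoted-path case matters in practice: a Run value of `"C:\...\EXPLORER32.EXE" -s` must be split on the closing quote, not on the first space, or the base name comes out wrong and the entry is missed.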
WORM_SDBOT.VQ is a memory-resident worm that spreads via network shares, and exploits specific vulnerabilities to propagate across networks. It also gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. This worm has backdoor capabilities and attempts to connect to an Internet Relay Chat (IRC) server to allow a remote user to access the infected system and perform malicious commands. WORM_SDBOT.VQ runs on Windows NT, 2000, and XP.
Upon execution, this memory-resident worm drops a copy of itself in the Windows System directory as EXPLORER32.EXE. It adds registry entries to enable this dropped copy to run at every Windows startup. It then creates several threads to be used for sniffing, keylogging, and other backdoor capabilities. It also attempts to send copies of itself to other systems as BLING.EXE.
This worm spreads via network shares. It gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. It then attempts to access systems with weak passwords to drop a copy of itself. You may view the list of usernames and passwords in the Technical Details section of this virus description at http://www.trendmicro.com/vinfo/viru...BOT.VQ&VSect=T
This worm takes advantage of the following Windows vulnerabilities:
IIS5/WEBDAV Buffer Overflow vulnerability
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
Buffer Overflow in SQL Server 2000
Windows LSASS Vulnerability
This worm attempts to connect to the Internet Relay Chat (IRC) server, irc.t3musso.net, which allows a remote user to access the infected system and perform the following commands:
Update malware from HTTP and FTP URL
Steal CD keys of game applications
Execute a file
Download from HTTP and FTP URL
Open a command shell
Open files
Display the driver list
Get screen capture
Capture pictures and video clips
Display netinfo
Make a bot join a channel
Stop and start a thread
List all running process
Rename a file
Generate a random nickname
Perform different kinds of ddos attacks
Retrieve and clear log files
Terminate the bot
Disconnect the bot from IRC
Send a message to the IRC server
Let the bot perform mode change
Change BOT ID
Display connection type, local IP address and other net information
Log in and log out the user
Issue ping attack on to a target computer
Display the following system information:
-CPU speed
-Amount of Memory
-Windows platform, build version, and product ID
-Malware uptime
-User name
It also checks for the following strings, and then attempts to steal Windows product ID and CD keys for several game applications:
:.login
:,login
:!login
:@login
:$login
:%login
login
:&login
:*login
:-login
:+login
:/login
:\login
:=login
:?login
:'login
login
:~login
: login
:.auth
:,auth
:!auth
:@auth
:$auth
:%auth
:&auth
:*auth
:-auth
:+auth
:/auth
:\auth
:=auth
:?auth
:'auth
:~auth
: auth
:.hashin
:!hashin
:$hashin
:%hashin
:.secure
:!secure
:.syn
:!syn
:$syn
:%syn
paypal
PAYPAL
paypal.com
PAYPAL.COM
The remote malicious user can also issue commands to allow the bot to log user keystrokes.
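The string list above is the bot's command dispatcher seen from the inside: a PRIVMSG whose text begins with one of the listed prefix characters followed by `login`, `auth`, `hashin`, `secure` or `syn` is a controller talking to the bot, and the leading `:` in each entry is IRC's trailing-parameter marker rather than part of the trigger. That makes the same table usable on the wire. The code below is an added example, not part of the Trend Micro description: a minimal IRC line parser and a scanner that flags PRIVMSG traffic matching the trigger table (prefix sets reproduced per word exactly as listed) or carrying the `paypal` strings. The log lines are constructed; the nicknames, addresses and channel names are assumptions.

```python
from typing import Optional

# Prefix characters accepted before each trigger word, per the list quoted above.
TRIGGERS = {
    "login": ".,!@$%&*-+/\\=?'~ ",
    "auth": ".,!@$%&*-+/\\=?'~ ",
    "hashin": ".!$%",
    "secure": ".!",
    "syn": ".!$%",
}
PAYPAL_STRINGS = ("paypal", "paypal.com")  # matched case-insensitively

# Constructed IRC server-to-client lines (RFC 1459 framing), not real traffic.
SAMPLE_IRC_LOG = [
    ":herder!h@192.0.2.7 PRIVMSG #c :.login [password-redacted]",
    ":herder!h@192.0.2.7 PRIVMSG #c :!secure",
    ":alice!a@198.51.100.3 PRIVMSG #chat :did you see the new client release?",
    ":alice!a@198.51.100.3 PRIVMSG #chat :payment went through paypal",
    "PING :irc.example.invalid",
]


def parse_irc_line(line: str) -> tuple[Optional[str], str, list[str]]:
    """Split an IRC line into (prefix, COMMAND, params); trailing ':' param kept whole."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def match_trigger(text: str) -> Optional[str]:
    """Return the trigger word if text starts with an accepted prefix plus that word."""
    if len(text) < 2:
        return None
    for word, prefixes in TRIGGERS.items():
        if text[0] in prefixes and text[1:].lower().startswith(word):
            return word
    return None


def scan_irc_log(lines: list[str]) -> list[tuple[int, Optional[str], str]]:
    """Return (line_no, sender_prefix, reason) for each PRIVMSG worth a look."""
    hits = []
    for n, line in enumerate(lines, 1):
        prefix, command, params = parse_irc_line(line)
        if command != "PRIVMSG" or len(params) < 2:
            continue
        text = params[-1]
        word = match_trigger(text)
        if word:
            hits.append((n, prefix, f"bot trigger '{word}'"))
            continue
        if any(p in text.lower() for p in PAYPAL_STRINGS):
            hits.append((n, prefix, "paypal string (credential-theft filter)"))
    return hits


if __name__ == "__main__":
    for hit in scan_irc_log(SAMPLE_IRC_LOG):
        print(hit)
```

Run against a proxy or IDS export of IRC sessions, the `login`/`auth` hits identify the controller's nick and host (the prefix of the line), which is the pivot for finding every other bot that received the same command.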