
Thread: Virus Alerts/Updates

  1. #31
    WebProWorld MVP wenwilder
    Join Date: Jul 2003
    Posts: 942

    W32/Bagle.bb@MM & W32/Bagle.bd@MM - Medium Risk

    --> What are they?

    W32/Bagle.bb@MM and W32/Bagle.bd@MM are Medium Risk
    mass-mailing worms that try to open up a hacker backdoor on
    your computer. Carried inside an email attachment, the
    viruses spread by forwarding themselves to e-mail addresses
    stolen from an infected PC. Like their predecessors, they
    also try to terminate anti-virus and other security software
    protection.

    --> What should I look for?

    FROM: Varies (spoofed)
    SUBJECT: Re:, Re: Hello, Re: Thank you!, Re: Thanks :),
    Re: Hi
    BODY: :), :))
    ATTACHMENT: Price, price, Joke (with an extension of .exe,
    .scr, .com or .cpl)

    --> How do I know if I've been infected?

    Presence of the wingo.exe file in the Windows system directory.
    Outgoing messages and attachments as described above.

    --> How do I find out more?

    W32/Bagle.bb@MM:
    http://us.mcafee.com/root/campaign.asp?cid=12534

    W32/Bagle.bd@MM:
    http://us.mcafee.com/root/campaign.asp?cid=12535

  2. #32
    WebProWorld MVP wenwilder
    Join Date: Jul 2003
    Posts: 942

    W32/Mydoom.ah@MM - Medium Risk

    --> What is it?

    W32/Mydoom.ah@MM is a Medium Risk mass-mailing worm that
    exploits a "buffer overflow vulnerability" in Microsoft
    Internet Explorer to spread from computer to computer using
    stolen email addresses. Web links (e.g., "see my homepage")
    in the spam messages point to infected systems, which then
    download the virus onto new victims' machines. Unlike earlier
    Mydoom variants, W32/Mydoom.ah@MM forwards no attachments.

    --> What should I look for?

    FROM: Spoofed.
    SUBJECT: Varies. Examples: hi!, hey!, Confirmation
    BODY: Varies. Examples:
    - Congratulations! PayPal has successfully charged $175 to
    your credit card. To see details please click this link.
    - Hi! I am looking for new friends. I am from Miami, FL. You
    can see my homepage with my last webcam photos!
    ATTACHMENT: None.

    --> How do I know if I've been infected?

    When run, the virus creates a file in the WINDOWS SYSTEM
    (%WinDir%\system32) directory with a random filename that
    ends in 32.exe.



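The two alerts above give only mail-borne indicators (subject, body, attachment name and extension). The following is an added example, not code from McAfee or from the posts, that matches a raw message against exactly those indicators; the messages it builds with `build_sample` are constructed test data, and `classify` is a name chosen here.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Indicators transcribed from the two alerts above (posts #31 and #32).
BAGLE_SUBJECTS = {"re:", "re: hello", "re: thank you!", "re: thanks :)", "re: hi"}
BAGLE_BODIES = {":)", ":))"}
BAGLE_ATTACH_NAMES = {"price", "joke"}
BAGLE_ATTACH_EXTS = {".exe", ".scr", ".com", ".cpl"}
MYDOOM_SUBJECTS = {"hi!", "hey!", "confirmation"}
MYDOOM_PHRASES = ("paypal has successfully charged", "see my homepage", "last webcam photos")

def classify(raw: bytes) -> List[str]:
    """Return the alert names whose mail-borne indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().strip().lower() if text_part else ""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    hits = []
    # Bagle.bb/.bd: a short "Re:" subject or smiley body, plus an executable
    # attachment called Price/price/Joke with one of the listed extensions.
    lure = subject in BAGLE_SUBJECTS or body in BAGLE_BODIES
    for name in names:
        stem, ext = os.path.splitext(name)
        if lure and stem.lower() in BAGLE_ATTACH_NAMES and ext.lower() in BAGLE_ATTACH_EXTS:
            hits.append("W32/Bagle.bb@MM / W32/Bagle.bd@MM")
            break
    # Mydoom.ah: no attachment at all; the lure is a web link in the body text,
    # optionally with one of the listed subjects.
    if not names:
        linked = "http://" in body or "https://" in body
        if any(p in body for p in MYDOOM_PHRASES) or (subject in MYDOOM_SUBJECTS and linked):
            hits.append("W32/Mydoom.ah@MM")
    return hits

def build_sample(subject: str, body: str, attachment: Optional[str] = None) -> bytes:
    """Construct a message in memory for testing (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"  # both alerts say FROM is spoofed
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:  # dummy payload; only the filename matters for these indicators
        msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename=attachment)
    return msg.as_bytes()
```

The subject and body lists are deliberately narrow, so a miss proves nothing; the point is to show how the published indicators translate into a mail-gateway check.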
  3. #33
    Quote Originally Posted by PitterPA
    I have found some viruses difficult to delete, but I haven't found one yet that you can't defeat by booting into DOS. So far, anyway. But the best cure is to avoid them.
    Ah, good old DOS, from the days when computers were FUN
    and not a constant parasiteware/malware-infested pain in the neck.
    RadarCat, Webmaster
    http://www.os2warplinks.com

  4. #34
    Guest

    New Virus Feed

    I wanted to say we've got a new virus feed on SecurityProNews.

    The feed comes from Sophos.

    Please check it out and also the Sophos site for great information regarding all the socially transmitted diseases floating through your computer.

  5. #35
    Junior Member
    Join Date: Dec 2007
    Posts: 26

    Re: Virus Alerts/Updates

    Very good tips again from WenWilder, and others also gave some useful tips. We must concentrate on avoiding viruses and on virus updates.

  6. #36
    Junior Member
    Join Date: Sep 2008
    Posts: 2

    Re: Virus Alerts/Updates

    Basically the file is in use, so Norton cannot repair it. So what you do is boot into safe mode, where only a small part of the operating system is used, allowing Norton to repair it.
    You could boot into safe mode and then run your Norton, or do what I paste below.
    Norton Live Safe Mode virus scan
    1. Go to this link, below, and save it in your favourites. Save it up at the top of your favourites drop-down list, otherwise you may not be able to see it in safe mode. (Drag it to the top.)
    Close the window.
    2. Turn off the popup blocker on your browser or software.
    3. Turn off System Restore, as long as you are confident you don't need it.
    Right-click the My Computer icon > Properties > System Restore tab > Turn off.
    This will delete all restore points. (System Restore can harbour viruses.)
    4. Boot into safe mode with networking by tapping the F8 key in the first few seconds of turning the computer on.
    5. Using your browser in safe mode with networking: open your browser and go to the link, choose antivirus scan; it will take quite a time to install but stick with it. It will ask to install ActiveX controls, which also take a while to install. Don't interfere, just wait a while. Run the scan when it asks. You can also run the antivirus checker afterwards, all while in safe mode.
    6. Reboot normally, turn on System Restore and create a restore point.

  7. #37
    Senior Member sushil
    Join Date: Apr 2008
    Posts: 114

    Re: Virus Alerts/Updates

    They also use a percentage of your computer's memory which
    increases each year-- infected systems eventually begin running a
    deficit and use the hard drive as virtual memory. Any attempt to
    clean this virus, or trim its memory requirements, results in error
    messages from each of the units explaining why this would cause the
    computer to break down.

  8. #38
    Member
    Join Date: Feb 2009
    Posts: 43

    Re: Virus Alerts/Updates

    My computer is always infected by viruses like trojans.
    Could someone explain to me where they come from?
    Is it from when I surf the internet?

    And my Control Panel can't open; is it because of this??

    Need help.

  9. #39
    WebProWorld MVP edhan
    Join Date: Aug 2003
    Posts: 941

    Re: Virus Alerts/Updates

    One of my clients happened to be infected by Conficker.AA and luckily managed to restore the PC back to health.

    Here is some info about Conficker.AA

    Win32/Conficker.AA

    Short description
    Win32/Conficker.AA is a worm that spreads via shared folders and on removable media. It connects to remote machines in an attempt to exploit the Server Service vulnerability.

    Installation
    When executed, the worm copies itself into some of the following locations:
    %system%\%variable%.dll

    %program files%\Internet Explorer\%variable%.dll

    %program files%\Movie Maker\%variable%.dll

    %appdata%\%variable%.dll

    %temp%\%variable%.dll

    A string with variable content is used instead of %variable% .

    The worm loads and injects the %variable%.dll library into the following processes:

    explorer.exe
    services.exe
    svchost.exe

    In order to be executed on every system start, the worm sets the following Registry entry:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "%variable_name%" = "rundll32.exe "%system%\%variable%.dll", %random_string%"

    The following Registry entries are set:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%\Parameters]
    "ServiceDll" = "%system%\%variable%.dll"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random service name%]
    "Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"
    "DisplayName" = "%random service name%"
    "Type" = 32
    "Start" = 2
    "ErrorControl" = 0
    "ObjectName" = "LocalSystem"
    "Description" = "%variable_name%"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    "TcpNumConnections" = 16777214

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = 0

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
    "gip" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
    "gip" = 0

    A string with variable content is used instead of %random service name%.

    The following Registry entries are deleted:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
    "wscsvc" = "%filepath%"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender" = "%filepath%"

    Spreading
    The worm starts an HTTP server on a random port.

    It connects to remote machines on TCP ports 139 and 445 in an attempt to exploit the Server Service vulnerability.

    If successful, the remote computer may attempt to connect to the infected computer and download a copy of the worm.

    This vulnerability is described in Microsoft Security Bulletin MS08-067.

    Spreading via shared folders
    The worm tries to copy itself into shared folders of machines on a local network.

    The following usernames are used:
    %username%

    The following passwords are used:
    123

    1234

    12345

    123456

    1234567

    If successful the following filename is used:
    \\%hostname%\ADMIN$\System32\%variable%.dll

    The worm schedules a task that causes the following file to be executed daily:
    rundll32.exe %variable%.dll, %random_string%

    Spreading on removable media
    The worm copies itself into existing folders of removable drives.

    If successful the following filename is used:
    %drive%\RECYCLER\S-%variable1%\%variable2%.%variable3%

    A string with variable content is used instead of %variable1-3% .

    The worm creates the following file:
    %drive%\autorun.inf



    Thus, the worm ensures it is started each time infected media is inserted into the computer.
    Other information
    The following services are disabled:
    Windows Security Center Service (wscsvc)

    Windows Automatic Update Service (wuauserv)

    Background Intelligent Transfer Service (BITS)

    Windows Defender Service (WinDefend)

    Windows Error Reporting Service (ERSvc)

    Windows Error Reporting Service (WerSvc)

    The worm launches the following processes:
    netsh interface tcp set global autotuning=disabled

    The worm blocks access to any domains that contain any of the following strings in their name:
    ahnlab

    arcabit

    avast

    avira

    castlecops

    If the current system date and time match the condition, the worm will attempt to download several files from the Internet.

    The worm runs only encrypted and properly signed files.

    The file is stored into the following folder:
    %temp%

    If successful the following filename is used:
    %variable%.tmp



    A string with variable content is used instead of %variable% .

    The worm may set the following Registry entries:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "%port number%:TCP" = "%port number%:TCP:*:Enabled:%variable%"

    The performed data entry creates an exception in the Windows Firewall program.
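The registry changes in the write-up above can be checked against a `reg export` dump taken from a suspect machine. This is an added example written for this thread, not ESET's or the poster's code: it parses the export format and flags the TcpNumConnections, SHOWALL, netsvcs-service and firewall-exception settings listed above. The service name xkqmsvc and DLL pqzrtl.dll in the constructed sample stand in for the write-up's %random service name% and %variable% placeholders and are not real indicators.

```python
from typing import Dict, List

# Constructed `reg export`-style excerpt carrying the settings the write-up attributes to
# Conficker.AA; service xkqmsvc and pqzrtl.dll are made-up stand-ins for its placeholders.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqmsvc]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqmsvc\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\pqzrtl.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3921:TCP"="3921:TCP:*:Enabled:pqzrtl"
'''
SERVICES = r"hkey_local_machine\system\currentcontrolset\services"
SHOWALL = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall"

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser for [key] / "name"=value lines; keys and names are lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, val = line.partition("=")
            name = name.strip('"').lower()
            # REG_DWORD values are exported as hex; REG_SZ values are quoted with "\\" escapes
            keys[current][name] = int(val[6:], 16) if val.startswith("dword:") else val.strip('"').replace("\\\\", "\\")
    return keys

def conficker_indicators(text: str) -> List[str]:
    """Flag the registry changes the write-up attributes to Win32/Conficker.AA."""
    reg, hits = parse_reg(text), []
    if reg.get(SERVICES + r"\tcpip\parameters", {}).get("tcpnumconnections") == 16777214:
        hits.append("TcpNumConnections = 16777214")
    if reg.get(SHOWALL, {}).get("checkedvalue") == 0:
        hits.append("SHOWALL CheckedValue = 0 (hidden files stay hidden)")
    for key, vals in reg.items():
        if key.startswith(SERVICES + "\\") and "-k netsvcs" in str(vals.get("imagepath", "")).lower():
            dll = reg.get(key + r"\parameters", {}).get("servicedll")
            if dll:  # a netsvcs-hosted DLL: check its name against your known-good list
                hits.append("netsvcs service %s -> %s" % (key.rsplit("\\", 1)[1], dll))
        if key.endswith(r"\globallyopenports\list"):
            hits += ["firewall exception %s" % v for v in vals.values() if ":enabled:" in str(v).lower()]
    return hits
```

Legitimate netsvcs services also live in system32, so the service and firewall lines are review items rather than verdicts; the TcpNumConnections and SHOWALL values are the more specific ones.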

  10. #40
    WebProWorld MVP kgun
    Join Date: May 2005
    Location: Norway
    Posts: 7,999

    Re: Virus Alerts/Updates

    Quote Originally Posted by edhan
    Spreading
    The worm starts an HTTP server on a random port.

    It connects to remote machines on TCP ports 139 and 445 in an attempt to exploit the Server Service vulnerability.

    If successful, the remote computer may attempt to connect to the infected computer and download a copy of the worm.

    This vulnerability is described in Microsoft Security Bulletin MS08-067.
    Interesting information.
