Virus Alert !

    VBS.Krim
    VBS.Krim is a mass-mailing worm that sends itself to contacts in the Microsoft Outlook address book and propagates through IRC. It also attempts to format the infected computer's C: drive if the worm does not find a file that it creates.
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


    Details
    VBS.Krim arrives as an attachment to an email with the following characteristics:

    Subject: SYMANTEC NORTON ANTIVIRUS
    Body: REMOVE VIRUS SASSER
    Attachment: mirko.bat


    If the worm locates an mIRC installation, it creates a script.ini file to send itself to other IRC users.


    If the C:\autoexec.bat file exists, but C:\mirko.bat does not exist, the worm attempts to add a format command to C:\autoexec.bat.


    Displays the following message:

    Hello %username%


    Launches C:\mirko.vbs and sends itself to all email addresses in the Outlook address book.

    #2
    W32.Erkez.B@mm

    Creates the mutex "_Hazafibb," which allows only one instance of the worm to run in memory.


    Copies itself to the %System% folder as:
    An eight-character, random file name with a .exe extension
    An eight-character, random file name with a .dll extension.

    Uses its own SMTP engine to send itself to the email addresses that it finds.

    The email has the following characteristics:

    From: The "From:" field of the email is spoofed.

    The rest of the email will be one of the following:


    To: Claudia
    Subject: Importante!
    Attachment: "link.informacion.phpV23.text.message.pif"
    Message:
    Informacion importante que debes conocer, -


    To: Katya
    Subject: oKatya
    Attachment: "view.link.index.image.phpV23.sexHdg21.pif"


    To: Eva
    Subject: E-Kort!
    Attachment: "link.ekort.index.phpV7ab4.kort.pif"
    Message: Mit hjerte banker for dig!


    To: Marica
    Subject: Ecard!
    Attachment: "link.showcard.index.phpAv23.ritm.pif"
    Message:
    De cand te-am cunoscut inima mea are un nou ritm!


    To: Anna
    Subject: E-vykort!
    Attachment: "link.vykort.showcard.index.phpBn23.pif"
    Message: Till min Alskade...


    To: Erica
    Subject: E-Postkort!
    Attachment: "link.postkort.showcard.index.phpAe67.pif"
    Message: Vakre roser jeg sammenligner med deg...


    To: Katarina
    Subject: E-postikorti!
    Attachment: "link.postikorti.showcard.index.phpGz42.pif"
    Message: Iloista kesaa!


    To: Magdolina
    Subject: Atviruka!
    Attachment: "link.atviruka.showcard.index.phpGz42.pif"
    Message: Linksmo gimtadieno! ha


    To: Beate
    Subject: E-Kartki!
    Attachment: "link.kartki.showcard.index.phpVg42.pif"
    Message: W Dniu imienin...


    To: Eva
    Subject: Cartoe Virtuais!
    Attachment: "link.cartoe.viewcard.index.phpYj39.pif"
    Message: Content: Te amo... ,


    To: Alice
    Subject: Flashcard fuer Dich!
    Attachment: "link.flashcard.de.viewcard34.php.2672aB.pif"
    Message:
    Hallo!
    hat dir eine elektronische Flashcard geschickt.
    Um die Flashcard ansehen zu koennen, benutze in deinem Browser
    einfach den nun folgenden link:
    http://flashcard.de/interaktiv/viewc...card=267BSwr34
    Viel Spass beim Lesen wuenscht Ihnen ihr...


    To: Eva
    Subject: Er staat een eCard voor u klaar!
    Attachment: "postkaarten.nl.link.viewcard.index.phpG4a62.pif"
    Message:
    Hallo!
    heeft u een eCard gestuurd via de website nederlandse
    taal in het basisonderwijs...
    U kunt de kaart ophalen door de volgende url aan te klikken of te
    kopiren in uw browser link:
    http://postkaarten.nl/viewcard.show53.index=04abD1
    Met vriendelijke groet,
    De redactie taalsite primair onderwijs...


    To: Hanka
    Subject: Elektronicka pohlednice!
    Attachment: "link.seznam.cz.pohlednice.index.php2Avf3.pif"
    Message:
    Ahoj!
    Elektronick pohlednice ze serveru http://www.seznam.


    To: Claudine
    Subject: E-carte!
    Attachment: "link.zdnet.fr.ecarte.index.php34b31.pif"
    Message:
    vous a envoye une E-carte partir du site zdnet.fr
    Vous la trouverez, l'adresse suivante link:
    http://zdnet.fr/showcard.index.php34bs42
    www.zdnet.fr, plus de 3500 cartes virtuelles, vos pages web
    en 5 minutes, du dialogue en direct...


    To: Francesca
    Subject: Ti e stata inviata una Cartolina Virtuale!
    Attachment: "link.cartoline.it.viewcard.index.4g345a.pif"
    Message:
    Ciao!
    ha visitato il nostro sito, cartolina.it e ha creato una
    cartolina virtuale per te! Per vederla devi fare click
    sul link sottostante: http://cartolina.it/asp.viewcard=index4g345a
    Attenzione, la cartolina sara visibile sui nostri server per
    2 giorni e poi verra rimossa automaticamente.


    To: Jennifer
    Subject: You`ve got 1 VoiceMessage!
    Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
    Message:
    Dear Customer!
    You`ve got 1 VoiceMessage from voicemessage.com website!
    Sender:
    You can listen your Virtual VoiceMessage at the following link:
    http://virt.voicemessage.com/index.listen.php2=35affv
    or by clicking the attached link.
    Send VoiceMessage! Try our new virtual VoiceMessage Empire!
    Best regards: SNAF.Team (R).


    To: Anita
    Subject: Tessek mosolyogni!!!
    Attachment: "meztelen csajok fociznak.flash.jpg.pif"
    Message:
    Ha ez a k=E9p sem tud felviditani, akkor feladom!
    Sok puszi:


    To: Anita
    Subject: Soxor Csok!
    Attachment: "anita.image043.jpg.pif"
    Message:
    Szia!
    Aranyos vagy, j=F3 volt dumcsizni veled a neten!
    Rem=E9lem tetszem, =E9s szeretn=E9m ha te is k=FClden=E9l k=E9pet
    magadr=F3l, addig is cs=F3k:


    To: Jennifer
    Subject: Don`t worry, be happy!
    Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
    Message:
    Hi Honey!
    I`m in hurry, but i still love ya...
    (as you can see on the picture)
    Bye - Bye:


    To: David
    Subject: Check this out kid!!!
    Attachment: "jennifer the wild girl xxx07.jpg.pif"
    Message:
    Send me back bro, when you`ll be done...(if you know what i mean...)
    See ya,



      #3
      I think I'll relax a bit today! :):):)
      "Always laugh when you can. It is a cheap medicine"
      Lord Byron

      Take a photo tour of Cape Cod and the Islands!
      www.capecodphotoalbum.com



        #4
        Originally posted by hcjilson
        I think I'll relax a bit today! :):):)
        I'm gonna have to get me a bumper sticker that reads something like................."My OptiBoard Mentor Uses a Mac....... Do You?" :bbg:



          #5
          W32.Korgo.O

          When W32.Korgo.O is executed, it performs the following actions:
          Deletes the file, ftpupd.exe, from the folder in which the worm was executed.
          Creates the following mutexes to ensure that only one instance of the worm is executed on the computer:

          u8
          u9
          u10
          u11
          u12
          u13
          u14
          uterm14
          Creates the event object "u13x".
          Opens the following event objects:

          u10x
          u11x
          u12x


          Deletes values:

          "Windows Security Manager"
          "Disk Defragmenter"
          "System Restore Service"
          "Bot Loader"
          "SysTray"
          "WinUpdate"
          "Windows Update Service"
          "avserve.exe"
          "avserve2.exeUpdate Service"
          "MS Config v13"

          from the registry key:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


          Copies itself as %System%\<random filename>.exe.
          Adds the values:

          "Client"="1"
          "ID"="<random value>"

          to the registry key:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless


          Adds the value:

          "Windows Update"="%System%\<random filename>.exe"

          to the registry key:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


          Attempts to inject a function into Explorer.exe as a thread.

          If successful, this threat will continue to run in the Explorer.exe process. All the actions described in the next step will appear to be done by Explorer.exe, and the worm will not show when viewing the process list in the Windows Task Manager.

          If unsuccessful, the worm will continue to run as its own process.


          Creates additional threads and does the following:


          Note: While the worm creates these threads, it prevents the computer from shutting down or restarting.

          Opens TCP ports 113, 5111, and a random port between 256 and 8191, which the worm uses to send itself out.


          Attempts to connect and update itself from one of the following HTTP servers:

          adult-empire.com
          asechka.r
          citi-bank.ru
          color-bank.ru
          crutop.nu
          cvv.ru
          fethard.biz
          filesearch.ru
          f***.ru
          goldensand.ru
          hackers.lv
          kavkaz.ru
          kidos-bank.ru
          konfiskat.org
          lovingod.host.sk
          master-x.com
          mazafaka.ru
          padonki.org
          parex-bank.ru
          trojan.ru
          xware.cjb.net

          Attempts to exploit the LSASS Windows vulnerability on TCP port 445 (described in Microsoft Security Bulletin MS04-011), against random IP addresses. If the worm successfully finds a vulnerable computer, the computer will attempt to reconnect to the infected computer to download the worm.:(



            #6
            New Trojan....................

            New Trojan Steals Banking Information
            A new Trojan virus is posing a threat to online banking customers.
            The carrier of the threat, "img1big.gif," poses as an image file.
            The file is not an image at all, but a file-dropper Trojan composed of a pair of Win32 executable programs compressed together using the open-source executable compressor UPX.
            The Trojan installs a Browser Helper Object (BHO) on Internet Explorer version 4.X and higher. One of the two sets of code performs the initial install, the other performs the BHO install. Once the BHO is up, it looks for secure access to the URLs of several dozen banking and financial sites around the globe and "grabs any outbound POST/GET data from within IE before it is encrypted by SSL."
            The outbound data--including user names and passwords--is sent over an HTTP connection created by the Trojan to the address http://www.refestltd.com/cgi-bin/yes.pl.



              #7
              Windows CE

              First Virus for Windows Mobile Pocket PC
              WinCE4.Dust is the first known Windows CE virus to run on ARM based devices running Windows Mobile Pocket PC.
              This is a live, working proof of concept virus that infects all .EXE files in the root directory of the Pocket PC device.
              WinCE4.Dust does no serious or permanent damage to the infected device, with the exception of infecting .exe files in the root directory. Infected files will run the viral code on execution and will then continue to operate as normal.

              It first determines if the listed .exe file is the currently executed program, and then makes sure the target .exe is not already infected. If the file has been infected, it will be marked with the word “atar” at the offset 0x11C. This is used during the infection process to see if the file was already infected. The virus will keep re-infecting files over and over until the device runs out of memory.



                #8
                Yet Another Bagle Variant Spreads
                Network administrators returning to work after the weekend can enjoy a fresh Bagle with their coffee--and no, it's not that kind of bagel. Antivirus companies are warning of another virulent new version of the Bagle e-mail worm, dubbed Bagle.AG.
                E-mail messages generated by the worm used forged (or "spoofed") sender addresses and vague subject lines such as "Re:," "fotogalary," "Lovely animals," and "Screen." Worm-infected file attachments might be in .zip, .exe, .scr, or other common formats and also have nonspecific names like "Moreinfo," "Details," or "Readme."
                Infected file attachments use one of a short list of names including "Foto3," "Secret," "Doll," and "Cat."


                The worm can also send copies of itself as a password-protected compressed file with a .zip extension.
                The compressed files are used to shrink one or more larger files, often for transmission on disk or over the Internet. Recipients must decompress or "unzip" the attachments to view the worm file, which they must open to become infected.


                When run, Bagle.AG harvests e-mail addresses from files stored on the infected computer's hard drive and installs its own SMTP engine, which is used to send out large volumes of infected e-mail messages from machines infected by the worm.

                Like earlier versions of Bagle, the AG variant also copies itself to Windows folders that could be used by file sharing programs, using a long list of names to disguise the worm file as popular downloads on peer to peer file sharing networks like Adobe Systems' Photoshop image editing program, the Matrix Revolutions film and pornography.



                  #9
                  A little more info on this.............

                  This is a mass-mailing worm that opens a backdoor on TCP port 1042 and uses its own SMTP engine to spread through email. The worm's potential impact includes clogged mail servers or degraded network performance. It also spreads via file sharing / peer-to-peer. It is a new variant of the W32.Beagle family of worms and is functionally similar to W32.Beagle.x.
                  The email message from address will be spoofed. The subject, body and file attachment of the message vary. :(



                    #10
                    W32.Mydoom.M@mm mass-mailing worm:

                    The W32.Mydoom.M@mm mass-mailing worm:

                    - Uses its own SMTP engine to send itself to all the email addresses that it finds from an infected system.
                    - The email has an attachment with a .bat, .cmd, .com, .exe, .pif, .scr, or .zip extension.
                    - The attachment name may contain a randomly selected domain, which was found on the sender's system.

                    For example, the attachment name could contain fakedomain.com if the address x@fakedomain.com was harvested.

                    - The From field of the email is spoofed.
                    - Downloads and executes a backdoor, which is detected as Backdoor.Zincite.A, on port 1034/tcp.
                    - Is packed by UPX.



                      #11
                      W32.Bugbros.C@mm

                      This is a mass-mailing worm that sends itself to all of the addresses in the Microsoft Outlook Address Book. The email has the following characteristics:

                      Subject: New products
                      Attachment: Twunk_64.exe
                      Message:

                      "Hi,
                      Update your Windows PC with Microsoft Windows Panel. This tool is free and provided by Microsoft. For more info read the disclaimer when you run the program.
                      bye"

                      Sends the message to all the addresses in the Microsoft Outlook Address Book.


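Added example covering the lures in posts #2, #8, #9, #10 and #11 (code written for this thread, not taken from any post or from the vendor write-ups they quote): a Python attachment triage that flags the executable extensions these worms use (.pif, .scr, .exe, .bat, .cmd, .com, .vbs), the decoy double extensions such as ".jpg.pif", and zip containers whose member names give away an executable even when the archive is password-protected the way Bagle.AG's are, because ZIP encryption covers file data but not the names stored in the central directory. The message, the archive, the example.invalid addresses and the extension lists are constructed assumptions of this example, not captured samples.

```python
"""Attachment triage for the mass-mailer lures described in posts #2, #8-#11:
executable extensions, decoy double extensions such as '.jpg.pif', and zip
containers whose member names betray an executable even when the archive is
password-protected.  Added example; message and archive are constructed."""
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Assumed lists: what Windows runs on double-click, and what lure names hide behind.
EXEC_EXTS = {".pif", ".scr", ".exe", ".bat", ".cmd", ".com", ".vbs", ".dll"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".pdf", ".php"}


def classify_name(filename):
    """Return (verdict, reason) for an attachment or archive member name."""
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]
    if ext in EXEC_EXTS:
        if inner_ext in DECOY_EXTS:
            return "block", f"executable hidden behind decoy double extension {inner_ext}{ext}"
        return "block", f"executable extension {ext}"
    return "allow", "non-executable name"


def inspect_zip(data):
    """Classify zip members by name.  ZIP encryption covers only file data;
    names in the central directory stay in clear text, so a password-protected
    Bagle archive still reveals the .exe it carries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict, reason = classify_name(info.filename)
            if info.flag_bits & 0x1:           # general purpose bit 0: member is encrypted
                reason += " (member encrypted; name still readable)"
            findings.append((info.filename, verdict, reason))
    return findings


def triage(raw_message):
    """Return [(attachment_name, verdict, reason)] for every attachment in a raw mail."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for member, verdict, reason in inspect_zip(payload):
                results.append((f"{name}!{member}", verdict, reason))
        else:
            results.append((name, *classify_name(name)))
    return results


def _password_protected_zip(member, data):
    """Constructed sample: build a plain zip, then set the 'encrypted' bit in the
    local and central headers so it looks password-protected.  (zipfile cannot
    write encrypted archives; only the flag matters for this demonstration.)"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    raw = bytearray(buf.getvalue())
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(sig)
        while pos != -1:
            raw[pos + flag_offset] |= 0x01
            pos = raw.find(sig, pos + 1)
    return bytes(raw)


def sample_message():
    """Constructed lure modelled on the Erkez.B and Bagle.AG mails quoted in the thread."""
    msg = EmailMessage()
    msg["From"] = "anybody@example.invalid"        # spoofed, as in every worm above
    msg["To"] = "david@example.invalid"
    msg["Subject"] = "Check this out kid!!!"
    msg.set_content("Send me back bro, when you'll be done...")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="jennifer the wild girl xxx07.jpg.pif")
    msg.add_attachment(_password_protected_zip("Foto3.exe", b"MZ\x90\x00"),
                       maintype="application", subtype="zip", filename="Secret.zip")
    msg.add_attachment("plain text, nothing to run", filename="Readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in triage(sample_message()):
        print(f"{verdict:5} {name}: {reason}")
```

The name checks are deliberately done on the archive listing rather than on extracted content, which is the only thing a gateway can see when the password is in the mail body; a real gateway would combine this with the MZ magic of any member it can open and with the "From: is forged" fact (SPF/DKIM) that none of these worms could defeat.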

                        #12
                        W32.Korgo.AB

                        W32.Korgo.AB is a worm that attempts to spread by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability, described in Microsoft Security Bulletin MS04-011, on TCP port 445.
                        W32.Korgo.AB is a worm that uses a dll file to spread to remote computers.
                        Once W32.Korgo.AB is executed, it performs the following actions:


                        Adds the value:

                        "SQL"="[12 randomly chosen ASCII characters]"

                        to the registry key:

                        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataAccess


                        Sends itself to the remote systems that it successfully exploited.


                        Attempts to contact a PHP script at one of the following domains, sending information about the compromised host:

                        citi-bank.ru
                        color-bank.ru
                        kidos-bank.ru
                        parex-bank.ru
                        www.redline.ru


                        Attempts to download and execute a file from a specified remote host.


                        Sends HTTP requests to the following domains:
                        adult-empire.com
                        bankofny.com
                        citi-bank.ru
                        citibank.com
                        crutop.nu
                        cvv.ru
                        fethard.biz
                        filesearch.ru
                        kaspersky.com
                        konfiskat.org
                        master-x.com
                        prodexteam.net
                        roboxchange.com
                        www.kaspersky.com
                        www.pandasoftware.com
                        www.riaa.com
                        www.sophos.com
                        www.symantec.com
                        www.trendmicro.com
                        xware.cjb.net


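Added example for the LSASS-exploiting worms in posts #5 and #12 (code written for this thread, not Korgo's code or the vendor's): a Python detector that works from connection-attempt records and looks for the two behaviours both posts describe, one source touching many distinct hosts on TCP/445, and a host that was just probed on 445 connecting back to the prober on 113, 5111 or a port in 256-8191 to fetch the worm body. The record format "ts src sport dst dport", the thresholds, and the log below are assumptions constructed for the demonstration; the addresses are from documentation ranges.

```python
"""Behavioural detection of an LSASS (MS04-011) worm such as Korgo from
connection-attempt records: (1) one source probing many distinct hosts on
TCP/445, and (2) a probed host connecting back to the prober on 113, 5111 or a
port in 256-8191, which is how the victim downloads the worm body.
Added example; the log format and the sample log are constructed, not captured."""
from collections import defaultdict

SCAN_THRESHOLD = 20            # distinct TCP/445 targets inside WINDOW seconds (assumed tuning)
WINDOW = 60.0
CALLBACK_WINDOW = 30.0         # seconds allowed between the 445 probe and the reverse connection
FIXED_LISTENERS = {113, 5111}  # ports the thread says Korgo.O opens
RANDOM_LISTENER_RANGE = range(256, 8192)


def parse_line(line):
    """'ts src sport dst dport' (initiator first) -> (float, str, int, str, int)."""
    ts, src, sport, dst, dport = line.split()[:5]
    return float(ts), src, int(sport), dst, int(dport)


def detect(lines):
    """Return {prober: evidence} for sources showing worm-like 445 behaviour."""
    events = sorted(parse_line(l) for l in lines
                    if l.strip() and not l.lstrip().startswith("#"))
    probes = defaultdict(lambda: defaultdict(list))   # prober -> target -> [ts]
    for ts, src, _, dst, dport in events:
        if dport == 445:
            probes[src][dst].append(ts)

    report = {}
    for prober, targets in probes.items():
        # Peak number of distinct 445 targets within any WINDOW-second span.
        timeline = sorted((t, d) for d, stamps in targets.items() for t in stamps)
        peak = 0
        for i, (t0, _) in enumerate(timeline):
            peak = max(peak, len({d for t, d in timeline[i:] if t - t0 <= WINDOW}))

        # Reverse connections: a recently probed host opening a session to the prober
        # on one of the listener ports the worm is known to bind.
        callbacks = []
        for ts, src, _, dst, dport in events:
            if dst != prober or src not in targets:
                continue
            recent = any(0 <= ts - t <= CALLBACK_WINDOW for t in targets[src])
            if recent and (dport in FIXED_LISTENERS or dport in RANDOM_LISTENER_RANGE):
                callbacks.append((src, dport))

        reasons = []
        if peak >= SCAN_THRESHOLD:
            reasons.append(f"{peak} distinct TCP/445 targets within {WINDOW:.0f}s")
        if callbacks:
            reasons.append(f"{len(callbacks)} probed host(s) connected back to a worm listener port")
        if reasons:
            report[prober] = {"distinct_445_targets": len(targets), "peak_in_window": peak,
                              "callbacks": callbacks, "reasons": reasons}
    return report


# Constructed sample log, one line per connection attempt, initiator first.
SAMPLE_LOG = ["# ts src sport dst dport"]
# 10.0.0.5 sprays TCP/445 at 25 random Internet addresses within five seconds ...
SAMPLE_LOG += [f"{1000 + i * 0.2:.1f} 10.0.0.5 {1100 + i} 198.51.100.{i} 445"
               for i in range(1, 26)]
SAMPLE_LOG += [
    "1005.2 10.0.0.5 1130 10.0.0.77 445",    # ... then hits an internal host,
    "1008.0 10.0.0.77 1052 10.0.0.5 5111",   # which pulls the worm body from the 5111 listener.
    "1001.0 10.0.0.9 2001 10.0.0.20 445",    # An admin box talking to three file servers: benign.
    "1002.0 10.0.0.9 2002 10.0.0.21 445",
    "1003.0 10.0.0.9 2003 10.0.0.22 445",
    "1009.0 10.0.0.9 2004 10.0.0.30 80",
]

if __name__ == "__main__":
    for host, evidence in detect(SAMPLE_LOG).items():
        print(host, evidence["reasons"], evidence["callbacks"])
```

Feed this connection-initiation records (one line per flow, initiator first, as a flow exporter or Zeek conn.log gives you), not per-packet logs, or the server half of an ordinary SMB session will look like a callback. The 256-8191 range covers plenty of legitimate server ports, so the callback rule relies on direction and the 30-second proximity to a 445 probe; a single probe followed by a legitimate connection back to, say, RDP on the prober will still fire and is worth reviewing rather than auto-blocking.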

                          #13
                          Hacktool.JPEGDownload

                          Hacktool.JPEGDownload is a program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028). The .jpg files that this Trojan generates can download a URL hardcoded in the .jpg file.
                          When Hacktool.JPEGDownload runs, it performs the following actions:


                          Displays a message box with the title "JPEG Downloader by [ATmaCA]".


                          Invites the user to enter a URL that will be downloaded by the .jpg file generated by the Trojan.


                          Generates a .jpg file when the user clicks "Make". This .jpg file exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028) and downloads a URL hardcoded into the .jpg file.
                          Displays information about the program when the user clicks "About".


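Added example for post #13 (code written for this thread, not from the post or from the tool it describes): a JPEG marker-segment parser that flags the condition MS04-028 fixed. Every marker segment except the standalone ones carries a two-byte big-endian length that counts the two length bytes themselves, so a legal value is at least 2; a COM or APPn segment advertising 0 or 1 makes the vulnerable GDI+ code compute "length - 2" as a huge unsigned value. The two JPEG byte strings are constructed inline. This block detects the pattern; it does not produce such files.

```python
"""Detect the JPEG segment-length underflow fixed by MS04-028 (GDI+).
Added example; both sample files are constructed byte strings."""
import struct

SOI, EOI, SOS, COM, APP0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE0
# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def parse_segments(data):
    """Walk the marker segments of a JPEG up to SOS or EOI.

    Returns (segments, findings): segments is a list of
    (marker, offset, length_field_or_None); findings lists structural
    problems, including the MS04-028 pattern.  Parsing stops at the first
    problem because nothing after a bad length can be trusted."""
    if data[:2] != b"\xff\xd8":
        return [], ["not a JPEG: missing SOI"]
    segments, findings = [], []
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos:#x}")
            break
        start = pos
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            findings.append("truncated marker")
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, start, None))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            findings.append(f"marker {marker:#04x} truncated before its length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        segments.append((marker, start, length))
        if length < 2:      # the field includes its own two bytes; 0 or 1 wraps in GDI+
            findings.append(f"marker {marker:#04x} at offset {start:#x} has length field "
                            f"{length} < 2: MS04-028 integer underflow pattern")
            break
        if pos + length > len(data):
            findings.append(f"marker {marker:#04x} at offset {start:#x} runs past end of file")
            break
        if marker == SOS:   # entropy-coded data follows; header parsing ends here
            break
        pos += length
    return segments, findings


def is_safe(data):
    """True when the marker structure parses cleanly with no suspicious length."""
    return not parse_segments(data)[1]


def _segment(marker, payload):
    """Build a well-formed segment; the length field covers itself plus the payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a minimal JFIF header with a comment, and the same header
# whose COM length field claims 1 byte (1 - 2 wraps in the vulnerable code).
JFIF_APP0 = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
BENIGN_JPEG = b"\xff\xd8" + JFIF_APP0 + _segment(COM, b"harmless comment") + b"\xff\xd9"
UNDERFLOW_JPEG = b"\xff\xd8" + JFIF_APP0 + b"\xff\xfe\x00\x01" + b"A" * 16 + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_JPEG), ("underflow", UNDERFLOW_JPEG)):
        print(label, "safe" if is_safe(blob) else parse_segments(blob)[1])
```

Run it over a mail gateway's image attachments or a web proxy's JPEG responses before they reach an unpatched viewer; the check is cheap because it never decodes pixel data, it only walks the header segments.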

                            #14
                            Worm Crawls Through MSN Messenger

                            Security researchers are warning of a new worm, dubbed "Funner," targeting Microsoft's MSN Messenger instant messaging application.

                            The worm propagates by sending a copy of itself, disguised as "funny.exe," to contacts found through MSN Messenger.


                            The worm then makes registry modifications and overwrites entries in the Hosts file, a list used to map IP (Internet Protocol) addresses to Web sites.



                              #15
                              PWSteal.Bancos.O

                              PWSteal.Bancos.O is a Trojan horse program that logs keystrokes and steals information entered into certain banking Web sites. It also steals all passwords stored in the Microsoft Outlook account manager.

                              Monitors active Internet Explorer windows. The Trojan logs keystrokes and other user actions when the user visits a URL that contains one of the following substrings:
                              adelaidebank.com.au
                              bankone.com.au
                              banksa.com.au/default.asp?msrc=/code/internet_banking
                              bankwest.com.au
                              benbank.com.au
                              bendigobank.com.au
                              butterfielddirect.com
                              cajamadrid
                              citibank
                              client.ccf.fr
                              commbank.com.au
                              direct-validate.bankofamerica.com
                              etrade.com.ua
                              firstdirect.com
                              halifax-online.co.uk
                              hangseng.com
                              hsbc
                              ibank.barclays.co.uk
                              internationalbanking
                              lloydstsb.com
                              macquarie.com.au
                              national.com.au
                              nationwide.co.uk/default.htm
                              navyfcu.org
                              sabb.com
                              stgeorge.com.au
                              suncorp.com.au
                              Logged information is sent to a remote web server with an IP address of 69.50.166.66.
