Post by StRiDeR on Jan 20, 2004 21:39:51 GMT 8
W32/Rirc-A
Aliases: W32/Rirc.worm, Backdoor.Rirc
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus. At the time of writing, Sophos has received just one report of this worm from the wild.

Description
W32/Rirc-A is a worm which spreads by copying itself to network shares protected by weak passwords at random IP addresses.

When first run, W32/Rirc-A copies itself to the Windows System folder and appends its pathname to the shell= line in the [Boot] section of <WINDOWS>\System.ini, so that it is run automatically each time Windows is started. For example:
[Boot]
shell=Explorer.exe <SYSTEM>\<filename of worm>
On versions of Windows NT, 2000 and XP the worm also appends its pathname to the following registry entry to run itself on startup:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The new value of this registry entry will typically be
"Explorer.exe <SYSTEM>\<filename of worm>".
Each time the worm runs it tries to connect to random IP addresses on port 139. If successful the worm tries to copy itself as Setup.exe to the following startup folders of shares:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\WINDOWS\Start Menu\Programs\Startup\
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
The worm attempts to log on to the Administrator account of remote computers using a list of 'weak' passwords and, if the Schedule service is active on the remote computer, the worm schedules a new job to run the worm.
The worm also attempts to connect to a remote IRC server and join a specific channel. The worm then sends status information to this channel.

Recovery
Please follow the instructions for removing worms.
Check your administrator passwords and review network security. You should also check shares on other computers on the network to ensure the worm has not spread.
Editing System.ini
At the taskbar, click Start|Run and type Sysedit. Bring System.ini to the front. In the 'shell=' line in the [Boot] section, search for any references to the files you deleted. Delete only that reference, not any other text.
Editing the registry
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
It should contain a reference to explorer.exe (or possibly NALWIN32.exe if you are using NetWare) only. Remove any reference to any file you deleted. You may need to replace the reference to explorer.exe.
Close the registry editor and reboot your computer.
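The System.ini edit and the Winlogon\Shell edit above are the same operation: remove the worm's pathname from the shell value and keep the legitimate shell. As an added example that is not part of the Sophos advisory or this post, the following Python does that edit on a copy of the file text or the exported value, so it can be reviewed before anything is written back. The worm filename WORM.EXE and the sample System.ini are constructed stand-ins, since the advisory does not name the file.

```python
# Added example, not from the Sophos advisory or this forum post.
# Cleans the shell= line in System.ini and the Winlogon\Shell value text
# the way the recovery steps describe: remove only the deleted worm's
# reference and leave everything else, restoring Explorer.exe if it went missing.
import re
from typing import Iterable, List

# Explorer.exe is the normal shell; NALWIN32.exe is the NetWare case the advisory mentions.
LEGIT_SHELLS = {"explorer.exe", "nalwin32.exe"}


def _basename(token: str) -> str:
    """Last path component, lower-cased, for case-insensitive filename matching."""
    return re.split(r"[\\/]", token)[-1].lower()


def clean_shell_value(value: str, deleted_files: Iterable[str]) -> str:
    """Return the shell value with every reference to a deleted worm file removed.

    Tokens are split on whitespace; this assumes the worm path has no spaces,
    which holds for <SYSTEM>\\<filename>. If no legitimate shell is left
    (the worm replaced it instead of appending), Explorer.exe is put back,
    as the advisory says you may need to do.
    """
    deleted = {f.lower() for f in deleted_files}
    kept: List[str] = [t for t in value.split() if _basename(t) not in deleted]
    if not any(_basename(t) in LEGIT_SHELLS for t in kept):
        kept.insert(0, "Explorer.exe")
    return " ".join(kept)


def clean_system_ini(text: str, deleted_files: Iterable[str]) -> str:
    """Rewrite only the shell= line inside [Boot]; every other line is left as is."""
    out: List[str] = []
    in_boot = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_boot = stripped.lower() == "[boot]"
        elif in_boot and "=" in line and line.split("=", 1)[0].strip().lower() == "shell":
            key, val = line.split("=", 1)
            line = f"{key}={clean_shell_value(val, deleted_files)}"
        out.append(line)
    result = "\n".join(out)
    return result + "\n" if text.endswith("\n") else result


# Constructed sample: WORM.EXE stands in for the worm filename, which the advisory leaves unnamed.
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\WORM.EXE\n"
    "[386Enh]\n"
    "device=*vmm32\n"
)

if __name__ == "__main__":
    print(clean_system_ini(SAMPLE_SYSTEM_INI, ["worm.exe"]))
    # The same function serves the Winlogon\Shell registry value on NT/2000/XP.
    print(clean_shell_value("Explorer.exe C:\\WINNT\\system32\\WORM.EXE", ["worm.exe"]))
```

Run it against a copy of System.ini (or the Shell data copied out of Regedit) and diff the result before editing the real file; the only line that should change is shell=.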
Post by atokENSEM on Jan 23, 2004 3:34:33 GMT 8
> Of course I posted it... but I only posted it once... does atok mean I posted it twice?

Yes.. strider can see what strider posted before this! OK?
Post by StRiDeR on Jan 25, 2004 21:59:19 GMT 8
> Yes.. strider can see what strider posted before this! OK?

OK, OK, tok.... I'll check later....
Post by atokENSEM on Jan 27, 2004 2:42:10 GMT 8
> OK, OK, tok.... I'll check later....

Checked yet? Never mind.. let's forget it.. atok just wanted to let you know..
Post by StRiDeR on Jan 27, 2004 19:33:50 GMT 8
Troj/Divix-A
Aliases: Worm.Win32.Randon.o, Backdoor.Trojan, IRC/Flood.bat
Type: Trojan

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus.
Enterprise Manager customers will receive the IDE automatically at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.

Description
Troj/Divix-A is a mIRC Trojan that can be used to gain unauthorised access to a victim's computer. The operation of this Trojan will depend on two other Trojans detected by Sophos Anti-Virus as Troj/Saye-A and Troj/DoSDelf-A.
The Trojan also requires the use of several clean utilities including a mIRC client application and a tool to hide windows on the victim's desktop.

Recovery
Please follow the instructions for removing Trojans.
Post by StRiDeR on Jan 27, 2004 19:37:39 GMT 8
W32/Bagle-A
Aliases: W32.Beagle.A@mm, Win32.Bbgle.A@mm
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus. Enterprise Manager customers will receive the IDE automatically at their next scheduled update. Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-A is a worm that sends itself to addresses harvested from files on the hard disk. The worm spoofs the "From" field in emails it sends, which means that it may appear to have come from someone you know.

W32/Bagle-A arrives in an email with the following characteristics:
Subject line: Hi
Message text: Test =) [random characters] -- Test, yep.
Attached file: <random name>.exe

The attached file may appear as a calculator icon. The worm deliberately launches the Calculator application as a disguise.

W32/Bagle-A copies itself to bbeagle.exe in the Windows system folder and sets the following registry entry to ensure the worm is run at logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe

The worm also sets the following registry entries:
HKCU\Software\Windows98\uid
HKCU\Software\Windows98\frun

W32/Bagle-A includes a backdoor component which listens on TCP port 6777. This allows an attacker to upload and execute arbitrary programs on infected computers.

Note that W32/Bagle-A will not activate if the system date is 28 January 2004 or later.
Post by StRiDeR on Jan 27, 2004 19:38:54 GMT 8
W32/Bagle-A disinfection instructions
Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Windows 95/98/Me and Windows NT/2000/XP/2003
W32/Bagle-A can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.
Windows disinfector
BAGLEGUI is a disinfector for standalone Windows computers. Open BAGLEGUI, run it, then click GO. If you are disinfecting several computers, download it, save it to floppy disk and run it from there.
Command line disinfector
BAGLESFX.EXE is a self-extracting archive containing BAGLECLI, a Resolve command line disinfector for use on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.
Other platforms
To remove W32/BAGLE-A on other platforms please follow the instructions for removing worms.
Post by atokENSEM on Jan 28, 2004 18:41:44 GMT 8
> W32/Bagle-A
> Aliases: W32.Beagle.A@mm, Win32.Bbgle.A@mm
> Type: Win32 worm
>
> Detection
> A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus. Enterprise Manager customers will receive the IDE automatically at their next scheduled update. Sophos has received many reports of this worm from the wild.
>
> Description
> W32/Bagle-A is a worm that sends itself to addresses harvested from files on the hard disk. The worm spoofs the "From" field in emails it sends, which means that it may appear to have come from someone you know.
>
> W32/Bagle-A arrives in an email with the following characteristics:
> Subject line: Hi
> Message text: Test =) [random characters] -- Test, yep.
> Attached file: <random name>.exe
>
> The attached file may appear as a calculator icon. The worm deliberately launches the Calculator application as a disguise.
>
> W32/Bagle-A copies itself to bbeagle.exe in the Windows system folder and sets the following registry entry to ensure the worm is run at logon:
> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
>
> The worm also sets the following registry entries:
> HKCU\Software\Windows98\uid
> HKCU\Software\Windows98\frun
>
> W32/Bagle-A includes a backdoor component which listens on TCP port 6777. This allows an attacker to upload and execute arbitrary programs on infected computers.
>
> Note that W32/Bagle-A will not activate if the system date is 28 January 2004 or later.

How many times are you going to post this?..
Post by StRiDeR on Jan 28, 2004 22:12:12 GMT 8
> W32/Bagle-A Aliases W32.Beagle.A@mm, Win32.Bbgle.A@mm Type Win32 worm
- this is the description of the W32/Bagle-A virus
**************************************
> W32/Bagle-A disinfection instructions <------------------ Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
- this is how to remove the virus... so what was posted twice? ...I'm confused too... atok said the same thing before as well... I've already searched through carefully... nothing was posted twice... maybe atok didn't read it properly.....
Post by atokENSEM on Jan 29, 2004 1:03:15 GMT 8
strider has put out so many viruses and worms.. that's why atok thought many of them were the same..
Post by StRiDeR on Jan 29, 2004 21:06:09 GMT 8
> strider has put out so many viruses and worms.. that's why atok thought many of them were the same..

Never mind.. it's OK...
Post by atokENSEM on Jan 30, 2004 3:11:17 GMT 8
What's the new virus, strider?
Post by StRiDeR on Feb 1, 2004 12:29:01 GMT 8
Troj/Stawin-A
Type: Trojan

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus.
Enterprise Manager customers will receive the IDE automatically at their next scheduled update.
Sophos has received several reports of this Trojan from the wild.

Description
Troj/Stawin-A is a key logging Trojan that appears to have been mass-mailed out. It may have arrived in an email with the following characteristics:
Subject line: I still love you <random characters>
Message text: Error 551: We are sorry your UTF-8 encoding is not supported by the server, so the text was automatically zipped and attached to this message.
Attached file: message.zip
When logging data, Troj/Stawin-A will target user interactions with banks and financial institutions. For example data entered into online banking forms. The logged data will be sent to a specific email address.
When run it will copy itself to the Windows folder using its original filename. Examples already seen have used the filename message.exe.
The Trojan will then set the following registry entry that points to the copy of the Trojan to ensure it is run at system logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
Troj/Stawin-A will create the helper file HookerDll.Dll in the Windows folder.
The file kgn.txt may also be created in the Windows folder. This file is not malicious and can be deleted.

Recovery
Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Delete the file kgn.txt in the Windows folder if it exists.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.
Each user has a registry area named HKEY_USERS\[code number]. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\OLE
and delete it if it exists.
Close the registry editor and reboot your computer.
Post by StRiDeR on Feb 1, 2004 12:29:56 GMT 8
VBS/Inor-C
Aliases: TrojanDropper.VBS.Inor.z, VBS/Inor.F@dr, VBS/Inor, W32.Dumaru.Z@mm
Type: Trojan

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus.
Enterprise Manager customers will receive the IDE automatically at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.

Description
VBS/Inor-C is a Trojan dropper. VBS/Inor-C is a Microsoft Visual Basic script (sometimes embedded within an HTML file) which stores an executable encoded as text.
When run, VBS/Inor-C drops the executable and runs it.
VBS/Inor-C typically drops W32/Dumaru-Y as the file C:\2.exe.

Recovery
Please follow the instructions for removing Trojans.
Post by StRiDeR on Feb 1, 2004 12:31:12 GMT 8
W32/Mimail-S
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the March 2004 (3.79) release of Sophos Anti-Virus.
Enterprise Manager customers will receive the IDE automatically at their next scheduled update.
At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description
W32/Mimail-S is a worm which spreads by email. The worm sends itself to email addresses harvested from your hard disk. These addresses are saved into a file named outlook.cfg in the Windows folder. W32/Mimail-S drops a copy of itself into the Windows folder using the name rabbit.exe. W32/Mimail-S adds the entry:
RabbitWannaHome = "[windows folder]\rabbit.exe"
to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm loads every time you logon to your computer.
W32/Mimail-S also drops an HTML script into the file c:\ms.hta. This script pops up a dialog window asking you to enter your credit card number, expiry date and PIN. Information which the worm "phishes" in this way is written into a file named c:\xx.
W32/Mimail-S uses a wide range of randomly-constructed subject lines, message texts and attachment names in order to vary the appearance of the emails it sends out.
W32/Mimail-S spoofs the FROM address. It may use an email address that it found on the local hard disk as the FROM address. Alternatively, it takes a string from an email address found on the local hard disk and splits it into user and domain parts. If the domain has the string '.com', '.net' or '.org' in it, that domain name is taken and the string 'john@' is appended to it to create the spoofed FROM address. For example, the harvested email address jill@example.com may be turned into john@example.com.

Recovery
Please follow the instructions for removing worms.
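The Rirc-A, Bagle-A, Stawin-A and Mimail-S write-ups in this thread each name a registry autorun location: the Winlogon\Shell value, and the HKLM, HKCU and HKU\<SID> Run keys with the values d3dupdate.exe, OLE and RabbitWannaHome. As an added example that is not part of any Sophos advisory or this thread, the following Python parses a regedit export (the same 'Export Registry File' backup the recovery steps tell you to make) and flags those entries, so an export saved from a suspect machine can be checked offline. The sample export, its SID and the "Sample benign" entry are constructed for the demonstration; WORM.EXE stands in for the unnamed Rirc-A filename.

```python
# Added example, not from the Sophos advisories or this forum thread.
# Scans a regedit .reg export for the autorun entries the advisories describe.
import re
from typing import Dict, List, Tuple

# Run-key value names given in the advisories (lower-cased) -> family.
RUN_VALUE_NAMES = {
    "d3dupdate.exe": "W32/Bagle-A",
    "ole": "Troj/Stawin-A",
    "rabbitwannahome": "W32/Mimail-S",
}
# Filenames the advisories say the malware copies itself to (lower-cased) -> family.
RUN_FILE_NAMES = {
    "bbeagle.exe": "W32/Bagle-A",
    "rabbit.exe": "W32/Mimail-S",
    "message.exe": "Troj/Stawin-A",  # only the filename "seen so far", so a weaker indicator
}
LEGIT_SHELLS = {"explorer.exe", "nalwin32.exe"}

# Matches the Run key under HKLM, HKCU or any HKEY_USERS\<SID> hive.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
WINLOGON_RE = re.compile(r"\\software\\microsoft\\windows nt\\currentversion\\winlogon$", re.I)
VALUE_LINE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')

Finding = Tuple[str, str, str]  # (family, key\value, data)


def _unescape(s: str) -> str:
    """Undo the .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _basename(token: str) -> str:
    return re.split(r"[\\/]", token)[-1].lower()


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key_path: {value_name: data}}.

    String (REG_SZ) data is unescaped; dword:/hex: data is kept as raw text.
    Assumption: no hex continuation lines (trailing backslash), which the
    Run keys and Winlogon\\Shell do not use.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, data = "", line[2:]
        else:
            m = VALUE_LINE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def scan_reg_export(text: str) -> List[Finding]:
    """Return (family, key\\value, data) for every indicator the advisories name."""
    findings: List[Finding] = []
    for path, values in parse_reg_export(text).items():
        if RUN_KEY_RE.search(path):
            for name, data in values.items():
                family = RUN_VALUE_NAMES.get(name.lower())
                if family is None:
                    # data may carry arguments: use the basename of the first token
                    tail = _basename(data).split()
                    family = RUN_FILE_NAMES.get(tail[0]) if tail else None
                if family:
                    findings.append((family, f"{path}\\{name}", data))
        elif WINLOGON_RE.search(path):
            # Rirc-A appends its path to Shell; anything beyond the real shell is suspect.
            for name, shell in values.items():
                if name.lower() == "shell":
                    extra = [t for t in shell.split() if _basename(t) not in LEGIT_SHELLS]
                    if extra:
                        findings.append(("W32/Rirc-A (appended Shell)", f"{path}\\{name}", shell))
    return findings


# Constructed sample export: the SID and the "Sample benign" entry are made up for the demo.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINNT\\system32\\WORM.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RabbitWannaHome"="C:\\WINNT\\rabbit.exe"
"Sample benign"="C:\\WINNT\\notepad.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="C:\\WINNT\\system32\\bbeagle.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Run]
"OLE"="C:\\WINNT\\message.exe"
'''

if __name__ == "__main__":
    for family, where, data in scan_reg_export(SAMPLE_REG):
        print(f"{family:28} {where} = {data}")
```

Value names and filenames are matched case-insensitively because the registry is case-insensitive; a hit on a generic name such as OLE or message.exe should be confirmed against the file it points to before anything is deleted.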