|
Post by StRiDeR on Feb 12, 2004 20:29:58 GMT 8
W32/Doomjuice-B
Aliases W32.DoomJuice.B
Type Win32 worm
Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description W32/Doomjuice-B is a worm which spreads by exploiting a backdoor installed by W32/MyDoom-A. The functionality of the worm is similar to W32/Doomjuice-A but without the part of the code that drops the archive with the W32/MyDoom-A source code.
The worm creates a copy of itself named regedit.exe in the Windows system folder and creates the following registry entry to ensure that the copy is run when Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck = <system folder>\regedit.exe
W32/Doomjuice-B will contact computers infected with W32/MyDoom-A by attempting to connect to port 3127 of randomly chosen IP addresses. If the worm contacts a computer infected with W32/MyDoom-A, a copy of W32/Doomjuice-B will be transferred to the computer and executed.
On 13th February and any date thereafter W32/Doomjuice-B will attempt to launch a denial-of-service attack against www.microsoft.com. The denial-of-service attack routine is changed in order to make blocking of the worm's HTTP requests difficult.
Recovery Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck = <system folder>\regedit.exe
and delete it if it exists.
Close the registry editor.
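The propagation routine described in the post above (connection attempts to TCP port 3127 on many randomly chosen addresses) is easy to spot from perimeter logs. The script below is an added example, not part of the original post or of Sophos's advisory: it parses firewall log lines in a constructed, hypothetical format, counts distinct destination addresses per source on port 3127, and reports sources above a constructed threshold. The sample lines are constructed for illustration; adapt parse_line() to your firewall's real format.

```python
"""
Added example (not part of the original post or of Sophos's advisory):
flag internal hosts that behave like W32/Doomjuice-B's propagation routine,
i.e. attempt TCP connections to port 3127 on many distinct destination
addresses. The log format and the sample lines below are constructed
for illustration; adapt parse_line() to your firewall's real format.
"""
from collections import defaultdict
import re

# Constructed (hypothetical) firewall log format:
#   "<time> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>TCP|UDP) (?P<action>\w+)$"
)

MYDOOM_BACKDOOR_PORT = 3127   # port W32/MyDoom-A listens on, as stated in the post
DISTINCT_DST_THRESHOLD = 5    # constructed threshold: distinct targets that count as scanning


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_port_scanners(lines, port=MYDOOM_BACKDOOR_PORT, threshold=DISTINCT_DST_THRESHOLD):
    """
    Count distinct destination IPs per source for TCP attempts to `port`.
    Return {src_ip: distinct_target_count} for sources at or above `threshold`,
    noisiest source first. Both accepted and dropped attempts count: a dropped
    attempt is still evidence that the source is probing.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or int(rec["port"]) != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    hits = {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}
    return dict(sorted(hits.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample: 10.0.0.7 sweeps random addresses on 3127; 10.0.0.9 is ordinary traffic
SAMPLE_LOG = [
    "2004-02-12T20:01:00 10.0.0.7 -> 203.0.113.4:3127 TCP DROP",
    "2004-02-12T20:01:01 10.0.0.7 -> 198.51.100.77:3127 TCP DROP",
    "2004-02-12T20:01:01 10.0.0.7 -> 192.0.2.15:3127 TCP DROP",
    "2004-02-12T20:01:02 10.0.0.7 -> 203.0.113.200:3127 TCP DROP",
    "2004-02-12T20:01:02 10.0.0.7 -> 198.51.100.3:3127 TCP ACCEPT",
    "2004-02-12T20:01:03 10.0.0.7 -> 192.0.2.99:3127 TCP DROP",
    "2004-02-12T20:01:03 10.0.0.9 -> 192.0.2.10:80 TCP ACCEPT",
    "2004-02-12T20:01:04 10.0.0.9 -> 192.0.2.10:3127 TCP DROP",
    "2004-02-12T20:01:05 10.0.0.9 -> 192.0.2.11:443 TCP ACCEPT",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for src, n in find_port_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts probed on TCP/{MYDOOM_BACKDOOR_PORT}")
```

The threshold is deliberately low for the sample; on a real network, tune it against the normal number of hosts that legitimately talk to any one port, and remember that a single accepted connection on 3127 is itself worth a look, because it means the destination is running the MyDoom-A backdoor.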
|
|
|
Post by StRiDeR on Feb 12, 2004 20:31:46 GMT 8
|
|
|
Post by StRiDeR on Feb 13, 2004 20:40:22 GMT 8
W32/DoomHunt-A Type Win32 worm Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description W32/DoomHunt-A is a worm which spreads to computers infected with the W32/MyDoom-A and W32/MyDoom-B worms and terminates processes and removes files associated with these worms. W32/DoomHunt-A listens for connections on port 3127. If a connection is made the worm sends back a copy of itself to be executed on the remote computer.
When run the worm copies itself to the Windows system folder using the filename worm.exe and creates the following registry entry to ensure it is run at system logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
W32/DoomHunt-A will terminate the following processes:
SHIMGAPI.DLL, CTFMON.DLL, REGEDIT.EXE, TEEKIDS.EXE, MSBLAST.EXE, EXPLORER.EXE, TASKMON.EXE, INTRENAT.EXE
and will delete the following files:
SHIMGAPI.DLL, CTFMON.DLL, REGEDIT.EXE, TEEKIDS.EXE, MSBLAST.EXE, EXPLORER.EXE, TASKMON.EXE, INTRENAT.EXE
Recovery Please follow the instructions for removing worms.
You will also need to edit the following registry entry for each user who ran the virus. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.
Each user has a registry area named HKEY_USERS\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\ CurrentVersion\Run\DELETE ME
and delete it if it exists.
Close the registry editor and reboot your computer.
If problems persist please contact technical support.
|
|
|
Post by StRiDeR on Feb 13, 2004 20:41:51 GMT 8
Troj/Pinbol-A Type Trojan Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description Troj/Pinbol-A is an IRC backdoor Trojan. When Troj/Pinbol-A is first executed a copy is created in the Windows folder with the filename smvc32.exe and the following registry entry is created so that the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SMVC = smvc32.exe
Troj/Pinbol-A connects to a channel on a remote IRC server enabling an attacker to gain unauthorised access to the victim's machine.
Troj/Pinbol-A will store email addresses harvested from the victim's computer in the file C:\cyclop.bin and periodically email this information to the attacker.
A proxy server is set up on a random port number which is stored in the registry at HKCU\Software\socks.
The following registry entry will also be created by the Trojan: HKCU\Software\magic = 666.
Recovery Please follow the instructions for removing Trojans.
|
|
|
Post by atokENSEM on Feb 14, 2004 20:53:28 GMT 8
Important!!!!
MyDoom loses its sting on 12 February
The computer virus currently sweeping the Internet, MyDoom, is expected to keep attacking e-mail around the world until 12 February, the date it is programmed to stop its rampage.
Mikko Hypponen, director at the global computer security company F-Secure, said that after that date MyDoom is not expected to spread as long as the infected computer's date is set correctly, but not every computer's time or date is always accurate.
He said that, unlike most computer viruses, which usually attack only once, MyDoom is so virulent because it spreads continuously from the computers it infects until 12 February.
“The virus, also known as Novarg, has now attacked millions of users' computers around the world, but we are not sure how many. What is certain is that it has attacked worldwide,” he said.
The MyDoom worm attacks through e-mail attachments on computers running Microsoft Corp (Microsoft) operating systems (OS) and becomes active when the user opens the e-mail.
Computer security experts consider the worm the most severe attack of the month and one that has caused many problems given how quickly it spread.
Hypponen said he had contacted his staff in various countries but had still not managed to identify who was behind the creation of this virus.
He said the original MyDoom.A worm is still detected as the most active, while the MyDoom.B variant, which was expected to be more severe, has proven only moderately active. Experts are not sure whether MyDoom.B has been programmed to 'die' at a set time.
“Version B has proven less severe than version A judging by the kind of attack it mounts, that is, it does not spread as quickly,” he said.
Last week, Microsoft promised to pay roughly RM950,000 to anyone who successfully helps the authorities find and convict the person who released the virus.
The cash reward is the third offered so far under the RM19 million Microsoft programme announced last November to help the United States authorities catch virus writers who cause damage to the Internet.
|
|
|
Post by StRiDeR on Feb 16, 2004 20:26:05 GMT 8
W32/MyDoom-E Type Win32 worm Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description W32/MyDoom-E is a worm which spreads by email. The worm copies itself to the Windows system folder using the filename taskmon.exe and sets the following registry entry that points to this copy to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon
Please note that on Windows 95/98/Me, there is a legitimate file called taskmon.exe in the Windows folder.
W32/MyDoom-E will create the file shimgapi.dll in the Windows system folder.
The worm can also copy itself into the shared folder of the KaZaA peer-to-peer application.
A more detailed description will be published shortly.
Recovery Please follow the instructions for removing worms.
|
|
|
Post by atokENSEM on Feb 17, 2004 0:51:30 GMT 8
There sure are a lot of these Doom viruses, huh?
|
|
|
Post by StRiDeR on Feb 17, 2004 19:56:17 GMT 8
"There sure are a lot of these Doom viruses, huh?"
It has lots of siblings, tok...
|
|
|
Post by atokENSEM on Feb 17, 2004 20:25:29 GMT 8
"It has lots of siblings, tok..."
Oh, no wonder it's always Doom viruses that strider posts!
|
|
|
Post by StRiDeR on Feb 17, 2004 21:54:27 GMT 8
W32/Deadhat-B Aliases Worm.Win32.Vesser.b, W32.HLLW.Deadhat.B, WORM_DEADHAT.B Type Win32 worm Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description W32/Deadhat-B is a worm that spreads via the SoulSeek file sharing network and computers infected with the W32/MyDoom worm. W32/Deadhat-B creates a copy of itself in the system folder with the filename msgsrv32.exe and sets the following registry entry so that the worm is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
The worm copies itself to the shared folder of an existing SoulSeek installation using the following filenames:
WinXPKeyGen.exe, Windows2003Keygen.exe, mIRC.v6.12.Keygen.exe, Norton.All.Products.KeyMkr.exe, F-Secure.Antivirus.Keymkr.exe, FlashFXP.v2.1.FINAL.Crack.exe, SecureCRTPatch.exe, TweakXPProKeyGenerator.exe, FRUITYLOOPS.SPYWIRE.FIX.EXE, ALL.SERIALS.COLLECTION.2003-2004.EXE, WinRescue.XP.v1.08.14.exe, GoldenHawk.CDRWin.v3.9E.Incl.Keygen.exe, BlindWrite.Suite.v4.5.2.Serial.Generator.exe, Serv-U.allversions.keymaker.exe, WinZip.exe, WinRar.exe, WinAmp5.Crack.exe
W32/Deadhat-B has a backdoor component listening on TCP port 2766.
W32/Deadhat-B also has an IRC backdoor component. The worm attempts to connect to one of a list of IRC servers and receives commands that allow a remote attacker control over the infected computer via this channel.
W32/Deadhat-B scans network address ranges for ports opened by the W32/MyDoom worm and will attempt to copy itself to compromised machines.
The worm may attempt to delete the following files:
C:\boot.ini, C:\autoexec.bat, C:\config.sys, C:\Windows\win.ini, C:\Windows\system.ini, C:\Windows\wininit.ini, C:\Winnt\win.ini, C:\Winnt\system.ini, C:\Winnt\wininit.ini
W32/Deadhat-B also attempts to terminate the following system monitoring and anti-virus related processes:
_avp, kfp4gui, kfp4ss, zonealarm, Azonealarm, avwupd32, avwin95, avsched32, avnt, avkserv, avgw, avgctrl, avgcc32, ave32, avconsol, apvxdwin, ackwin32, blackice, blackd, dv95, espwatch, esafe, efinet32, ecengine, f-stopw, fp-win, f-prot95, f-prot, fprot, f-agnt95, gibe, iomon98, iface, icsupp, icssuppnt, icmoon, icmon, icloadnt, icload95, ibmavsp, ibmasn, iamserv, iamapp, kpfw32, nvc95, nupgrade, nupdate, normist, nmain, nisum, navw, navsched, navnt, navlu32, navapw32, zapro
Recovery Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
and delete it if it exists.
Close the registry editor.
|
|
|
Post by StRiDeR on Feb 17, 2004 21:56:01 GMT 8
W32/Agobot-CW Aliases Backdoor.Agobot.3.gen Type Win32 worm Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description W32/Agobot-CW is an IRC backdoor Trojan and network worm. W32/Agobot-CW copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
When first run, W32/Agobot-CW copies itself to the Windows system32 folder with the filename winpn32.exe and creates the following registry entries so that the worm is run when Windows starts up:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Diagnostic Agent = diagent.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ Diagnostic Agent = diagent.exe
W32/Agobot-CW connects to a remote IRC server and joins a specific channel. The backdoor functionality of the worm can then be accessed by an attacker using the IRC network.
The worm also attempts to terminate and disable various security-related programs.
Recovery Please follow the instructions for removing worms.
Download and install the Microsoft patches mentioned above.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Diagnostic Agent = diagent.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ Diagnostic Agent = diagent.exe
and delete them if they exist.
Close the registry editor.
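Every advisory in this thread so far ends with the same manual step: export the registry, then look for one or two Run values by hand. The script below is an added example, not code from the original posts or from Sophos: it parses the .reg text that Regedit's 'Export Registry File' produces and checks the Run and RunServices keys against the value names listed in the Doomjuice-B, DoomHunt-A, Pinbol-A, MyDoom-E, Deadhat-B and Agobot-CW posts above. The .reg text in the block is constructed for illustration; the value names come from the posts, and per-user HKEY_USERS\<sid> paths are folded onto HKEY_CURRENT_USER so the DoomHunt-A entry is found for every user.

```python
"""
Added example (not code from the original posts or from Sophos): audit the
autorun values in a registry export (the .reg file produced by Regedit's
'Export Registry File') against the Run/RunServices entries the Doomjuice-B,
DoomHunt-A, Pinbol-A, MyDoom-E, Deadhat-B and Agobot-CW posts list.
The .reg text below is constructed for illustration.
"""
import re

# (key, value name) -> threat name, as given in the posts above
KNOWN_AUTORUNS = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "NeroCheck"): "W32/Doomjuice-B",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "DELETE ME"): "W32/DoomHunt-A",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "SMVC"): "Troj/Pinbol-A",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "TaskMon"): "W32/MyDoom-E",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "msgsrv32"): "W32/Deadhat-B",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Diagnostic Agent"): "W32/Agobot-CW",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "Diagnostic Agent"): "W32/Agobot-CW",
}

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\path]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')    # "name"=data


def _unescape(s):
    """Undo the .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the values in a .reg export.
    REG_SZ data is unquoted and unescaped; other types (dword:, hex:) are kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def normalize_key(key):
    """Fold hive aliases and per-user HKEY_USERS\\<sid> paths onto the forms used in KNOWN_AUTORUNS."""
    key = re.sub(r"^(?:HKU|HKEY_USERS)\\[^\\]+\\", r"HKEY_CURRENT_USER\\", key, flags=re.I)
    key = re.sub(r"^HKLM\\", r"HKEY_LOCAL_MACHINE\\", key, flags=re.I)
    key = re.sub(r"^HKCU\\", r"HKEY_CURRENT_USER\\", key, flags=re.I)
    return key.lower()


def audit_autoruns(reg_text):
    """Return a list of (key, value_name, data, threat) for values matching KNOWN_AUTORUNS."""
    lookup = {(normalize_key(k), n.lower()): t for (k, n), t in KNOWN_AUTORUNS.items()}
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        nk = normalize_key(key)
        for name, data in values.items():
            threat = lookup.get((nk, name.lower()))
            if threat:
                findings.append((key, name, data, threat))
    return findings


# Constructed sample export: two Agobot-CW values, one Doomjuice-B value, one DoomHunt-A value under a user SID
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINNT\\System32\\regedit.exe"
"Diagnostic Agent"="diagent.exe"
"Updater"="C:\\Program Files\\Example\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Diagnostic Agent"="diagent.exe"

[HKEY_USERS\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"DELETE ME"="C:\\WINNT\\System32\\worm.exe"
"Messenger"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, data, threat in audit_autoruns(SAMPLE_REG):
        print(f"{threat}: [{key}] \"{name}\" = {data}")
```

Matching on value names alone is what the advisories give us; the data (for example, a regedit.exe living in the system folder, or taskmon.exe on a version of Windows where it is not a legitimate file) is printed so the reviewer can confirm a hit before deleting anything.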
|
|
|
Post by StRiDeR on Feb 17, 2004 21:57:17 GMT 8
W32/Tanx-A Type Win32 worm Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Description W32/Tanx-A is a worm that uses email to spread. The worm arrives in a message with the following characteristics:
Subject line: ID <random characters>... thanks
Message text: Yours ID <random characters> -- Thank
Attached file: <Randomly_generated>.exe
A more detailed analysis of W32/Tanx-A will be published here shortly. Please check again later.
Recovery Please follow the instructions for removing worms.
|
|
|
Post by StRiDeR on Feb 18, 2004 21:02:14 GMT 8
W32/Netsky-B Aliases Win32/Netsky.B Type Win32 worm Detection A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Description W32/Netsky-B is a worm that spreads by email and Windows network shares. W32/Netsky-B copies itself into the Windows folder as services.exe.
In order to run automatically when Windows starts up W32/Netsky-B creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service = "C:\\WINDOWS\\services.exe -serv"
W32/Netsky-B searches all mapped drives for files with the following extensions in order to find email addresses: MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML.
W32/Netsky-B searches drives C: to Z: and attempts to copy itself into folders with names containing the string "share" or "sharing".
The file names used by the worm for copying itself to shared folders are: angels.pif, cool screensaver.scr, dictionary.doc.exe, dolly_buster.jpg.pif, doom2.doc.pif, e-book.archive.doc.exe, e.book.doc.exe, eminem - lick my pussy.mp3.pif, hardcore porn.jpg.exe, how to hack.doc.exe, matrix.scr, max payne 2.crack.exe, nero.7.exe, office_crack.exe, photoshop 9 crack.exe, porno.scr, programming basics.doc.exe, rfc compilation.doc.exe, serial.txt.exe, sex sex sex sex.doc.exe, strippoker.exe, virii.scr, win longhorn.doc.exe, winxp_crack.exe
W32/Netsky-B may arrive in an email with the following characteristics: Subject line: randomly chosen from - unknown fake stolen information warning something for you read it immediately hello
Message text: randomly chosen from - something is fool something is going wrong you are bad you try to steal you feel the same you earn money thats wrong why? take it easy reply do you? that's funny here, the cheats here, the introduction here, the serials from the chatter about me information about you something is going wrong! stuff about you? greetings see you here it is that is bad yes, really? i found this document about you your name is wrong i hope it is not true! kill the writer of this document! something about you! I have your password! you are a bad writer is that from you? i wait for a reply! is that your account? is that your name? is that true? here my hero read it immediately! here is the document. read the details. i'm waiting what does it mean? anything ok?
Attached file: one of the following filenames with a double file extension - misc party disco part2 mail2 object ranking dinner release final location jokes friend website mails story found nomoney aboutyou shower topseller product swimmingpool bill note concert textfile posting stuff attachment details creditcard message talk document unknown fake stolen information warning something for you read it immediately hello
The extension is a combination of DOC, RTF, HTM, PIF, COM, SCR and EXE. W32/Netsky-B may also send a ZIP file.
The email address of the sender will be spoofed.
Recovery Please follow the instructions for removing worms.
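The message traits in the post above (a subject from a short fixed list, an attachment with a double extension built from DOC/RTF/HTM/PIF/COM/SCR/EXE, or a ZIP) are the kind of thing a mail gateway can check before the attachment reaches a user. The code below is an added example, not part of the original post or of Sophos's material. The subject list and the extension set are taken from the post; the messages are constructed, and the message dict layout (subject plus a list of attachment names) is an assumption for illustration. A spoofed sender cannot be recognised from these fields alone, so that trait is not checked.

```python
"""
Added example (not part of the original post or of Sophos's material):
gateway-style checks for the W32/Netsky-B email traits described above.
Messages are represented as dicts with 'subject' and 'attachments' (an
assumption for illustration); the sample messages are constructed.
"""

# Subject lines listed in the post (compared case-insensitively)
NETSKY_SUBJECTS = {"unknown", "fake", "stolen", "information", "warning",
                   "something for you", "read it immediately", "hello"}
# Extensions the post says the double extension is built from
NETSKY_EXTS = {"doc", "rtf", "htm", "pif", "com", "scr", "exe"}
# The ones Windows will execute when double-clicked
EXECUTABLE_EXTS = {"pif", "com", "scr", "exe"}


def double_extension(filename):
    """Return (inner, outer) if the name looks like name.inner.outer with inner taken
    from NETSKY_EXTS and outer executable (e.g. details.doc.exe); otherwise None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    _, inner, outer = parts
    if inner in NETSKY_EXTS and outer in EXECUTABLE_EXTS:
        return inner, outer
    return None


def classify_message(msg):
    """Return the list of Netsky-B traits found in msg (empty list = none)."""
    reasons = []
    if msg.get("subject", "").strip().lower() in NETSKY_SUBJECTS:
        reasons.append("subject matches Netsky-B list")
    for name in msg.get("attachments", []):
        dbl = double_extension(name)
        if dbl:
            reasons.append(f"double extension .{dbl[0]}.{dbl[1]} in {name}")
        elif name.lower().endswith(".zip"):
            reasons.append(f"zip attachment {name}")
    return reasons


def should_quarantine(msg):
    """A double-extension executable is held outright. A listed subject is too generic
    on its own ('hello'), so it only counts when combined with a ZIP attachment."""
    reasons = classify_message(msg)
    has_double = any(r.startswith("double extension") for r in reasons)
    has_subject = any(r.startswith("subject") for r in reasons)
    has_zip = any(r.startswith("zip") for r in reasons)
    return has_double or (has_subject and has_zip)


# Constructed sample messages
SAMPLE_MESSAGES = [
    {"subject": "warning", "attachments": ["details.doc.exe"]},      # double extension: hold
    {"subject": "Quarterly report", "attachments": ["q1.doc"]},      # ordinary mail: pass
    {"subject": "hello", "attachments": ["party.zip"]},              # listed subject + zip: hold
    {"subject": "hello", "attachments": []},                         # listed subject only: pass
    {"subject": "invoice", "attachments": ["bill.htm.scr"]},         # double extension: hold
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "HOLD" if should_quarantine(msg) else "pass"
        print(f"{verdict}: {msg['subject']!r} {msg['attachments']} {classify_message(msg)}")
```

The double-extension check is the one with real weight: none of the listed subjects is unusual on its own, and a ZIP is only suspicious in combination, which is why the verdict function treats those two traits together rather than separately.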
|
|
|
Post by atokENSEM on Feb 19, 2004 1:00:18 GMT 8
Dizzying... never thought there'd be so crazily many viruses...
|
|
|
Post by StRiDeR on Feb 19, 2004 22:16:12 GMT 8
"Dizzying... never thought there'd be so crazily many viruses..."
No need to get dizzy... this is just for your information, that's all... it's not going to be on an exam...
|
|