Post by atokENSEM on Feb 28, 2004 1:07:48 GMT 8
Norton isn't that good... I tried using PC-cillin... or else F-Prot... those are among the best antivirus programs, because before the system runs or executes any file, it scans it first... unlike Norton, which only tells you once you've already been hit... I've already done it on my PC... thanks..
Post by StRiDeR on Feb 28, 2004 19:06:17 GMT 8
Quote: "I've already done it on my PC... thanks.."
You're welcome.
Post by StRiDeR on Feb 29, 2004 14:14:55 GMT 8
W32/Nachi-D
Aliases: Worm.Win32.Welchia.d, W32.Welchia.D.Worm, WORM_NACHI.D, W95/Nachi.D
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description
W32/Nachi-D is a worm which spreads to computers at random IP addresses that are infected with W32/MyDoom-A or are vulnerable to the following Microsoft buffer overflow vulnerabilities: DCOM RPC, WebDAV, IIS5/WEBDAV and Locator Service. For further information see Microsoft Security Bulletins MS03-026, MS03-007 and MS03-049.
The worm connects to random IP addresses on port 135 or 445 and exploits these buffer-overflow vulnerabilities to execute a small amount of code on computers that have not been patched. The buffer overflow code downloads the worm and runs it. The worm allows itself to be downloaded via a random port above 1024.
The worm spreads to computers at random IP addresses that are infected with W32/MyDoom-A via a backdoor component installed by W32/MyDoom-A that provides access on port 3127.
When first run the worm copies itself to <SYSTEM>\drivers\svchost.exe and creates a new service named WksPatch with the Startup Type set to Automatic, so that the service is run automatically each time Windows is started.
The display name of the new service is created by randomly combining one word from each of the following 3 lists:
  "System", "Security", "Remote", "Routing", "Performance", "Network", "License" or "Internet"
  "logging", "Manager", "Procedure", "Accounts" or "Event"
  "provider", "sharing", "Messaging" or "Client"
For example: "System logging provider".
The worm tries to disable selected known malware by deleting files in the Windows System folder named intrenat.exe, Regedit.exe, shimgapi.dll, cftmon.dll, Explorer.exe or TaskMon.exe and by deleting the following registry entries (if they exist):
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gremlin
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Nerocheck
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shimgapi.dll
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
The worm deletes a service named RpcPatch (if it exists) and creates the following registry entry if it doesn't already exist:
HKCR\CLSID(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32 = "<SystemRoot>\System32\webcheck.dll"
If the above registry entry was not already set, the worm creates a new 'clean' version of the HOSTS file located at <SYSTEM>\drivers\etc\hosts. The new HOSTS file simply contains an entry for localhost set to the loopback address of 127.0.0.1.
The worm may also try to download and install service packs 1 and 2 for Windows 2000 and service pack 5 for Windows XP, if they haven't already been installed.
On some language versions of Windows the worm replaces files with an extension of ASP, HTM, PHP, CGI, STM, SHTM or SHTML, located in the <WINDOWS>\help\iishelp\common folder, or in the folder specified by the following registry entry:
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\
The replacement file is a harmless HTML file containing the text "LET HISTORY TELL FUTURE !".
When the worm is run after July 2004 it will remove itself from the computer.

Recovery
Please follow the instructions for removing worms.
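The service footprint in the advisory above (service name WksPatch, a display name built from the three word lists, and svchost.exe running from the drivers folder) can be checked mechanically. This is an added example, not code from Sophos or from this thread; the service records are a constructed sample standing in for `sc query` or WMI output.

```python
"""Added example (not from the Sophos advisory or this thread): check Windows
service records for the W32/Nachi-D footprint described above.  Service
records are a constructed sample; on a real host you would feed in the
output of `sc query` or WMI instead."""
import itertools

# The three word lists the worm draws the display name from.
WORDS_1 = ["System", "Security", "Remote", "Routing", "Performance",
           "Network", "License", "Internet"]
WORDS_2 = ["logging", "Manager", "Procedure", "Accounts", "Event"]
WORDS_3 = ["provider", "sharing", "Messaging", "Client"]

# Every display name the worm can generate: 8 * 5 * 4 = 160 strings.
NACHI_D_DISPLAY_NAMES = frozenset(
    " ".join(words) for words in itertools.product(WORDS_1, WORDS_2, WORDS_3)
)


def service_indicators(name, display_name, path):
    """Return the list of Nachi-D indicators a single service record matches.

    An empty list means the record shows none of them.  A display-name hit
    alone is only a heuristic (a legitimate service could be named that way),
    which is why the other two checks are reported separately."""
    hits = []
    if name.lower() == "wkspatch":
        hits.append("service name WksPatch")
    if display_name in NACHI_D_DISPLAY_NAMES:
        hits.append("display name built from the Nachi-D word lists")
    # The worm's copy sits in <SYSTEM>\drivers\svchost.exe; the real
    # svchost.exe lives directly in the System32 folder, never in drivers\.
    if "\\drivers\\svchost.exe" in path.lower().replace("/", "\\"):
        hits.append("svchost.exe running from the drivers folder")
    return hits


def scan_services(records):
    """Map service name -> indicators for every record with at least one hit."""
    flagged = {}
    for rec in records:
        hits = service_indicators(rec["name"], rec["display_name"], rec["path"])
        if hits:
            flagged[rec["name"]] = hits
    return flagged


# Constructed sample records (not captured from a real host).
SAMPLE_SERVICES = [
    {"name": "WksPatch", "display_name": "System logging provider",
     "path": "C:\\WINNT\\System32\\drivers\\svchost.exe"},
    {"name": "Dhcp", "display_name": "DHCP Client",
     "path": "C:\\WINNT\\System32\\svchost.exe -k netsvcs"},
    {"name": "lanmanworkstation", "display_name": "Workstation",
     "path": "C:\\WINNT\\System32\\services.exe"},
]

if __name__ == "__main__":
    for svc, hits in scan_services(SAMPLE_SERVICES).items():
        print(svc, "->", "; ".join(hits))
```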
Post by StRiDeR on Feb 29, 2004 14:15:58 GMT 8
W32/Maddis-A
Aliases: W32/Maddis.worm, W32/Aveng.A
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.

Description
W32/Maddis-A is a worm which spreads via network shares. The worm uses stealth techniques in an attempt to hide its presence on an infected computer. When first run, W32/Maddis-A creates a copy of itself named usrinit.exe in the Windows system folder and a file named helper.dll in the Windows or Temp folder.
On Windows98 based operating systems the worm adds the registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
On Windows NT based operating systems usrinit.exe is registered as a service.
Helper.dll hides the worm by intercepting system functions and masking any values which contain the following strings:
  helper.dll, command.exe, windowsupd*, wiu*.exe, uihelp, userinit*.dll, boomer*, usrinit*
W32/Maddis-A sends an HTTP packet containing various system and password information to the following URLs:
  www.proxylist.ru/control/21/
  www.proxylist.com.ua/control/21/
  www.proxylist.com.ru/control/21/
  www.proxylist.biz/control/21/
  66.98.173.166/control/21/
The information sent to the URLs is similar to that shown below.
  GET /control/21/ HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MS IE 6.0; Windows NT 5.01)
  Host: www.proxylist.ru
  Info: Windows NT; Passwords not Found; POS not Found
  Ping: 0
  CheckSum: tmFHE7kUmr
  Http: 1029
  Socks : 1030
  Telnet: 1031
  HostName: john
  DNSName: john.example.com
  NetBios : N
  MsSQL: Y
  WinDir: C:\WINNT\
  Cache-Control: no-cache
  Connection: close
W32/Maddis-A opens several ports and runs proxy servers for Telnet, HTTP and Socks.

Recovery
To remove W32/Maddis-A from Windows NT:
  Update Sophos Anti-Virus with the W32/Maddis-A IDE.
  Go to Start|Settings|Control Panel.
  Double click on 'Services'.
  Scroll down the list to find the 'WindowsUpdate' service.
  Highlight 'WindowsUpdate' and click the 'Startup' button.
  Select 'Disabled' and click 'OK'.
  Restart the computer.
  After restarting the computer follow the instructions for removing worms to complete the recovery.
To remove W32/Maddis-A from Windows 2000/XP:
  Update Sophos Anti-Virus with the W32/Maddis-A IDE.
  Go to Start|Settings|Control Panel.
  If running Windows XP select 'Performance and Maintenance'.
  Select 'Administrative Tools'.
  Select 'Services'.
  Scroll down the list to find the 'WindowsUpdate' service.
  Right click on WindowsUpdate and select 'Properties'.
  Click the 'Startup' button, select 'Disabled' and click 'OK'.
  Restart the computer.
  After restarting the computer follow the instructions for removing worms to complete the recovery.
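The beacon request shown in the advisory carries non-standard headers (Info, CheckSum, Http, Socks, Telnet, HostName, DNSName, MsSQL, WinDir) that a proxy log or IDS can key on. The parser below is an added example, not Sophos's or the thread's code; the sample request is the advisory's, re-typed with CRLF line endings, and the benign request is constructed.

```python
"""Added example, not from the advisory: parse an HTTP request in the shape of
the W32/Maddis-A report shown above and decide whether it looks like the
worm's beacon.  Header names come from the advisory's sample request."""

# The advisory's sample request, re-typed with CRLF line endings.
SAMPLE_BEACON = (
    "GET /control/21/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MS IE 6.0; Windows NT 5.01)\r\n"
    "Host: www.proxylist.ru\r\n"
    "Info: Windows NT; Passwords not Found; POS not Found\r\n"
    "Ping: 0\r\n"
    "CheckSum: tmFHE7kUmr\r\n"
    "Http: 1029\r\n"
    "Socks : 1030\r\n"
    "Telnet: 1031\r\n"
    "HostName: john\r\n"
    "DNSName: john.example.com\r\n"
    "NetBios : N\r\n"
    "MsSQL: Y\r\n"
    "WinDir: C:\\WINNT\\\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed benign request to the same path, with no worm headers.
BENIGN_REQUEST = (
    "GET /control/21/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: curl/7.0\r\n"
    "\r\n"
)

# Headers no browser sends; three or more of them plus the path is the signal.
BEACON_HEADERS = {"info", "checksum", "hostname", "dnsname", "windir"}
# Headers that advertise the proxy ports the worm opened on the victim.
PROXY_HEADERS = ("http", "socks", "telnet")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path and a lower-cased
    header dict.  Header names are stripped, so 'Socks :' becomes 'socks'."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers}


def classify_beacon(raw):
    """Return a summary dict; 'maddis' is True when the request matches the
    advisory's beacon shape, with the victim details pulled out for triage."""
    req = parse_request(raw)
    h = req["headers"]
    present = BEACON_HEADERS & set(h)
    if not (req["path"].rstrip("/").endswith("/control/21") and len(present) >= 3):
        return {"maddis": False}
    proxies = {p: int(h[p]) for p in PROXY_HEADERS if h.get(p, "").isdigit()}
    return {
        "maddis": True,
        "c2_host": h.get("host"),
        "hostname": h.get("hostname"),
        "dnsname": h.get("dnsname"),
        "proxies": proxies,                      # ports the worm is listening on
        "mssql": h.get("mssql") == "Y",
        "passwords_found": "Passwords not Found" not in h.get("info", ""),
    }


if __name__ == "__main__":
    print(classify_beacon(SAMPLE_BEACON))
    print(classify_beacon(BENIGN_REQUEST))
```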
Post by StRiDeR on Feb 29, 2004 14:17:03 GMT 8
W32/Bagle-C
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Note: Sophos has been detecting W32/Bagle-C since 00:58 GMT on 28 February. This new IDE has been issued to enhance detection.

Description
W32/Bagle-C is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk. The worm appears with a Microsoft Office 2000 Excel icon. When run the worm opens NOTEPAD.EXE, copies itself to the Windows system folder as README.EXE and creates the following files in the same folder:
  DOC.EXE - a DLL plugin used to load ONDE.EXE
  ONDE.EXE - the main DLL component of the worm
  README.EXEOPEN - a copy of the worm in ZIP format
W32/Bagle-C adds the value:
gouday.exe = <SYSTEM>\readme.exe
to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/Bagle-C runs every time you log on to your computer.
W32/Bagle-C also creates the following registry entries:
  HKCU\Software\DateTime2\frun=1
  HKCU\Software\DateTime2\port=2745
  HKCU\Software\DateTime2\uid=<number>
Emails have the following characteristics:
Subject lines:
  Price
  New Price-list
  Hardware devices price-list
  Weekly activity report
  Daily activity report
  Maria
  Jenny
  Jessica
  Registration confirmation
  USA government abolishes the capital punishment
  Freedom for everyone
  Flayers among us
  From Hair-cutter
  Melissa
  Camila
  Price-list
  Pricelist
  Price list
  Hello my friend
  Hi!
  Well...
  Greet the day
  The account
  Looking for the report
  You really love me? he he
  You are dismissed
  Accounts department
  From me
  Monthly incomings summary
  The summary
  Proclivity to servitude
  Ahtung!
  The employee
There is no message text.
Attached file: a randomly named ZIP archive
W32/Bagle-C opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file. W32/Bagle-C also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.
The worm terminates processes with the following names:
  ATUPDATER.EXE, AVWUPD32.EXE, AVPUPD.EXE, LUALL.EXE, DRWEBUPW.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, UPDATE.EXE, NUPGRADE.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVXQUAR.EXE, CFIAUDIT.EXE, MCUPDATE.EXE, NUPGRADE.EXE, OUTPOST.EXE, AVLTMAIN.EXE
If the date is after 14 March 2004, W32/Bagle-C terminates itself and deletes all the registry entries it created when it first ran.

Recovery
Please follow the instructions for removing worms.
Post by StRiDeR on Feb 29, 2004 14:17:52 GMT 8
W32/Bagle-D
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received many reports of this worm from the wild.

Description
W32/Bagle-D is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk. When run the worm opens NOTEPAD.EXE, copies itself to the Windows system folder as README.EXE and creates the following files in the same folder:
  DOC.EXE - a DLL plugin used to load ONDE.EXE
  ONDE.EXE - the main DLL component of the worm
  README.EXEOPEN - a copy of the worm in ZIP format
W32/Bagle-D adds the value:
gouday.exe = <SYSTEM>\readme.exe
to the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This means that W32/Bagle-D runs every time you log on to your computer.
W32/Bagle-D also creates the following registry entries:
  HKCU\Software\DateTime3\frnu=1
  HKCU\Software\DateTime3\port=2745
  HKCU\Software\DateTime3\uid=<number>
Emails have the following characteristics:
Subject lines:
  Price
  New Price-list
  Hardware devices price-list
  Weekly activity report
  Daily activity report
  Maria
  Jenny
  Jessica
  Registration confirmation
  USA government abolishes the capital punishment
  Freedom for everyone
  Flayers among us
  From Hair-cutter
  Melissa
  Camila
  Price-list
  Pricelist
  Price list
  Hello my friend
  Hi!
  Well...
  Greet the day
  The account
  Looking for the report
  You really love me? he he
  You are dismissed
  Accounts department
  From me
  Monthly incomings summary
  The summary
  Proclivity to servitude
  Ahtung!
  The employee
There is no message text.
Attached file: a randomly named ZIP archive
W32/Bagle-D opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file. W32/Bagle-D also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.
Terminated processes:
  ATUPDATER.EXE, AVWUPD32.EXE, AVPUPD.EXE, LUALL.EXE, DRWEBUPW.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, UPDATE.EXE, NUPGRADE.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVXQUAR.EXE, CFIAUDIT.EXE, MCUPDATE.EXE, NUPGRADE.EXE, OUTPOST.EXE, AVLTMAIN.EXE
If the date is after 14 March 2004, W32/Bagle-D terminates itself and deletes all the registry entries it created when it first ran.

Recovery
Please follow the instructions for removing worms.
Post by atokENSEM on Feb 29, 2004 17:00:35 GMT 8
These virus articles... where did you copy-paste them from?
Post by StRiDeR on Feb 29, 2004 21:58:00 GMT 8
Quote: "These virus articles... where did you copy-paste them from?"
Why do you ask, tok?...
Post by atokENSEM on Mar 1, 2004 0:11:58 GMT 8
Nothing... it's just that you've posted so many, that's why I'm asking where you got them from... because a friend of mine has also given me all sorts of websites about these viruses..
Post by StRiDeR on Mar 4, 2004 21:32:10 GMT 8
W32/Agobot-DG
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.

Description
W32/Agobot-DG is a network worm which also allows unauthorised remote access to the computer via IRC channels. W32/Agobot-DG copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-DG drops a copy of itself to the Windows system folder as SRCHOST.EXE and creates the following registry entries to run itself on startup:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process
W32/Agobot-DG attempts to terminate various processes related to anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and ZONEALARM.EXE).
W32/Agobot-DG collects system information and registration keys of popular games that are installed on the computer.

Recovery
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
Change any data that may have become compromised.
Download and install the Microsoft patches mentioned above.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process
and delete them if they exist.
Close the registry editor.
Post by StRiDeR on Mar 4, 2004 21:36:26 GMT 8
W32/Bagle-K
Aliases: I-Worm.Bagle.j, W32.Beagle.A@mm, WORM_BAGLE.GEN
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
Sophos has received several reports of this worm from the wild.
Note: The IDE issued for W32/Bagle-K at 11:37 GMT on 3 March included detection for W32/Netsky-F and W32/MyDoom-H. This IDE has been updated to improve detection for W32/MyDoom-H.

Description
W32/Bagle-K is an email worm which sends itself via its own SMTP engine to addresses harvested from your hard disk. The worm searches for files with the extensions WAB, TXT, HTM, XML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB, TBB and SHT. When run the worm copies itself to the Windows system folder as winsys.exe and creates the following files in the same folder:
W32/Bagle-K adds the value ssate.exe = <SYSTEM>\winsys.exe to the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
This means that W32/Bagle-K runs every time you logon to your computer.
Emails have the following characteristics:
Sender: one of
  management@<recipient_internet_domain>
  administration@<recipient_internet_domain>
  staff@<recipient_internet_domain>
  noreply@<recipient_internet_domain>
  support@<recipient_internet_domain>
Subject lines:
  E-mail account security warning
  Notify about using the e-mail account.
  Warning about your e-mail account.
  Important notify about your e-mail account.
  Email account utilization warning.
  Notify about your e-mail account utilization.
  E-mail account disabling warning.
Message text: randomly combined by taking one string from each of the following paragraphs:
  Dear user of <recipient_internet_domain>
  Dear user of <recipient_internet_domain> e-mail server gateway,
  Dear user of e-mail server <recipient_internet_domain>",
  Hello user of <recipient_internet_domain> e-mail server,
  Dear user of <recipient_internet_domain>" mailing system,
  Dear user, the management of <recipient_internet_domain> mailing system wants to let you know that,
and
  Your e-mail account has been temporary disabled because of unauthorized access.
  Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
  Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
  We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
  Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
  Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
and
  For more information see the attached file.
  Further details can be obtained from attached file.
  Advanced details can be found in attached file.
  For details see the attach.
  For details see the attached file.
  For further details see the attach.
  Please, read the attach for further details.
  Pay attention on attached file.
and
  For security reasons attached file is password protected. The password is "<randomly_generated_numeric_pasword>".
  For security purposes the attached file is password protected. Password is "<randomly_generated_numeric_pasword>".
  Attached file is protected with the password for security reasons. Password is "<randomly_generated_numeric_pasword>.
  In order to read the attach you have to use the following password: "<randomly_generated_numeric_pasword>.
and
  The Management,
  Sincerely,
  Best wishes,
  Have a good day,
  Cheers,
  Kind regards,
and
  The <recipient_internet_domain> team
  http://www.<recipient_internet_domain>
Attached file: a randomly named ZIP archive. The name is chosen from: Attach, Information, Readme, Document, Info, TextDocument, Text, MoreInfo, Message
As an example, here is how the worm could appear if your company's domain name was XYZCORP.COM:
[Image: An example of the kind of email which can be sent by the Bagle-K worm]
W32/Bagle-K opens up a backdoor on port 2745 and listens for connections. If it receives the appropriate command it attempts to download and execute a file. W32/Bagle-K also makes a web connection to a remote URL, thus reporting the location and open port of infected computers.
W32/Bagle-K attempts to terminate several anti-virus and security-related processes:
  ATUPDATER.EXE, AVWUPD32.EXE, AVPUPD.EXE, LUALL.EXE, DRWEBUPW.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, UPDATE.EXE, NUPGRADE.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVXQUAR.EXE, CFIAUDIT.EXE, MCUPDATE.EXE, NUPGRADE.EXE, OUTPOST.EXE, AVLTMAIN.EXE
W32/Bagle-K searches the mapped drives for folders containing the string "shar" in the folder name. If such a folder is found, the worm copies itself to the folder using the following names:
  ACDSee 9.exe
  Adobe Photoshop 9 full.exe
  Ahead Nero 7.exe
  Matrix 3 Revolution English Subtitles.exe
  Microsoft Office 2003 Crack, Working!.exe
  Microsoft Office XP working Crack, Keygen.exe
  Microsoft Windows XP, WinXP Crack, working Keygen.exe
  Opera 8 New!.exe
  P**** Screensaver.scr
  P**** pics arhive, ***.exe
  P****, s***, o***, a*** cool, awesome!!.exe
  Serials.txt.exe
  WinAmp 5 Pro Keygen Crack Update.exe
  WinAmp 6 New!.exe
  Windown Longhorn Beta Leak.exe
  Windows Sourcecode update.doc.exe
  *** hardcore images.exe
If the date is after 25 April 2005, W32/Bagle-K terminates itself and deletes all the registry entries it created.
W32/Bagle-K contains the following text hidden inside its code, which is not displayed:
  Hey, NetSky, f*** **f you b*****!

Recovery
Please follow the instructions for removing worms.
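The message template above is rigid enough (role-account sender at the recipient's own domain, a fixed set of subjects, a numeric password quoted in the body, a ZIP with one of nine base names) to be checked at a mail gateway. The check below is an added example, not Sophos's or the thread's code; it takes its lists from the advisory and uses XYZCORP.COM, the advisory's example domain, in constructed sample messages.

```python
"""Added example, not Sophos's or the thread's own code: a gateway-style check
for the W32/Bagle-K message template described above.  The sender local
parts, subject lines, attachment base names and the numeric-password wording
are taken from the advisory; the two sample messages are constructed."""
import re

SENDER_LOCAL_PARTS = {"management", "administration", "staff", "noreply", "support"}
SUBJECTS = {
    "e-mail account security warning",
    "notify about using the e-mail account.",
    "warning about your e-mail account.",
    "important notify about your e-mail account.",
    "email account utilization warning.",
    "notify about your e-mail account utilization.",
    "e-mail account disabling warning.",
}
ATTACHMENT_STEMS = {"attach", "information", "readme", "document", "info",
                    "textdocument", "text", "moreinfo", "message"}
# 'The password is "48213"' / 'Password is "48213"'; one variant in the
# advisory lacks the closing quote, so it is optional here.
PASSWORD_RE = re.compile(r'password[^"]{0,40}"(\d+)"?', re.IGNORECASE)


def bagle_k_indicators(sender, recipient, subject, body, attachments):
    """Return the template features a message matches (empty list = none)."""
    hits = []
    s_local, _, s_domain = sender.lower().rpartition("@")
    r_domain = recipient.lower().rpartition("@")[2]
    # The worm forges a role account at the *recipient's own* domain.
    if s_local in SENDER_LOCAL_PARTS and s_domain == r_domain:
        hits.append("forged role sender at recipient domain")
    if subject.strip().lower() in SUBJECTS:
        hits.append("known Bagle-K subject line")
    m = PASSWORD_RE.search(body)
    if m:
        hits.append("numeric archive password in body: " + m.group(1))
    for name in attachments:
        stem, _, ext = name.lower().rpartition(".")
        if ext == "zip" and stem in ATTACHMENT_STEMS:
            hits.append("Bagle-K attachment name: " + name)
    return hits


def is_bagle_k(sender, recipient, subject, body, attachments):
    """Verdict: forged sender plus at least two further template features."""
    hits = bagle_k_indicators(sender, recipient, subject, body, attachments)
    return any(h.startswith("forged") for h in hits) and len(hits) >= 3


# Constructed sample messages, using the advisory's XYZCORP.COM example domain.
SAMPLE_BAGLE_K = {
    "sender": "support@xyzcorp.com",
    "recipient": "alice@xyzcorp.com",
    "subject": "E-mail account disabling warning.",
    "body": (
        "Dear user of xyzcorp.com mailing system,\n\n"
        "Your e-mail account will be disabled because of improper using in "
        "next three days, if you are still wishing to use it, please, resign "
        "your account information.\n\nFor details see the attached file.\n\n"
        "For security reasons attached file is password protected. "
        'The password is "48213".\n\nThe Management,\n'
        "The xyzcorp.com team\nhttp://www.xyzcorp.com\n"
    ),
    "attachments": ["Readme.zip"],
}
SAMPLE_BENIGN = {
    "sender": "bob@partner.example",
    "recipient": "alice@xyzcorp.com",
    "subject": "Re: lunch",
    "body": "See you at noon. Agenda attached.\n",
    "attachments": ["agenda.pdf"],
}

if __name__ == "__main__":
    print(is_bagle_k(**SAMPLE_BAGLE_K), bagle_k_indicators(**SAMPLE_BAGLE_K))
    print(is_bagle_k(**SAMPLE_BENIGN), bagle_k_indicators(**SAMPLE_BENIGN))
```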
Post by StRiDeR on Mar 4, 2004 21:39:52 GMT 8
W32/Hiton-A
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description
W32/Hiton-A is a mass mailing worm. A detailed description of this worm will be published here shortly.

Recovery
Please follow the instructions for removing worms.
Post by StRiDeR on Mar 6, 2004 1:20:40 GMT 8
W32/Netsky-H
Type: Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description
W32/Netsky-H is a worm that spreads via email. Further details will be posted shortly.

Recovery
Please follow the instructions for removing worms.
Post by StRiDeR on Mar 6, 2004 1:22:03 GMT 8
Troj/HacDef-100
Aliases: Backdoor.HacDef.084, Win32/HacDef.084, Backdoor.HackDefender
Type: Trojan

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this Trojan from the wild.

Description
Troj/HacDef-100 is a backdoor Trojan that is targeted at NT/2000/XP operating systems. As well as allowing unauthorised remote access to the victim's computer, this Trojan is also able to hide information about the victim's system including files, folders, processes, services and registry entries.

Recovery
Please follow the instructions for removing Trojans.
Post by atokENSEM on Mar 7, 2004 3:27:15 GMT 8
.:: MyCERT Special Alert: Spread of New Variants of W32.Beagle@MM ::.
MyCERT received information from various Anti-virus vendors and CERT communities around the world regarding the wild spread of two new variants of the W32.Beagle@MM and W32.Netsky@MM worms, W32.Beagle.F@MM and W32.Netsky.D@MM. Information received from various sources says that the new variant W32.Netsky.D@MM is spreading at a greater rate than any other worm in the wild at the time of the release of this alert.
NOTE: There may be differences in naming the new variants among the AV vendors.
Systems Affected: All Systems/PCs running on Windows Platform

W32/Netsky.D@MM
Brief Description: W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm. The worm scans drives C through Z for email addresses and sends itself to those that are found. The Subject, Body, and Attachment names vary. The attachment will have a .pif file extension [3].
Discovered on: 1st March 2004 (US Pacific Time). The spread of this variant was detected on 2nd March 2004 in Malaysia.
Payload/Damages: Sends a copy of itself by using a spoofed email address to email addresses retrieved from the infected file system.
Propagation: This worm propagates by sending out email with the following details:
Subject: (any of the following)
  Re: Your website
  Re: Your product
  Re: Your letter
  Re: Your archive
  Re: Your text
  Re: Your bill
  Re: Your details
  Re: My details
  Re: Word file
  Re: Excel file
  Re: Details
  Re: Approved
  Re: Your software
  Re: Your music
  Re: Here
  Re: Re: Re: Your document
  Re: Hello
  Re: Hi
  Re: Re: Message
  Re: Your picture
  Re: Here is the document
  Re: Your document
  Re: Thanks!
  Re: Re: Thanks!
  Re: Re: Document
  Re: Document
Message Body: (any of the following)
  Your file is attached.
  Please read the attached file.
  Please have a look at the attached file.
  See the attached file for details.
  Here is the file.
  Your document is attached.
Attachment: (any of the following)
  your_website.pif
  your_product.pif
  your_letter.pif
  your_archive.pif
  your_text.pif
  your_bill.pif
  your_details.pif
  document_word.pif
  document_excel.pif
  my_details.pif
  all_document.pif
  application.pif
  mp3music.pif
  yours.pif
  document_4351.pif
  your_file.pif
  message_details.pif
  your_picture.pif
  document_full.pif
  message_part2.pif
  document.pif
  your_document.pif

W32/Beagle.H@MM
The W32.Beagle.F@MM is a mass-mailing worm that opens a backdoor on TCP port 2745. It uses its own SMTP engine for email propagation. This variant propagates via email attachments and attempts to spread across file-sharing networks, such as Kazaa and iMesh, by dropping itself into the directories that contain "shar" in their names.
Discovered on: The W32.Beagle.F@MM was discovered on 29th February 2004 (US Pacific Time). The spread of this variant was detected on 1st March 2004 in Malaysia.
Payload/Damages:
  Sends a copy of itself by using a spoofed email address to email addresses retrieved from the infected file system.
  Allows unauthorized remote access via TCP port 2745.
  Terminates processes related to certain security programs.
Propagation: This worm propagates by sending out email with the following details:
NOTE: The worm also propagates through file sharing.
Subject: Various, including:
  Accounts department
  Ahtung!
  Camila
  Daily activity report
  Flayers among us
  Freedom for everyone
  From Hair-cutter
  From me
  Greet the day
  Hardware devices price-list
  Hello my friend
  Hi!
  Jenny
  Jessica for the report
  Maria
  Melissa
  Monthly incomings summary
  New Price-list
  Price
  Price list
  Pricelist
  Price-list
  Proclivity to servitude
  Registration confirmation
  The account
  The employee
  The summary
  USA government abolishes the capital punishment
  Weekly activity report
  Well...
  You are dismissed
  You really love me? he he
Text: No message body
Attachment: Randomly named ZIP file, containing an executable disguised as an Excel file. Consists of the name, which is randomly selected from the following list:
  Aline, Anna, Audra, Bad girl, Barbi, Caitie, caroline, Gallery, It_I, Jammie, Juli, Julie, kate, Katrina, Kelley, kleopatra, Lisa, Mandy, Mary, Mary-Anne, myfotos, Photoalbum, Photomontage, Picture, rebecca, Rena, Sara, stacy, Tammy
The attachment name has one of the following extensions: .exe .scr .zip

Removal
Infected PCs/Systems can be cleaned up by using an Automatic Removal tool available at the respective Anti-virus vendors' sites.

Mitigation
MyCERT advises users to take note of this alert to prevent any unwanted incidents related to the worms' activities within their sites. MyCERT recommends:
  System Administrators install Anti-virus filters at their organization's email gateways to block the worm attachments.
  It is important for all users to regularly update their Anti-virus software. Those who do not have an Anti-virus running on their PC may download one at: www.mycert.org.my/anti-virus.htm
  Users should refrain from opening unknown/suspicious attachments. Users may refer to the following document on safe email practices: Safe Email Practices: www.mycert.org.my/faq-safe_email_practices.htm
MyCERT can be reached for further assistance at:
  Tel: 03-89961901
  Fax: 03-89960827
  Email: mycert@mycert.org.my
  www.mycert.org.my

References:
  W32.Netsky.D@mm (Symantec): securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html
  WORM_NETSKY.D (Trend Micro): www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.D
  W32.Beagle.F (Symantec): securityresponse.symantec.com/avcenter/venc/data/w32.beagle.f@mm.html
  AUSCERT: www.auscert.org.au/render.html?it=3908