Post by Devil Asyerium on Jan 30, 2004 14:00:03 GMT -5
I will post all to do with viruses in here, also some info about the MILLIONS of viruses that are still around and that are stopped.
The current Virus threat is the My.Doom virus. It is sent as an email attachment and once opened it opens a backdoor on your computer, allowing hackers to access your computer documents with ease...
Official statement:
A computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory.
'Mydoom' worm strikes computers
Computer users are advised to update anti-virus software
A malicious new computer virus spread via e-mail is clogging networks and may allow unauthorised access to personal computers, experts warn.
The worm, called Mydoom or Novarg, is carried as an e-mail attachment and sends itself out to new e-mail addresses once opened by the recipient. The virus may also open a "back door" to the computer to give hackers access.
"As far as I can tell right now, it's pretty much everywhere on the planet," said one anti-virus expert.
Thousands of e-mails triggered by the worm were bombarding networks within hours of its discovery, warned Vincent Gullotto, vice-president of California-based Network Associates' emergency response team.
'Technical thing'
Unlike many of its predecessors, Mydoom does not entice the recipient to open the attachment by promising nude pictures or personal messages. Instead, the e-mail carrying the virus often bears the subject "Test" or "Status". The message inside may read: "The message contains Unicode characters and has been sent as a binary attachment".
"Because that sounds like a technical thing, people may be more apt to think it's legitimate," the Associated Press news agency quoted Steve Trilling of Symantec, an anti-virus company, as saying.
The worm only affects computers which use Microsoft Windows. Users who delete or ignore the e-mail attachment - which usually ends .exe, .scr, .zip, .cmd or .pif - avoid damage.
MYDOOM DETAILS
From: random e-mail address
To: address of the recipient
Subject: random words
Message body: several different mail error messages, such as: Mail transaction failed. Partial message is available
Attachment (with a textfile icon): random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension
When a user clicks on the attachment, the worm will start Notepad, filled with random characters, and it will immediately start to spread further
Symantec said the worm also appeared to contain a programme that recorded keystrokes entered on infected machines. This could allow it to collect usernames and passwords from unsuspecting users. Other companies said the virus, once fully activated, told Windows to receive instructions from another computer. However, other companies did not detect such capabilities.
Sarc say:
When W32.Novarg.A@mm is executed, it does the following:
Creates the following files:
%System%\Shimgapi.dll. Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.
%Temp%\Message. This file contains random letters and is displayed using Notepad.
%System%\Taskmon.exe.
--------------------------------------------------------------------------------
Notes:
Taskmon.exe is a legitimate file in the Windows 95/98/Me operating systems, but is in the %Windir% folder, not the %System% folder. (By default, this is C:\Windows or C:\Winnt.) Do not delete the legitimate file that is in the %Windir% folder.
%System% is a variable: The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Temp% is a variable: The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me), C:\WINNT\Temp (Windows NT/2000), or C:\Documents and Settings\<UserName>\Local Settings\Temp (Windows XP).
--------------------------------------------------------------------------------
Adds the value:
"(Default)" = "%System%\shimgapi.dll"
to the registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
so that Explorer.exe loads Shimgapi.dll.
Adds the value:
"TaskMon" = "%System%\taskmon.exe"
to the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that TaskMon is run when you start Windows.
Checks the system date, and if the date is between February 1, 2004 and February 12, 2004, the worm will perform a DoS attack against www.sco.com. The DoS is performed by creating 64 threads that send GET requests and use a direct connection to port 80.
--------------------------------------------------------------------------------
Notes:
Due to the way the worm verifies the system date, the DoS will only be executed on 25% of infected computers.
The DoS only occurs when the system date is checked during the initial infection or if the computer is rebooted.
--------------------------------------------------------------------------------
Creates the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
Searches for the email addresses in the files with the following extensions:
.htm
.sht
.php
.asp
.dbx
.tbb
.adb
.pl
.wab
.txt
Attempts to send email messages using its own SMTP engine. The worm looks up the mail server that the recipient uses before sending the email. If it is unsuccessful, it will use the local mail server instead. The email will have the following characteristics:
From: The "From" address may be spoofed.
Subject: The subject will be one of the following:
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message: The message will be one of the following:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
test
Attachment: The attachment file name, not including the extension, will be one of the following:
document
readme
doc
text
file
data
test
message
body
The attached file may have either one or two file extensions. If it does have two, the first extension will be one of the following:
.htm
.txt
.doc
The second extension, or the only extension if there is only one, will be one of the following:
.pif
.scr
.exe
.cmd
.bat
.zip (This is an actual .zip file that contains a copy of the worm, sharing the same file name as the .zip. For example, readme.zip can contain readme.exe.)
Copies itself to the Kazaa download folder as one of the following files:
winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004
with a file extension of:
.pif
.scr
.bat
.exe
------------------------------------------------------------------------
More Virus info soon to keep you safe on the net!!
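A detection-side illustration of the e-mail characteristics in the Sarc writeup quoted above: it matches a message's subject, body and attachment name against the listed lures and the name[.htm|.txt|.doc].pif/.scr/.exe/.cmd/.bat/.zip naming scheme. This is an added example, not code from the post or from Symantec; the sample messages are constructed, and the function names are my own.

```python
import re
# Lures and attachment names as listed in the Sarc writeup quoted above.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "test",
}
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
DECOY_EXT = ("htm", "txt", "doc")                        # optional first extension
PAYLOAD_EXT = ("pif", "scr", "exe", "cmd", "bat", "zip")  # final (real) extension
# name[.decoy].payload, e.g. readme.txt.scr or document.zip
ATTACH_RE = re.compile(
    r"^(?P<name>[a-z]+)(?:\.(?P<decoy>%s))?\.(?P<ext>%s)$"
    % ("|".join(DECOY_EXT), "|".join(PAYLOAD_EXT)), re.I)

def attachment_matches(filename):
    """True if the attachment name follows the worm's naming scheme."""
    m = ATTACH_RE.match(filename.strip())
    return bool(m) and m.group("name").lower() in NAMES

def score_message(subject, body, attachment):
    """Return (score, reasons): which of the listed traits the mail shows."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject")
    if " ".join(body.split()).lower() in BODIES:
        reasons.append("body")
    if attachment and attachment_matches(attachment):
        reasons.append("attachment")
    return len(reasons), reasons

def is_suspect(subject, body, attachment):
    """Flag only when a worm-style attachment coincides with a listed lure."""
    score, reasons = score_message(subject, body, attachment)
    return "attachment" in reasons and score >= 2

SAMPLES = [  # constructed sample messages (not real captures): (subject, body, attachment)
    ("Mail Delivery System", "Mail transaction failed. Partial message is available.", "message.htm.pif"),
    ("Status", "The message contains Unicode characters and has been sent as a binary attachment.", "data.zip"),
    ("Quarterly figures", "Numbers attached, see you Monday.", "figures.xls"),
    ("test", "test", "notes.txt"),
]

def flagged(samples=SAMPLES):
    """Indexes of the sample messages that is_suspect() flags."""
    return [i for i, (s, b, a) in enumerate(samples) if is_suspect(s, b, a)]
```

A subject like "hi" or "status" on its own is too common to act on, which is why the rule requires the attachment pattern as well; a .zip attachment would additionally need its contents checked for the same-named executable the writeup describes.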