The Mitsubishi Pajero Owners Club®
The Mitsubishi Pajero, Shogun, Montero, Challenger, Raider and EVO 4x4 Owner's Club
 
The POCUK - it's not just a Club, it's a way of life!


ANTI Hacker's + LATEST VIRUS info UPDATED on regular basis

Andy(NorthWales)
LifeTime Member


Age: 58
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 600
Location: North Wales

Posted: Thu Oct 24, 2002 13:26

Win32.Badtrans.B@mm


Name: Win32.Badtrans.B@mm
Aliases: I-Worm.BadtransII (KAV) Win32/Badtrans.B@mm (RAV)
Type: Executable Mass Mailer
Size: ~29Kbytes
Discovered: 11-25-2001
Detected: 11-26-2001 12:00 (GMT+2)
Spreading: Medium
Damage: Low
ITW: Yes
Symptoms:
- The following files in the Windows System directory:
  - Kernel32.exe
  - Cp_25389.NLS
  - KDLL.DLL
  - PROTOCOL.DLL (only after sending infected e-mails)

Technical description:
It comes in the following format:

From: e-mail address of the infected sender or one of the following e-mail addresses:
- " Anna" aizzo@home.com
- "JUDY" JUJUB271@AOL.COM
- "Rita Tulliani" powerpuff@videotron.ca
- "Tina" tina0828@yahoo.com
- "Kelly Andersen" Gravity49@aol.com
- " Andy" andy@hweb-media.com
- "Linda" lgonzal@hotmail.com
- "Mon S" spiderroll@hotmail.com
- "Joanna" joanna@mail.utexas.edu
- "JESSICA BENAVIDES" jessica@aol.com
- " Administrator" administrator@border.net
- " Admin" admin@gte.net
- "Support" support@cyberramp.net
- "Monika Prado" monika@telia.com
- "Mary L. Adams" mary@c-com.net

Subject:
Empty, or RE: or RE: <original subject>

Body:
Empty

Attachment:
Is made from one of the following words:
fun, Humor, docs, info, Sorry_about_yesterday, Me_nude Card, SETUP, stuff, YOU_are_FAT!, HAMSTER, news_doc, New_Napster_Site, README images, Pics
The extension of the attachment can be a combination of .MP3, .DOC or .ZIP with .scr or .pif, or just .scr or .pif.


The worm uses the IFRAME vulnerability and will be executed on computers with Outlook Express just by previewing the message. Computers with the security patch will be infected only by executing the attachment.
You can find description and patch for the IFRAME exploit at this link:

http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

After execution the worm copies itself into the Windows %System% directory under the name kernel32.exe and drops kdll.dll in the same location.
To ensure that it is executed at restart it adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32 with value kernel32.exe
It then deletes itself from the location where it was executed, gathers computer information (such as user name, computer name, RAS information, passwords and so on) and sends it to the following e-mail address:
uckyjw@hotmail.com

The worm has two methods of gathering e-mail addresses:
it searches for them in *ht* and *.asp files in the Internet Cache directory, or it obtains them with MAPI functions from e-mails received by the infected user.
It does not send itself twice to the same address, because it keeps the e-mail addresses already used in %SYSTEM%\PROTOCOL.DLL.


Removal:

Manual removal: not recommended
Automatic removal: Run BitDefender and let it delete the infected files it finds.
Please download the Badtrans free removal tool, AntiBadtrans.B.exe, to automatically remove this virus.

Virus analyzed by:
Sorin Victor Dudea
BitDefender Virus Researcher

Andy...
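The Badtrans description above says the attachment is a decoy word followed by .MP3, .DOC or .ZIP and then .scr or .pif. The script below is an added example, not part of the original post or of BitDefender's tools: a mail-gateway style check that parses a message with Python's standard email module and flags each attachment by executable extension and by the double-extension pattern. The message, the addresses and the file names in it are constructed for the demonstration.

```python
import email
from email import policy

# Extensions Windows executes directly; the Badtrans attachments end in .scr or .pif.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}
# Document-looking extensions the worm places before the real one (.MP3.scr, .DOC.pif, .ZIP.scr).
DECOY_EXTS = {".mp3", ".doc", ".zip", ".txt", ".jpg", ".gif", ".pdf", ".htm", ".html"}

# Constructed sample message in the format the advisory describes (empty body,
# subject "RE:") plus one benign attachment; addresses use the reserved .invalid TLD.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: RE:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain

--boundary42
Content-Type: application/octet-stream; name="fun.MP3.scr"
Content-Disposition: attachment; filename="fun.MP3.scr"
Content-Transfer-Encoding: base64

AAAA
--boundary42
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

AAAA
--boundary42--
"""


def classify_attachment_name(name):
    """Policy findings for one attachment filename (empty list means allowed)."""
    findings = []
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return findings                      # no extension at all
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension:" + ext)
        # A decoy extension in front of the executable one is the double-extension trick.
        if {"." + p for p in parts[1:-1]} & DECOY_EXTS:
            findings.append("double-extension")
    return findings


def scan_message(raw):
    """Map attachment filename -> findings for every flagged part of a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flagged = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()           # Content-Disposition filename, else Content-Type name=
        if name:
            findings = classify_attachment_name(name)
            if findings:
                flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in scan_message(SAMPLE_MESSAGE).items():
        print(f"{name}: {', '.join(findings)}")
```

Run stand-alone it prints the one flagged attachment; `report.doc` passes. The check deliberately looks only at the file name, because that is the only field a gateway can rely on before the content is decoded; a fuller filter would also inspect the decoded bytes.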
Andy(NorthWales)

Posted: Wed Nov 06, 2002 17:31

Win32.Bride.A@mm


Name: Win32.Bride.A@mm
Aliases: W32/Braid.A (Sophos), Bridex (F-Secure)
Type: Executable Mass-mailer
Size: 118787 bytes
Discovered: 4 November 2002
Detected: 4 November 2002, 15:00 (GMT+2)
Spreading: Medium
Damage: Medium
ITW: Unknown
Symptoms:

- file "regedit.exe" in the Windows System folder (not in the Windows folder !);
- file "Explorer.exe" on the Desktop (with an icon of Internet Explorer, not of Windows Explorer !);
- email message file "Help.eml" on the Desktop;
- file "bride.exe" in the Windows System folder;
- the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\regedit.

Technical description:

This is a mass-mailing worm written in Visual Basic, which carries along the file infector Win32.FunLove.4070. The FunLove body and most of the character strings used by the virus are encrypted, to make reverse engineering more difficult.

The worm arrives in an email message in the following format:

From: (Windows registered user name of infected user)
Subject: (Windows registered organization of infected user)
Body:
Hello,

Product Name: (Windows version)
Product Id: (Windows product id)
Product Key: (Windows product key)

Process List:
(list of names and descriptions of running security processes)

Thank you.
Attachment: README.EXE



The virus exploits the IFRAME vulnerability in Internet Explorer 5.xx; the attachment (README.EXE) will automatically be executed when the message is selected in the preview pane of Outlook/Outlook Express (on unpatched systems); more information and a patch for this exploit are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp.
The virus will copy itself as "regedit.exe" in the Windows System folder and will create the registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\regedit in order for Windows to run the worm at every start-up.

The worm will also copy itself on the Desktop as "Explorer.exe" (with Internet Explorer's icon). An email message file ("Help.eml") containing the worm will be created (also on the Desktop); when the user opens it, the attachment will once again automatically be executed (due to the IFRAME exploit):



Another two copies of the worm (one of them in Base64 format) will be created in temporary files called "Brade0.tmp" and "Brade1.tmp".
The worm will stop services with names containing one of the substrings:
MST
MS_
S -
_NP
VIEW
IRMON
SMTPSVC
MONIKER
PROGRAM

It will also terminate processes with names including these strings:
dbg
mon
vir
iom
anti
fire
prot
secu
view
debug

Names and descriptions of these processes will be included in the body of email messages, under the title "Process List". The "From" and "Subject" fields of messages are filled in with values read from the entries
RegisteredOwner
RegisteredOrganization
under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion.
The messages will also contain information about the running Windows version, id and key, taken from the registry entries
ProductName
ProductId
ProductKey

Email messages containing the worm will be sent to addresses gathered by scanning .htm and .dbx files, and also to the "anonymous" user on the name/domain server.

The worm will overwrite the beginning of "msconfig.exe" (in the Windows System folder) with a sequence of code that drops a version of the file infector Win32.FunLove.4070 in "bride.exe"; this virus contains the following text: "DonkeyoVaccineiEraser" instead of the original "Fun Loving Criminal". This dangerous virus will proceed to infecting executable files on the local system and on network shared folders.

Under certain conditions, the worm will try to open the following web-pages:
HttP://Www.hOtmAIl.coM/
hTtP://wWw.sEX.cOm/

Manual Removal:

You need to remove the registry entry (described in the Symptoms section) that launches the worm at every start-up; in order to modify the registry, you should use the original "regedit.exe" in the Windows folder, not the one in the Windows System folder (which is actually a copy of the worm). After removing the registry entry, you need to restart Windows and delete the files named in the Symptoms section. (You might want to restart Windows in Safe Mode for these tasks.)

To get rid of the Win32.FunLove.4070 virus, you have to restore infected files from backup (if available), or use the BitDefender free removal tool for FunLove. You might need to disconnect the computers in the network until the virus is eliminated from every one of them.

Automatic Removal:

Let BitDefender delete infected files.

Analyzed by:
Bogdan Dragu
BitDefender Virus Researcher
Andy(NorthWales)

Posted: Wed Nov 06, 2002 17:33

Win32.PiBi.B@mm


Name: Win32.PiBi.B@mm
Aliases: I-Worm.PieceByPiece.B (Red Cell)
Type: Executable Mass-mailer & IRC / P2P Worm
Sizes: 32256 bytes (65-70 KB when unpacked, ~30 KB when ZIP-compressed)
Discovered: 29 October 2002
Detected: 29 October 2002, 20:30 (GMT+2)
Spreading: Medium
Damage: Low
ITW: Unknown
Symptoms:

- files named "wsysNNN.exe" and "w32sysNNN.zip" in the "System" subfolder of the Windows folder (NNN being a random number);
- the registry entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module";
- the file C:\boot64.bin (containing the worm in base64 format);
- modified script.ini file in the mIRC folder;
- one of the following files (approx. 32 KB in size!) in the shared folders of Kazaa/Morpheus/BearShare/eDonkey2000:
- wmplay9.exe
- wamp3.exe
- winxpserial.exe
- kmd22.exe.

Technical description:

The second version of Win32.Pibi.A@mm also spreads by using mass-mailing, IRC and file sharing applications; it was written in Visual C++ and packed with UPX.

It arrives attached to an email message in one of the following formats:

From: (address of infected user)
Subject: Re: hya
Body: Istall the program in the attachment.
Attachment: install.exe

From: "Microsoft" <support@microsoft.com>
Reply-To: "Microsoft" <microsoft@microsoft.com>
Subject: WindowsXP Service Release Pack 2.002
Body: Istall the program in the attachment.
Attachment: install.exe

The worm will attempt to terminate the execution of some antivirus programs, by scanning for modules containing one of the following substrings in the name:

AV, F-, av, NOD32, SCAN, MON, ALERT, ANTIVIR, PCCW, PCC, FP-, TRAP, TDS2-, VET, SWEEP, MCAFEE, FIREW, DVP, CFI, ICL, VSHW

When run for the first time, the virus will:

- create the registry entry "HKLM\Software\PieceByPieceB\inf" with the value "yep";

- make a copy of itself in <Windows>\system\wsysNNN.exe (where NNN is a random number), and create the registry entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module" in order for Windows to run that copy at every start-up.

- copy itself (with one of the following names: wmplay9.exe, wamp3.exe, winxpserial.exe, kmd22.exe) in the shared folders of Kazaa, Morpheus, BearShare and eDonkey2000, in order to spread to other users of those file sharing applications;

- create a .zip archive of itself in <Windows>\system\w32sysNNN.zip (if WinZip is installed) and modify script.ini in the mIRC folder in order to send this archive to other users on the chat server (if mIRC is installed); the infected user will also automatically join the #pbpB chat channel;

- create a base64-encoded copy of the worm in C:\boot64.bin (used for email attachments) and send email messages in the format described above to addresses found by scanning *.htm files in the Temporary Internet Files folder;

- display the following message box:



The worm then calls the RegisterServiceProcess API function in order to hide itself from the list of running tasks (in Windows 9x) and to continue running after the current user logs off the machine. It will once again call the mass-mailing routine, and also set a timer to call that routine every 50 seconds.

On October 18th the virus displays the following lyrics:



Manual Removal:

Delete the registry entry and the files described in the Symptoms section; you might have to restart Windows in Safe Mode for this.

Automatic Removal:

Let BitDefender delete infected files.

Analyzed by:
Bogdan Dragu
BitDefender Virus Researcher
Andy(NorthWales)

Posted: Wed Nov 06, 2002 17:33

VBS.Trojan.Carewmr.A


Name: VBS.Trojan.Carewmr.A
Aliases: N/A
Type: Script Trojan
Size: 3292 bytes
Discovered: oct 22, 2002
Detected: oct 22, 2002, 14:00 (GMT+2)
Spreading: No
Damage: High
ITW: No
Symptoms:

It creates many 0-byte files in "C:\", and some empty folders (also in "C:\").

Technical description:

The Trojan displays some message boxes with the text:
1. "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer. "
2. "ERROR!, Code error:3212552, please execute this tool in MS-DOS."
3. "Thank You for prefer Kaspersky Labs Products"

On September the 1st it also displays the message:
"Mr.Carew vuelve otra vez!!, jaja"

It tries to delete some registry keys:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro"

It also tries to connect to the site "http:\\www.avp.ru".

It creates 0 bytes size files on "C:\":
- "C:\Norton2003isbad_preferKAVORAVP"
- "C:\AVP"
- "C:\NAV"
- "C:\CHILE"
- "C:\TEMUCO"
- "C:\MCAFEE"
- "C:\ENTELPCS"
- "C:\GSM1900MHZ"
- "C:\SONYERICSSON"
- "C:\CAREFULLY_WHIT_ME"
- "C:\YOUR_PC_IS_VERY_BAD"
- "C:\I HATE MELINA"
- "C:\VBS.CarewMR.a"
- "C:\Windows is a real virus?"
- "C:\MELINA_TE_ODIO_MUERETE!"
- "C:\WindowsXP"
- "C:\Windows3.11"
- "C:\Windows98SE"
- "C:\WindowsME"
- "C:\Windows 95"
- "C:\WindowsNT"
- "C:\Windows2000"
- "C:\TELLCELL S.A"
- "C:\PORN"
- "C:\ORAL_SEX"
- "C:\*beep*"
- "C:\ICQ"
- "C:\PANDA"
- "C:\NOD32"
- "C:\TREND"
- "C:\PC-CILLIN"
- "C:\AvpM.exe"
- "C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!"
- "C:\Norton_thePOOR"
- "C:\Madonna_Sucking_my_dick.avi"
- "C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja"
- "C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES"

It also creates the folders:
- "C:\Symantec"
- "C:\KasperskyLabs"
- "C:\PandaSoftware"
- "C:\TrendMicro"
- "C:\Eset-Nod-*beep*".

It tries to delete the folder "C:\Windows".

The trojan creates, in the current folder, a file named "CLRAV_Report.log" with an error message:
"Due an error, Code error:3212552, CLRAV has not disinfect your computer
For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."

Removal:

- manual removal: delete all files found infected.
- automatic removal: let BitDefender delete files found infected.

Analyzed by:
Mihaela Stoian
BitDefender virus researcher
Andy(NorthWales)

Posted: Wed Nov 06, 2002 17:34

Win32.Apbost.A@mm


Name: Win32.Apbost.A@mm
Aliases: I-Worm.Xiv.a (KAV), WORM_BOOSTAP.A (Trend)
Type: Mass Mailer, Worm, Script and Executable Infector
Size: 204800 bytes
Discovered: October 15, 2002
Detected: October 15, 2002, 14:00 (GMT+2)
Spreading: High
Damage: High
ITW: Unknown
Symptoms:

- Presence of appboost.exe in %windir% Attention! This file is hidden, and it may not be seen using default settings in Explorer.
- Presence of appbsvc.exe in %windir%
- Presence of registry key HKEY_CURRENT_USER\Software\Microsoft\Mails\%number% containing a binary sequence
- Infected executable files have changed icons with the one shown here:

Technical description:

It spreads using several different methods. It may come as an infected mail attachment, in which case it uses an IE vulnerability which allows the execution of the attached file without permission, so it is enough to view/preview the email to get infected.

Once the code is executed the virus copies itself as %windir%\appboost.exe with hidden attribute set and as %windir%\appbsvc.exe with regular attributes. After this it registers appbsvc.exe as a system process - cannot be killed using task manager under WinNT/2k/Xp - and appboost.exe as default shell open command for .BAT, .CMD, .COM, .EXE, .PIF and .SCR files.

Executables enumerated above are infected only if they are opened using shell open command (e.g. using Explorer).

The virus also searches memory processes' names and if they contain predefined antivirus/preferential strings they are terminated.

Messages sent by the worm may have as subject a combination of: "A nice Screensaver of", "Ein netter Screensaver von", "New Version of", "Eine neue Version von", "Important!:", "Wichtig!:" and "Angelina Jolie", "Anna Kournikova", "Porn Screensaver", "Sex Screensave", "TvTool", "Flashget", "WarezBoardAccess", "Undelivarable EMail", "Brute Force Tool". Attached files may have one of the following names: "PamAnderson.scr", "Jolie.scr", "AnnaKournikova.scr", "XXX.scr", "FreeSex..exe", "TvTool.exe", "FlashGet.exe", "WarezBoardAccess.exe", "Undelivarableemail.exe", "BestTool.exe", "vertag.exe".

Due to some bugs in this version of the worm, it will crash on several systems with error reports (e.g. "appboot.exe has generated errors and will be closed") and may not run at all on Win98 systems.

It infects php3 files (.php, .php3 and .phtml) by appending PHP code which scans and infects all the PHP files it finds on the system, then adds a user to the Apache server (if the server exists) to allow remote attacks, and manipulates some mIRC scripts.
File shares for KaZaa are created with virus executables with names composed of a combination of words found on victim's system and some built in words (e.g. "Crack", "Extra Pack - Key Gen", "Performance Fix", etc) with different executable extensions (.bat, .cmd, .exe, .pif, etc).

Because of the method of infection specific to high-level language viruses, and because of some major bugs in the virus code, the infected system becomes unstable relatively quickly and has a high probability of failing to boot.

Analyzed by:

Mircea Ciubotariu
BitDefender virus researcher
Andy(NorthWales)

Posted: Mon Nov 11, 2002 8:33

Check the name of this one......: -

-------------------------------------------------------------------

Win32.Blondy.A@mm


Name: Win32.Blondy.A@mm
Aliases: -
Type: Executable Mass-Mailer, network worm, Kazaa&mIRC worm
Size: ~128 KB (unpacked)
Discovered: 6 November 2002
Detected: 6 November 2002, 21:00 (GMT+2)
Spreading: Medium
Damage: Medium
ITW: Yes
Symptoms:

- The registry entry HKCR\exefile\shell\open\command having a value other than "%1" %*;
- A subfolder "Profiles" in the Windows folder.

Technical description:

This is an Internet worm written in Visual C++ that spreads via email, network shares/drives, Kazaa file sharing and IRC; it also acts as an IRC backdoor server.

When run for the first time, the virus will display a fake error message:



The virus will make copies of itself in the Windows folder, the Windows System folder and a random subfolder of the Program Files folder; the copies will be given random names, by including names of existing files (or the respective Program Files subfolder) and the following substrings:
run, dx, cmd, 16, 32, 98, lib, vxd, sys, dll, cfg, def
The following registry entries will be created to run the virus at start-up:

- HKLM\Software\Microsoft\CurrentVersion\Run\LoadSystemProfile = <filename of Windows folder copy> powprof.dll,LoadCurrentUserProfile

- HKLM\Software\Microsoft\CurrentVersion\Run\<Program Files subfolder name> = <Program Files subfolder copy>

The registry entry HKCR\exefile\shell\open\command will be modified in order to launch the virus every time an executable file is launched by the user; after installing itself this way, the virus will not allow the execution of programs containing the following substrings in the name:
- panda
- avp
- kaspers
- f-prot
- f-secure
- antivir
- conseal
- worm + guard
- zone + labs
- mc + afee
- pc + cillin
- black + ice
- norton + virus

A line will be added in the [windows] section of the win.ini file, in order to run the Windows System copy of the worm at start-up.

The worm continuously checks whether these "installation" procedures have been disabled, and re-enables them if so.

Two "configuration files" will be created and maintained by the worm in the Windows folder; they both have random names generated in a similar way as the ones above. One of these files for example keeps a list of email addresses to which the worm has sent or is planning to send email messages.

The virus will search for windows and processes that include the following substrings in the name:
- black
- panda
- shield
- guard
- scan
- mcafee
- nai_vs_stat
- iomon
- navap
- avp
- alarm
- f-prot
- secure
- labs
- antivir
and attempts to close them; if a matching process has been found, after terminating its execution the virus will attempt to erase its file.

A thread of the virus will periodically scan the fixed and network-mapped drives. While scanning the fixed drives, the virus will modify the mIRC script files, collect email addresses (from wab files), and attempt to delete vbs (Visual Basic script) files in the Windows and Windows System folders. It will copy itself and create an "autorun.inf" file on mapped drives, in order for users to get infected when accessing that drive with Windows Explorer.

The worm also copies itself on network shared folders.

It tries to hide windows named "Outlook Express", "Choose Profile", "Internet Mail", but appears to fail in doing so.

Email messages are sent to addresses collected from wab (Windows Address Book) files and addresses gathered by using MAPI functions. The sender's address may be forged, and the subject and body may vary, as well as the name of the attached file. The virus seems to attempt to use the infamous IFRAME exploit for some email messages it sends (see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp for more information and a fix for this vulnerability) in order for the email attachment to be automatically run when the message is previewed (on systems using Outlook/Outlook Express and unpatched versions of Internet Explorer 5.xx).

In some messages, the address of the sender may be formed by joining the following components:
- dreamy / candy_f / bryan16 / jerry / baby_17 / neo / trish1 / linda17 / monica / nicole / angel_f / blue16 / tweety / alice / jane17 / badboy / rap_girl / CrazyGirl / steve / happy / amanda / crazy;
- @hotmail.com / @yahoo.com / @mail.com / @yahoo.co.uk / @usa.net.

The subject line may be built up by adding the following words:
- HeY, ZzZz, Bla Bla, HoWie, Happy, Hi again, Wow, Hi, Hello, Hey Ya, Boom, Hi There
or the Bulgarian versions:
- Zdrasti, Zdr Otnovo, Ohoo, Ei dupe, Pisamce, TinKi WinKy, ZzZz, Bla Bla, Hey, Privet, Boom
and various smiley sequences.

The worm also includes a list of fixed combinations of senders/subjects/message bodies/attachment names (where not specified, these fields may vary as described above):

From: support@games.yahoo.com
Subject: Yahoo! Games
Body:

Yahoo! Team is proud to present our new surprise
for clients of Yahoo! and Yahoo! Mail.

We plan to send you the best Yahoo! Games weekly.
This new service is free and it's a gift for the 5th
anniversary of Yahoo!. We hope that you would like it.

The whole Yahoo! Team want to express our gratitude to
you, the people who help us to improve Yahoo! so much,
that it became the most popular worldwide portal.

Thank You!

We do our best to serve you.

-------------
Yahoo! Team.
www.Yahoo.com
Attachment: Yahoo!Chess.exe

From: support@kefche.com
Subject: kefche.com
Body:

Ekiput na Kefche.com ima radostta da pozdravi vsichki
fenove na Kefcheto s 1-ta godishnina ot puskaneto na site-a.

Nie se prevurnahme v nai-dobriq i poseshtavan bg site
za zabavleniq i igri. Ot samoto si nachalo Kefche.com ima
za cel da vi nosi samo i edinstveno smqh i zabava,
nadqvame se che sme postignali celite si :))

Po sluchai godishninata, ekiput ni poe iniciativata da
izprashta vsqka sedmica nai-dobrite flash-cheta i
igrichki na vsichki user-i poseshtavashti Kefche-to.

Nadqvame se da vi haresa i tova da bude samo nachaloto
na edno novo zabavlenie :))

-----------------
Kefche.com Team.

Subject: Blondinkii
Body:

Hey :)) Kak q karash? Pomnish li me oshte :))
Nadqvam se che da. Baq vreme ne sme sa chuvali..
Neshto novo ima li? Namerih edna mnoo qka programka
i neznam zashto, no mi napomni za teb :))

Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :)
Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7
Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :)

Kefqt li ta vicovete? Shegichka de :) Razkazva vicove na 5 minuti :))
Posmqh se za baq vreme napred :pPpP Haide bye za sega, i da pishesh :))
Attachment: blondes.exe

Subject: Blondes Forever
Body:

Hey, whatz up :)) Where are you? Don't you chat any more?
I haven't seen you so long. Read this :))

- What do blondes wear behind their ears to attract men? Their ankles!!
- Why did god invent the female orgasm? So blondes know when to stop screwing!!
- What is a blond with hair black colored? Artificial intelligence!

Blondes forever!! :) Time off, i must go now, but i'll be very
happy if you write to me soon :) Bye bye :))
Attachment: blondes.exe

From: greetings@reply.yahoo.com
Subject: %s sent you a Yahoo! Greeting (%s = email name of infected user)
Body:

Surprise! You've just received a Yahoo! Greeting
from "%s" (%s)!

This is an interactive greeting card
and requires Flash Media Player.

Enjoy!

The Yahoo! Greetings Team.

-----------------
Yahoo! Greetings is a free service. If you'd like to send someone a
Yahoo! Greeting, you can do so at http://greetings.yahoo.com
Attachment: Yahoo!Tomcats.exe

From: bg@microsoft.com
Subject: Microsoft Bulgaria
Body:

Blagodarenie na dulgogodishnite tradicii na Microsoft v Bulgaria
i dobrata i suvestna rabota na vsichki neini podchineni, mojem
nai-nakraq da pozdravim bulgarskiq potrebitel s prevod na
Internet Explorer na bulgarski.

Tova e edno uspeshno produljenie na iniciativata za prevejdane na
Ms Office 2000 " na rodniq ni ezik. Update-a e bezplaten i e
podaruk po sluchai 10 godishninata na Microsoft v Bulgaria.

Nadqvame se bulgarskite potrebiteli da ostanat dovolni, koeto shte
bude nai-golemiq podaruk za nas.

---------------------
Microsoft, Bulgaria.
Attachment: IE_0274_bg.exe

From: alert@computel.bg
Subject: Vajno
Body:

Panda Antivirus preduprejdava za nalichieto na nov virus
v internet, narechen W32.Roro@mm. Razprostranqva se predimno
po IRC i chrez zarazeni internet stranici. Sled zarazqvaneto
toi iztriva mp3-ki, filmi i dokumenti.

Poradi golemiq broi zarazeni bulgari prez poslednite
nqkolko dena, Panda Antivirus zapochna razprostranenieto na
patch, koito opravq bug v Internet Explorer 5.5 i minali
versii, pozvolqvasht na stranici sas zlovredno sudurjanie
da izpulnqvat komandi vurhu posetitelite.

Druga nasha preporuka e ako ste veche zarazeni da ne
opitvate da mahate virusa ruchno, a samo s antivirusna
programa, poneje pri neuspeshen opit za premahvane
W32.Roro iztriva razlichni vidove failove na operacionnata
sistema.

------------------
Panda Antivirus, Bulgaria.
www.Computel.bg
Attachment: IE50_032.exe

From: support@winamp.com
Subject: WinAmp Team
Body:

Hello, WinAmp User. WinAmp Team is proud to present our new
surprise for users of WinAmp. WinAmp 3.0 Final has been just
released and we believe that it will be the player you've ever
dreamed about.

We plan to start a new tradition, sending the best skin or
add-on to our users every week. This new service is free and
we hope that you would like it.

Everyone can offer us suggestions.

We do our best to serve you.

----------------
WinAmp Team.
www.WinAmp.com
Attachment: Iguana1.0_skin.exe

From: support@microsoft.com
Subject: Virus Alert
Body:
McAfee Antivirus warns about a new virus, called W32.Roro@mm.
It is a high risk worm and it's using IRC and internet pages
to infect computers. The virus deletes movies, music and
system files.

Due to the significant increase of infected users,
Microsoft Corporation, with the collaboration of
McAfee Antivirus, supports clients of Microsoft Windows
with a patch, which fixes a bug in Internet Explorer 5.5
or minor versions. This bug allows internet pages
to grant access to local resources of visitors.

-----------------
McAfee Antivirus
www.McAfee.com
Attachment: IE_0276_Setup.exe

From: support@yahoo.com
Subject: Yahoo! Toolbar
Body:

Yahoo! Team is proud to present our new surprise
for clients of Yahoo! and Yahoo! Mail.

Yahoo! Toolbar is an innovative technology, which
helps you to access Yahoo! Services easier than ever.
It is free and is a gift for the 5th anniversary of Yahoo!.
We hope that you would like it.

The whole Yahoo! Team want to express our gratitude to you,
the people who help us to improve Yahoo! so much, that it
became the most popular worldwide portal.

Thank You!

We do our best to serve you.

-------------
Yahoo! Team.
www.Yahoo.com
Attachment: Yahoo!Toolbar.exe

Body:
Hello :)) How are you? Do you remember me? I hope so :)) I've just
watched Tomcats, it's marvellous :pP. The summer vacation is over and
this is quite unpleasent :(( I have a lot to tell you about, later..
You can't guess what I've found.. A working Credit Card generator :)))
I purchased a bride from Russia yesterday :) LoL.. I gave a fake address
of course :))) Don't go too far and watch out :)) I'll be very happy
if you write to me soon :))) Bye..
Attachment: [TNT]Gen.exe

Body:
Hi again :)) Where are you? Don't you chat any more? I haven't
seen you so long.. Well, I've got a lot to tell you about. The
Summer vacation was too good to be true. Beach, disco's, friends..
Unfortunately, it's Winter now and the temperatures here are very
low. I was ill almost 2 weeks. Quite unpleasant :(( Let's talk
about you :) Are you oK? Are you in love :)) I sent you a surprise :))
There are cool thoughts, especially about love. It's nice. I'm a
little bit bored of these stupid computers, but I'm waiting for
the reply :)) Bye!
(or similar message body)

One of the following PS lines may be added to the message body:
P.S. Hvarli edno oko na %s :))
P.S. Bqgai na %s mnoo zdravo flash4e ima :pP
P.S. Be happy, don't worry ~pPp. Check this - %s Cool :))
P.S. Have you visited %s :) Co0l :))
(%s = variable name)

In order to spread to users of the Kazaa file sharing network, the worm will create a subfolder "Profiles" in the Windows folder and copy itself in there with various names, built up by joining substrings of various attractive names. Actually, these "copies" embed the body of the virus several times, and their sizes vary accordingly. The "Profiles" subfolder will be shared to other Kazaa users.

When the worm locates mIRC, it will modify one of the files:
- remotes.ini
- controls.ini
- versions.ini
- notes.ini
- url.ini
- version.ini
and add a line in mirc.ini to include that file; the generated script will act as a backdoor server (allowing various remote control commands to be executed on the infected computer).

Under certain conditions, the worm might erase the user's files, including the ones with the following extensions: swf, jpg, mp3, mpg, asf, mov, mpeg, avi, bmp, zip, html, htm, wav, ace, rar, doc, txt, pdf, dos, com, bat, sys, ini, dos.

Manual Removal:

Manual removal might be very difficult and is not recommended. A professional antivirus should be used instead.

Automatic Removal:

Let BitDefender delete infected files.

Analyzed by:
Bogdan Dragu
BitDefender Virus Researcher
Andy(NorthWales)

Posted: Mon Nov 11, 2002 8:39

Remember that the VIRUSES listed below are still doing the rounds, so be careful.

Top 5 VIRUSES........

Win32.Klez.E@mm
Win32.Nimda.A@mm
I-Worm.Sircam.A
Win32.Badtrans.B@mm
Win32.Magistr.B@mm



Andy...
SteveN
Joined: 10 Oct 2002
Posts: 571

Posted: Mon Nov 11, 2002 17:35

Just received this by email:-

" *** WARNING : This message originates from the Internet ***
>
> If you receive a phone call and your mobiles phone displays ACE-? on
> the screen DON'T ANSWER THIS CALL - END THE CALL IMMEDIATELY. IF YOU
> ANSWER THE CALL, YOUR PHONE WILL BE INFECTED BY THIS VIRUS.This virus
> will erase all IMEI and IMSI information from both your phone and your
> SIM card, which will make your phone unable to connect with the
> telephone network.You will have to buy a new phone. This information
> has been confirmed by both Motorola and Nokia. There are over 3
> million mobile phones being infected by this virus in USA now. You can
> also check this news in the CNN web site.
>
>
> Please forward this piece of information to all your friends. "

It may be true or not, but just in case
SteveN


Have found this to be a HOAX LOOK here

SteveN
Andy(NorthWales)

Posted: Mon Nov 25, 2002 1:28

Win32.Bride.B@mm


Name: Win32.Bride.B@mm
Aliases: W32/Braid.B (Sophos), Bridex (F-Secure)
Type: Executable Mass-mailer
Size: 90111 bytes
Discovered: 19 November 2002
Detected: 19 November 2002, 16:00 (GMT+2)
Spreading: Medium
Damage: Low
ITW: Yes
Symptoms:

- file "Madam.exe" on the Desktop (with an icon of Internet Explorer);
- email message file "Madam.eml" on the Desktop.

Technical description:

This is the second version of the mass-mailer Win32.Bride.A@mm; it doesn't carry along the FunLove file infector anymore, and doesn't install itself (it won't automatically be run at Windows start-up). Its strings are no longer encrypted and on Windows NT/2000/XP the executable might not be run (its format is slightly damaged, and the NT versions make more thorough verifications of executable format compliance than the 9x versions).

The worm arrives in an email message in the following format:

From: (Windows registered user name of infected user)
or
From: Help
Subject: (Windows registered organization of infected user)
Body:
Hello,

My name is donkey-virus.
I wish you a merry Christmas and happy new year.

Thank you.
Attachment: README.EXE



The attachment will still be automatically run on unpatched systems, as the virus exploits the IFRAME vulnerability. The following picture will be displayed when the virus is run:



The worm will copy itself on the Desktop as Madam.exe (with Internet Explorer's icon); it will also create an email message file on the desktop (Madam.eml); when the user opens this file with Outlook/Outlook Express, the attachment will once again be executed and the user will be invited to fill in the recipient address and send the email; the attached file (README.EXE) may not be visible (due to the malformed MIME header).



The names of the temporary files used by the worm have been changed to "Madam0.tmp" and "Madam1.tmp".

The worm will stop services with names containing one of the substrings:
MST
MS_
S -
_NP
VIEW
IRMON
SMTPSVC
MONIKER
PROGRAM

It will also terminate processes with window names including these strings:
dbg
mon
vir
iom
anti
fire
prot
secu
view
debug

Mass-mailing: As in version A, email addresses are collected from .htm and .dbx files; the "anonymous" user on the name/domain server will also be targeted.

The From and Subject fields are taken from the registry entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner;
- HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization.
(if the RegisteredOwner entry cannot be read, the text "Help" will appear in the From field).

The sender's email address may be forged in messages that are sent by the virus.

The file's description contains the following copyright text:
Copyright (C) Madam Inc. 1981-2002

Manual Removal:

Delete the desktop items described in the Symptoms section.

Users running unpatched versions of Internet Explorer 5.xx should get the security update from: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp .

Automatic Removal:

Let BitDefender delete infected files.

Analyzed by:
Bogdan Dragu
BitDefender Virus Researcher
Andy(NorthWales)

Posted: Mon Nov 25, 2002 1:31

Win32.PiBi.B@mm


Name: Win32.PiBi.B@mm
Aliases: I-Worm.PieceByPiece.B (Red Cell)
Type: Executable Mass-mailer & IRC / P2P Worm
Sizes: 32256 bytes (65-70 KB when unpacked, ~30 KB when ZIP-compressed)
Discovered: 29 October 2002
Detected: 29 October 2002, 20:30 (GMT+2)
Spreading: Medium
Damage: Low
ITW: Unknown
Symptoms:

- files named "wsysNNN.exe" and "w32sysNNN.zip" in the "System" subfolder of the Windows folder (NNN being a random number);
- the registry entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module";
- the file C:\boot64.bin (containing the worm in base64 format);
- modified script.ini file in the mIRC folder;
- one of the following files (approx. 32 KB in size!) in the shared folders of Kazaa/Morpheus/BearShare/eDonkey2000:
- wmplay9.exe
- wamp3.exe
- winxpserial.exe
- kmd22.exe.

Technical description:

The second version of Win32.Pibi.A@mm also spreads by using mass-mailing, IRC and file sharing applications; it was written in Visual C++ and packed with UPX.

It arrives attached to an email message in one of the following formats:

From: (address of infected user)
Subject: Re: hya
Body: Istall the program in the attachment.
Attachment: install.exe

From: "Microsoft" <support@microsoft.com>
Reply-To: "Microsoft" <microsoft@microsoft.com>
Subject: WindowsXP Service Release Pack 2.002
Body: Istall the program in the attachment.
Attachment: install.exe

The worm will attempt to terminate the execution of some antivirus programs by scanning for modules containing one of the following substrings in the name:

AV, F-, av, NOD32, SCAN, MON, ALERT, ANTIVIR, PCCW, PCC, FP-, TRAP, TDS2-, VET, SWEEP, MCAFEE, FIREW, DVP, CFI, ICL, VSHW

When run for the first time, the virus will:

- create the registry entry "HKLM\Software\PieceByPieceB\inf" with the value "yep";

- make a copy of itself in <Windows>\system\wsysNNN.exe (where NNN is a random number), and create the registry entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module" in order for Windows to run that copy at every start-up.

- copy itself (with one of the following names: wmplay9.exe, wamp3.exe, winxpserial.exe, kmd22.exe) in the shared folders of Kazaa, Morpheus, BearShare and eDonkey2000, in order to spread to other users of those file sharing applications;

- create a .zip archive of itself in <Windows>\system\w32sysNNN.zip (if WinZip is installed) and modify script.ini in the mIRC folder in order to send this archive to other users on the chat server (if mIRC is installed); the infected user will also automatically join the #pbpB chat channel;

- create a base64-encoded copy of the worm in C:\boot64.bin (used for email attachments) and send email messages in the format described above to addresses found by scanning *.htm files in the Temporary Internet Files folder;

- display the following message box:



The worm then calls the RegisterServiceProcess API function in order to hide itself from the list of running tasks (in Windows 9x) and to continue running after the current user logs off the machine. It will once again call the mass-mailing routine, and also set a timer to call that routine every 50 seconds.

On October 18th the virus displays the following lyrics:



Manual Removal:

Delete the registry entry and the files described in the Symptoms section; you might have to restart Windows in Safe Mode for this.

Automatic Removal:

Let BitDefender delete infected files.

Analyzed by:
Bogdan Dragu
BitDefender Virus Researcher
Andy(NorthWales)

Posted: Mon Nov 25, 2002 1:32

VBS.Trojan.Carewmr.A


Name: VBS.Trojan.Carewmr.A
Aliases: N/A
Type: Script Trojan
Size: 3292 bytes
Discovered: Oct 22, 2002
Detected: Oct 22, 2002, 14:00 (GMT+2)
Spreading: No
Damage: High
ITW: No
Symptoms:

It creates many 0 bytes size files in "C:\", and some empty folders (also in "C:\").

Technical description:

The Trojan displays some message boxes with the text:
1. "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer. "
2. "ERROR!, Code error:3212552, please execute this tool in MS-DOS."
3. "Thank You for prefer Kaspersky Labs Products"

On September the 1st it also displays the message:
"Mr.Carew vuelve otra vez!!, jaja"

It tries to delete some registry keys:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro"

It also tries to connect to the site "http:\\www.avp.ru".

It creates 0 bytes size files on "C:\":
- "C:\Norton2003isbad_preferKAVORAVP"
- "C:\AVP"
- "C:\NAV"
- "C:\CHILE"
- "C:\TEMUCO"
- "C:\MCAFEE"
- "C:\ENTELPCS"
- "C:\GSM1900MHZ"
- "C:\SONYERICSSON"
- "C:\CAREFULLY_WHIT_ME"
- "C:\YOUR_PC_IS_VERY_BAD"
- "C:\I HATE MELINA"
- "C:\VBS.CarewMR.a"
- "C:\Windows is a real virus?"
- "C:\MELINA_TE_ODIO_MUERETE!"
- "C:\WindowsXP"
- "C:\Windows3.11"
- "C:\Windows98SE"
- "C:\WindowsME"
- "C:\Windows 95"
- "C:\WindowsNT"
- "C:\Windows2000"
- "C:\TELLCELL S.A"
- "C:\PORN"
- "C:\ORAL_SEX"
- "C:\*beep*"
- "C:\ICQ"
- "C:\PANDA"
- "C:\NOD32"
- "C:\TREND"
- "C:\PC-CILLIN"
- "C:\AvpM.exe"
- "C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!"
- "C:\Norton_thePOOR"
- "C:\Madonna_Sucking_my_dick.avi"
- "C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja"
- "C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES"

It also creates the folders:
- "C:\Symantec"
- "C:\KasperskyLabs"
- "C:\PandaSoftware"
- "C:\TrendMicro"
- "C:\Eset-Nod-*beep*".

It tries to delete the folder "C:\Windows".

The trojan creates in the current folder a file named "CLRAV_Report.log", with an error message:
"Due an error, Code error:3212552, CLRAV has not disinfect your computer
For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."

Removal:

- manual removal: delete all files found infected.
- automatic removal: let BitDefender delete files found infected.

Analyzed by:
Mihaela Stoian
BitDefender virus researcher
tomcat
Guest







Posted: Fri Nov 29, 2002 21:54    Post subject: Virus/firewall/hoaxes

Just some helpful sites before you all start panicking...

If you get an email telling you to delete this file or that program, check here first, it could be a hoax.
http://www.vmyths.com

Firewall protection, not only stops incoming probes but asks before letting any program access the internet, and it's FREE!!!
http://www.zonelabs.com/store/content/home.jsp

Follow the link to the 'Shields Up' page and see if you're open to attack...
http://grc.com

Great antivirus program: Norton Antivirus scans all incoming and outgoing email.... traps the virus dead..
http://www.symantec.com

Regards Steve
Andy(NorthWales)

Posted: Sat Jan 04, 2003 3:16

OK, it's been a while, so there are some new bugs and creepy-crawlies around....: -

Remember these ones are still out there, so keep everything updated...: -

Win32.Klez.H@mm
Win32.BugBear.A@mm
JS.Trojan.NoClose.B
Win32.Nimda.E@mm
Win32.Worm.Opaserv.A



----------------------------------------------------------

Win32.Yahaa.K@mm


Name: Win32.Yahaa.K@mm
Aliases: W32.Yaha.K@mm (NAV)
Type: Executable Mass Mailer
Size: 34304 bytes
Discovered: December 28, 2002
Detected: December 28, 2002, 13:00 (GMT+2)
Spreading: Medium
Damage: Low
ITW: Yes
Symptoms:

- Files WinServices.exe, nav32_loader.exe, tcpsvs32.exe, Winloader32.dll
in the System directory (usually c:\windows\system - on Windows 95/98/ME,
c:\winnt\system32 - on Windows NT/2000, c:\windows\system32 - on Windows XP)

Technical description:

This Internet Worm is a modification of Win32.Yahaa.J@mm.
The major changes since its previous version are the subjects, attachments and
mail bodies of the infected email.

Subject:

Are you the BEST
Free Win32 API source
Learn SQL 4 Free
I Love You..
Wanna be like a stone ?
Are you a Soccer Fan ?
Sexy Screensavers 4 U
Check it out
Sample Playboy
Hardcore Screensavers 4 U
XXX Screensavers 4 U
We want peace
Wanna be a HE-MAN
Visit us
One Virus Writer's Story
One Hacker's Love
World Tour
Whats up
Wanna be my sweetheart ??
Screensavers from Club Jenna
Jenna 4 U
Free rAVs Screensavers
Feel the fragrance of Love
Wanna Hack ??
Sample KOF 2002
The King of KOF
Wanna Brawl ??
Wanna Rumble ??
Play KOF 2002 4 Free
Demo KOF 2002
Free Demo Game
Wanna be friends ??
Need money ??
Are you beautiful
Who is your Valentine
Free Screenavers of Love
Free XXX
Free Screensavers
WWE Screensavers
Freak Out
Wanna be friends ?
Things to note
Lovers Corner
Patch for Elkern.gen
Patch for Klez.H
Free Screensavers 4 U
Project
Sample Screensavers
Are you in Love
I am in Love
I Love You
You are so sweet
The Hotmail Hack
U realy Want this
to ur lovers
to ur friends
Find a good friend
Learn How To Love
Are you looking for Love
Wowwwwwwwwwww check it
Check ur friends Circle
The world of Friendship
Shake it baby
How sweet this Screen saver
war Againest Loneliness
Need a friend?
Say 'I Like You' To ur friend
love speaks from the heart
Let's Dance and forget pains
Looking for Friendship
True Love
make ur friend happy
Who is ur Best Friend
hey check it yaar
Check this poo
Hello
Hi

Attachment:

hotmail_hack.exe
friendship.scr
world_of_friendship.scr
shake.scr
Sweet.scr
Be_Happy.scr
Friend_Finder.exe
I_Like_You.scr
love.scr
dance.scr
GC_Messenger.exe
True_Love.scr
Friend_Happy.scr
Best_Friend.scr
life.scr
colour_of_life.scr
friendship_funny.scr
funny.scr
The_Best.scr
Codeproject.scr
SQL_4_Free.scr
I_Love_You.scr
Stone.scr
Sex.scr
Soccer.scr
Real.scr
Plus6.scr
Plus2.scr
Playboy.scr
Hardcore4Free.scr
xxx4Free.scr
Screensavers.scr
Peace.scr
Body_Building.scr
Services.scr
VXer_The_LoveStory.scr
Hacker_The_LoveStory.scr
World_Tour.scr
up_life.scr
Sweetheart.scr
Sexy_Jenna.scr
Jenna_Jemson.scr
zDenka.scr
Ravs.scr
Free_Love_Screensavers.scr
Romeo_Juliet.scr
Hacker.scr
KOF_Fighting.exe
KOF_Sample.exe
KOF_Demo.exe
KOF_The_Game.exe
KOF2002.exe
King_of_Figthers.exe
KOF.exe
My_Sexy_Pic.scr
MyProfile.scr
Ways_To_Earn_Money.exe
Beautifull.scr
Valentines_Day.scr
zXXX_BROWSER.exe
Britney_Sample.scr
THEROCK.scr
FreakOut.exe
MyPic.scr
Notes.exe
Cupid.scr
FixElkern.com
FixKlez.com
Romantic.scr
Project.exe
Love.scr

Body:
****************************************************************
hey,
did u always dreamnt of hacking ur friends hotmail account..
finally i got a hotmail hack from the internet that really works..
ur my best friend thats why sending to u..
check it..just run it..enter victim's address and u will get the pass.
****************************************************************
hi,
check the attached love screensaver
and feel the fragrance of true love..
****************************************************************
Hi,
check the attached screensaver..
its really wonderfool..
i got it from freescreensavers.com
****************************************************************
Hi,
check ur friends circle using the attached friendship screensaver..
check the attached screensaver
and if u like it send it to all those you consider
to be true friends... if it comes back to you then
you will know that you have a circle of friends..
****************************************************************
Hi,
check the attached screensaver
and enjoy the world of friendship..
****************************************************************
Hi,
are u in a rocking mood...
check the attached scrennsaver and start shaking..
****************************************************************
Hi,
Check the attached screensaver..
****************************************************************
Hi,
Are you lonely ??..
check the attached screensaver and
forget the pain of loneliness
****************************************************************
Hi,
Looking for online pals..
check the attached friend finder software..
****************************************************************
Hi,
sending you a screensaver..
check it and let me know how it is...
****************************************************************
Hi,
Check the attached screensaver
and feel the fragrance of true love...
****************************************************************
Hey,
I just got this wonderfull screensaver from freescreensaver.com..
Just check it out and let me know how it is..
I just came across it.. check out..
=====================================================================
Are you one of those unfortunate human beings who are desperately
looking for friends.. but still not getting true friends with whom
you can share your everything..
anyway you wont feel down any more cause GC Chat Network has brought
up a global chat and online match making system using its own GC
Messenger. Attached is the fully functional free version of GC
Instant Messenger and Match Making client..
Just install, register an account with us and find thousands of online
pals all over the world..
You can also search for friends by specific country,city,region etc.
Regards Admin,
GC Global Chat Network System..
****************************************************************
Hi,
So you think you are in love..
is it true love ? you may think right now that you are in
true love but it is certainly possible that it is nothing
but a mere infatuation to you..
anyway to know yourself better than you have ever known check
the attached screensaver and feel the fragrance of true love..
****************************************************************
Hey pal,
you know friendship is like a business...
to get something you need to give something..
though its not that harsh as business but to
get love and care from your friends you need to give
love,care and respect to your friends.. right
check the attached screensaver and you will learn how to
make your friends happy..
****************************************************************
Hi,
Its quite obvious that in our life we have numerous friends
but.. BUT Best Friend can only be ONE.. right
so can you decide who is your best friend
i guess not.. cause mostly you will find that your best friend
wont care about u like somebody else..
anyway i found one way to find who is my best friend..
check it..
just check the attached screensaver.. answer some questions
in it and also ask your best friend to answer the questions..
..then you will know more about him..
****************************************************************
Hey pal,
wanna have some fun in life...
feel like life is too boring and monotonous..
check the attached screensaver and bring colours
to your black & white life.. :)
****************************************************************
Hi,
I just came across this funny screensaver..
sending it to u.. hope u like it..
check out and die laughing.. :)
****************************************************************
<<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>
This E-Mail is never sent unsolicited. If you receive this
E-Mail then it is because you have subscribed to the official
newsletter at the KOF ONLINE website.
King Of Fighters is one of the greatest action game ever made.
Now after the mind boggling sucess of KOF 2001 SNK proudly
presents to you KOF 2002 with 4 new charecters.
Even though we need no publicity for our product but this
time we have decided to give away a fully functional trial
version of KOF 2002. So check out the attached trial version
of KOF 2002 and register at our official website to get a free
copy of KOF2002 original version
Best Regards,
Admin,KOF ONLINE..
<<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>
****************************************************************
Hello,
I just came across your email ID while searching in the Yahoo profiles.
Actually I want a true friend 4 life with whom I can share my everything.
So if you are interested in being my friend 4 life then mail me.
If you wanna know about me, attached is my profile along with some of my
pics. You can check and if you like it then do mail me.
I will be waiting for your mail.
Best Wishes,
Your Friend..
****************************************************************
Hello,
Looking for some Hardcore mind boggling action ?
Install the attached browser software and browse
across millions of paid hardcore sex sites for free.
Using the software you can safely and easily browse
across most of the hardcore XXX paid sites across the
internet for free. Using it you can also clean all
traces of your web browsing from your computer.
Note:The attached browser software is made exclusivley
for demo only. You can use the software for a limited
time of 35 days after which you have to register it
at our official website for its furthur use.
Regards,
Admin.
****************************************************************
Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC
****************************************************************
Hello,
The attached product is send as a part of our official campaign
for the popularity of our product.
You have been chosen to try a free fully functional sample of our
product.If you are satified then you can send it to your friends.
All you have to do is to install the software and register an account
with us using the links provided in the software. Then send this software
to your friends using your account ID and for each person who registers
with us through your account, we will pay you $1.5.Once your account reaches
the limit of $50, your payment will be send to your registration address by
check or draft.

Please note that the registration process is completely free which means
by participating in this program you will only gain without loosing anything.
Best Regards,
Admin,
****************************************************************


Payload:

On May 22 and March 25 it displays a message box with the title "You are my Best Friend"
and the text "Happy Birthday Dear", and swaps mouse's buttons.

On Thursdays it randomly changes the start page of Internet Explorer to one of the following:
http://www.unixhideout.com
http://www.hirosh.tk
http://www.neworder.box.sk
http://www.blacksun.box.sk
http://www.coderz.net
http://www.hackers.com/html/neohaven.html
http://www.ankitfadia.com
http://www.hrvg.tk
http://www.hackersclub.up.to
and sets Internet Explorer to run in Full Screen.

It attempts to change the file attributes to hidden for all the files in the current user's "My Documents" folder.
This will make the user unable to see his documents with a default configured Explorer.

It will also create the file aYeHS.txt on the desktop, with one of the
texts below as its content:

[Variant 1]
==================================================
W32.@YerH$.B,Made in India,
wE aRe thE greAt iNdIaNs..
----------------------------

aBouT mE :
jUst a c0mputEr gEEk..
i tHinK i aM sTill a sCripT kiddiE..

eDucAtiOn : sCh00l sTudEnt..

aBouT @YerH$.B:
n0 dEstrucTivE paYload$ f0r inFecTeD c0mpUteRs.
teRminAtioN oF aV + FireWaLL f0r sUrvIvaL.
tImE dEfiNed tRigErRinG.. jUst f0r fUn.. n0 paYloaD.
c0ntAinS bUg iN rEpliCation c0de.. no tIme t0 fiX.
g0nNa fiX iT iN nExt rElEase..

n0 m0rE $hiT
===================================================

>> qph@hackermail.com

[Variant 2]
==================================================
W32.@YerH$.B,Made in India,
wE aRe thE greAt iNdIaNs..
----------------------------

spEciAl 10x to c0bra..
f0r inSpirAtIon + c0dIng hElp..
==================================================

>> qph@hackermail.com

[Variant 3]
======================================================
W32.@YerH$.B,Made in India
wE aRe thE greAt iNdIaNs..
----------------------------
wAnT peAce aNd pr0speRity in InDiA ?..
f**k tHe c0rruptEd p0litiCian$..no poo$ nEEdeD..
mErA bhAraT mAhaN ??.. n0t yeT..wE nEEd t0 mAkE iT..

talenT & hArd w0rK shOulD be rEspEctEd..
sElf stYleD a**H***$ mUsT bE eLimInatEd....
n0 m0re $hiT m0n0p0lY..
======================================================

>> qph@hackermail.com

[Variant 4]
=================================================
W32.@YerH$.B,Made in India.
wE aRe thE greAt iNdiAnS.
----------------------------

iNdiAn hAckeRs + vXerS teAm up...
aNd kicK lamEr a**

no m0re pAk poo..
itZ oUr tiMe to shOw tHem, the p0wer of teaM w0rk.

f**k AIC,GFORCE,SILVERLORDS,WFD..f*****g k1dd1es..
no poo bUsineSS iN heRe aNd
nO lamE stuFF..
=================================================

>> qph@hackermail.com

[Variant 5]
============================================================

r0xx pReSaNt$ W32.@YerH$.B (all r1ght$ re$erv3d.. ;) )
w3 aRe tHe gRe@t 1nD1aN$..
------------------------------------------------------

m@iN mIssIoN iS t0 sPreAd tHe nAmE @YerH$
s00 mUch t0 c0me..
iNclUdEd DDoS c0mp0neNtS c@usE oF poo p@kI l@meRs

eXp3ct th3 uNeXp3ctEd

dEdic@t3d t0 : mY b3$t fRi3nD
============================================================

>> qph@hackermail.com


Removal:
- automatic removal: let BitDefender delete/disinfect files found infected.
- manual: - restore the registry value HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)
to contain the data: ["%1" %*] (without the square brackets)
- set explorer to see hidden files and remove the hidden attribute from files in
"My Documents"

Virus analyzed by:
Costin Ionescu
BitDefender Virus Researcher
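As an added defender-side example (not BitDefender's or the poster's code), the script below checks an exported .reg snapshot for the persistence indicators the Yaha and PiBi posts in this thread describe: the HKCR\exefile\shell\open\command hijack, the winReg Run/RunServices entries and the "Kernel32.dll module" Run entry, and it emits the .reg text that restores the clean ["%1" %*] default. The sample export and the wsys417.exe file name are constructed.

```python
"""Check an exported Windows registry snapshot (.reg text) for the Yaha/PiBi
persistence indicators described in this thread.  Added example; not
BitDefender's or the poster's code.  The sample export below is constructed."""
import re

# Clean default for HKCR\exefile\shell\open\command, as the Yahaa.K removal
# notes give it (the square brackets there are not part of the data).
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Run keys and value names the Yahaa.J and PiBi.B posts list as symptoms.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
SUSPICIOUS_RUN_NAMES = {"winReg", "Kernel32.dll module"}

# Constructed snapshot of an infected machine as the posts describe it
# (wsys417.exe stands in for the random wsysNNN.exe name).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\nav32.exe\"\"%1\"%*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winReg"="\"C:\\WINDOWS\\SYSTEM\\winReg.exe\""
"SystemTray"="SysTray.Exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32.dll module"="C:\\WINDOWS\\SYSTEM\\wsys417.exe"
'''


def parse_reg_export(text):
    """Parse the subset of .reg syntax these indicators use: [key] headers
    and REG_SZ lines of the form "name"="value" or @="value".
    Returns {key: {value_name: data}}; the default value is named "(default)"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            # .reg escapes backslash and quote with a backslash; undo that.
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def exefile_hijack(command):
    """Return the program interposed in front of every .exe launch, or None
    when the command still runs the target ("%1") directly."""
    # Yaha rewrites the value to "<sysdir>\nav32.exe""%1"%* so that every
    # program start runs the worm first.  An empty value is not a hijack.
    cmd = command.strip()
    if not cmd or cmd.startswith('"%1"') or cmd.startswith("%1"):
        return None
    quoted = re.match(r'"([^"]+)"', cmd)
    return quoted.group(1) if quoted else cmd.split(None, 1)[0]


def find_indicators(reg):
    """Return (kind, detail) pairs for the indicators present in a parsed export."""
    findings = []
    command = reg.get(EXEFILE_KEY, {}).get("(default)")
    if command is not None and exefile_hijack(command):
        findings.append(("exefile hijack", exefile_hijack(command)))
    for key in RUN_KEYS:
        for name in reg.get(key, {}):
            if name in SUSPICIOUS_RUN_NAMES:
                findings.append(("run entry", key + "\\" + name))
    return findings


def restore_exefile_reg():
    """Text of a .reg file that puts the exefile command back to the clean
    default.  Import it only after the worm's files are gone (Safe Mode, as
    the PiBi post advises): with the hijack in place, launching regedit.exe
    would itself run the worm first."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[" + EXEFILE_KEY + "]\n"
        '@="\\"%1\\" %*"\n'
    )


if __name__ == "__main__":
    for kind, detail in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{kind}: {detail}")
    print(restore_exefile_reg())
```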
Andy(NorthWales)

Posted: Sat Jan 04, 2003 3:18

This one has a similar heading to the above-named virus but is different.........

---------------------------------------------------------------------

Win32.Yahaa.J@mm


Name: Win32.Yahaa.J@mm
Aliases: W32.Yaha.J@mm (NAV)
Type: Executable Mass Mailer
Size: 30090 bytes
Discovered: December 28, 2002
Detected: December 28, 2002, 13:00 (GMT+2)
Spreading: Medium
Damage: Low
ITW: Yes
Symptoms:

- Files msnmsg32.exe, winReg.exe, nav32.exe in the System directory
(usually c:\windows\system - on Windows 95/98/ME, c:\winnt\system32 -
on Windows NT/2000, c:\windows\system32 - on Windows XP)
- in the Windows directory there are some of the files:
- bestfriend.scr
- mAtRiX.scr
- EvilDaemon.scr
- Love.scr
- Escort.scr
- NeverMind.scr
- HotShot.scr
- Honey.scr
- ScreenSaver.scr
- LoverScreenSaver.scr

Technical description:

This is an Internet Worm which comes as attachment to an infected e-mail.
The virus is written in Visual C++ 6.0 and the executable is packed with UPX 1.20.

The format of the infected e-mail is:

From: A fake sender <fake-email>
Subject: one of:

- Missing your best friend ?
- mAtRiX
- Wanna be a hacker ?
- Check this
- Help someone..
- Experience the smooooth music
- Still Dreaming..
- Pamela 4 U
- Friendship ScreenSaver
- Are you In Love
- Mission Impossible
- Good Luck
- Do you love your wife
- Happy Cristmas
- Leona and Ralph
- Dedicated to kYo-3
- So Sweet
- Happy Valentines Day
- Who is your best friend
- You are my best friend
- Are you in Love
- Horny Britney Spears Screensavers
- Devon Loves Bill Gates
- Pamela Anderson Screensavers
- Enjoy the fragrance of Love
- KOF Screensavers
- Electric Screensavers
- Accoustic Screensavers
- Hardcore Screensavers
- Sexy Screensavers
- Bill Gates
- Marcos D'Costa
- Sunrise Screensavers
- Valentine Screensaver
- Lover's Scnreensaver
- IBM Screensavers
- Microsoft Screensavers

Attachment: one of the below, corresponding to the subject:

- bestfriend.scr
- mAtRiX.scr
- EvilDaemon.scr
- Love.scr
- Escort.scr
- NeverMind.scr
- HotShot.scr
- Honey.scr
- ScreenSaver.scr
- LoverScreenSaver.scr
The extension might be changed as a double extension (the second always is .scr).

Body:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.truefriends.net to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.
* To remove yourself from this mailing list, point your browser to:
http://truefriends.net/remove?freescreensaver
* Enter your email address in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "REMOVE" in the subject line.
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

When the user executes the attachment, the virus copies itself into the system directory
under the names shown under Symptoms and sets the following registry values:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)
with data: "%sysdir%\nav32.exe""%1"%*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winReg
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\winReg
with data: "%sysdir%\winReg.exe"

The first registry value causes the worm to execute every time an executable
is run from Explorer; the other registry values cause the virus to execute at every
logon.

The worm also attempts to terminate processes belonging to various antivirus products and firewalls, to
avoid detection through monitoring of its activity. It kills any process whose name
contains one of the following strings:

ANTIVIR, APACHE.EXE, LOCKDOWNADVANCED, WEBSCANX, SAFEWEB, ICMON, CFINET, CFINET32, AVP.EXE,
LOCKDOWN2000, AVP32, ZONEALARM, ALERTSVC, AMON.EXE, AVPCC.EXE, AVPM.EXE, ESAFE.EXE, PCCIOMON,
PCCMAIN, POP3TRAP, WEBTRAP, AVCONSOL, AVSYNMGR, VSHWIN32, VSSTAT, NAVAPW32, NAVW32, NMAIN,
LUALL, LUCOMSERVER, IAMAPP, ATRACK, MCAFEE, FRW.EXE, IAMSERV.EXE, NSCHED32, PCFWALLICON,
SCAN32, TDS2-98, TDS2-NT, VETTRAY, VSECOMR, NISSERV, RESCUE32, SYMPROXYSVC, NISUM, NAVAPSVC,
NAVLU32, NAVRUNR, NAVWNT, PVIEW95, F-STOPW, F-PROT95, PCCWIN98, IOMON98, FP-WIN, NVC95, NORTON.

After installing, it shows a fake error message:
"Application initilisation error"

When the worm detects an active internet connection it will try to send an e-mail with the format
shown above.

The virus creates a file named zEsT.txt in the Windows directory with the content:

====================================================
r^0^x~X pR3$@Nt$ @Y3rH$.@

tHi$ i$ jU$t tH3 b3gInNiNg..
w3 ar3 tH3 gR3@t 1nD1@N$..

w3 k1cK pAk1 a$$..
====================================================

Removal:

- automatic removal: let BitDefender delete/disinfect the files found infected.
- manual: restore the registry value HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)
so that it contains the data: ["%1" %*] (without the square brackets)

Virus analyzed by:
Costin Ionescu
BitDefender Virus Researcher
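The registry persistence described in the post above, as an added example that is not BitDefender's code and not part of the original post: a Python script that parses a Windows registry export (.reg) and flags the two things the description names, a hijacked HKEY_CLASSES_ROOT\exefile\shell\open\command default value and autorun entries under Run / RunServices. It generalizes the first check to the other file classes that carry the same shell command (comfile, batfile, piffile, scrfile) and emits the .reg fragment that puts the expected "%1" %* value back, which is the manual removal step. The sample export, the paths in it and the allowlist are constructed for illustration.

```python
"""Flag the registry persistence described above in a Windows .reg export.

Added example, not BitDefender's code: the key names come from the
description; the sample export, paths and allowlist are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed export of what an infected machine might show (hypothetical
# paths); a real one comes from `reg export HKCR\exefile out.reg` and so on.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM32\\nav32.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winReg"="C:\\WINDOWS\\SYSTEM32\\winReg.exe"
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"winReg"="C:\\WINDOWS\\SYSTEM32\\winReg.exe"
'''

EXPECTED_OPEN_COMMAND = '"%1" %*'          # the clean default value
FILE_CLASSES = ('exefile', 'comfile', 'batfile', 'piffile', 'scrfile')
AUTORUN_KEYS = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
)
KNOWN_GOOD_AUTORUNS = {'ctfmon.exe'}        # constructed per-site allowlist

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value_name: data}}; '' is (default)."""
    reg: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])     # REG_SZ; dword:/hex: kept raw
            reg[key][name] = data
    return reg


def find_shell_hijacks(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(key, command) for every file class whose open command is not the default."""
    found = []
    for cls in FILE_CLASSES:
        key = 'HKEY_CLASSES_ROOT\\%s\\shell\\open\\command' % cls
        cmd = reg.get(key, {}).get('')
        if cmd is not None and cmd.strip() != EXPECTED_OPEN_COMMAND:
            found.append((key, cmd))
    return found


def _basename(path: str) -> str:
    return path.strip().strip('"').replace('/', '\\').split('\\')[-1].lower()


def find_unknown_autoruns(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value_name, command) for autorun entries whose binary is not allowlisted."""
    found = []
    for key in AUTORUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            if _basename(cmd) not in KNOWN_GOOD_AUTORUNS:
                found.append((key, name, cmd))
    return found


def restore_reg_text(cls: str = 'exefile') -> str:
    """The .reg fragment that restores the default open command (manual removal)."""
    return ('Windows Registry Editor Version 5.00\n\n'
            f'[HKEY_CLASSES_ROOT\\{cls}\\shell\\open\\command]\n'
            '@="\\"%1\\" %*"\n')


if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    for key, cmd in find_shell_hijacks(reg):
        print('HIJACKED %s -> %s' % (key, cmd))
    for key, name, cmd in find_unknown_autoruns(reg):
        print('AUTORUN  %s\\%s -> %s' % (key, name, cmd))
    print(restore_reg_text('exefile'))
```

Run it against a real export made with `reg export` and the two lists tell you whether the shell command has been diverted and which autorun binaries you did not put there; importing the restore fragment is the same change the manual removal step describes, and it is worth doing before deleting the dropped executable, because with the hijack in place deleting it makes every .exe fail to launch.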
Andy(NorthWales)
LifeTime Member

Age: 58
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 600
Location: North Wales

Posted: Sat Jan 04, 2003 3:19    Post subject:

Win32.HLLW.Lioten.A


Name: Win32.HLLW.Lioten.A
Aliases: N/A
Type: Executable, Worm
Size: 17 KB (packed with UPX), 40 KB (unpacked)
Discovered: December 18, 2002
Detected: December 18, 2002, 18:00 (GMT+2)
Spreading: Low
Damage: Very Low
ITW: Yes
Symptoms:

- File iraq_oil.exe in C:\WinNT\System32 or <SystemDir> ( <SystemDir> is the Windows system directory )

Technical description:

The worm will run only on NT platforms: Windows NT 4, Windows 2000 or Windows XP, because it uses functions of the "netapi32.dll" library.

The worm tries to access random IP addresses on port 445, that is, it tries to connect to remote computers over TCP on the local network or on the Internet, and if it succeeds, it tries to copy itself to:

\\<IP_Address>\c$\winnt\system32\iraq_oil.exe or
\\<IP_Address>\Admin$\system32\iraq_oil.exe

It tries the following passwords in its connection attempts:

"" (no password)
"admin"
"root"
"111"
"123"
"1234"
"123456"
"654321"
"1"
"!@#$"
"asdf"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"server"

After it has been successfully copied to the destination, the worm tries to create a scheduled task on the remote computer that would execute the worm executable after a few hours or even the next day, depending on the time zone of the victim's computer.

Removal:

- manual removal: delete the file "iraq_oil.exe" located in the folder "C:\WinNT\System32" and/or your computer's system folder
- automatic removal: let BitDefender delete the files found infected with this worm

Analyzed by:
Mihai Neagu
BitDefender Virus Researcher
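A detection for the spreading behaviour described in the post above, as an added example that is not part of the original post or of BitDefender's analysis. Trying a password list against C$ / Admin$ on port 445 leaves a burst of failed network logons (logon type 3) to Administrator from one source, and if one of the weak passwords matches, a success right after the burst. The Python script below runs a sliding-window check over constructed, simplified log lines and reports both the burst and the success-after-failures case; the field names, the window and the threshold are assumptions to adapt to a real Security-log export (logon failure/success are events 529/528 on NT 4 and 2000, 4625/4624 on later Windows).

```python
"""Spot worm-style SMB logon bursts like the one described above.

Added example, not BitDefender's code.  The log format below is a
constructed simplification of Windows Security-log fields; the window and
threshold are assumptions to tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

NETWORK_LOGON = 3                 # logon type 3 = network (share access)
WINDOW = timedelta(seconds=60)    # how close together failures must be
THRESHOLD = 5                     # failures inside WINDOW that make a burst

# Constructed sample: 10.0.0.7 walks a short password list against
# Administrator and gets in; 10.0.0.9 is an interactive user mistyping;
# 10.0.0.12 fails slowly, ten minutes apart, and stays below the window.
SAMPLE_LOG = """\
2002-12-18T18:59:58 src=10.0.0.7 user=Administrator type=3 result=FAIL
2002-12-18T18:59:59 src=10.0.0.7 user=Administrator type=3 result=FAIL
2002-12-18T19:00:00 src=10.0.0.7 user=Administrator type=3 result=FAIL
2002-12-18T19:00:01 src=10.0.0.7 user=Administrator type=3 result=FAIL
2002-12-18T19:00:02 src=10.0.0.7 user=Administrator type=3 result=FAIL
2002-12-18T19:00:03 src=10.0.0.7 user=Administrator type=3 result=SUCCESS
2002-12-18T19:00:10 src=10.0.0.9 user=jsmith type=2 result=FAIL
2002-12-18T19:05:00 src=10.0.0.9 user=jsmith type=2 result=SUCCESS
2002-12-18T19:10:00 src=10.0.0.12 user=Administrator type=3 result=FAIL
2002-12-18T19:20:00 src=10.0.0.12 user=Administrator type=3 result=FAIL
2002-12-18T19:30:00 src=10.0.0.12 user=Administrator type=3 result=FAIL
2002-12-18T19:40:00 src=10.0.0.12 user=Administrator type=3 result=FAIL
2002-12-18T19:50:00 src=10.0.0.12 user=Administrator type=3 result=FAIL
"""

_LINE_RE = re.compile(
    r'^(\S+) src=(\S+) user=(\S+) type=(\d+) result=(FAIL|SUCCESS)$')

Event = Tuple[datetime, str, str, int, str]          # ts, src, user, type, result
Alert = Tuple[str, str, str, datetime]               # kind, src, user, ts


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into time-ordered events; junk lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, ltype, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, user, int(ltype), result))
    events.sort()
    return events


def detect(events: List[Event], threshold: int = THRESHOLD,
           window: timedelta = WINDOW) -> List[Alert]:
    """Sliding window per (source, account) over network logons only.

    'burst': threshold failures within window (reported once per pair).
    'success-after-failures': a success while at least two recent failures
    are still in the window, i.e. a guessed password that worked.
    """
    alerts: List[Alert] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    burst_reported = set()
    for ts, src, user, ltype, result in events:
        if ltype != NETWORK_LOGON:
            continue                      # interactive typos are not spreading
        key = (src, user)
        q = recent[key]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == 'FAIL':
            q.append(ts)
            if len(q) >= threshold and key not in burst_reported:
                burst_reported.add(key)
                alerts.append(('burst', src, user, ts))
        else:
            if len(q) >= 2:
                alerts.append(('success-after-failures', src, user, ts))
            q.clear()
    return alerts


if __name__ == '__main__':
    for kind, src, user, ts in detect(parse_log(SAMPLE_LOG)):
        print('%s  %s -> %s at %s' % (kind.upper(), src, user, ts.isoformat()))
```

With the defaults the slow source never trips the burst rule, which is the usual trade-off: widening the window to an hour catches it too, at the cost of more noise from legitimate retries. Whatever the tuning, the success-after-failures alert is the one to act on first, since it means a password from a list like the one above was accepted and the file copy and scheduled task can follow within seconds.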
All contents © Hobson's Choice IT Solutions Ltd 1997 on
Powered by phpBB © 2001, 2002 phpBB Group