eBid - Buy and Sell online

The Mitsubishi Pajero Owners ClubŪ
The Mitsubishi Pajero, Shogun, Montero, Challenger, Raider and EVO 4x4 Owner's Club
The POCUK - it's not just a Club, it's a way of life!

 FAQFAQ   SearchSearch   Watched TopicsWatched Topics   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your personal messagesLog in to check your personal messages   Log inLog in 
CalendarCalendar   POCUK Club ShopClub Shop  Click here to enter the chat roomChatroom  POCUK Classified Ads serviceClassified Ads
POCUK home pagePOCUK Home  POCUK ForumsPOCUK Forums  Click here to link to the Pajero Owners Club in Poland!POC.pl  Yellow Diamond ClubsYellow Diamond Clubs

ANTI Hacker's + LATEST VIRUS info UPDATED on regular basis

Goto page 1, 2, 3  Next
Post new topic   Reply to topic    The Mitsubishi Pajero Owners ClubŪ Forum Index -> Computer bytes
View previous topic :: View next topic  
Author Message
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Thu Oct 10, 2002 8:58    Post subject: ANTI Hacker's + LATEST VIRUS info UPDATED on regular basis Reply with quote

Hi all,

I have bought this post over from the old forum, just so that we all remember about Internet Security.....: -


Just been sitting here and wondering just how secure people's computer system's really are.

Now most of you will have heard of the dreaded Hacker, but has your computer..??

While your sitting there surfing the net and enjoying what it has to offer, Paj Club:D. Is someone nipping into YOUR computer and having a surf inside there...

Here's some very good site to test your system's security: -



Have a go and test your system.

Hope these thing's help and not scare you away, but security has to be of the upmost importance, especially if you have personal detail's on your system's (home/work account's etc)

I use a firewall program called Black Ice Deffender, which can be found here: -

There are alot of very good firewall's out there and some of them are free to use.

As for Anti-Virus software, remember this need's to be kept up to date. New Viruses are released everyday, so best to try and protect yourself from them.


Attachment's can contain thing's called Trojan's, with these a Hacker can gain full access/control over your system, with of without a firewall.

What is a Trojan, the first stage of a Trojan Horse attack is to get the program on a user's machine. Typical techniques are:

post the program to newsgroups claiming to be some other program
spam mailing lists with the attached program
post program to websites
send via instant messenger programs and chat systems (ICQ, AIM, IRC, etc.)
forge e-mail from the ISP (like AOL) with a hoax message asking somebody to run a program (such as a software update).
copy to startup folder via "File and Print Sharing".
The next stage of the attack is to scan the Internet looking for machines that might be compromised. The problem is that most of the techniques outlined above don't tell the cracker/hacker where their victim machine is. Therefore, the cracker/hacker must scan the Internet looking for the machines they might have compromised.

This leads the condition where owners of firewalls (including personal firewalls) regularly see "probes" directed at their machines from crackers/hackers looking for these machines. However, if the machine hasn't been compromised, then these probes are not a problem. The probes cannot compromise the machine by themselves. Administrators can usually ignore these "attacks".

The most aggresive Trojan at the moment is called Sub7, which has become the most popular remote access trojan. At this time, it is the easiest-to-use and most powerful trojan. The reasons for this are:
It is actively maintained/updated. Most other Trojans were created once then development stopped except for a couple of bug fixes.
The program not only includes a scanner, but also can tell a slave machine to scan as well.
The creator has a contest for cracked sites using Sub7.
Supports "port redirection", so that any attack can be funneled through a victim's machines.
Contains extensive tricks to play with ICQ, AOL IM, MSN Messenger, and Yahoo messenger, including password sniffing, posting messages, and other features.
Extensive UI tricks, such as flipping the screen, talking through the victim's speaker, and spying on the victim's screen.
In short, it not only is an excellent hacking tool, the little "magic" tricks are designed to scare the <bleep> out of victims.

If you do not have any Anti-Virus software may I suggest you get some, this way you'll be protecting your own system and they system's of people you send E-mail's too.

While people have their own opinion's about which to one to use, same as the firewall software, I use the one from here: -


They do have free trial's that you can download...

Hope this hasn't scared any of you, but seeing as the School's Summer Hol's are nearly upon us, 13 bored kid fancies doing something different Very Happy.

Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger

PostPosted: Thu Oct 10, 2002 8:58    Post subject: Google Ads keep the POCUK free to join!

Back to top

PostPosted: Thu Oct 10, 2002 9:07    Post subject: Reply with quote

Welcome back Andy,
We were all starting to miss those short and precise topics from you !

Only joking, good point to bring up Very Happy

Back to top
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Fri Oct 11, 2002 17:45    Post subject: Latest nastey VIRUS.... Reply with quote

OK, Marc first posted info about this VIRUS in the last forum, so I thought I'd bring the info across that I posted telling you what to look out for.....: -


Info on the Win32.BugBear.A@mm VIRUS

Name: Win32.BugBear.A@mm
Aliases: I-Worm.Tanatos
Type: Executable Trojan Mass Mailer
Size: 50688 bytes, 5632 bytes
Discovered: September 30, 2002
Detected: September 30, 2002 11:00 (GMT+2)
Spreading: High
Damage: Medium
ITW: Yes
Technical description:

This is an Internet worm that is spreading trough e-mail.
The infected e-mail has the following characteristics:

Randomly selected from:

Payment notices
Just a reminder
Correction of errors
history screen
I need help about script!!!
Please Help...
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising

Double extension file with final extension:
.exe .pif .scr

The worm uses the iframe exploit and it will execute itself on preview on some computers with older variants of Internet Explorer.

After the attachment is executed the worm copies itself under a random name in %SYSDIR% and it creates a registry key in
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\%name% with value %SYSDIR%\%name%
where %SYSDIR% is the system directory and %name% is the random generated name.

It will also copies itself under
%WINDIR%\Start Menu\Programs\StartUp\%name% on Win9x or
Documents and Settings\%user%\Start Menu\Programs\StartUp\%name% on Win2k/XP
where %user% is the currently logged user name.

The worm drops a dll file in %SYSDIR% that will be used for logging all the keystrokes. That dll is detected as Trojan.KeyLogger.BugBear.A
Also the worm creates 2 .dat files in %WINDIR% and 2 .dll files in %SYSDIR%. Those files are data files and are used by the virus to store all the information gathered from that computer.

The worm has one threads that periodically checks the existence of it's files and the runonce registry key and kills the following processes:

On a different threads it will scan for mail databases with the extensions:
.ods .inbox .mmf .nch .mbx .eml .tbb .dbx and will gather some of the e-mails found there.
The Worm is spreading to local network as well, by searching the StartUp folder in network shares, and dropping itself there.

It also opens port 36794 and waits for HTTP connections.


- automatic removal: let BitDefender delete the infected files it finds

Virus analyzed by:
Sorin Victor DUDEA
BitDefender Virus Researcher


Good hunting...

Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
Site Admin
Site Admin

Age: 56
Zodiac: Pisces
Joined: 09 Oct 2002
Posts: 3749
Location: S/W New Forest Border

PostPosted: Sun Oct 13, 2002 11:58    Post subject: Jdbgmgr.exe (teddy bear) virus ... HOAX Reply with quote

This is a hoax virus, still doing the rounds. Do NOT remove this program, unless you want to create a load of problems for yourself when you try to use pages using java scripts, for example, the club shop Wink

For more info and a link for recovery, click here


Back to top
View user's profile Send personal message Send e-mail Visit poster's website
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Sun Oct 13, 2002 12:15    Post subject: Reply with quote

Further info from the BOSSES above HOAX VIRUS....: -


Jdbgmgr.exe file hoax
Reported on: April 12, 2002
Last Updated on: July 16, 2002 07:22:47 AM PDT

Symantec Security Response encourages you to ignore any messages regarding this hoax. It is harmless and is intended only to cause unwarranted concern.

Type: Hoax

Technical Details....: -

This is a hoax that, like the SULFNBK.EXE Warning hoax, tries to persuade you to delete a legitimate Windows file from your computer. The file that the hoax refers to, Jdbgmgr.exe, is a Java Debugger Manager. It is a Microsoft file that is installed when you install Windows.

It has a teddy bear icon as described in the hoax:

CAUTION: Jdbgmgr.exe, like any file, can become infected by a virus. One virus in particular, W32.Efortune.31384@mm, targets this file. Norton AntiVirus has provided protection against W32.Efortune.31384@mm since May 11, 2001.

NOTE: If you have already deleted the Jdbgmgr.exe file, some Java applets may not run correctly. This is not a critical system file. The file version may vary with your operating system and version of Internet Explorer. If you want to restore the file, read the instructions in the How to restore the Jdbgmgr.exefile section at the end of this document.

Hoax message
This hoax has appeared in several languages. Some are as follows:

I found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple:

The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book too. The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system.

The virus can be cleaned before it deletes the files from your system. In order to eliminate it, it is just necessary to do the following steps:
1. Go to Start, click "Search"
2.- In the "Files or Folders option" write the name jdbgmgr.exe
3.- Be sure that you are searching in the drive "C"
4.- Click "find now"
5.- If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe DO NOT OPEN IT FOR ANY REASON
6.- Right click and delete it (it will go to the Recycle bin)
7.- Go to the recycle bin and delete it or empty the recycle bin.



Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Sun Oct 13, 2002 12:31    Post subject: Reply with quote

Here's one for all MSN user's to look out for....: -



Name: Win32.MsnWorm.Rodok.A
Aliases: Worm.Win32.Fleming (Kaspersky)
Type: Executable Worm
Size: 53248 bytes
Discovered: 9 October 2002
Detected: 9 October 2002, 18:00 (GMT+2)
Spreading: Low
Damage: Low
ITW: Unknown

- a process called "BR2002" running (it can be seen by right-clicking the taskbar and launching Task Manager).

Technical description:

This worm spreads by by maliciously inviting the user's MSN Messenger contacts to download it; it was written in Visual Basic.

The virus is disguised as a CD-key generator for the great Half-Life/CounterStrike games; when run, it invites the user to click the "Generate" button, but the resulting "keys" are just random digits:

The virus actually steals the user's CD-keys for Half-Life and CounterStrike. The keys are read from the following registry keys:
- HKCU\Software\Valve\CounterStrike\Settings\Key
- HKCU\Software\Valve\Half-Life\Settings\Key
and sent to styggefolk@hotmail.com; the sent message looks like this:
I have loaded the ur CDKEY Generator 1.3! CS: <key> HL: <key>
In order to spread, the worm sends instant messages to the user's contacts, inviting them to download and run a program (actually a copy of the virus) from a website:

The virus then attempts to download an executable file from the location http://home.no.net/downl0ad/CS-Keygen.exe and save it as C:\hehe2397824.exe.
If the user receives a message from styggefolk@hotmail.com, it will take a specific action depending on the contents of that message:

- if the message reads "hey", the virus will send the CounterStrike/Half-Life CD keys again;

- if the message reads "hello", the virus will download a file (probably containing an updated version of the virus) from the location http://home.no.net/downl0ad/Update.exe and save it as C:\update35784.exe; a message will be sent back to styggefolk@hotmail.com, containing the text "Updating...";

- if the message reads "hi", the virus will reply with "Spamming..." and send virus download invitations again to the user's contacts.

The worm runs the downloaded executable files (C:\hehe2397824.exe, C:\update35784.exe), if they are found; it will remain resident, waiting for messages from styggefolk@hotmail.com.

Manual Removal:

Invoke Task Manager, select the process called "BR2002" and click "End Task". You should also delete the file "br2002.exe" that contains the worm.

Automatic Removal:

Let BitDefender delete/disinfect files found infected.

Analyzed by:
Bogdan Dragu
BitDefender Virus Researcher


Andy....(on the look out)
Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Tue Oct 15, 2002 4:31    Post subject: Reply with quote

This one is for anyone running a Network....: -



Name: Win32.Worm.Opaserv.A
Aliases: -
Type: Executable Network Worm
Size: 28672 bytes
Discovered: September 30, 2002
Detected: September 30, 2002 17:00 (GMT+2)
Spreading: High
Damage: Low
ITW: Yes

- File "scrsvr.exe" in the Windows folder;
- One or both of the registry entries:
- "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr"
- "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvrOld".

Technical description:

When first run, the worm will copy itself to the Windows folder with the name "scrsvr.exe" and create the entries "ScrSvr" and "ScrSvrOld" in the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key, causing the new and original copies of the virus to be run at Windows start-up; the new copy will then be launched, and the original process terminated.

As the new copy of the virus (the one in the Windows folder) is launched, it finds the "ScrSvrOld" registry entry and deletes it (that entry exists only to ensure the old copy is run in case the new one fails). The original file containing the virus is also deleted. A mutex object called "ScrSvr31415" (3.1415... are the first digits of pi) is created, unless it already exists, in which case the process ends; this prevents multiple copies of the virus from being run at the same time.

The virus then registers itself as a service process and reduces its priority in order not to consume CPU time unless the system is idle. It will create several execution threads, for spreading and updating the worm.

The worm spreads by scanning the network for full-access shared C drives and copying itself there; the "win.ini" file in the Windows folder is modified in order to run the copy of the worm at the next start-up; the file "c:\tmp.ini" is used for temporarily storing the contents of the "win.ini" file. The worm uses the SMB (Server Message Block) protocol in order to access shared network resources.

(The C: partition is not normally shared by network computers, but they can be infected if the user logged on the infected computer has Administrator rights on the other computers in the network; this is usually the case with Domain Administrators).

The worm also attempts to update itself from the www.opasoft.com site and store the downloaded version in the file "scrupd.exe"; two other temporary files ("ScrSin.dat" and "ScrSout.dat") are used while communicating with the update server.

Manual Removal:

Delete the registry entry/entries described in the "Symptomps" section above; also open the "win.ini" file in the Windows folder with a text editor (eg: Notepad) and delete the lines referring to the "scrsvr.exe" or "tmp.ini" files; restart the computer in Safe Mode if possible and delete the "scrsvr.exe" file (and the original copy of the virus, referred by the "ScrSvrOld" registry entry).

To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

Automatic Removal:

Let BitDefender delete infected files.

Analyzed by:
Bogdan Dragu
BitDefender Virus Researcher


Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Tue Oct 15, 2002 4:38    Post subject: Reply with quote

Just a reminder to keep your Windows up-to-date.....: -



Name: Win32.Nimda.A@mm
Aliases: W32/Nimda.A
Type: File Infector & Internet Worm, written in Visual C language
Size: 57344 bytes
Risk: High
ITW: Yes


This virus comes through e-mail as an attached file, with the body of the mail apparently empty but which actually contains the code to use an exploit which will execute the virus when the user just view the message (if he is using Outlook or Outlook Express without latest Service Packs or patches from Microsoft). Once installed it copies itself in the system directory with the nameriched20.dll modifying itself to be loaded as a DLL
(Dinamically Link Library). This DLL is used by applications that work with Richedit Text Format such as Wordpad.

To be activated at every reboot, the virus modifies system.ini in the boot section, writing the following line:
shell=explorer.exe load.exe -dontrunold
The virus attaches a thread to explorer.exe to run its viral code.
To spread it uses MAPI (Mailing API) functions to read user\\\'s e-mails from where it extracts SMTP (Simple Mail Transfer Protocol) addresses and e-mail addresses.

Another method to spread is by using the Unicode Web Traversal exploit similar to CodeBlue. Information and a patch for this exploit are located at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
Using this exploit the virus gets control of the execution flow on that server and download itself under the name admin.dll, then puts a HTML code in the web page hosted by the IIS server to download the virus. To do this it tries to modify the files with the name:
index, main, default
and with the extension one of:

Also the virus enumerates the network resources visible to the infected computer and tries to copy in shared files or folders.
The virus is able to infect files by attaching the executable as a resource with raw data named f in the virus program. When the infected file is executed the virus takes over the control and executes the original file so the user doesn\\\'t notice anything. This is accomplished by dropping that f resource in a file with the same name as the original but with a space appended, followed by .exe.
The virus activates the user guest with no password and add it to the Administrator group. Also it creates a share for every root directory (from C to Z) with all access rights, and disables the proxy by modifying the keys:
CurrentVersion\\\\Internet Settings\\\\MigrateProxy 1

CurrentVersion\\\\Internet Settings\\\\ProxyEnable 0

CurrentVersion\\\\Internet Settings\\\\ProxyEnable 0

Leaving the library riched20.dll not deleted will reactivate the virus when a program using this library is executed.
As a signature the following text can be found in the file:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

Virus analysed by Costin Ionescu, Data Security Expert of SOFTWIN Antivirus Laboratory.


Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Tue Oct 15, 2002 4:43    Post subject: Reply with quote

Latest Klez virus doing the round's.....: -



Name: Win32.Klez.H@mm
Aliases: N/A
Type: Executable Internet-Worm
Size: ~85Kbytes
Discovered: April 17, 2002
Detected: April 17, 2002; 14:00 (GMT+2)
Spreading: High
Damage: Low
ITW: Yes

- File Wink??.exe in the system directory (usually C:\Windows\System (95/98/Me) or C:\Winnt\System32 (NT/2000) or C:\Windows\System32 (XP))
- A file with a random name and extension .exe in the folder C:\Program Files

Technical description:

This is a new version of the virus Klez having a few changes from the last version (Win32.Klez.E@mm)
It comes as an attached file in a mail with the format similar to its previous version:

- how are you
- let's be friends
- darling
- so cool a flash,enjoy it
- your password
- honey
- some questions
- please try again
- welcome to my hometown
- the Garden of Eden
- introduction on ADSL
- meeting notice
- questionnaire
- congratulations
- sos!
- japanese girl VS playboy
- look,my beautiful girl friend
- eager to see you
- spice girls'vocal concert
- japanese lass' sexy pictures
- Undeliverable mail--"%s"'
- Returned mail--"%s"'
Where %s is replaced with a stolen subject from other e-mails

It also attaches another file taken from the root directory, besides the file which contains the virus.
An example is this:

In addition to the mail bodies presented in the previous version it has another message:
Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please mail to me.

An example of such e-mail is this:

It uses the IFRAME exploit to execute automatically when the user previews the message (with Outlook or Outlook Express).
You can find description and patch for the IFRAME exploit at this link:

When it is executed the virus copies itself in the System directory with a name starting with wink.

Another major difference from the last version is that the virus that it carries with it is a new version Win32.Elkern.C. It drops this file infector in the directory C:\Program Files with a random name and executes it.

It uses the same methods of spreading through e-mail and network.

The virus contains the follwing text:

Win32 Klez V2.01 & Win32 Foroux V1.0
Copyright 2002,made in Asia
About Klez V2.01:
1,Main mission is to release the new baby PE virus,Win32 Foroux
2,No significant change.No bug fixed.No any payload.
About Win32 Foroux (plz keep the name,thanx)
1,Full compatible Win32 PE virus on Win9X/2K/NT/XP
2,With very interesting feature.Check it!
3,No any payload.No any optimization
4,Not bug free,because of a hurry work.No more than three weeks from having such idea to accomplishing coding and testing

- delete all files infected with Win32.Klez.H@mm
- restore from backup the files infected with Win32.Elkern.C

Virus analyzed by
Costin Ionescu
BitDefender Virus Researcher

Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Tue Oct 22, 2002 4:34    Post subject: Reply with quote

Yet another mailer one...: -



Name: Win32.Apbost.A@mm
Aliases: I-Worm.Xiv.a (KAV), WORM_BOOSTAP.A (Trend)
Type: Mass Mailer, Worm, Script and Executable Infector
Size: 204800 bytes
Discovered: October 15, 2002
Detected: October 15, 2002, 14:00 (GMT+2)
Spreading: High
Damage: High
ITW: Unknown

- Presence of appboost.exe in %windir% Attention! This file is hidden, and it may not be seen using default settings in Explorer.
- Presence of appbsvc.exe in %windir%
- Presence of registry key HKEY_CURRENT_USER\Software\Microsoft\Mails\%number% containing a binary sequence
- Infected executable files have changed icons with the one shown here:

Technical description:

It spreads using several different methods. It may come as an infected mail attachment, in which case it uses an IE vulnerability which allows the execution of the attached file without permission, so it is enough to view/preview the email to get infected.

Once the code is executed the virus copies itself as %windir%\appboost.exe with hidden attribute set and as %windir%\appbsvc.exe with regular attributes. After this it registers appbsvc.exe as a system process - cannot be killed using task manager under WinNT/2k/Xp - and appboost.exe as default shell open command for .BAT, .CMD, .COM, .EXE, .PIF and .SCR files.

Executables enumerated above are infected only if they are opened using shell open command (e.g. using Explorer).

The virus also searches memory processes' names and if they contain predefined antivirus/preferential strings they are terminated.

Messages sent by the worm may have as subject a combination of: "A nice Screensaver of", "Ein netter Screensaver von", "New Version of", "Eine neue Version von", "Important!:", "Wichtig!:" and "Angelina Jolie", "Anna Kournikova", "Porn Screensaver", "Sex Screensave", "TvTool", "Flashget", "WarezBoardAccess", "Undelivarable EMail", "Brute Force Tool". Attached files may have one of the following names: "PamAnderson.scr", "Jolie.scr", "AnnaKournikova.scr", "XXX.scr", "FreeSex..exe", "TvTool.exe", "FlashGet.exe", "WarezBoardAccess.exe", "Undelivarableemail.exe", "BestTool.exe", "vertag.exe".

Due to some bugs existing in this version of the worm it will crush on several systems with error reports (e.g. "appboot.exe has generated errors and will be closed") and may not run at all on Win98 systems.

It infects php3 files (.php, .php3 and .phtml) by appending php code which scans and ifects all the phps it finds on the system, then adds a user to apache server (if the server exists) to allow remote attacks and manipulates some mirc scrips.
File shares for KaZaa are created with virus executables with names composed of a combination of words found on victim's system and some built in words (e.g. "Crack", "Extra Pack - Key Gen", "Performance Fix", etc) with different executable extensions (.bat, .cmd, .exe, .pif, etc).

Because of the method of infection specific for high-level language viruses and because of the presence of some major bugs in the virus code the infected system becomes unstable relatively quick and has high probability of failure in booting the system.

Analyzed by:

Mircea Ciubotariu
BitDefender virus researcher


Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Tue Oct 22, 2002 4:38    Post subject: Reply with quote

Someone trying to sneak a VIRUS in disguiesed as an Antidote to the Bugbear Virus.......: -



Name: Win32.BogusBear.A@mm
Aliases: N/A
Type: Executable, Mass Mailer
Size: 9728 bytes
Discovered: October 14, 2002
Detected: October 14, 2002, 18:00 (GMT+2)
Spreading: Low
Damage: Low
ITW: Yes (1 report)
Another malware disguised as an antidote to the latest outbreak: BugBear.


- File PrTecTor.exe, m_prgrm.zip, m_Base64.xrf, m_WAB.xrf in system directory (usually C:\Windows\System (Win95/98/Me); C:\WINNT\System32 (WinNT, Win 2000); C:\Windows\System32 (WinXP))
- File m_regedit.exe in Windows directory
- If the date is set to the year 2003, Windows will shut down immediately after logon.

Technical description:

This is an internet worm written in assembly language using encryption techniques in order to slow the analysis process. The virus works on all Windows platforms for Intel processors.

The worm comes as an attached zip file to a mail with the format:
From: Alerta_RaPida boletin@viralert.net
Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)
Attachment: protect.zip

If the user unzip the archive and executes the file ProTecT.exe the virus will show the following fake message (only when executed the first time):

After the user press the OK button, the virus renames the original regedit.exe file to m_regedit.exe and copies itself as regedit.exe, changing it's icon to regedit's default icon.
Next it checks the date to be in the year 2003, in which case will exit Windows.
It installs itself in the system directory as PrTecTor.exe and sets the registry value:
With the string data equal to the PrTecTor.exe full path.

It reads the information about the default Internet Account and steals the e-mail addresses from the WAB (Windows Address Book) and puts them into the file m_WAB.xrf from the System directory. It creates a ZIP archive m_prgrm.zip which will be used as an attachment in the infected e-mails, and encodes it in Base64 format (used in e-mail attachments).

After this it checks every minute for an internet connection and when the user connects to the Internet will start sending e-mails with the format shown above to e-mail addresses stored in m_WAB.xrf file. After it sends a successful e-mail, it will delete it from that file.

Disguising itself as regedit.exe, when the user will try to run regedit.exe it will delete the above registry key (so the user cannot detect it by looking to that registry key) and when the program is closed it will write back the registry value.

The author is probably Spanish and calls himself XRF. He named this virus WKaPCOM.

Sending the virus inside an archive will probably trick some deficient antiviral protections at user level or mail-server level.


- let BitDefender delete infected files
- rename m_regedit.exe to regedit.exe and then using it delete the registry value shown above

Virus analyzed by:
Costin Ionescu
BitDefender Virus Researcher


Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger

Joined: 10 Oct 2002
Posts: 787
Location: Whitstable, Kent

PostPosted: Tue Oct 22, 2002 23:53    Post subject: Reply with quote

Good info there Andy.

You should get out more Wink Wink Wink Wink Wink

Back to top
View user's profile Send personal message Visit poster's website MSN Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Thu Oct 24, 2002 13:23    Post subject: Reply with quote


Name: VBS.Trojan.Carewmr.A
Aliases: N/A
Type: Script Trojan
Size: 3292 bytes
Discovered: oct 22, 2002
Detected: oct 22, 2002, 14:00 (GMT+2)
Spreading: No
Damage: High

It creates many 0 bytes size files in "C:\", and some empty folders (also in "C:\").

Technical description:

The Trojan display some message boxes with the text:
1. "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer. "
2. "ERROR!, Code error:3212552, please execute this tool in MS-DOS."
3. "Thank You for prefer Kaspersky Labs Products"

On September the 1st it also display the message:
"Mr.Carew vuelve otra vez!!, jaja"

It tries to delete some registry keys:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro"

It also tries to connect to the site "http:\\www.avp.ru".

It creates 0 bytes size files on "C:\":
- "C:\Norton2003isbad_preferKAVORAVP"
- "C:\AVP"
- "C:\NAV"
- "C:\CHILE"
- "C:\GSM1900MHZ"
- "C:\VBS.CarewMR.a"
- "C:\Windows is a real virus?"
- "C:\WindowsXP"
- "C:\Windows3.11"
- "C:\Windows98SE"
- "C:\WindowsME"
- "C:\Windows 95"
- "C:\WindowsNT"
- "C:\Windows2000"
- "C:\PORN"
- "C:\*beep*"
- "C:\ICQ"
- "C:\PANDA"
- "C:\NOD32"
- "C:\TREND"
- "C:\AvpM.exe"
- "C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!"
- "C:\Norton_thePOOR"
- "C:\Madonna_Sucking_my_dick.avi"
- "C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja"

It also creates the folders:
- "C:\Symantec"
- "C:\KasperskyLabs"
- "C:\PandaSoftware"
- "C:\TrendMicro"
- "C:\Eset-Nod-*beep*".

It tries to delete the folder "C:\Windows".

The trojan creates in current folder a file, named "CLRAV_Report.log", with an error message:
"Due an error, Code error:3212552, CLRAV has not disinfect your computer
For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."


- manual removal: delete all files found infected.
- automatic removal: let BitDefender delete files found infected.

Analyzed by:
Mihaela Stoian
BitDefender virus researcher

Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Thu Oct 24, 2002 13:24    Post subject: Reply with quote


Name: Win32.Magistr.B@mm
Type: Internet Worm and File Infector written in assembly language
Size: ~30K
Aliases: none
Risk: high
ITW: Yes


This virus is an improved and more stable version of the Win32.Magistr.A@mm.
It's decryption routine is more elaborate and the original data from the Entry Point is now encrypted with a key generated from the computer name. Because of this, cleaning the infected files is more difficult.

It is able to infect more computers connected in a network because it now looks for more Windows directory names than the previous version.

In network infection it searches for the following directory names:


and infects the files in those directories. After that it registers itself in WIN.INI and SYSTEM.INI under the [Windows] and [Run] sections for WIN.INI and under [boot] and [Shell] sections for SYSTEM.INI.

On the local machine it adds itself in the registry under the following key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] with the name of the first infected file and the value the path to that file. This new version search for e-mail addresses in Eudora's address book, in addition to the previous e-mail clients such as Outlook Express, Netscape and so on.

The texts for e-mail body are now in French too. The word used to compose the message are in the following list: habeas corpus judgement condamn trouvons coupable a rembourse sous astreinte aux entiers depens aux depens ayant delibere le present arret vu l'arret conformement a la loi execution provisoire rdonn audience publique a fait constater cadre de la procedure magistrad.
Now the virus sends trough e-mail not only doc files but .GIF images too. The virus checks for existence of ZoneAlarm firewall and if it exists, the virus terminates it.

Virus analyzed by Marius Gheorghescu, Head of Virus Research of SOFTWIN Antivirus Laboratory.

Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
LifeTime Member
LifeTime Member

Age: 54
Zodiac: Capricorn
Joined: 10 Oct 2002
Posts: 597
Location: North Wales

PostPosted: Thu Oct 24, 2002 13:25    Post subject: Reply with quote


Name: Worm.Sircam.A
Aliases: W32.Sircam.Worm@mm, W32/SirCam@mm, Backdoor.SirCam
Type: Win32 worm
Risk: High
In the Wild: YES


Worm.Sircam-A is an Internet and network worm similar to I-Worm.Magistr.A. The virus spreads through e-mail using its own SMTP routine, sending itself to addresses from the Address Book and from cache or through the shared directories.
It is transmitted through a message with a randomly chosen subject and body, in the form of a combination between the virus infection routine and a file chosen randomly from My Documents.
The original name of the file is kept, but an executable extension is added (.pif, .exe, .lnk).
Users who do not have the option to see attachment extensions activated, will only see the original extension and can be easily fooled.

Destructive actions:
1. It sends randomly, as attachment with the viral code, one of the infected system files at the e-mail addresses from the Address Book.
2. On a random algorithm (one in 20 infected systems), it deletes all files and directories on the root directory C:\. This happens on oct. 16 of every year, on the systems using the D/M/Y format for standard date. If the attached file (that generated the infection) contains "FA2" without being followed by "sc", this destructive action happens regardless of date format.
3. It slows system performances in one of 50 cases, multiplying a .txt file c:\recycled\sircam.sys.
4. Sircam A@mm sends confidential information too: it might chose one of your extremely confidential files to attach to its viral code and send to your contacts from the Address Book.

The body message is as follows:

Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]
Hi! How are you?

I send you this file in order to have your advice

or: I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for

See you later! Thanks

or, in Spanish:

Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]

Hola como estas ?

Te mando este archivo para que me des tu punto de vista

or: Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste

Nos vemos pronto, gracias.

If the attachment is opened, the worm copies itself in the system directory under the name scam32.exe. It also copies itself into the directory "Recycled" under the name sirc32.exe, which is a hidden file. Then the virus creates the following three keys in the registries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services cu valoarea Driver32 = %System%\scam32.exe
to be accessed once Windows is started, and:
HKLM\SOFTWARE\Classes\exefile\shell\open\command cu valoarea C:\Recycled\sirc32.exe "%1" %*" for the routine infection to be executed before any other EXE file.

If the virus finds network shared directories, it will try to copy itself into the local Windows directory under the name rundll32.exe. The original file is renamed as run32.exe. If the worm succeeds, it will modify the autoexec.bat file by introducing a new line which will allow it to execute the file previously saved in the Windows directory.

As a "signature" the author added the following strings in the virus in an encrypted form:
[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

Virus Analyzed by Costin Ionescu, Data Security Expert, SOFTWIN Antivirus Laboratory.

Back to top
View user's profile Send personal message Visit poster's website Yahoo Messenger
Display posts from previous:   
Post new topic   Reply to topic    The Mitsubishi Pajero Owners ClubŪ Forum Index -> Computer bytes All times are GMT + 1 Hour
Goto page 1, 2, 3  Next
Page 1 of 3

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

All contents © Hobson's Choice IT Solutions Ltd 1997 on
Powered by phpBB © 2001, 2002 phpBB Group