Current virus warnings

14.01.2003, 19:21
Honorary member
Posts: 2283
14.01.2003, 19:22
Honorary member
Thread starter, Posts: 2283
#2
Worm/Avril.B
Details:
--------
Name: Worm/Avril.B
Alias: W32/Lirva.C
Type: Internet Worm
Discovered: January 8, 2003
Size: 34.815 KB
Platform: Windows
Description:
------------
Worm/Avril.B is a slight variation of Worm/Avril.A, an Internet worm that spreads through e-mail by searching for e-mail addresses in the following files: IDX, NCH, DBX, MBX, WAB, HTML, EML, HTM, TBB and SHTML, as well as through the use of the mIRC network.
This variant arrives through e-mail with the following characteristics:
Subject: <randomly selected from>
- Fw: Redirection error notification
- Re: Brigada Ocho Free membership
- Re: According to Purge's Statement
- Fw: Avril Lavigne - CHART ATTACK!
- Re: Reply on account for IIS-Security Breach (TFTP)
- Re: ACTR/ACCELS Transcriptions
- Re: IREX admits you to take in FSAU 2003
- Fwd: Re: Have U requested Avril Lavigne bio?
- Re: Reply on account for IFRAME-Security breach
- Fwd: Re: Reply on account for Incorrect MIME-header
- Re: Vote seniors masters - don't miss it!
- Fwd: RFC-0245 Specification requested...
- Fwd: RFC-0841 Specification requested...
- Fw: F. M. Dostoyevsky "Crime and Punishment"
- Re: Junior Achievement
- Re: Ha perduto qualque cosa signora?
Body:
Body1:
AVRIL LAVIGNE - THE CHART ATTACK!
Vote fo4r Complicated!
Vote fo4r Sk8er Boi!
Vote fo4r I'm with you!
Chart attack active list:
Body2:
Restricted area response team (RART)
--------------------------------------------------------------------------------
Attachment you sent to is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
Body3:
Network Associates weekly report:
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action.
Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft® Tech Support:
Body4:
AVRIL LAVIGNE - THE BEST
Avril Lavigne's popularity increases:> SO:
First, Vote on TRL for I'm With U!
Next, Update your pics database!
Chart attack active list .>.>
Attachment: <randomly selected from>
- Resume.exe
- ADialer.exe
- MSO-Patch-0071.exe
- MSO-Patch-0035.exe
- Two-Up-Secretly.exe
- Transcripts.exe
- Readme.exe
- AvrilSmiles.exe
- AvrilLavigne.exe
- Complicated.exe
- TrickerTape.exe
- Sophos.exe
- Cogito_Ergo_Sum.exe
- CERT-Vuln-Info.exe
- Sk8erBoi.exe
- IAmWiThYoU.exe
- Phantom.exe
- EntradoDePer.exe
- SiamoDiTe.exe
- BioData.exe
- ALavigne.exe
Worm/Avril.B arrives via e-mail, mIRC, ICQ and Kazaa. Due to a vulnerability the virus has the ability to execute itself automatically in the preview pane of Microsoft Outlook. Microsoft has released a patch here:
It searches for e-mail addresses in the following files: IDX, NCH, DBX, MBX, WAB, HTML, EML, HTM, TBB and SHTML. After it copies itself to various locations it creates the file "c:\windows\listrecp.dll" where the found e-mail addresses are stored. It also creates a script.ini file for mIRC so it can spread through mIRC. A third file is created called "c:\windows\temp\avril-ii.inf" which contains some comments from the virus author, for example: "2002 (c) Otto von Gutenberg" and "Made in .::]|KaZAkHstaN|[::.".
The virus has its own SMTP engine. If ICQ is installed the worm tries to send itself to all contacts on your list automatically. It does not matter whether the sending process finishes OK, is cancelled or is not accepted: the worm will resend the file every minute. If Kazaa is installed the worm copies itself to its shared directory.
The directories the worm copies itself to include:
- C:\Windows\temp\avril-ii.inf
- C:\Windows\temp\download.sys
- C:\Windows\System\<random 11 characters>.exe
It also makes some modifications to the file "C:\autoexec.bat" (see below):
@win \RECYCLED\0cE26cHf.exe
@win \RECYCLED\Bbh1dFeD.exe
@win \RECYCLED\31c9a1Af.exe
@win \RECYCLED\25G0466A.exe
** filenames are random.
So that it gets run each time a user restarts their computer the following registry key gets added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\<11 random characters>.exe"
- HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne
@="Done"
"PSW-Trojan"="1"
The worm looks for the following programs and terminates them when found in memory:
_Avp32.exe, _avpcc.exe, _avpm.exe, Ackwin32.exe, Anti-trojan.exe, Apvxdwin.exe, Autodown.exe, Avconsol.exe, Ave32.exe, Avgctrl.exe, Avkserv.exe, Avp.exe, Avp32.exe, Avpcc.exe, Avpdos32.exe, Avpm.exe, Avpmon.exe, Avpnt.exe, Avptc32.exe, Avpupd.exe, Avsched32.exe, Avwin95.exe, Avwupd32.exe, Blackd.exe, Blackice.exe, Cfiadmin.exe, Cfiaudit.exe, Cfind.exe, Claw95.exe, Claw95ct.exe, Cleaner.exe, Cleaner3.exe, Dv95.exe, Dv95_o.exe, Dvp95.exe, Ecengine.exe, Efinet32.exe, Esafe.exe, Espwatch.exe, F-agnt95.exe, Findviru.exe, Fprot.exe, F-prot.exe, F-prot95.exe, Fp-win.exe, Frw.exe, F-stopw.exe, Iamapp.exe, Iamserv.exe, Ibmasn.exe, Ibmavsp.exe, Icload95.exe, Icloadnt.exe, Icmoon.exe, Icssuppnt.exe, Icsupp95.exe, Iface.exe, Iomon98.exe, Jed.exe, Kpf.exe, Kpfw32.exe, Lockdown2000.exe, Lookout.exe, Luall.exe, Moolive.exe, Mpftray.exe, N32scan.exe, Navapw32.exe, Navlu32.exe, Navnt.exe, Navsched.exe, Navw.exe, Navw32.exe, Navwnt.exe, Nisum.exe, Nmain.exe, Normist.exe, Nupgrade.exe, Nvc95.exe, Outpost.exe, Padmin.exe, Pavcl.exe, Pccwin98.exe, Pcfwallicon.exe, Persfw.exe, Rav7.exe, Rav7win.exe, Rescue.exe, Safeweb.exe, Scan32.exe, Scan95.exe, Scanpm.exe, Scrscan.exe, Serv95.exe, Smc.exe, Sphinx.exe, Sweep95.exe, Tbscan.exe, Tca.exe, Tds2-98.exe, Tds2-nt.exe, Vet95.exe, Vettray.exe, Vsecomr.exe, Vshwin32.exe, Vsscan40.exe, Vsstat.exe, Webscan.exe, Webscanx.exe, Wfindv32.exe, Zonealarm.exe
If the worm finds active processes with one of the following strings inside it will also terminate these programs:
- Norton
- AVP
- Anti
- Virus
- McAfee
- anti
- virus
On every 7th, 11th and 24th of a month the worm displays colored ellipses in the middle of the screen. The text on top reads: "AVRIL_LAVIGNE_LET_GO - MY_MUSE:] 2002 (c) Otto von Guternburg"
It then attempts to open the following web site: www.avril-lavigne.com.
On every start-up, 4 more copies of the virus itself are created at c:\recycled\<11 random characters>.exe and 4 more entries in c:\autoexec.bat are made.
__________
powered by http://different-thinking.de - Networks, Protocols, Security, ...
14.01.2003, 19:23
Honorary member
Thread starter, Posts: 2283
#3
Worm/ExplorerZip.E
Details:
--------
Name: Worm/ExplorerZip.E
Alias: W32/ExploreZi-N
Type: Internet Worm (UPX packed)
Discovered: January 8, 2003
Size: 91.048KB
Platforms: Windows
Description:
------------
Worm/ExplorerZip.E is a mass-mailing Internet worm that spreads through the use of stored e-mail addresses. The worm arrives through e-mail in the following format:
Subject: RE: <random text>
Body:
Hi <email name> !
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye.
Attachment: zipped_files.exe
If executed, the worm copies itself into the \windows\%system% directory under the filenames "_setup.exe", "<random filename>.exe" and "Explorer.exe". Additionally, the "Win.ini" file in C:\Windows will also get modified:
- C:\Windows\Win.ini
run=
run=C:\Windows\system\_setup.exe
or
run=C:\Windows\system\explore.exe
So that it gets run each time a user restarts their computer the following registry key gets added:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run"="C:\\WINNT\\System32\\Explore.exe"
** Registry key created only with Microsoft Windows NT/2000/XP
Worm/ExplorerZip.E will then zero out the lengths of files with the following extensions:
- *.asm
- *.c
- *.cpp
- *.doc
- *.h
- *.ppt
- *.xls
When it is finished, it will display the following message boxes to help disguise itself.
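The damage step in the post above (zeroing the length of files with the listed extensions) leaves a simple forensic trace: zero-byte documents and source files scattered through the tree. The following is an added example, not code from the forum post or from Central Command; it walks a directory and lists zero-length files with exactly the extensions the advisory names, so the hits can be restored from backup. The sample tree is constructed in a temporary directory, so the script runs anywhere.

```python
"""Locate zero-length files with the extensions Worm/ExplorerZip.E targets.

Added example (not from the forum or Central Command). The directory tree
below is constructed on the fly so the scan can be demonstrated offline.
"""
import os
import tempfile

# Extensions listed in the advisory as being zeroed by the worm.
TARGET_EXTENSIONS = {".asm", ".c", ".cpp", ".doc", ".h", ".ppt", ".xls"}


def find_zeroed_files(root, extensions=TARGET_EXTENSIONS):
    """Return sorted paths (relative to root, '/'-separated) of zero-byte
    files whose extension is in `extensions`. Empty files with other
    extensions are ignored: an empty .txt is normal, an empty .doc is not."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            path = os.path.join(dirpath, name)
            if ext in extensions and os.path.getsize(path) == 0:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: two zeroed targets, one intact header file and
    one empty file with an untargeted extension."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    os.makedirs(os.path.join(root, "src"))
    open(os.path.join(root, "report.doc"), "wb").close()        # zeroed target
    open(os.path.join(root, "src", "main.cpp"), "wb").close()   # zeroed target
    with open(os.path.join(root, "src", "util.h"), "wb") as fh:  # intact target
        fh.write(b"#pragma once\n")
    open(os.path.join(root, "notes.txt"), "wb").close()         # empty, not targeted
    return root


def demo():
    """Build the constructed tree and scan it; returns the list of hits."""
    return find_zeroed_files(build_sample_tree())


if __name__ == "__main__":
    for hit in demo():
        print("zeroed:", hit)
```

Run against a real drive, `find_zeroed_files("C:/")` produces the candidate list; a zero-byte `.h` or `.doc` is not proof of infection on its own, but a burst of them with the same modification time is exactly the pattern this worm leaves.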
14.01.2003, 19:24
Honorary member
Thread starter, Posts: 2283
#4
Worm/Yaha.M.2
Details:
--------
Name: Worm/Yaha.M.2
Alias: W32/Lentin.M
Type: Internet Worm
Discovered: January 7, 2002
Size: 28.672KB
Platform: Windows
Description:
------------
Worm/Yaha.M.2 is a slight modification of Worm/Yaha.M, an Internet worm that spreads by retrieving e-mail addresses from the Windows Address Book, as well as from addresses found in cached web pages (HTM, HTML and HTA files) and contacts located in the MSN Messenger address listing. Unlike other variants of Yaha, this variant does not show the funny screens the previous versions displayed.
If executed, the worm copies itself into the \windows\%system% directory under the filenames:
- tcpsvs32.exe
- nav32_loader.exe
- WinServices.exe
- winloader32.dll
So that it gets run each time a user restarts their computer the following registry keys get added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
and
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
Additionally, the following key gets added:
- HKEY_CLASSES_ROOT\exefile\shell\open\command
@="\"%1\" %*"
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"
Worm/Yaha.M.2 will attempt to shut down the processes of many antivirus and firewall applications. It is packed with UPX.
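Posts #2, #3 and #4 describe three different autostart points on Windows 9x/NT of the time: `@win` lines in autoexec.bat that launch from the Recycle Bin (Avril), `run=` in the `[windows]` section of win.ini and the `...\Windows NT\CurrentVersion\Windows "run"` value (ExplorerZip), and the `Run`/`RunServices` keys plus the `exefile\shell\open\command` hijack that makes every .exe launch pass through the worm (Yaha). The following is an added example, not code from the forum or from Central Command: an offline audit that reads text exports of those three locations (autoexec.bat, win.ini and a regedit `.reg` export) and flags the patterns the advisories describe. It deliberately works on exported text rather than the live registry so it runs on any OS; the allow-list name `ScanRegistry` and all sample contents are constructed for the demonstration. It generalizes slightly beyond the three posts by also catching the win.ini `load=` line that post #9 (Worm/Ina) describes.

```python
"""Offline audit of the Windows autostart points abused by the worms in this thread.

Added example (not from the forum or Central Command). Inputs are text exports,
so nothing here touches a live system; all samples below are constructed.
"""
import re

# Constructed C:\autoexec.bat after an Avril-style infection.
AUTOEXEC_SAMPLE = """@echo off
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
@win \\RECYCLED\\0cE26cHf.exe
@win \\RECYCLED\\Bbh1dFeD.exe
"""

# Constructed C:\Windows\win.ini with an ExplorerZip-style run= and an Ina-style load=.
WIN_INI_SAMPLE = """[windows]
load=c:\\bat.ina.bat
run=C:\\Windows\\system\\_setup.exe
[Desktop]
Wallpaper=(None)
"""

# Constructed regedit export: one benign Run value, Yaha-style Run/RunServices
# values and a hijacked .exe handler. Regedit doubles backslashes and escapes quotes.
REG_EXPORT_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\" \"%1\" %*"
"""

AUTOSTART_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows nt\currentversion\windows",
)
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'   # the clean default handler for .exe files


def audit_autoexec(text):
    """Flag autoexec.bat lines that start a program out of \\RECYCLED\\."""
    return [("autoexec.bat", line.strip()) for line in text.splitlines()
            if re.match(r"\s*@?win\s+\\?recycled\\", line, re.IGNORECASE)]


def audit_win_ini(text):
    """Flag non-empty run=/load= lines inside the [windows] section."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows":
            m = re.match(r"(run|load)\s*=\s*(.+)", line, re.IGNORECASE)
            if m:
                findings.append(("win.ini", f"{m.group(1).lower()}={m.group(2).strip()}"))
    return findings


def parse_reg_export(text):
    """Return {key: {value_name: data}} from a regedit-format export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):      # REG_SZ: unescape
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def audit_registry(text, known_good=("scanregistry",)):
    """Flag autostart values not on the allow-list and a non-default .exe handler."""
    findings = []
    for key, values in parse_reg_export(text).items():
        lowered = key.lower()
        if lowered.endswith(AUTOSTART_KEYS):
            for name, data in values.items():
                if name.lower() not in known_good:
                    findings.append((key, f"{name}={data}"))
        elif lowered == EXEFILE_KEY and values.get("(default)") != EXEFILE_DEFAULT:
            findings.append((key, f"(default)={values.get('(default)')}"))
    return findings


def run_audit():
    """Audit all three constructed samples; returns a list of (location, detail)."""
    return (audit_autoexec(AUTOEXEC_SAMPLE)
            + audit_win_ini(WIN_INI_SAMPLE)
            + audit_registry(REG_EXPORT_SAMPLE))


if __name__ == "__main__":
    for location, detail in run_audit():
        print(f"{location}: {detail}")
```

The `exefile` check is the one worth keeping even on modern systems: any handler other than `"%1" %*` means every program launch is being proxied, which is why cleaning Yaha by deleting `nav32_loader.exe` alone leaves the machine unable to start .exe files until that value is restored.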
14.01.2003, 19:24
Honorary member
Thread starter, Posts: 2283
#5
Worm/Recovery.B
Details:
--------
Name: Worm/Recovery.B
Alias: None
Type: Internet Worm
Discovered: January 2, 2003
Size: 17.920KB
Platform: Windows
Description:
------------
Worm/Recovery.B is an Internet worm that spreads through e-mail by using addresses it collects in the Microsoft Outlook Address Book. The worm arrives through e-mail in the following format:
Subject: Help with removal
Body:
Hello readers,
I have just cleaned my computer from a highly damaging computer virus Which is spreading rapidly through computer networks worldwide. There is one way to check to see if your computer is infected with this virus.
Click the "Start" menu at the bottom left of your screen.
Click the "Find" or "Search" button.
Click the "Files or folders..." option.
Then once the search application starts, type "Jdbgmgr.exe"
If you have found this file, right-click on it and click the "Properties" tab. If the Properties menu has a picture of a bear on it, your computer is infected with this virus. (Note that the non-infected file picture has a hammer and a screwdriver shown in it)
You may delete this file, but this is not the only file that the virus infects, To remove this virus, I have included a virus removal tool in the attachments "CleanFiles.com" that will scan all system files and remove any infectious code from them. This virus removal tool is very easy to use. If you have any trouble with this tool, read the help menu that the removal tool supplies.
If your computer is infected with this virus, It is strongly recommended that you send this removal tool to as many people as you can to help remove the traces of this virus worldwide
Attachment: CLEANFILES.COM
If executed, the worm copies itself to the following files:
- C:\Program Files\Kazaa\My Shared Folder\*.* (random file names)
- C:\Windows\Start Menu\Programs\StartUp\LoadWin.pif
- C:\Windows\TEMPFILES.PIF
- C:\Windows\WINSTARTUP.PIF
- C:\Windows\MSUPDATER.PIF
- C:\Windows\WINSTART32.PIF
- C:\Windows\WINUPD32.COM
- C:\Windows\REGEDIT32.COM
- C:\Windows\WINHLP32.COM
- C:\Windows\CHARMAP.PIF
- C:\Windows\System\MSJPEG32.PIF
- C:\Windows\System\RUNSYS32.BAT
- C:\Windows\System\REGFILES.BAT
- C:\Windows\System\WINBATCH.BAT
- C:\Windows\System\MSJAVA.PIF
- C:\Windows\System\FILECMD32.COM
- C:\Windows\System\MSWIN32.PIF
- C:\Windows\System\WINOCX32.PIF
- C:\Windows\System\CLEANFILES.COM
- C:\Windows\System\MSWINREGFILES32.COM
- C:\Windows\System\CHECKTHIS.PIF
- C:\Windows\JAVA\WINJAVA32.PIF
- C:\Windows\JAVA\JAVATEMP.BAT
- C:\Windows\JAVA\JAVASTART.COM
- C:\Windows\Temp\WINHWGVXK.BAT
- C:\Windows\Temp\JDBGMGR.EXE
It copies itself to all local drives as REMOVAL.EXE (for example: D:\REMOVAL.EXE, E:\REMOVAL.EXE, ...).
Additionally, the following registry key gets added:
HKEY_CURRENT_USER\Software\Zed/[rRlf]\Recovery\1.1
@="W32/Recovery family worm by Zed/[rRlf]"
14.01.2003, 19:25
Honorary member
Thread starter, Posts: 2283
#6
Worm/Avril.A (Naith.A)?
Details:
--------
Name: Worm/Avril.A (Worm/Naith.A)
Alias: W32/Naith.A-mm
Type: Internet Worm
Discovered: January 7, 2003
Size: 32.766KB
Orig File: IAmWiThYoU.exe
Platform: Windows
Description:
------------
Worm/Avril.A is an Internet worm that spreads through e-mail by searching for e-mail addresses in the following files: IDX, NCH, DBX, MBX, WAB, HTML, EML, HTM, TBB and SHTML, as well as through the use of the mIRC network. The worm arrives through e-mail in the following format:
Subject: <randomly selected from>
- Fw: Avril Lavigne - the best
- Fw: Prohibited customers...
- Fwd: Re: Admission procedure
- Fwd: Re: Reply on account for Incorrect MIME-header
- Re: According to Daos Summit
- Re: ACTR/ACCELS Transcriptions
- Re: Brigade Ocho Free membership
- Re: Reply on account for IFRAME-Security breach
- Re: Reply on account for IIS-Security
- Re: The real estate plunger
Body:
Body1:
Avril fans subscription
FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony
Vote for I'm with you!
Admission form attached below
Body2:
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected against the vulnerability and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately. Patch is also provided to subscribed list of Microsoft® Tech Support:
Patch:
Date :
Body3:
Restricted area response team (RART)
--------------------------------------------------------------------------------
Attachment you sent to Harry H. is intended to overwrite start address at 0000:HH4F
To prevent from the further buffer overflow attacks apply the MSO-patch
--------------------------------------------------------------------------------
Attachment: <randomly selected from>
- AvrilLavigne.exe
- AvrilSmiles.exe
- CERT-Vuln-Info.exe
- Cogito_Ergo_Sum.exe
- Complicated.exe
- Download.exe
- IAmWiThYoU.exe
- MSO-Patch-0035.exe
- MSO-Patch-0071.exe
- Readme.exe
- Resume.exe
- Singles.exe
- Sk8erBoi.exe
- Sophos.exe
- Transcripts.exe
- Two-Up-Secretly.exe
Worm/Avril.A arrives via e-mail, mIRC, ICQ and Kazaa. Due to a vulnerability the virus has the ability to execute itself automatically in the preview pane of Microsoft Outlook. Microsoft has released a patch here:
It searches for e-mail addresses in the following files: IDX, NCH, DBX, MBX, WAB, HTML, EML, HTM, TBB and SHTML. After it copies itself to various locations it creates the file "c:\windows\listrecp.dll" where the found e-mail addresses are stored. It also creates a script.ini file for mIRC so it can spread through mIRC. A third file is created called "c:\windows\temp\avril-ii.inf" which contains some comments from the virus author, for example: "2002 (c) Otto von Gutenberg" and "Made in .::]|KaZAkHstaN|[::.".
The virus has its own SMTP engine. If ICQ is installed the worm tries to send itself to all contacts on your list automatically. It does not matter whether the sending process finishes OK, is cancelled or is not accepted: the worm will resend the file every minute. If Kazaa is installed the worm copies itself to its shared directory.
The directories the worm copies itself to include:
- C:\Windows\temp\AvrilSmiles.exe
- C:\Windows\temp\bfD46g62.TFT
- C:\RECYCLED\0cE26cHf.exe
- C:\RECYCLED\Bbh1dFeD.exe
- C:\RECYCLED\31c9a1Af.exe
- C:\RECYCLED\25G0466A.exe
** filenames are a random 8 characters
It also makes some modifications to the file "C:\autoexec.bat" (see below):
@win \RECYCLED\0cE26cHf.exe
@win \RECYCLED\Bbh1dFeD.exe
@win \RECYCLED\31c9a1Af.exe
@win \RECYCLED\25G0466A.exe
** filenames are random.
So that it gets run each time a user restarts their computer the following registry key gets added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Avril Lavigne - Muse"="C:\\WINDOWS\\SYSTEM\\7h827fg6b6c.EXE"
- HKEY_LOCAL_MACHINE\Software\OvG\Avril Lavigne
@="Done"
"PSW-Trojan"="1"
The worm looks for the following programs and terminates them when found in memory:
_Avp32.exe, _avpcc.exe, _avpm.exe, Ackwin32.exe, Anti-trojan.exe, Apvxdwin.exe, Autodown.exe, Avconsol.exe, Ave32.exe, Avgctrl.exe, Avkserv.exe, Avp.exe, Avp32.exe, Avpcc.exe, Avpdos32.exe, Avpm.exe, Avpmon.exe, Avpnt.exe, Avptc32.exe, Avpupd.exe, Avsched32.exe, Avwin95.exe, Avwupd32.exe, Blackd.exe, Blackice.exe, Cfiadmin.exe, Cfiaudit.exe, Cfind.exe, Claw95.exe, Claw95ct.exe, Cleaner.exe, Cleaner3.exe, Dv95.exe, Dv95_o.exe, Dvp95.exe, Ecengine.exe, Efinet32.exe, Esafe.exe, Espwatch.exe, F-agnt95.exe, Findviru.exe, Fprot.exe, F-prot.exe, F-prot95.exe, Fp-win.exe, Frw.exe, F-stopw.exe, Iamapp.exe, Iamserv.exe, Ibmasn.exe, Ibmavsp.exe, Icload95.exe, Icloadnt.exe, Icmoon.exe, Icssuppnt.exe, Icsupp95.exe, Iface.exe, Iomon98.exe, Jed.exe, Kpf.exe, Kpfw32.exe, Lockdown2000.exe, Lookout.exe, Luall.exe, Moolive.exe, Mpftray.exe, N32scan.exe, Navapw32.exe, Navlu32.exe, Navnt.exe, Navsched.exe, Navw.exe, Navw32.exe, Navwnt.exe, Nisum.exe, Nmain.exe, Normist.exe, Nupgrade.exe, Nvc95.exe, Outpost.exe, Padmin.exe, Pavcl.exe, Pccwin98.exe, Pcfwallicon.exe, Persfw.exe, Rav7.exe, Rav7win.exe, Rescue.exe, Safeweb.exe, Scan32.exe, Scan95.exe, Scanpm.exe, Scrscan.exe, Serv95.exe, Smc.exe, Sphinx.exe, Sweep95.exe, Tbscan.exe, Tca.exe, Tds2-98.exe, Tds2-nt.exe, Vet95.exe, Vettray.exe, Vsecomr.exe, Vshwin32.exe, Vsscan40.exe, Vsstat.exe, Webscan.exe, Webscanx.exe, Wfindv32.exe, Zonealarm.exe
If the worm finds active processes with one of the following strings inside it will also terminate these programs:
- Norton
- AVP
- Anti
- Virus
- McAfee
- anti
- virus
On every 7th, 11th and 24th of a month the worm displays colored ellipses in the middle of the screen. The text on top reads: "AVRIL_LAVIGNE_LET_GO - MY_MUSE:] 2002 (c) Otto von Guternburg"
It then attempts to open the following web site: www.avril-lavigne.com.
On every start-up, 4 more copies of the virus itself are created at c:\recycled\<8 random characters>.exe and 4 more entries in c:\autoexec.bat are made.
14.01.2003, 19:26
Honorary member
Thread starter, Posts: 2283
#7
VBS/PicaWorm.P
Details:
--------
Name: VBS/PicaWorm.P
Alias: None
Type: Internet Worm
Discovered: January 7, 2003
Size: 6.623KB
Platform: Windows
Description:
------------
VBS/PicaWorm.P is an Internet worm that spreads through e-mail by using addresses it collects in the Microsoft Outlook Address Book, as well as through the use of the mIRC network. The worm arrives through e-mail in the following format:
Subject: Osama bin laden has been captured!!!
Body: osama had been caught in pakistan, read the full article in the attachment
Attachment: capture.vbs
If executed, it will create two script files, "script.ini" for mIRC and "events.ini" for Pirch, to spread in those networks.
So that it gets run each time a user restarts their computer the following registry key gets added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"capture"="wscript.exe C:\\WINDOWS\\capture.vbs %"
Additionally, the following keys get added:
- HKEY_CURRENT_USER\Software\unmasked2
"mailed"="1"
"Mirqued"="1"
"pirched"="1"
VBS/PicaWorm.P contains two comment lines, in the first line: "Vbs.unmasked2 Created By Case" and in the last line: "Vbswg 1.5. [K]Alamar."
14.01.2003, 19:27
Honorary member
Thread starter, Posts: 2283
#8
W32/Elerad
Details:
--------
Name: W32/Elerad
Alias: Win32.Elerad
Type: File Infector
Discovered: January 6, 2003
Platform: Windows XP
Size: 5.041
Description:
------------
W32/Elerad is a file infector that infects all PE executables in the current directory and its sub-directories. After all files have been infected the virus displays a message box.
14.01.2003, 19:27
Honorary member
Thread starter, Posts: 2283
#9
Worm/Ina
Details:
--------
Name: Worm/Ina
Alias: I-Worm.Jerm, BAT_ARIC.A
Type: Batch Worm
Discovered: January 3, 2002
Size: 5.011KB
Platform: Windows
Description:
------------
Worm/Ina is an Internet worm that spreads through e-mail by using addresses it collects in the Microsoft Outlook Address Book, as well as through the use of the IRC network and the file-sharing program KaZaA. The worm arrives through e-mail in the following format:
Subject: hehe, isn't that fascinating...
Body:
... I just want to say something to the attachment: It is the first ever batch virus, that is able to update itself via the internet! Hehe, you don't have to execute it (if you don't want to , but if you understand a bit batch, look at it, it's really interesting!
Attachment: bat.ina.bat
If executed, the worm first deletes a selected group of antivirus software files (listed below) before it tries to copy itself under the filename "c:\bat.ina.bat". Having the ability to update itself via the Internet, the worm creates a file called c:\ftp.txt. A script.ini file is created only if the directories above exist. Another script called events.ini will be created if c:\pirch98\ exists. Those two scripts try to send the worm via the mIRC and Pirch chat programs. The worm adds a few registry settings so that the c:\ drive will be shared in the Kazaa network. An e-mail routine is also present; for this the file \windows\mail.vbs is created. Finally, the worm deletes the created files c:\kazaa.reg and c:\ftp.txt. If c:\msg.vbs is executed the worm displays a message box.
The list of created, deleted or modified files includes:
Adds:
- c:\updatecheck.bat
- c:\msg.vbs
- c:\msg.reg
- c:\pirch98\events.ini
- c:\mirc\script.ini
- c:\mirc32\script.ini
- c:\progra~1\mirc\script.ini
- c:\progra~1\mirc32\script.ini
- %windir%\mail.vbs
- c:\ftp.txt
- c:\kazaa.reg
Copies itself:
- c:\bat.ina.bat
Modifies:
- c:\windows\win.ini
load=
load=c:\bat.ina.bat
Deletes:
- c:\mirc\script.ini
- c:\mirc32\script.ini
- c:\progra~1\mirc\script.ini
- c:\progra~1\mirc32\script.ini
- c:\pirch98\events.ini
- c:\programme\norton~1\s32integ.dll
- c:\programme\f-prot95\fpwm32.dll
- c:\programme\mcafee\scan.dat
- c:\tbavw95\tbscan.sig
- c:\programme\tbav\tbav.dat
- c:\tbav\tbav.dat
- c:\programme\avpersonal\antivir.vdf
- c:\msg.vbs
So that it gets run each time a user restarts their computer the following registry key gets added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"msg"="c:\\msg.vbs"
Additionally, the following registry key gets added:
- HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"DisableSharing"=dword:00000000
"DownloadDir"="C:\\Program Files\\KaZaA\\My Shared Folder"
"Dir0"="012345:c:\\"
This post was edited by Robert on 14.01.2003 at 19:29.
14.01.2003, 19:28
Honorary member
Thread starter, Posts: 2283
#10
W97M/Killboot.A
Details:
--------
Name: W97M/Killboot.A
Alias: Macro.Word97.Norver, W97M_OPEY.AV
Type: Macro
Discovered: December 30, 2002
Platform: Windows
Description:
------------
W97M/Killboot.A is a macro virus that infects every Word 2000 document when a user closes an infected document. By doing so, it infects the normal template (normal.dot) so it will activate on every launch of Microsoft Word. The virus has not been seen to work under Word 97. The dropped file "C:\setver.exe" and the modified file "C:\autoexec.bat" will be detected as TR/Killboot.A.
The following registry key will get modified:
- HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security
"Level"=dword:00000002
"Level"=dword:00000001
The following registry key will get added:
- HKEY_CURRENT_USER\Software\Microsoft\Office
"KCPA"=" 200012085"
14.01.2003, 19:28
Honorary member
Thread starter, Posts: 2283
#11
All information from: http://support.centralcommand.com
Details:
--------
Name: Worm/SoBig.A
Alias: Win32.Sobig.A@mm
Type: Internet Worm
Discovered: January 9, 2003
Size: 65.536KB
Platforms: Windows
Description:
------------
Worm/SoBig.A is an Internet worm that spreads through e-mail by using addresses it collects by searching files with the following extensions: *.txt, *.eml, *.html, *.htm, *.dbx and *.wab.
The worm arrives through e-mail in the following format:
Subject: <selected from the list below>
- Re: Movies
- Re: Sample
- Re: Document
- Re: Here is that sample
Body: <none>
Attachment: <selected from the list below>
- Movie_0074.mpeg.pif
- Document003.pif
- Untitled1.pif
- Sample.pif
If executed, the worm copies itself into the \windows\ directory under the filename "Winmgm32.exe". Additionally, the files "C:\Windows\reteral[1].txt", "C:\Windows\%system%\mptask.exe" and "C:\Windows\%system%\sysmgmt32.dll" get created. The worm will also copy itself to the startup directories on all shared network drives.
So that it gets run each time a user restarts their computer the following registry key gets added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsMGM"="C:\\WINDOWS\\winmgm32.exe"
"MPtask Services"="C:\\WINDOWS\\SYSTEM\\mptask.exe"
It will then try to download the file mptask.exe from the following URL:
- http://www.lorico****.com/users/***k/txtfile._
This downloaded file will be recognized as TR/Delf.W1.
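Every mail-borne worm in this thread relies on the same two things a gateway can check: a short list of lure subjects (the four SoBig.A subjects above, or the Avril lists in posts #2 and #6) and an attachment that is directly executable (`.exe`, `.pif`, `.com`, `.bat`, `.vbs`), sometimes disguised with a double extension as in `Movie_0074.mpeg.pif`. The following is an added example, not code from the forum or from Central Command: a small triage routine built on Python's standard `email` module that parses one message, matches the subject against the SoBig.A list quoted above and flags attachments by extension. The sample message, its addresses and its attachment body are constructed; the extension list is taken from the attachment names quoted in this thread.

```python
"""Gateway-style triage for the e-mail lures described in this thread.

Added example (not from the forum or Central Command). The message below is
constructed; only the subject and attachment name follow the SoBig.A advisory.
"""
import email
from email import policy

# Attachment extensions quoted across the thread (.exe/.pif/.com/.bat/.vbs).
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".com", ".bat", ".vbs"}
# Subjects quoted verbatim in the SoBig.A description, lower-cased for matching.
SOBIG_SUBJECTS = {"re: movies", "re: sample", "re: document", "re: here is that sample"}

# Constructed sample message: SoBig-style subject, empty body, .pif attachment.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: Re: Sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: text/plain; charset="us-ascii"

--constructed-boundary
Content-Type: application/octet-stream; name="Movie_0074.mpeg.pif"
Content-Disposition: attachment; filename="Movie_0074.mpeg.pif"
Content-Transfer-Encoding: 7bit

constructed placeholder, not a real program
--constructed-boundary--
"""


def attachment_findings(filename):
    """Return the reasons a filename is suspicious (empty list if none).

    A double extension is only reported when the final extension is executable,
    so archive names such as backup.tar.gz are not flagged."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if len(parts) == 3:
            reasons.append(f"double extension, disguised as .{parts[1]}")
    return reasons


def triage_message(raw_bytes):
    """Parse one RFC 822 message and return a dict of findings.

    `block` is True when any attachment is executable; the subject match on its
    own is only a signal, since real replies use these subjects too."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    findings = {
        "subject_matches_lure": subject.lower() in SOBIG_SUBJECTS,
        "attachments": {},
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings["attachments"][name] = attachment_findings(name)
    findings["block"] = any(findings["attachments"].values())
    return findings


if __name__ == "__main__":
    result = triage_message(SAMPLE_MESSAGE)
    print("subject matches lure:", result["subject_matches_lure"])
    for name, reasons in result["attachments"].items():
        print(name, "->", "; ".join(reasons) or "ok")
    print("block:", result["block"])
```

The decision rests on the attachment, not the subject: the subjects are ordinary reply lines chosen precisely because they look routine, while an executable attachment from an external sender is something a gateway can refuse outright, which is also why the Recovery.B lure in post #5 ships its payload as `CLEANFILES.COM` rather than as a document.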