Current Virus Warnings (calendar week 4)
#0
25.01.2003, 07:49
Honorary member
Posts: 2283
25.01.2003, 07:50
Honorary member
Thread starter
Posts: 2283
#2
Worm/Jeem
Name: Worm/Jeem
Alias: Downloader-BO.dr
Type: Trojan
Discovered: November 19, 2002
Platform: Microsoft Windows 95/98/Me/NT/2000/XP
Size: 13.380KB
Description:
------------
Worm/Jeem arrives through e-mail in the following format:
Subject: FAILED DELIVERY
Body: Unfortunately, it was not possible to deliver one or more of your messages. For more information, take a look in the attachment.
or
Body: Your message, attached did not reach the reciepent. <xxxxxx@recipient domain>. #5.5.0 smtp; 550 Requested action not taken: mailbox unavailable.
** where xxxxxx = selected numbers
Attachment: Mail.hta
If executed, the attachment will display a false advertisement for Perfection by Paradise skin cream.
So that it gets run each time a user restarts their computer the following registry key gets added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Service"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"
It also adds:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax
"ImagePath"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"
It will then drop the following files:
- C:\Windows\System\MSREXE.EXE
- C:\Windows\Desktop\Output.exe
- C:\Program Files\Outlook Express\Outl32.scr
-------------------
Updated: message.hta
-------------------
Details:
--------
Name: Worm/Jeem
Alias: Downloader-BO.dr
Type: Trojan
Discovered: UPDATED on January 21, 2003
Platform: Microsoft Windows 95/98/Me/NT/2000/XP
Description:
------------
"Message.hta" will be detected as Worm/Jeem, which was updated for on November 19, 2002. "Message.hta" contains encrypted code for an .exe file. If executed, a trojan downloader will be installed to c:\mware.exe. If mware.exe is then executed, it will download a keylogger that Vexira Antivirus already detects as Tr/TweakPan; it will install itself to the following location, :\windows\system\mskhpk.exe. A second file will be created in c:\windows\system\mskhpk.dll. This is the file used to log the keystrokes.
So that it gets run each time a user restarts their computer the following registry key gets added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TwkCplDaemon"="C:\\WINDOWS\\SYSTEM\\mskhpk.exe"
The following blank website is displayed titled "!":
__________
powered by http://different-thinking.de - Networks, protocols, security, ...
25.01.2003, 07:50
Honorary member
Thread starter
Posts: 2283
#3
BDS/AntiPC
Name: BDS/AntiPC
Size: 114.688 KB
Type: Backdoor Server
Platform: Microsoft Windows 95/98/Me/NT/2000/XP
Discovered: January 16, 2003
Description:
--------------
Like other backdoor programs, BDS/AntiPC would potentially allow someone with malicious intent backdoor access to your computer. Once executed, BDS/AntiPC remains in memory. It does not create or modify any registry keys. It was originally received as "Server.exe".
__________
powered by http://different-thinking.de - Networks, protocols, security, ...
Name: Worm/Ainjo.e
Alias: Win32.Hunch.A@mm
Type: Internet Worm
Discovered: January 23, 2003
Size: 127.488 KB
Platform: Microsoft Windows 95/98/Me/NT/2000/XP
Description:
------------
Worm/Ainjo.e is an Internet worm that spreads through e-mail by using addresses it collects in the Microsoft Outlook Address Book, as well as through the use of the mIRC network and through the file-sharing program KaZaA. It also copies itself over all mapped drives.
The worm arrives through e-mail in one of the following formats:
Subject: Your Success Is Guranteed!
Body: The Mastercard Stored Value Card is good anywhere in the world that
Mastercard is accepted! APPLY NOW AND GET $20 FREE!!
Download it Now And Get free Bonus!
Attachment: FFAMEMBERS.EXE
or
Subject: Confirmation Email - Required !
Body: ATTENTION: THIS PROGRAM IS EXPLODING WORLDWIDE. THOUSANDS OF PEOPLE ARE
SIGNING UP EVERY DAY CREATING ONE OF THE LARGEST MEMBERSHIP BASES IN THE
WORLD!
Attachment: FFAMEMBERS.EXE
If executed, the worm copies itself in the \windows\ directory under the filenames "kernelw32.exe" and "blank.scr". It will also copy itself under "c:\recycled\de3.exe.scr" and "c:\pictures.exe". Additionally, the following files are added:
- c:\zip.com
- c:\freepic.zip (zip file with the packed 'pictures.exe')
- c:\windows\t.bat
So that it gets run each time a user restarts their computer the following registry key gets added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Kernelw"="C:\\WINDOWS\\Kernelw32.exe"
In order to use the mIRC network it modifies the mirc.ini file in the MIRC directory. It will then copy itself under random file names with a .exe file extension to the My Shared Folder directory in the Kazaa directory, making itself available for download through the file sharing application. Then, the worm copies itself using the same filenames of all .EXE, .HTM and .DOC files it locates in the same directory in all local drives and directories. For example:
ASD.EXE (original file) --->> ASD.EXE.SCR (virus file)
INDEX.HTM (original file) --->> INDEX.HTM.EXE (virus file)
INDEX.HTM.EXE (virus file) --->> INDEX.HTM.EXE.SCR (virus file)
HELP.DOC (original file) --->> HELP.DOC.EXE (virus file)
HELP.DOC.EXE (virus file) --->> HELP.DOC.EXE.SCR (virus file)
__________
powered by http://different-thinking.de - Networks, protocols, security, ...
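
The companion-file naming described for Worm/Ainjo.e above can be hunted for in a file listing. The following is an added example, not part of the original post or of any antivirus product: it flags files named <original>.EXE or <original>.SCR that sit next to <original> in the same directory. The function name and the sample paths are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the advisory says the worm appends to an existing file name.
APPENDED = {".exe", ".scr"}
# File types the advisory says the worm creates companions for.
SHADOWED = {".exe", ".htm", ".doc"}


def find_companions(paths):
    """Return {suspect_path: original_path} for every file whose name is an
    existing sibling's full name plus .EXE or .SCR (case-insensitive)."""
    by_dir = defaultdict(dict)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()][wp.name.lower()] = p
    hits = {}
    for names in by_dir.values():
        for lname, path in names.items():
            stem, dot, ext = lname.rpartition(".")
            if not dot or "." + ext not in APPENDED:
                continue
            # stem is the candidate original, e.g. "index.htm" for "index.htm.exe"
            if PureWindowsPath(stem).suffix in SHADOWED and stem in names:
                hits[path] = names[stem]
    return hits


# Constructed directory listing (not taken from a real host).
SAMPLE = [
    r"C:\Tools\ASD.EXE",
    r"C:\Tools\ASD.EXE.SCR",
    r"C:\Web\INDEX.HTM",
    r"C:\Web\INDEX.HTM.EXE",
    r"C:\Web\INDEX.HTM.EXE.SCR",
    r"C:\Docs\HELP.DOC",
    r"C:\Docs\HELP.DOC.EXE",
    r"C:\Docs\setup.exe",        # ordinary executable, no companion pattern
    r"C:\Other\INDEX.HTM.EXE",   # double extension, but no original beside it
]

if __name__ == "__main__":
    for suspect, original in sorted(find_companions(SAMPLE).items()):
        print(f"{suspect}  <- companion of {original}")
```

A double extension without the original beside it (the last sample path) is not reported by this pairing check and needs a separate rule.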