Current Virus Warnings (Calendar Week 4)

#0
25.01.2003, 07:49
Honorary member
Avatar Robert

Posts: 2283
#1 Worm/Ainjo.E

Name: Worm/Ainjo.e
Alias: Win32.Hunch.A@mm
Type: Internet Worm
Discovered: January 23, 2003
Size: 127.488 KB
Platform: Microsoft Windows 95/98/Me/NT/2000/XP


Description:
------------
Worm/Ainjo.e is an Internet worm that spreads through e-mail by using addresses it collects in the Microsoft Outlook Address Book, as well as through the mIRC network and the file-sharing program Kazaa. It also copies itself over all mapped drives.

The worm arrives through e-mail in one of the following formats:

Subject: Your Success Is Guranteed!
Body: The Mastercard Stored Value Card is good anywhere in the world that
Mastercard is accepted! APPLY NOW AND GET $20 FREE!!
Download it Now And Get free Bonus!
Attachment: FFAMEMBERS.EXE

or

Subject: Confirmation Email - Required !
Body: ATTENTION: THIS PROGRAM IS EXPLODING WORLDWIDE. THOUSANDS OF PEOPLE ARE
SIGNING UP EVERY DAY CREATING ONE OF THE LARGEST MEMBERSHIP BASES IN THE
WORLD!
Attachment: FFAMEMBERS.EXE

If executed, the worm copies itself in the \windows\ directory under the filenames "kernelw32.exe" and "blank.scr". It will also copy itself under "c:\recycled\de3.exe.scr" and "c:\pictures.exe". Additionally, the following files are added:

- c:\zip.com
- c:\freepic.zip (zip file with the packed 'pictures.exe')
- c:\windows\t.bat

So that it gets run each time a user restarts their computer, the following registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Kernelw"="C:\\WINDOWS\\Kernelw32.exe"

In order to use the mIRC network, it modifies the mirc.ini file in the MIRC directory. It will then copy itself under random file names with a .exe file extension to the My Shared Folder directory in the Kazaa directory, making itself available for download through the file-sharing application. Then, the worm copies itself using the same filenames as all .EXE, .HTM and .DOC files it locates, in the same directory, on all local drives and directories. For example:

ASD.EXE (original file) --->> ASD.EXE.SCR (virus file)

INDEX.HTM (original file) --->> INDEX.HTM.EXE (virus file)
INDEX.HTM.EXE (virus file) --->> INDEX.HTM.EXE.SCR (virus file)

HELP.DOC (original file) --->> HELP.DOC.EXE (virus file)
HELP.DOC.EXE (virus file) --->> HELP.DOC.EXE.SCR (virus file)
__________
powered by http://different-thinking.de - Networks, Protocols, Security, ...
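An added defensive example, not part of the original post: a check for the file-naming pattern described in the Worm/Ainjo.e advisory, where a copy carries the full name of a neighbouring .EXE, .HTM or .DOC file plus an extra .SCR or .EXE extension. The names `companions_in`, `scan_tree` and `SAMPLE` are hypothetical, and the sample listing is constructed.

```python
import os

# Extension appended per original type, taken from the advisory's examples:
# ASD.EXE -> ASD.EXE.SCR, INDEX.HTM -> INDEX.HTM.EXE, HELP.DOC -> HELP.DOC.EXE
APPENDED = {".exe": ".scr", ".htm": ".exe", ".doc": ".exe"}


def companions_in(names):
    """Return sorted (copy, original) pairs among the file names of ONE directory.

    A copy is ORIGINAL + appended extension, with ORIGINAL present beside it.
    Comparison ignores case because Windows file names are case-insensitive.
    """
    present = {n.lower(): n for n in names}
    pairs = []
    for low, original in present.items():
        suffix = APPENDED.get(os.path.splitext(low)[1])
        if suffix and low + suffix in present:
            pairs.append((present[low + suffix], original))
    return sorted(pairs)


def scan_tree(root):
    """Walk root and yield (directory, copy, original) for every match."""
    for directory, _subdirs, files in os.walk(root):
        for copy, original in companions_in(files):
            yield directory, copy, original


# Constructed directory listing for demonstration (not real scan output).
SAMPLE = ["ASD.EXE", "ASD.EXE.SCR", "INDEX.HTM", "INDEX.HTM.EXE",
          "INDEX.HTM.EXE.SCR", "HELP.DOC", "setup.exe", "notes.doc.bak"]

if __name__ == "__main__":
    for copy, original in companions_in(SAMPLE):
        print(f"{copy} carries the name of {original}")
```

A match is a lead for review rather than a verdict; the original file beside each copy is left untouched by this check.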
25.01.2003, 07:50
Honorary member
Thread starter
Avatar Robert

Posts: 2283
#2 Worm/Jeem

Name: Worm/Jeem
Alias: Downloader-BO.dr
Type: Trojan
Discovered: November 19, 2002
Platform: Microsoft Windows 95/98/Me/NT/2000/XP
Size: 13.380KB


Description:
------------
Worm/Jeem arrives through e-mail in the following format:

Subject: FAILED DELIVERY
Body: Unfortunately, it was not possible to deliver one or more of your messages. For more information, take a look in the attachment.

or

Body: Your message, attached did not reach the reciepent. <xxxxxx@recipient domain>. #5.5.0 smtp; 550 Requested action not taken: mailbox unavailable.

** where xxxxxx = selected numbers

Attachment: Mail.hta

If executed, the attachment will display a false advertisement for Perfection by Paradise skin cream.




So that it gets run each time a user restarts their computer, the following registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Service"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"

It also adds:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax
"ImagePath"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"

It will then drop the following files:

- C:\Windows\System\MSREXE.EXE
- C:\Windows\Desktop\Output.exe
- C:\Program Files\Outlook Express\Outl32.scr



-------------------
Updated: message.hta
-------------------

Details:
--------
Name: Worm/Jeem
Alias: Downloader-BO.dr
Type: Trojan
Discovered: UPDATED on January 21, 2003
Platform: Microsoft Windows 95/98/Me/NT/2000/XP


Description:
------------
"Message.hta" will be detected as Worm/Jeem, which was updated on November 19, 2002. "Message.hta" contains encrypted code for an .exe file. If executed, a trojan downloader will be installed to c:\mware.exe. If mware.exe is then executed, it will download a keylogger that Vexira Antivirus already detects as Tr/TweakPan. It will install itself to the following location: :\windows\system\mskhpk.exe. A second file will be created in c:\windows\system\mskhpk.dll. This is the file used to log the keystrokes.

So that it gets run each time a user restarts their computer, the following registry key gets added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TwkCplDaemon"="C:\\WINDOWS\\SYSTEM\\mskhpk.exe"

The following blank website is displayed titled "!":
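An added defensive example, not part of the original posts: the registry entries in the Worm/Ainjo.e and Worm/Jeem advisories are written in regedit export syntax (doubled backslashes), so this sketch parses the decoded text of such an export and reports values matching the listed entries. It assumes the export has already been read into a string; `parse_reg`, `listed_entries` and `SAMPLE` are hypothetical names, and the sample export is constructed.

```python
import re

CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
# (key, value name, data) exactly as listed in the advisories above.
LISTED = [
    (CV + r"\RunServices", "Kernelw", r"C:\WINDOWS\Kernelw32.exe"),
    (CV + r"\Run", "System Service", r"C:\WINDOWS\SYSTEM\MSREXE.EXE"),
    (CV + r"\Run", "TwkCplDaemon", r"C:\WINDOWS\SYSTEM\mskhpk.exe"),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax",
     "ImagePath", r"C:\WINDOWS\SYSTEM\MSREXE.EXE"),
]
# Registry key names, value names and Windows paths are case-insensitive.
LISTED_NORM = {tuple(part.lower() for part in entry) for entry in LISTED}

# "name"="data" line; backslash and double quote are backslash-escaped.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # Drop each escaping backslash and keep the character after it.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, name, data) for each string value in a regedit export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = VALUE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))


def listed_entries(text):
    """Return parsed values that match an advisory entry, ignoring case."""
    return [e for e in parse_reg(text)
            if tuple(part.lower() for part in e) in LISTED_NORM]


# Constructed export for demonstration (not taken from a real system).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TwkCplDaemon"="C:\\WINDOWS\\SYSTEM\\mskhpk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Kernelw"="C:\\WINDOWS\\Kernelw32.exe"
'''
```

Only string values are parsed; other value types in the export are skipped, so an entry stored under a different name or path will not be reported.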
25.01.2003, 07:50
Honorary member
Thread starter
Avatar Robert

Posts: 2283
#3 BDS/AntiPC

Name: BDS/AntiPC
Size: 114.688 KB
Type: Backdoor Server
Platform: Microsoft Windows 95/98/Me/NT/2000/XP
Discovered: January 16, 2003


Description:
--------------
Like other backdoor programs, BDS/AntiPC would potentially allow someone with malicious intent backdoor access to your computer. Once executed, BDS/AntiPC remains in memory. It does not create or modify any registry keys.

It was originally received as "Server.exe".