[Virus warnings] for the month of June
Thread is closed!
#0 | 02.06.2003, 13:56 | Honorary member | Posts: 2283
#2 | 05.06.2003, 07:25 | Honorary member (thread starter) | Posts: 2283
Bat/Mumu-A
Aliases: Worm.Win32.Muma, BAT.Muma, Bat/Mumu.worm, BAT.Mumu.A.Worm, BAT_SPYBOT.A
Type: Batch file worm
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the July 2003 (3.71) release of Sophos Anti-Virus. At the time of writing Sophos has received no reports from users affected by this virus. However, we have issued this advisory following enquiries to our support department from customers. Note: This IDE file includes detection for Troj/Hacline-A.
Description: Bat/Mumu-A is a worm which spreads by copying its constituent parts to IPC$ and ADMIN$ shares on remote computers which have weak passwords. The worm is mainly composed of the following BAT files which it copies across to the shares: 10.BAT, HACK.BAT, IPC.BAT, MUMA.BAT, NEAR.BAT, RANDOM.BAT, REPLACE.BAT, START.BAT. The worm also uses a file named hfind.exe, detected by Sophos Anti-Virus as Troj/Hacline-A, to scan potential victim IP addresses and copies this file along with IPCPASS.TXT. IPCPASS.TXT contains a list of passwords used by Troj/Hacline-A when attempting the copy. In addition Bat/Mumu-A attempts to copy several non-malicious files along with it. These include: NWIZ.EXE (a video card utility called NView), NWIZ.IN_ (a configuration file for NView), PSEXEC.EXE (a networking utility), REP.EXE (a string manipulation utility), PCMSG.DLL (a legitimate utility associated with logging keystrokes). Once the worm has copied all the files across to the shares it uses PSEXEC to run the file START.BAT on the remote computer. This starts the entire process again.
Source: http://www.sophos.com/virusinfo/analyses/batmumua.html
__________
powered by http://different-thinking.de - networks, protocols, security, ...
#3 | 05.06.2003, 07:26 | Honorary member (thread starter) | Posts: 2283
Troj/Tunnel-A
Aliases: Backdoor.Checkesp
Type: Trojan
Detection: A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the July 2003 (3.71) release of Sophos Anti-Virus. At the time of writing Sophos has received just one report of this Trojan from the wild.
Description: Troj/Tunnel-A is a backdoor Trojan. When the Trojan is first executed a copy will be created in the system folder with the filename sys64.exe and the following registry entry will be created so that the Trojan is run when Windows starts up: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tunelling = sys64.exe. Troj/Tunnel-A begins by connecting to a site run by the attacker to inform them that the computer has been compromised. The Trojan will then listen for commands from the attacker. The Trojan also listens on port 80, the default HTTP port, and redirects network traffic on that port to the attacker.
Source: http://www.sophos.com/virusinfo/analyses/trojtunnela.html
#4 | 05.06.2003, 20:09 | Moderator | Posts: 6466
There are numerous reports of a new variant of Bugbear/Tanatos.
W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. The mass-mailing worm W32.Bugbear.B@mm also spreads via network shares. The worm is polymorphic and additionally infects a selection of executable files. The worm can log keystrokes and set up a so-called "backdoor". In addition, it attempts to terminate the processes of various antivirus and firewall programs. The worm exploits the vulnerability "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" [ http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp ] so that on unpatched systems the worm is executed automatically when an infected message is simply read or displayed in the preview pane. [Source: Symantec]
__________
Search --> Select --> Examine
#5 | 06.06.2003, 06:53 | Honorary member (thread starter) | Posts: 2283
Name: W32.Bugbear.B@mm
Alias: Win32.Bugbear.B [CA], W32/Bugbear.b@MM [McAfee], Bugbear.B [F-Secure]
Type: Worm
Attachment size:
Operating system: Microsoft Windows 32-bit
Means of spread: mass mailing, network
Prevalence: medium
Risk: medium
Payload: mass mail, Trojan horse, keylogger, disabling of security programs and infection of executable files.
Special removal: none
Known since: 5 June 2003
Description: W32.Bugbear.B@mm is a variant of W32.Bugbear@mm. It is a mass mailer that additionally spreads via network shares. The worm has a backdoor and a component that records keyboard input. W32.Bugbear.B@mm attempts to terminate the processes of many antivirus products and firewalls. The worm is polymorphic and can infect executable programs.
The worm terminates the following processes: ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE
Email spread: The worm sends itself to all email addresses it finds in the inbox. It uses its own SMTP engine for this. It also searches files with the following extensions for email addresses: .mmf .nch .mbx .eml .tbb .dbx .ocs
From: The worm constructs sender addresses from the email addresses it has found, swapping the user name and the domain name between them. It sometimes also uses real email addresses.
Subject: W32.Bugbear.B@mm creates new emails as replies to existing emails. It also uses forwards. Additionally it uses one of the following entries as the subject line: Hello! update hmm.. Payment notices Just a reminder Correction of errors history screen Announcement various Introduction Interesting... I need help about script!!! Stats Please Help... Report Membership Confirmation Get a FREE gift! Today Only New Contests Lost & Found bad news wow! fantastic click on this! Market Update Report empty account My eBay ads Cows 25 merchants and rising CALL FOR INFORMATION! new reading Sponsors needed SCAM alert!!! Warning! its easy free shipping! News Daily Email Reminder Tools For Your Online Business New bonus in your cash account Your Gift Re: $150 FREE Bonus! Your News Alert Hi! Get 8 FREE issues - no risk! Greets!
Attachment: The file name is taken from the documents folder of the infected computer; the attached file has two extensions.
1st extension: .reg .ini .bat .diz .txt .cpp .html .htm .jpeg .jpg .gif .cpl .dll .vxd .sys .com .exe .bmp
2nd extension (which may not be displayed): .scr .pif .exe
Network spread: The worm attempts to spread via network shares. If it finds one of the following files on shares, they are infected: scandskw.exe, regedit.exe, mplayer.exe, hh.exe, notepad.exe, winhelp.exe, Internet Explorer\iexplore.exe, adobe\acrobat 5.0\reader\acrord32.exe, WinRAR\WinRAR.exe, Windows Media Player\mplayer2.exe, Real\RealPlayer\realplay.exe, Outlook Express\msimn.exe, Far\Far.exe, CuteFTP\cutftp32.exe, Adobe\Acrobat 4.0\Reader\AcroRd32.exe, ACDSee32\ACDSee32.exe, MSN Messenger\msnmsgr.exe, WS_FTP\WS_FTP95.exe, QuickTime\QuickTimePlayer.exe, StreamCast\Morpheus\Morpheus.exe, Zone Labs\ZoneAlarm\ZoneAlarm.exe, Trillian\Trillian.exe, Lavasoft\Ad-aware 6\Ad-aware.exe, AIM95\aim.exe, Winamp\winamp.exe, DAP\DAP.exe, ICQ\Icq.exe, kazaa\kazaa.exe, winzip\winzip32.exe
Removal tool: http://vil.nai.com/vil/stinger
#6 | 10.06.2003, 07:08 | Honorary member (thread starter) | Posts: 2283
Dial/PecDial-B
Type: Dialler
Description: Dial/PecDial-B is a premium rate porn dialler which runs in the background as a service process. The dialler may attempt to download a file from dialer.pecdialer.com. Dial/PecDial-B creates a folder called windialup in the Windows system folder and within that creates the folder <version number> containing the files <version number>.exe and launch.ini.
-----
W32/Mofei-A
Aliases: WORM_MOFEI.B
Type: Win32 worm
Description: W32/Mofei-A is a worm which spreads via network shares and contains a backdoor Trojan which allows remote access and control over the computer. When first run W32/Mofei-A copies itself to the Windows System32 folder as Scardsvr32.exe and drops the file Scardsvr32.dll to the System32 folder. W32/Mofei-A may also drop the files MoFei.dat and MoFei.VER to the System32 folder. When W32/Mofei-A is run on Microsoft Windows 9x it creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SCardDrv = %WINDOWS%\SYSTEM32\Scardsvr32.exe -v so that Scardsvr32.exe is run automatically each time Windows is started. When W32/Mofei-A is run on Microsoft Windows NT, 2000 or XP, it replaces the "Smart Card Helper" service and configures this service to run automatically upon startup.
Source: sophos.com
#7 | 12.06.2003, 07:13 | Honorary member (thread starter) | Posts: 2283
W32/Backzat-K
Aliases: -Worm.BatzBack.i, WORM_BACKZAT.A
Type: Win32 worm
Description: W32/Backzat-K spreads via mIRC, AIM95 and the KaZaA file-sharing network. Upon execution the worm copies itself as BatzBack.scr to the Windows and Windows System folders and sets the following registry entry with the path to the copy in the Windows folder: HKLM\Software\Microsoft\Windows\Current Version\Run\BatzBack. To spread through the KaZaA file-sharing network and AIM95 the worm attempts to copy itself as EnimEmSpearsBritney.scr and BuddyShare.exe to the KaZaA shared folder and Program Files\AIM95 respectively. To spread through IRC the worm modifies or creates script.ini so that Batzback.scr is sent to other users who join the current channel.
---------------
W32/Jeefo-A
Aliases: PE_JEEFO.A, W32/Jeefo, W32.Jeefo
Type: Win32 worm
Description: W32/Jeefo-A may create the following registry entries upon execution, so that it is run every time the computer restarts:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\PowerManager = "<full file path>"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\PowerManager = "C:\<Windows>\SVCHOST.EXE"
--------------
W32/Kifie-D
Aliases: WORM_KIRBO.A
Type: Win32 worm
Description: W32/Kifie-D spreads via email, P2P, IRC, AIM and local drives. The worm copies itself to all local drives as kirbster.exe and to the Windows system folder as tasksystemdll.exe and cutekriby.scr. W32/Kifie-D sets the following registry entry to point to tasksystemdll.exe: HKCU\Control Panel\Desktop\Scrnsave.exe. In addition the worm drops the file %sysdir%\CuteKirby.Scr and registers it as the Desktop wallpaper. W32/Kifie-D displays a message box with the text "There was a critical error in the application the video driver could not load. If you continue to experience problems try restarting your computer".
In order to be executed automatically on system startup the worm copies itself to the file <Windows system>\TaskSystemDll.Exe and sets the following registry entry to point to this file: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinsysStartUpWKbLw. W32/Kifie-D attempts to copy itself to the KaZaA download folder as Rage Against The Machine - Sleep Now In This Fire.Mp3.Exe and to the following locations:
\Program Files\Morpheus\My Shared Folder\PennyWise - Land Of The Free.Mp3.Exe
\Program Files\BearShare\Shared\Therion - Nifelheim.Mp3.Exe
\Program Files\EDonkey2000\Incoming\Feeder - Under The Weather.Mp3.Exe
\My Downloads\ePs2e - PS2 Emulator.Exe
\Program Files\ICQ\Shared Files\WinIso - Iso Ripper.Exe
\Program Files\Grokster\My Grokster\AFI - 6 To 8.Mp3.Exe
\Program Files\AIM95\CutiePinkKirby.Scr
W32/Kifie-D attempts to spread via the IRC network by overwriting the initialization file of an existing mIRC installation. The worm may overwrite all EXE files in the Windows folder and create the file KirbyWins.mp3. On Sundays the worm creates kirbyflood.vbs and kirbyflood.bat in the Windows folder. Kirbyflood.vbs creates message boxes in a loop containing the text "Are you ready? W32.Kirby.Fl00der By L0new0lf"; kirbyflood.bat runs the VBScript file and displays the message "l0new0lf strikes again W32.Kirby.Fl00der By L0new0lf". Also on Sundays, W32/Kifie-D overwrites all TXT and DOC files in the Windows, Windows system and Windows system32 folders and attempts to delete various anti-virus related files. The worm then creates and executes the file kirbymail.vbs that sends the worm as an email attachment to all entries in the Microsoft Outlook address book. The email will have the following characteristics: Subject line: Fw: hello there. Message text: Hey, I just received a screen saver in the mail and it is really cute. Take a look
Source: sophos.com
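Several advisories in this thread (Troj/Tunnel-A, W32/Mofei-A, W32/Backzat-K, W32/Jeefo-A, W32/Kifie-D) persist through Run/RunServices values or the screensaver value. The following is an added example, not from the forum or from Sophos: a Python script that parses a `reg export` text file and flags the autostart entries those posts name. The value names and file names come from the posts; the sample export is constructed, and key-path matching is by the last two path components only, which is an assumption of this example.

```python
import re

# Constructed sample of a `reg export` of the autostart keys on an infected
# machine; not a real export, values chosen to match this thread's advisories
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tunelling"="sys64.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SCardDrv"="C:\\WINDOWS\\SYSTEM32\\Scardsvr32.exe -v"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\System32\\tasksystemdll.exe"
'''

# (last two key components, value name) -> substring expected in the data ("" = any)
SUSPECT = {
    ("currentversion\\run", "tunelling"): "sys64.exe",                   # Troj/Tunnel-A
    ("currentversion\\runservices", "scarddrv"): "scardsvr32.exe",       # W32/Mofei-A
    ("currentversion\\run", "batzback"): "batzback.scr",                 # W32/Backzat-K
    ("currentversion\\runservices", "powermanager"): "",                 # W32/Jeefo-A
    ("currentversion\\run", "winsysstartupwkblw"): "tasksystemdll.exe",  # W32/Kifie-D
    ("control panel\\desktop", "scrnsave.exe"): "tasksystemdll.exe",     # W32/Kifie-D
}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return (key, value_name, data) for the REG_SZ values in a .reg file."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                     # start of a new key section
        elif key and (m := VALUE_RE.match(line)):
            unesc = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key, unesc(m.group(1)), unesc(m.group(2))))
    return entries

def find_suspect_autostarts(entries):
    """Return the entries whose key tail, value name and data match SUSPECT."""
    hits = []
    for key, name, data in entries:
        tail = "\\".join(key.lower().split("\\")[-2:])
        expected = SUSPECT.get((tail, name.lower()))
        if expected is not None and expected in data.lower():
            hits.append((key, name, data))
    return hits
```

Run it against the output of `reg export` for the Run, RunServices and Control Panel\Desktop keys; a hit means the value is present and should be compared against the advisory before removal.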