Worm-ZOHER.A
Results 1 to 6 of 6

Thread: Worm-ZOHER.A

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    262

    Worm-ZOHER.A

    The newest virus to be sent out is called Zoher.A . In the subject line is Welcome to Yahoo!Mail in the message line is Welcome to Yahoo!Mail then there is an attachment that reads Read me.txt_____PIF If someone opens this the worm executes a program which connects to a web site where it downloads a worm to propagate,which vary. The email message is in MIME format and in it is an embedded copy of the worm itself. The worm propagates by sending an email to all addresses listed in Windows Address Book via the default SMTP server. It uses a known vulnerability in Internet Explore- based email clients to execute the file attachment automatically. This vulnerability is also known as Automatic Execution of Embedded MIME. type. This worm is classed as low risk.
    No good deed goes unpunished.
    Share on Google+

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Is this the same one(or a mutation) as what you are talking about?http://securityresponse.symantec.com....zoher@mm.html

    Thanks,

    IchNiSan
    Share on Google+

  3. #3
    Junior Member
    Join Date
    Aug 2001
    Location
    Boston
    Posts
    13

    Thumbs down

    Hello,

    To be a bit more specific and informational about the virus we are discussing and informing users about..

    This virus named "Zoher", was discovered on 12/24/2001. The virus's origin is believed to be somewhere out in italy.. Most anti-virus vendors have released DAT files and similar updates for they're software so your not to rely on hueristics.

    The "Zoher" virus uses a newly discovered vulnerability in internet explorer 5.0 and 6* also the outlook mail software OPTIONALLY installed with this browser package. Microsoft has released a patch for this problem which would in effect. You can find more information on that at

    http://www.microsoft.com/technet/tre...n/MS01-020.asp


    This mass mailing worm uses a text file grabbed from the address http://banners.interfree.it to like many other worms/virii it propagates by sending itself to EVERYONE in your address book.

    An example email might look like.


    Subject: Fw: Scherzo!
    Body:

    Con questa mail ti e stata spedita la FortUna; non la
    fortuna e basta, e neanche la Fortuna con la F
    maiuscola, ma addirittura la FortUna con la F e la U
    maiuscole. Qui non badiamo a spese. Da oggi avrai
    buona fortuna, ma solo ed esclusivamente se ti liberi
    di questa mail e la spedisci a tutti quelli che conosci.
    Se lo farai potrai:
    - produrti in prestazioni sessuali degne di King Kong
    per il resto della tua vita
    - beccherai sempre il verde o al massimo il giallo ai semafori
    - catturerai tutti e centocinquantuno i Pokemon incluso
    l'elusivo Mew
    - (per lui) quando andrai a pescare, invece della solita
    trota tirerai su una sirena tettona nata per sbaglio con gambe umane
    - (per lei) lui sara talmente innamorato di te che ti
    come una sirena tettona nata per sbaglio con le gambe
    Se invece non mandi questa mail a tutta la tua list
    entro quaranta secondi,allora la tua esistenza diventera
    una
    grottesca sequela di eventi tragicomici, una colossale
    barzelletta che suscitera il riso del resto del pianeta,
    e ticondurra ad una morte orribile, precoce e solitaria...
    No, dai, ho esagerato: hai sessanta secondi.
    Cascaci: e' tutto vero.
    Puddu Polipu, un grossista di aurore boreali
    cagliaritano, spedi' questa mail a tutta la sua lista
    ed il giorno dopo vinse il Potere Temporale della Chiesa
    alla lotteria della parrocchia.
    Ciccillo Pizzapasta, un cosmonauta campano che
    soffriva di calcoli, si preoccupo di diffondere
    questa mail: quando fu operato si scopri' che i suoi
    calcoli erano in realta diamanti grezzi.
    GianMarco Minaccia, un domatore di fiumi del Molise
    che non aveva fatto circolare questa mail,
    perse entrambe le mani in un incidente subito dopo
    aver comprato un paio di guanti.
    Erode Scannabelve, un pediatra mannaro di
    Trieste,non spedi a nessuno questa mail: dei suoi tre figli
    uno comincio a drogarsi,
    il secondo entro in Forza Italia
    e il terzo si iscrisse a Ingegneria.

    Attachment: Javascript.exe


    YOU DO NOT HAVE TO DOWNLOAD JAVASCRIPT.EXE TO BECOME INFECTED.

    That is if your unpatched to the MIME vulnerability and running the appropriate software. Most AV software will prevent this infection anyhow.


    --------------------------

    Also most recently discovered on 12/29/2001, A worm named "Maldal".

    Maldal is a windows based virus, It will only infect windows machine which means its most likely coded in Microsoft C.

    This mass-mailing worm gathers email addresses from cached web pages and deletes files and software. It arrives in a email message containing the following random information:


    Subject: %Computer Name%
    The computer name is changed to ZaCker by the virus, but email messages are likely to go out with the existing computer name as the subject line prior to change taking effect. After the name change the subject is ZaCker

    Body: Test this game body
    or Body: I wish u like it
    or Body: I have got this file for you
    or Body: Surprise !!!
    or Body: download this game & have fun
    or Body: desktop maker ,you may need it
    or Body: have you ever got a gift !?
    or Body: What women wants !
    or Body: Don't waste any time ,Subscribe now
    or Body: Make your pc funny !
    or Body: new program from my fun groups
    or Body: Map of the world
    or Body: Create your Ecard ( looooooooooooooooool
    or Body: Send it to everybody you love " Its made by me
    or Body: Our symbol
    or Body: If you have an elegant taste
    or Body: Test your mind
    or Body: 1 + 1 = 3 !!!
    or Body: See this file
    or Body: Singer , searsh for any song and sing
    or Body: For everybody wants to marry a woman that he doesn't love !
    or Body: nowadays , there is no womanhood !! :P
    or Body: Just Try to fix it
    or Body: Keep these advertisements run and earn 0.25 $ per 10 minute


    When you run this attachment, A fake popup is displayed.. The guy who coded this piece of work failed to change the title of the box though so its still a default (Project1). The worm copies itself as WIN.EXE in the windows/system directory.

    All files with the extensions bat com, dat, doc, htm, html, ini, jpg, lnk, mdb, mpeg, php, ppt, txt, xls, zip


    FYI
    Opinions founded on prejudice are always sustained with the greatest violence.

    -Matt Chambers
    Share on Google+

  4. #4

    Re: Worm-ZOHER.A

    Originally posted by lostit44
    The newest virus to be sent out is called Zoher.A .

    I hate to burst your bubble but this worm is old news. It was first reported by VirusList on the 12th of December...


    Anyway, it's good to see worm updates at AntiOnline...




    Now who looks stupid!? I apologize, red priest. I didn't read your post before replying...That'll teach me.
    Share on Google+

  5. #5
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    OUTLOOK

    Stupid outlook viruses,

    that's why I keep a !0000 name in my adressbook without an email adress, as soon as someone on this PC get's a worm, it don't get sent to friends.

    untill some worm starts at the bottom of the list
    ....
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !
    Share on Google+

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Posts
    267

    !00000

    The !0000 trick doesn't work (sorry)

    Viruses/worms will continue past !000 or pick addresses at random.

    http://vmyths.com/fas/fas1.cfm
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •