-
June 21st, 2002, 11:30 AM
#1
Another Virus Heads Up... or 6 mth old Defs won't cut it!
I notice Sonic has been doing an excellent job with Virus heads up.. Here are a few from my mailings today..
from http://support.centralcommand.com/cg...=020617-000007
Name: W32/Yaha.E (aka. Worm/Lentin.F)
Alias: Worm/Yaha.E
Type: Internet Worm
Discovered: June 17, 2002
Size: 29.948KB
ITW: Unknown
Description:
W32/Yaha.E is a modification of Worm/Lentin (Valentine.scr), an
Internet worm that spreads by retrieving e-mail addresses from
the Windows Address Book, as well as from addresses found in
cached webpages. In addition to these methods, W32/Yaha.E also
can spread through contacts it finds in the MSN Messenger and the
ICQ database list.
It scans all files with the extension HTM, HTML and HTA.
This variant arrives as another friendship screen saver.
The subject is randomly selected from a pre-determined list.
The name of the Attachment begins with one of the following names:
loveletter
resume
love
weeklyreport
goldfish
report
mountan
biodata
dailyreport
lovegreetings
shakingfriendship
is followed by:
.wav
.doc
.mp3
.bmp
.jpg
.gif
.txt
.xls
.htm
.mpg
.zip
.dat
and ends with one of these extensions:
.pif
.bat
.scr
If executed, the worm copies itself in the \Recycled\ directory
under a random filename (i.e. "kiek.exe"). Additionally, a text
file (using the same random characters) is also created in the
/windows/ directory. This text file contains the following:
It also modifies the following registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
<default> = "c:\recycler\kiek" %1 %*
**This modification allows it to run each time another executable
file is run.
Running the worm will display a screensaver with a multicolor
screensaver message that shakes the screen after it is complete.
The display messages are:
- True Love never Ends
- U r My Best Friend
- U r so cute today #!#!
The version f is also listed with Symantec...
And
http://securityresponse.symantec.com...lw.kazmor.html
W32.HLLW.Kazmor is a worm that has backdoor Trojan capability, which allows a hacker to gain control of the compromised computer. W32.HLLW.Kazmor spreads across a local network using shared drives. The worm also attempts to spread across KaZaA file-sharing networks.
The worm disguises itself as movies, games, or porno-related programs, or as software files to trick KaZaA users into downloading the program and opening it. W32.HLLW.Kazmor is written in the Borland Delphi programming language.
Type: Trojan Horse, Worm
Infection Length: 55,808 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux
Backdoor.NetControle is a Trojan horse that allows a hacker to remotely control an infected computer. It is written in the Visual Basic programming language. It will listen for connections on TCP/UDP port 1772.
NOTE: Virus definitions dated prior to June 20, 2002, may detect this threat as Backdoor.Trojan.
Also Known As: Backdoor.VB.o, Troj/Bdoor-VBO, Backdoor.Trojan
Type: Trojan Horse
Infection Length: 40,960
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
Wild
Number of infections: 0 - 49
Number of sites: More than 10
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
W32.Kwbot.Worm has backdoor Trojan capability, which allows a hacker to gain control of the compromised computer. The worm can update itself by checking for newer versions over the Internet. W32.Kwbot.Worm disguises itself as popular movie, game, or software files, and it attempts to spread across KaZaA file-sharing networks by tricking KaZaA users into downloading the program and opening it.
Type: Trojan Horse, Worm
Infection Length: 19,600
Wild
Number of infections: 0 - 49
Number of sites: 3 - 9
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Distribution
Ports: random changed
Target of infection: KaZaA Shared folder
Enough for this Post.
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
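Added example (not part of the original post or the quoted advisories): a Python sketch that flags attachment names matching the W32/Yaha.E naming scheme described above and checks whether the `exefile` open command differs from the Windows default `"%1" %*`. The function names, the sample filenames, the generic double-extension check and the assumption that the three name parts are joined directly are assumptions of this example.

```python
import re

# Name parts as listed in the W32/Yaha.E description quoted in the post.
PREFIXES = ("loveletter|resume|love|weeklyreport|goldfish|report|mountan|"
            "biodata|dailyreport|lovegreetings|shakingfriendship")
DECOY_EXTS = "wav|doc|mp3|bmp|jpg|gif|txt|xls|htm|mpg|zip|dat"
FINAL_EXTS = "pif|bat|scr"

# Assumption: prefix, decoy extension and final extension are joined directly.
YAHA_NAME = re.compile(rf"(?:{PREFIXES})\.(?:{DECOY_EXTS})\.(?:{FINAL_EXTS})", re.I)
# Generalisation: any name hiding an executable extension behind a decoy one.
DOUBLE_EXT = re.compile(rf".+\.(?:{DECOY_EXTS})\.(?:{FINAL_EXTS})", re.I)

DEFAULT_EXE_OPEN = '"%1" %*'  # stock value of HKCR\exefile\shell\open\command


def classify_attachment(filename):
    """Return 'yaha-e-name', 'double-extension' or 'ok' for an attachment name."""
    name = re.split(r"[\\/]", filename.strip())[-1]  # drop any path component
    if YAHA_NAME.fullmatch(name):
        return "yaha-e-name"
    if DOUBLE_EXT.fullmatch(name):
        return "double-extension"
    return "ok"


def exefile_command_hijacked(value):
    """True when the exefile open command is anything but the Windows default."""
    return " ".join(value.split()) != DEFAULT_EXE_OPEN


def read_exefile_command():
    """Read the live value; Windows only (winreg is in the standard library)."""
    import winreg
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command")


if __name__ == "__main__":
    # Constructed sample names, not taken from a real mailbox.
    for sample in ["loveletter.doc.scr", "Resume.TXT.pif", "holiday.jpg.bat", "report.doc"]:
        print(f"{sample:22} {classify_attachment(sample)}")
    # Value shown in the quoted description, then the stock value.
    print(exefile_command_hijacked(r'"c:\recycler\kiek" %1 %*'))
    print(exefile_command_hijacked('"%1" %*'))
```
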
-
June 21st, 2002, 12:19 PM
#2
cheers for the heads up und3ertak3r
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharaohs have the slaves demanding work
http://muaythaiscotland.com/
-
July 6th, 2002, 03:18 PM
#3
This probably sounds really dumb, I was just wondering how restricted the Benjamin Worm is, because on this site [http://antivirus.about.com/library/weekly/aa052002a.htm] it says
According to F-Secure, the Benjamin worm spreads only to and from computers that have the KaZaa network clients software installed
which is fair enough. But the MP3 downloads I get are from grokster which also downloads from KaZaa users, without me having installed KaZaa, so does that mean I could get it? I mean it sounds like obviously yes, I would, but I don't like assuming stuff and because it doesn't say I wondered if you knew? Although from what I have read the virus only replicates the most popular downloads, none of which would constitute my collection...!
XXX
The Owls Are Not What They Seem
-
July 6th, 2002, 08:20 PM
#4
Uhm... how are these so new and unique that: "6 mth old Defs won't cut it!"?
[HvC]Terr: L33T Technical Proficiency
-
July 7th, 2002, 07:48 AM
#5
Junior Member
how do i get rid of the kwbot virus??
i have the kwbot how do i remove it??
-
July 7th, 2002, 07:55 AM
#6
Banned
Yaha is fairly old and has been discussed in previous threads.
-
July 8th, 2002, 11:22 AM
#7
Terr:
Uhm... how are these so new and unique that: "6 mth old Defs won't cut it!"?
probably not a well worded subject.. i must admit.
From my experience .. If you haven't updated your "Defs" for six months or more, you probably haven't even run a full scan of your system. Let alone letting the AV use heuristics during its scans/ or during "auto protect".. or even bother with any security measures..
What do you mean my computer has a virus?!!!
is the common reply from my clients
and this is the usual justification..
my computer came with a virus program
and the clincher
when i bought it 3 years ago
so if you fall into that group.. six month old defs won't cut it...
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
July 8th, 2002, 01:31 PM
#8
Thanks for the info, Und3ertak3r.
-
July 11th, 2002, 01:06 PM
#9
I try not to realize the harsh fact that people out there think that just because they have NAV or some other anti-virus installed that it protects against everything forever. Automated updates for these people are a must, as they don't know, and haven't found out, that they need to update them weekly.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.