Thread: Another Virus Heads Up... or 6 mth old Defs won't cut it!

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744

    Another Virus Heads Up... or 6 mth old Defs won't cut it!

    I notice Sonic has been doing an excellent job with Virus heads up.. Here are a few from my mailings today..

    from http://support.centralcommand.com/cg...=020617-000007
    Name: W32/Yaha.E (aka. Worm/Lentin.F)
    Alias: Worm/Yaha.E
    Type: Internet Worm
    Discovered: June 17, 2002
    Size: 29.948KB
    ITW: Unknown

    Description:

    W32/Yaha.E is a modification of Worm/Lentin (Valentine.scr), an
    Internet worm that spreads by retrieving e-mail addresses from
    the Windows Address Book, as well as from addresses found in
    cached webpages. In addition to these methods, W32/Yaha.E also
    can spread through contacts it finds in the MSN Messenger and the
    ICQ database list.

    It scans all files with the extension HTM, HTML and HTA

    This variant arrives as another friendship screen saver

    The subject is randomly selected from a pre-determined list

    The name of the Attachment begins with one of the following names:
    loveletter
    resume
    love
    weeklyreport
    goldfish
    report
    mountan
    biodata
    dailyreport
    lovegreetings
    shakingfriendship

    is followed by:
    .wav
    .doc
    .mp3
    .bmp
    .jpg
    .gif
    .txt
    .xls
    .htm
    .mpg
    .zip
    .dat

    and ends with one of these extensions:
    .pif
    .bat
    .scr

    If executed, the worm copies itself into the \Recycled\ directory
    under a random filename (i.e. "kiek.exe"). Additionally, a text
    file (using the same random characters) is also created in the
    /windows/ directory. This text file contains the following:

    It also modifies the following registry key:

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    <default> = "c:\recycler\kiek" %1 %*

    **This modification allows it to run each time another executable
    file is run.

    Running the worm will display a screensaver with a multicolor
    screensaver message that shakes the screen after it is complete.
    The display messages are:

    - True Love never Ends
    - U r My Best Friend
    - U r so cute today #!#!
    The version f is also listed with Symantec...

    And
    http://securityresponse.symantec.com...lw.kazmor.html

    W32.HLLW.Kazmor is a worm that has backdoor Trojan capability, which allows a hacker to gain control of the compromised computer. W32.HLLW.Kazmor spreads across a local network using shared drives. The worm also attempts to spread across KaZaA file-sharing networks.

    The worm disguises itself as movies, games, or porno-related programs, or as software files to trick KaZaA users into downloading the program and opening it. W32.HLLW.Kazmor is written in the Borland Delphi programming language.
    Type: Trojan Horse, Worm
    Infection Length: 55,808 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux
    Backdoor.NetControle is a Trojan horse that allows a hacker to remotely control an infected computer. It is written in the Visual Basic programming language. It will listen for connections on TCP/UDP port 1772.

    NOTE: Virus definitions dated prior to June 20, 2002, may detect this threat as Backdoor.Trojan.

    Also Known As: Backdoor.VB.o, Troj/Bdoor-VBO, Backdoor.Trojan
    Type: Trojan Horse
    Infection Length: 40,960
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, Unix, Linux

    Wild

    Number of infections: 0 - 49
    Number of sites: More than 10
    Geographical distribution: Low
    Threat containment: Easy
    Removal: Easy
    W32.Kwbot.Worm has backdoor Trojan capability, which allows a hacker to gain control of the compromised computer. The worm can update itself by checking for newer versions over the Internet. W32.Kwbot.Worm disguises itself as popular movie, game, or software files, and it attempts to spread across KaZaA file-sharing networks by tricking KaZaA users into downloading the program and opening it.


    Type: Trojan Horse, Worm
    Infection Length: 19,600

    Wild

    Number of infections: 0 - 49
    Number of sites: 3 - 9
    Geographical distribution: Low
    Threat containment: Easy
    Removal: Easy

    Distribution

    Ports: random changed
    Target of infection: KaZaA Shared folder

    Enough for this Post.

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
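The Yaha.E advisory above describes how the attachment name is built (one of the listed prefixes, then a decoy document/media extension, then .pif/.bat/.scr). The following is an added example, not code from the advisory or the original post: a small mail-gateway style check that recognises that naming scheme, and, going one step beyond the page, also flags any other decoy-plus-executable double extension. The lists are transcribed from the advisory; the tolerance for extra characters between prefix and decoy extension, and the sample filenames, are my own assumptions.

```python
import re

# Attachment-name parts transcribed from the W32/Yaha.E advisory quoted in the
# post above: <prefix> + <decoy extension> + <executable extension>.
YAHA_PREFIXES = ("loveletter", "resume", "love", "weeklyreport", "goldfish",
                 "report", "mountan", "biodata", "dailyreport", "lovegreetings",
                 "shakingfriendship")
DECOY_EXTS = ("wav", "doc", "mp3", "bmp", "jpg", "gif", "txt", "xls", "htm",
              "mpg", "zip", "dat")
EXEC_EXTS = ("pif", "bat", "scr")

# Longest prefix first so "love" cannot shadow "loveletter" or "lovegreetings".
_PREFIX_ALT = "|".join(sorted(YAHA_PREFIXES, key=len, reverse=True))
_DECOY_ALT, _EXEC_ALT = "|".join(DECOY_EXTS), "|".join(EXEC_EXTS)
# The advisory only says the name "begins with" a prefix, so characters between
# the prefix and the decoy extension are tolerated (assumption, kept permissive).
_YAHA_RE = re.compile(rf"^(?P<prefix>{_PREFIX_ALT})[^.]*\.(?P<decoy>{_DECOY_ALT})"
                      rf"\.(?P<exe>{_EXEC_ALT})$", re.IGNORECASE)
# Any other decoy+executable pair: not Yaha's lists, but the same disguise.
_DOUBLE_EXT_RE = re.compile(rf"\.({_DECOY_ALT})\.({_EXEC_ALT})$", re.IGNORECASE)


def match_yaha_attachment(filename):
    """Return the matched parts (lower-cased), or None if the name does not fit."""
    m = _YAHA_RE.match(filename.strip())
    return None if m is None else {k: v.lower() for k, v in m.groupdict().items()}


def triage_attachments(filenames):
    """Map each name to 'yaha', 'double-ext' (same disguise, other name) or 'no-match'."""
    verdicts = {}
    for name in filenames:
        if match_yaha_attachment(name):
            verdicts[name] = "yaha"
        elif _DOUBLE_EXT_RE.search(name.strip()):
            verdicts[name] = "double-ext"
        else:
            verdicts[name] = "no-match"
    return verdicts


# Constructed sample attachment names, not taken from any real mail.
SAMPLE_ATTACHMENTS = ["loveletter.doc.scr", "WeeklyReport.xls.pif",
                      "shakingfriendship.mpg.bat", "quarterly.zip.scr",
                      "report.doc", "love.mp3", "photo.jpg"]

if __name__ == "__main__":
    for name, verdict in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:28} {verdict}")
```

A plain executable attachment without a decoy extension (e.g. something.pif) is deliberately outside this check; it is a different, broader policy decision than the naming trick the advisory describes.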

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    cheers for the heads up und3ertak3r
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  3. #3
    Senior Member Lady HaxX0r's Avatar
    Join Date
    Jun 2002
    Posts
    107
    This probably sounds really dumb, I was just wondering how restricted the Benjamin Worm is, because on this site [http://antivirus.about.com/library/weekly/aa052002a.htm] it says
    According to F-Secure, the Benjamin worm spreads only to and from computers that have the KaZaa network client software installed
    which is fair enough. But the MP3 downloads I get are from grokster which also downloads from KaZaa users, without me having installed KaZaa, so does that mean I could get it? I mean it sounds like obviously yes, I would, but I don't like assuming stuff and because it doesn't say I wondered if you knew? Although from what I have read the virus only replicates the most popular downloads, none of which would constitute my collection...!

    XXX
    The Owls Are Not What They Seem

  4. #4
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Uhm... how are these so new and unique that: "6 mth old Defs won't cut it!"?
    [HvC]Terr: L33T Technical Proficiency

  5. #5
    Junior Member
    Join Date
    Mar 2002
    Posts
    3

    How do I get rid of the Kwbot virus?

    I have the Kwbot, how do I remove it?

  6. #6
    Yaha is fairly old and has been discussed in previous threads.

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Terr:

    Uhm... how are these so new and unique that: "6 mth old Defs won't cut it!"?
    Probably not a well-worded subject.. I must admit.

    From my experience.. if you haven't updated your "Defs" for six months or more, you probably haven't even run a full scan of your system. Let alone letting the AV use heuristics during its scans/ or during "auto protect".. or even bothered with any security measures..

    What do you mean my computer has a virus?!!!
    is the common reply from my clients
    and this is the usual justification..
    my computer came with a virus program
    and the clincher
    when i bought it 3 years ago
    so if you fall into that group.. six month old defs won't cut it...


    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Banned
    Join Date
    Jun 2002
    Posts
    119
    Thanks for the info, Und3ertak3r.

  9. #9
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    I try not to realize the harsh fact that people out there think that just because they have NAV or some other anti-virus installed that it protects against everything forever. Automated updates for these people are a must, as they don't know, and haven't found out, that they need to update them weekly.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
