
Thread: Heads Up**VBS.DDV.B

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744

    Exclamation Heads Up**VBS.DDV.B

    Hi Guys..
    As per my usual Heads up.. only Higher risk Threats are listed here.. ie Symantec's Cat 2 or higher..
    Neither MS nor the AV companies have come up with a patch to protect our computers from the id10T
    Symantec Info Page

    VBS.DDV.B

    This one's entry is due to its damage capability and Distribution Capability.

    Threat Assessment
    Wild:- Low
    Damage:- Medium
    Distribution:- High

    Payload:
    Large scale e-mailing: Emails itself to all the contacts in the Outlook address book.
    Causes system instability: Disables the system through registry modifications.

    Distribution

    Subject of email: ½ñÍ*ÄãÀ´Âð£¿
    Name of attachment: Win32system.vbs or Winsystem32.vbs
    Size of attachment: 3-4k

    Summary of Threat
    VBS.DDV.B is a Visual Basic Script (VBS) worm that attempts to spread to all the contacts in the Microsoft Outlook address book.

    The worm is similar to VBS.DDV, but makes additional destructive modifications to the registry.

    NOTE: Virus definitions dated prior to August 8th may detect this worm as VBS.DDV.



    Variants: VBS.DDV
    Type: Worm
    Infection Length: 3-4K



    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

    Technical Details
    Copies itself as Win32system.vbs or Winsystem32.vbs to the following locations:

    %Windir%
    %System%
    %Windir%\Start Menu\Programs\Æô¶_\

    NOTES:
    %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    I have seen comments regarding the installation of Windows into another folder other than "Windows" or "WinNT" to prevent these virii from infecting.. BUT as you can see from this virii and many others they look to the registry for the install folder of the OS or the system folder.. So that idea is a crock of shite.. like the dummy address in your address book..

    Advice:
    Keep your MS patches up to date
    Keep your antivirus Defs up to date
    Have your firewall block ALL un-needed Ports
    Checkout Registry monitoring Software (I am not 100% on some of these yet)
    Be Aware of Social Engineering approaches..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
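
An added example, not part of the original post or of Symantec's write-up: a Python sweep for the two file names in the drop locations listed above. It takes the Windows folder from the environment rather than assuming C:\Windows, and because the Startup subfolder name is garbled on this page it searches the whole Start Menu\Programs tree; the function names are hypothetical.

```python
import os
from pathlib import Path

# Attachment / dropped-copy names given in the advisory (compared case-insensitively).
DROPPED_NAMES = {"win32system.vbs", "winsystem32.vbs"}


def candidate_dirs(windir):
    """(directory, recurse) pairs built from the advisory's list of drop locations."""
    windir = Path(windir)
    return [
        (windir, False),                  # %Windir%
        (windir / "System", False),       # %System% on Windows 95/98/Me
        (windir / "System32", False),     # %System% on Windows NT/2000/XP
        # The Startup subfolder name is garbled on the page, so rather than
        # guess it, search the whole Programs tree.
        (windir / "Start Menu" / "Programs", True),
    ]


def find_dropped_copies(windir):
    """Return sorted (path, size_in_bytes) for every file matching a dropped name."""
    hits = []
    for directory, recurse in candidate_dirs(windir):
        if not directory.is_dir():
            continue
        entries = directory.rglob("*") if recurse else directory.iterdir()
        for entry in entries:
            if entry.name.lower() in DROPPED_NAMES and entry.is_file():
                hits.append((str(entry), entry.stat().st_size))
    return sorted(hits)


if __name__ == "__main__":
    # Ask the OS where Windows lives instead of assuming C:\Windows or C:\Winnt.
    root = os.environ.get("SystemRoot") or os.environ.get("WINDIR")
    if not root:
        raise SystemExit("SystemRoot/WINDIR not set; run this on the Windows host")
    found = find_dropped_copies(root)
    for path, size in found:
        # The advisory gives the worm's size as 3-4k; compare by eye.
        print(f"{size:>8} bytes  {path}")
    print(f"{len(found)} suspicious file(s) found")
```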

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Good advice as usual, I particularly liked the comment about the ID10T....................hey what sane person is going to open an e-mail with the subject:

    ½ñÍ*ÄãÀ´Âð£¿

    As the saying goes "some of them won't never learn"

    It amazes me that these .vbs and other straightforward scripting viruses are still so prevalent. OK it doesn't help that M$ ships its OSes with the default to hide known file extensions (hint: reset to display all extensions, AND hidden files), but people do seem to be their own worst enemies?

    I am still in favour of complementary software such as Scrip Trap, and AnalogX's Script Defender......At least they give you a final warning that you are going to run a script...

    I remember about 4 years ago writing a little 4 line .reg file that made VB scripts open in Notepad.............not so long after the "loveletter" virus hit the scene............I was amazed at the number of ID10Ts that rang up and asked what the "funny e-mail" they had just opened was all about [Please don't mess with the Registry unless you are sure of what you are doing............and make a backup]

    We have mentioned the claims of modern AVs to intercept hostile scripts, but I still haven't seen hard evidence of their effectiveness.............if they are that good, how come this stuff is still a threat?................they should be as obsolete as floppy disk borne stuff?

    Be Safe...Stay Safe
