Thread: Heads Up

  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Heads Up

    The following was posted on the SANS Internet Storm Center.

    We have a report that a new virus may be making the rounds being distributed via AOL chat.

    Details are sketchy so far but we have the following thanks to Alan and Chris.

    McAfee deletes the viruses but every time the user logs off and back onto the system it regenerates the batch file.

    User gets a chat via AOL

    "Checkout this JPEG" with a link

    After clicking the link it sends to everyone on their buddy list and creates the file

    C:\xz.bat

    Contents of the file: it is set to disable MS security, firewall

    Creates 3 registry entries one of which is a service

    Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run

    Name :Strtax Data: lock.exe (Delete)

    Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run Services

    Name :Strtax Data: lock.exe (Delete)

    Hkey_User\Software\Microsoft\Windows\Current Version\Run Services

    Name :Strtax Data: lock.exe (Delete)

    After deleting those three keys and a reboot the xz.bat file stopped trying to reload itself.

    We have plenty of copies! Thanks!
    I haven't found any other info on this (but I haven't looked very hard)

    Cheers:
    DjM

  2. #2
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    People are going back to batch files.... interesting.

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    Yes, cuz it is very simple to create them. (and disassemble, and understand, and modify)


    //It is first step to creating of first prog//
    // too far away outside of limit

  4. #4
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    What would be a reason to go back ???

    When AV systems update, and the 'old' signatures are also updated, then does the AV no longer check for that particular vuln ??

    That is, is there a time limit on signatures, or else how do they stop the D/B for your AV going into multi GB size ???

    I know what I mean to say, the trick is ............. do YOU

    DAMN that wine :hic:
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  5. #5
    There is an update on ISC, and they say the infection is an SDBot or Opanki worm variant(s). Both McAfee and Symantec pick 'em up, so far.

    Foxy, you just need better wine.
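
The persistence entries reported in the first post (a value named Strtax with data lock.exe under the Run and Run Services keys) can be looked for in an exported registry file. The following is an added example, not part of the thread or the ISC report; the function name, the sample export and the paths in it are constructed for illustration.

```python
import re

# Indicators from the first post: autorun value name "Strtax", data "lock.exe".
IOC_NAME = "strtax"
DATA_RE = re.compile(r'(?:^|[\\/"\s])lock\.exe\b', re.I)  # lock.exe, not clock.exe
# The autorun keys the report names, as Windows spells them (no spaces).
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def find_autorun_hits(reg_text):
    """Return (key, name, data) for autorun string values matching the indicators."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not (m and key and key.lower().endswith(AUTORUN_SUFFIXES)):
            continue  # not a string value, or not under an autorun key
        # .reg files escape backslashes and quotes inside strings; undo that.
        name, data = (re.sub(r"\\(.)", r"\1", m.group(g)) for g in ("name", "data"))
        # Match on name OR executable so a renamed entry is still reported.
        if name.lower() == IOC_NAME or DATA_RE.search(data):
            hits.append((key, name, data))
    return hits

# Constructed sample in .reg export format (not taken from an infected host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Strtax"="lock.exe"
"Clock"="C:\\Program Files\\Tools\\clock.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Strtax"="lock.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="C:\\WINDOWS\\lock.exe /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Strtax"="lock.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_autorun_hits(SAMPLE):
        print(f"{key}: {name} = {data}")
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in.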
