-
December 30th, 2001, 07:53 AM
#1
Worm-ZOHER.A
The newest virus to be sent out is called Zoher.A. The subject line is Welcome to Yahoo!Mail, the message line is Welcome to Yahoo!Mail, and there is an attachment that reads Read me.txt_____PIF. If someone opens this, the worm executes a program which connects to a web site where it downloads a worm to propagate, which vary. The email message is in MIME format and in it is an embedded copy of the worm itself. The worm propagates by sending an email to all addresses listed in the Windows Address Book via the default SMTP server. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This vulnerability is also known as Automatic Execution of Embedded MIME type. This worm is classed as low risk.
No good deed goes unpunished.
-
December 30th, 2001, 08:16 AM
#2
Is this the same one (or a mutation) as what you are talking about? http://securityresponse.symantec.com....zoher@mm.html
Thanks,
IchNiSan
-
December 30th, 2001, 08:19 AM
#3
Junior Member
Hello,
To be a bit more specific and informational about the virus we are discussing and informing users about:
This virus, named "Zoher", was discovered on 12/24/2001. The virus's origin is believed to be somewhere out in Italy. Most anti-virus vendors have released DAT files and similar updates for their software so you're not to rely on heuristics.
The "Zoher" virus uses a newly discovered vulnerability in Internet Explorer 5.0 and 6*, also the Outlook mail software OPTIONALLY installed with this browser package. Microsoft has released a patch for this problem which would in effect. You can find more information on that at
http://www.microsoft.com/technet/tre...n/MS01-020.asp
This mass mailing worm uses a text file grabbed from the address http://banners.interfree.it to like many other worms/virii it propagates by sending itself to EVERYONE in your address book.
An example email might look like.
Subject: Fw: Scherzo!
Body:
Con questa mail ti e stata spedita la FortUna; non la
fortuna e basta, e neanche la Fortuna con la F
maiuscola, ma addirittura la FortUna con la F e la U
maiuscole. Qui non badiamo a spese. Da oggi avrai
buona fortuna, ma solo ed esclusivamente se ti liberi
di questa mail e la spedisci a tutti quelli che conosci.
Se lo farai potrai:
- produrti in prestazioni sessuali degne di King Kong
per il resto della tua vita
- beccherai sempre il verde o al massimo il giallo ai semafori
- catturerai tutti e centocinquantuno i Pokemon incluso
l'elusivo Mew
- (per lui) quando andrai a pescare, invece della solita
trota tirerai su una sirena tettona nata per sbaglio con gambe umane
- (per lei) lui sara talmente innamorato di te che ti
come una sirena tettona nata per sbaglio con le gambe
Se invece non mandi questa mail a tutta la tua list
entro quaranta secondi,allora la tua esistenza diventera
una
grottesca sequela di eventi tragicomici, una colossale
barzelletta che suscitera il riso del resto del pianeta,
e ticondurra ad una morte orribile, precoce e solitaria...
No, dai, ho esagerato: hai sessanta secondi.
Cascaci: e' tutto vero.
Puddu Polipu, un grossista di aurore boreali
cagliaritano, spedi' questa mail a tutta la sua lista
ed il giorno dopo vinse il Potere Temporale della Chiesa
alla lotteria della parrocchia.
Ciccillo Pizzapasta, un cosmonauta campano che
soffriva di calcoli, si preoccupo di diffondere
questa mail: quando fu operato si scopri' che i suoi
calcoli erano in realta diamanti grezzi.
GianMarco Minaccia, un domatore di fiumi del Molise
che non aveva fatto circolare questa mail,
perse entrambe le mani in un incidente subito dopo
aver comprato un paio di guanti.
Erode Scannabelve, un pediatra mannaro di
Trieste,non spedi a nessuno questa mail: dei suoi tre figli
uno comincio a drogarsi,
il secondo entro in Forza Italia
e il terzo si iscrisse a Ingegneria.
Attachment: Javascript.exe
YOU DO NOT HAVE TO DOWNLOAD JAVASCRIPT.EXE TO BECOME INFECTED.
That is, if you're unpatched to the MIME vulnerability and running the appropriate software. Most AV software will prevent this infection anyhow.
--------------------------
Also most recently discovered, on 12/29/2001, a worm named "Maldal".
Maldal is a Windows-based virus. It will only infect Windows machines, which means it's most likely coded in Microsoft C.
This mass-mailing worm gathers email addresses from cached web pages and deletes files and software. It arrives in an email message containing the following random information:
Subject: %Computer Name%
The computer name is changed to ZaCker by the virus, but email messages are likely to go out with the existing computer name as the subject line prior to change taking effect. After the name change the subject is ZaCker
Body: Test this game body
or Body: I wish u like it
or Body: I have got this file for you
or Body: Surprise !!!
or Body: download this game & have fun
or Body: desktop maker ,you may need it
or Body: have you ever got a gift !?
or Body: What women wants !
or Body: Don't waste any time ,Subscribe now
or Body: Make your pc funny !
or Body: new program from my fun groups
or Body: Map of the world
or Body: Create your Ecard ( looooooooooooooooool
or Body: Send it to everybody you love " Its made by me
or Body: Our symbol
or Body: If you have an elegant taste
or Body: Test your mind
or Body: 1 + 1 = 3 !!!
or Body: See this file
or Body: Singer , searsh for any song and sing
or Body: For everybody wants to marry a woman that he doesn't love !
or Body: nowadays , there is no womanhood !! :P
or Body: Just Try to fix it
or Body: Keep these advertisements run and earn 0.25 $ per 10 minute
When you run this attachment, a fake popup is displayed. The guy who coded this piece of work failed to change the title of the box though, so it's still a default (Project1). The worm copies itself as WIN.EXE in the windows/system directory.
All files with the extensions bat, com, dat, doc, htm, html, ini, jpg, lnk, mdb, mpeg, php, ppt, txt, xls, zip
FYI
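Added example, not part of any post in this thread: a mail-gateway style check in Python that flags the indicators described in posts #1 and #3 (the listed subjects, an executable attachment, a harmless extension padded out before an executable one, and a declared media type that contradicts an executable name). The rule names, the extension lists and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Subjects quoted in the posts above (compared case-insensitively).
SUBJECTS = {"welcome to yahoo!mail", "fw: scherzo!", "zacker"}
# Assumed list of extensions treated as executable; extend as needed.
EXEC_EXT = {"exe", "pif", "scr", "com", "bat"}
# Harmless-looking extension, then padding, then the real extension,
# e.g. "Read me.txt_____PIF" (padding written as spaces or underscores).
PADDED = re.compile(r"\.(?:txt|doc|jpg|htm)[\s_]{2,}\.?(\w{3})$", re.I)

def scan(raw):
    """Return a sorted list of reasons a raw message matches the posts."""
    msg = message_from_string(raw)
    hits = set()
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.add("known-subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        padded = PADDED.search(name)
        if padded and padded.group(1).lower() in EXEC_EXT:
            hits.add("padded-double-extension")
        elif name.rsplit(".", 1)[-1].lower() in EXEC_EXT:
            hits.add("executable-attachment")
        else:
            continue
        # Heuristic of this example: an executable name declared as a
        # media type a mail client would render or play on its own.
        if part.get_content_maintype() in {"audio", "image", "text"}:
            hits.add("type-mismatch")
    return sorted(hits)

def sample(subject, ctype, fname):
    """Build a constructed two-part message for the demo."""
    return "\n".join([
        "Subject: " + subject, "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"', "",
        "--b1", "Content-Type: text/plain", "", "hello",
        "--b1", "Content-Type: %s" % ctype,
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="%s"' % fname, "",
        "AAAA", "--b1--", ""])

if __name__ == "__main__":
    print(scan(sample("Welcome to Yahoo!Mail", "audio/x-wav", "Read me.txt_____PIF")))
    print(scan(sample("Fw: Scherzo!", "application/octet-stream", "Javascript.exe")))
    print(scan(sample("Lunch", "text/plain", "notes.txt")))
```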
-
December 30th, 2001, 09:09 AM
#4
Re: Worm-ZOHER.A
Originally posted by lostit44
The newest virus to be sent out is called Zoher.A .
I hate to burst your bubble but this worm is old news. It was first reported by VirusList on the 12th of December...
Anyway, it's good to see worm updates at AntiOnline...
Now who looks stupid!? I apologize, red priest. I didn't read your post before replying...That'll teach me.
-
December 30th, 2001, 12:31 PM
#5
OUTLOOK
Stupid outlook viruses,
that's why I keep a !0000 name in my address book without an email address, as soon as someone on this PC gets a worm, it don't get sent to friends.
until some worm starts at the bottom of the list
....
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
December 30th, 2001, 05:25 PM
#6
!00000
The !0000 trick doesn't work (sorry)
Viruses/worms will continue past !000 or pick addresses at random.
http://vmyths.com/fas/fas1.cfm