Interface Design Mailing List: Re: Reply: [Interface] Nzkwwxzodccdjon

Author: th. (allside_at_allside.de)
Date: Wed 28 Jan 2004 - 14:09:22 CET



It's a virus!!!!

Regards, Thomas

  Hello,

  you distributed this mail today via the newsletter.

  Have you heard of this virus? It looks suspiciously like it. Perhaps you should check this on your side as well.

  If it was just a false alarm, a short note that I can open the attachment after all would be very nice.

  Regards

  Julie Woletz

  julie.woletz_at_orgaplan.de

    ---------------------------------------- Virusinfo ----------------------------------------

    Virus Name: W32/Mydoom_at_MM

    Risk Assessment
      Corporate User: High-Outbreak
      Home User:      High-Outbreak

    Virus Information
      Discovery Date:       01/26/2004
      Origin:               Unknown
      Length:               22,528 bytes
      Type:                 Virus
      SubType:              E-mail
      Minimum DAT:          4319
      Release Date:         01/26/2004
      Minimum Engine:       4.2.40
      Description Added:    01/26/2004
      Description Modified: 01/26/2004 9:48 PM (PT)

    Virus Characteristics:
    This is a mass-mailing and peer-to-peer file-sharing worm that arrives in an email message as follows:

      From: (spoofed email sender)

      Subject: (Varies, such as)
        - Error
        - Status
        - Server Report
        - Mail Transaction Failed
        - Mail Delivery System
        - hello
        - hi

      Body: (Varies, such as)
        - The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
        - The message contains Unicode characters and has been sent as a binary attachment.
        - Mail transaction failed. Partial message is available.

      Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
        Examples (common names, but can be random):
        - doc.bat
        - document.zip
        - message.zip
        - readme.zip
        - text.pif
        - hello.cmd
        - body.scr
        - test.htm.pif
        - data.txt.exe
        - file.scr

      The icon used by the file tries to make it appear as if the attachment is a text file.

    When this file is run, it copies itself to the WINDOWS SYSTEM directory as taskmon.exe:
      - %SysDir%\taskmon.exe
      (Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

    It creates the following registry entry to hook Windows startup:
      - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

    The virus uses a DLL that it creates in the Windows System directory:
      - %SysDir%\shimgapi.dll (4,096 bytes)

    This DLL is injected into EXPLORER.EXE upon reboot via this registry key:
      - HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

    Peer To Peer Propagation
    The worm copies itself to the KaZaa Shared Directory with the following filenames:
      - nuke2004
      - office_crack
      - rootkitXP
      - strip-girl-2.0bdcom_patches
      - activation_crack
      - icq2004-final
      - winamp

    Remote Access Component
    The worm opens a connection on TCP port 3127, suggesting remote access capabilities.

    Denial of Service Payload
    On the first system startup on February 1st or later, the worm changes its behavior from mass mailing to initiating a denial of service attack against the sco.com domain. This denial of service attack will stop on the first system startup of February 12th or later, and thereafter the worm's only behavior is to continue listening on TCP port 3127.

    Symptoms
    Upon executing the virus, Notepad is opened, filled with nonsense characters.
      - Existence of the files and registry entry listed above

    Method Of Infection
    This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.
    The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
      - wab
      - adb
      - tbb
      - dbx
      - asp
      - php
      - sht
      - htm
      - txt

    Additionally, the worm contains strings which it uses to randomly generate, or guess, addresses.

    Harvested addresses are sent the virus via SMTP. The worm guesses at the recipient email server, prepending the target domain name with the following strings:
      - mx.
      - mail.
      - smtp.
      - mx1.
      - mxs.
      - mail1.
      - relay.
      - ns.

    -------------------------------------- Virusinfo End --------------------------------------
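The mail characteristics quoted in the advisory above (listed subject lines, executable attachment possibly inside a ZIP, 22,528-byte length), turned into a simple gateway check. This is an added example, not part of either post or of the advisory; the message produced by build_sample() is constructed, with placeholder bytes standing in for the attachment.

```python
"""Score a raw e-mail against the W32/Mydoom@MM mail pattern in the quoted advisory.
Added example, not from the post: listed subject + executable attachment (also inside ZIP)."""
import email
import io
import re
import zipfile
from email.message import EmailMessage

SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
EXEC_EXT = re.compile(r"\.(bat|exe|pif|cmd|scr)$", re.I)
WORM_SIZE = 22_528  # attachment length given in the advisory


def _names_and_sizes(part):
    # Yield (filename, size) for the attachment and, if it is a ZIP, for each member.
    name, data = part.get_filename() or "", part.get_payload(decode=True) or b""
    yield name, len(data)
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    yield info.filename, info.file_size
        except zipfile.BadZipFile:
            pass  # corrupt archive: nothing more to inspect


def mydoom_indicators(raw: bytes) -> list:
    """Return the advisory characteristics matched by the message."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    hits = ["subject"] if subject in SUBJECTS else []
    for part in msg.walk():
        if part.get_filename():  # only attachments carry a filename
            for fname, size in _names_and_sizes(part):
                if EXEC_EXT.search(fname):
                    hits.append(f"executable attachment {fname}")
                    if size == WORM_SIZE:
                        hits.append("attachment length 22,528 bytes")
    return hits


def build_sample() -> bytes:
    """Constructed mimic of the described mail (placeholder bytes, not worm code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.bat", b"X" * WORM_SIZE)
    msg = EmailMessage()
    msg["Subject"] = "Mail Transaction Failed"
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()
```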

____________________________________________________________________________
Archive: http://kisd.de/~marian/interface/