Interface Design mailing list: Re: Reply: [Interface] Nzkwwxzodccdjon
Author: th. (allside_at_allside.de)
Regards, Thomas
Hello, you distributed this mail via the newsletter today. Have you heard of this virus? It looks suspiciously like it. Perhaps you should check this on your side once more. If it was only a false alarm, a short note that I can open the attachment after all would be very nice. Regards, Julie Woletz

------------------------------ Virusinfo ------------------------------

Virus Name: W32/Mydoom@MM

Risk Assessment
  Corporate User: High-Outbreak
  Home User: High-Outbreak

Virus Information
  Discovery Date: 01/26/2004
  Origin: Unknown
  Length: 22,528 bytes
  Type: Virus
  SubType: E-mail
  Minimum DAT: 4319 (Release Date: 01/26/2004)
  Minimum Engine: 4.2.40
  Description Added: 01/26/2004
  Description Modified: 01/26/2004 9:48 PM (PT)

Virus Characteristics

This is a mass-mailing and peer-to-peer file-sharing worm that arrives in an email message as follows:

From: (spoofed email sender)

Subject: (Varies, such as)
  - Error
  - Status
  - Server Report
  - Mail Transaction Failed
  - Mail Delivery System
  - hello
  - hi

Body: (Varies, such as)
  - The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  - The message contains Unicode characters and has been sent as a binary attachment.
  - Mail transaction failed. Partial message is available.

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
  Examples (common names, but can be random):
  - doc.bat
  - document.zip
  - message.zip
  - readme.zip
  - text.pif
  - hello.cmd
  - body.scr
  - test.htm.pif
  - data.txt.exe
  - file.scr

The icon used by the file tries to make it appear as if the attachment is a text file.

When this file is run, it copies itself to the WINDOWS SYSTEM directory as taskmon.exe:
  - %SysDir%\taskmon.exe
  (Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The virus uses a DLL that it creates in the Windows System directory:
  - %SysDir%\shimgapi.dll (4,096 bytes)

This DLL is injected into EXPLORER.EXE upon reboot via this registry key:
  - HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

Peer To Peer Propagation

The worm copies itself to the KaZaa Shared Directory with the following filenames:
  - nuke2004
  - office_crack
  - rootkitXP
  - strip-girl-2.0bdcom_patches
  - activation_crack
  - icq2004-final
  - winamp

Remote Access Component

The worm opens a connection on TCP port 3127, suggesting remote access capabilities.

Denial of Service Payload

On the first system startup on February 1st or later, the worm changes its behavior from mass mailing to initiating a denial of service attack against the sco.com domain. This denial of service attack will stop on the first system startup of February 12th or later, and thereafter the worm's only behavior is to continue listening on TCP port 3127.

Symptoms
  - Upon executing the virus, Notepad is opened, filled with nonsense characters.
  - Existence of the files and registry entry listed above.

Method Of Infection

This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present. The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
  - wab
  - adb
  - tbb
  - dbx
  - asp
  - php
  - sht
  - htm
  - txt

Additionally, the worm contains strings which it uses to randomly generate, or guess, addresses. Harvested addresses are sent the virus via SMTP. The worm guesses at the recipient email server, prepending the target domain name with the following strings:
  - mx.
  - mail.
  - smtp.
  - mx1.
  - mxs.
  - mail1.
  - relay.
  - ns.

---------------------------- Virusinfo Ende ----------------------------

____________________________________________________________________________
Archive: http://kisd.de/~marian/interface/
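The bulletin quoted in the message above describes the worm entirely by the shape of the mail it sends: a fixed set of lure subjects, a "binary attachment" pretext in the body, and an executable (often inside a ZIP) of 22,528 bytes. The following is an added example, not part of the mailing-list post or of the antivirus vendor's bulletin, showing how a mail-gateway or triage script can score an inbound message against exactly those published characteristics. The sample messages it builds are constructed for the demonstration (the "worm" is an inert zero-filled file of the stated size); the scoring threshold and the helper names are this example's own choices, not anything the bulletin specifies.

```python
"""Score an RFC 822 message against the W32/Mydoom@MM delivery characteristics
quoted in the bulletin. Added example; indicators come from the bulletin text,
sample messages are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators quoted from the bulletin (lower-cased for comparison).
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
BODY_PHRASES = (
    "sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
EXEC_EXTENSIONS = (".bat", ".exe", ".pif", ".cmd", ".scr")
WORM_SIZE = 22528          # bytes, per the bulletin
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive


def executable_members(filename, payload):
    """Return [(name, size)] for executable-looking content in one attachment.

    A ZIP archive is opened and its members inspected, since the bulletin says
    the worm often arrives zipped; any other attachment is judged by its own
    name. endswith() also catches double extensions such as test.htm.pif.
    """
    if payload[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                entries = [(i.filename, i.file_size) for i in zf.infolist()]
        except zipfile.BadZipFile:
            entries = [(filename, len(payload))]  # corrupt archive: use outer name
    else:
        entries = [(filename, len(payload))]
    return [(n, s) for n, s in entries if n.lower().endswith(EXEC_EXTENSIONS)]


def assess_message(raw):
    """Return (score, reasons) for raw message bytes.

    Each matched characteristic adds one point; an executable of exactly the
    published size adds one more. The threshold (3 or more is a strong match)
    is this example's assumption, not part of the bulletin.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject matches a listed lure: {subject!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(p in text for p in BODY_PHRASES):
        reasons.append("body uses the 'binary attachment' pretext")

    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        for name, size in executable_members(part.get_filename() or "", payload):
            reasons.append(f"executable attachment content: {name}")
            if size == WORM_SIZE:
                reasons.append(f"{name} is exactly {WORM_SIZE} bytes")

    return len(reasons), reasons


def build_sample():
    """Constructed message mirroring the bulletin's description (inert payload)."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # constructed, spoofed-looking sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("Mail transaction failed. Partial message is available.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("text.pif", b"\x00" * WORM_SIZE)  # zero filler, not the worm
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg.as_bytes()


def build_benign():
    """Constructed ordinary message with a harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today attached.")
    msg.add_attachment("agenda\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", build_sample()), ("benign", build_benign())):
        score, reasons = assess_message(raw)
        print(f"{label}: score {score}")
        for r in reasons:
            print("  -", r)
```

The constructed sample scores 4 (subject, body pretext, executable inside the ZIP, exact size) while the benign message scores 0. Matching on the spoofed From header is deliberately omitted: the bulletin only says the sender varies, so there is nothing in the message itself to check; that signal belongs to SPF or similar sender checks at the gateway.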
Last updated: Sun 04 Jul 2004 - 14:33:25 CEST. KISD - Köln International School of Design: http://kisd.de/ Subscribe to the mailing list: Majordomo@kisd.de?body=subscribe+interface with "subscribe interface" in the body.