WnSoft Forums

Current Virus


ronwil


By the way, I have removed my website details from my profile as it contains my e-mail address. This last week I have been assailed by the current virus and on more than one occasion it has come through alongside apparent visitors to this forum in the USA. One such was from South Carolina, with a reliable looking website, purporting to contain a screensaver. I had to delete it because Norton located the virus in the other mail. Better safe than sorry. Since then, last Wednesday, there have been others which have been blocked. I have removed my e-mail address book from Outlook Express for the time being.

There is some useful information on MSN UK Homepage-Microsoft Internet Explorer.

Ron [UK]


Our public address support@wnsoft.com received 1500 e-mails a day carrying the Sobig virus last August :)

Michel,

These are e-mails from users who once wrote to you and are now infected by the MyDoom/Novarg virus. If you start a new mailbox, you will give your new address to everyone again, and in the next epidemic you will receive viruses again.

It is probably better to be patient during this period. Changing an e-mail address becomes inevitable when a mailbox receives a lot of spam (but we can't replace support@wnsoft.com, which receives 100-200 spam e-mails every day).


The following is a quote from the Trend Micro weekly newsletter:

Ken

2. Gloom and Doom - WORM_MYDOOM.A (Medium Risk)

WORM_MYDOOM.A is a mass-mailing worm that is currently circulating in-the-wild, and affects computers running Windows 95, 98, ME, NT, 2000, and XP.

This worm selects from a pre-determined list of email subjects, message bodies, and attachment file names that it uses for the email messages it sends. It spoofs the sender name of its messages, so that the messages appear to have been sent by different users instead of the actual users of infected machines. WORM_MYDOOM.A also propagates through the Kazaa peer-to-peer file-sharing network.

WORM_MYDOOM.A performs a denial of service (DoS) attack against the Web site www.sco.com. It attacks the site if the infected computer system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004. It also runs a backdoor component, which it drops as the file SHIMGAPI.DLL. This backdoor component allows remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004.

Upon execution, this worm drops two files:

SHIMGAPI.DLL - a backdoor DLL component of this worm

TASKMON.EXE - a copy of this worm (Note: A legitimate Windows utility with the same file name can be found in the Windows folder on some systems)

It also adds a registry entry that allows it to automatically execute at every Windows startup. If the registry entry already exists, the worm overwrites the entry. It also adds a registry entry that allows its backdoor DLL file component to automatically execute at startup. This registry entry injects SHIMGAPI.DLL into EXPLORER.EXE during startup.

This worm uses Simple Mail Transfer Protocol (SMTP) to send email and to propagate. It gathers recipient email addresses using the following three methods:

the Windows Address Book

by searching for email addresses and domain names from files with specific file extensions, located in the Temporary Internet Files folder (please read the Technical Details section of the virus description for more detailed information on the specific file extensions)

by constructing additional email addresses by prepending specific strings from obtained domain names (please read the Technical Details section of the virus description for more detailed information on the specific strings)

It sends email with the following details:

From: (any of the following)

Spoofed email address taken from list of harvested and generated addresses

Random characters

Blank

Subject: (any of the following)

<blank>

<random characters>

Error

Status

Server Report

Mail Transaction Failed

Mail Delivery System

hello

hi

test

Message Body: (any of the following)

<blank>

<garbage data>

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

test

Attachment: (The attachment may arrive as a .ZIP file. If it does not, then the attachment name is taken from any of several specific combinations of filenames and extension names. Please read the Technical Details section of the virus description for more detailed information on the specific filenames and extensions.)

This worm also has the capability to spread via Kazaa, a peer-to-peer file sharing application, by dropping a copy of itself in the Kazaa shared folder.

In addition, the worm performs a Denial of Service (DoS) attack on the Web site www.sco.com. The DoS attack is triggered if the system date is greater than, or equal to, February 1, 2004. During the DoS attack, the worm creates 63 threads that continuously request the main page of www.sco.com. The DoS attack continues until February 12, 2004. On this date, the worm stops most of its routines, except for its backdoor functionalities. This backdoor component, which is dropped as the file SHIMGAPI.DLL, allows remote users to manipulate infected machines into downloading and executing arbitrary files.

If you would like to scan your computer for WORM_MYDOOM.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_MYDOOM.A is detected and cleaned by Trend Micro pattern file #745 and above.

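The lure list in the newsletter quoted above maps directly onto a mail-gateway rule. The following Python is an added example, not Trend Micro's or WnSoft's code: it scores a raw RFC 822 message against the subjects, body phrases and blank-sender trait listed there and returns a verdict. The two sample messages are constructed for the illustration, the executable extensions beyond .zip are my assumption (the newsletter defers the real filename list to its Technical Details section), and the quarantine threshold is arbitrary.

```python
"""Score inbound mail against the WORM_MYDOOM.A lures quoted above.

Added example, not Trend Micro's or WnSoft's code.  Both sample messages
below are constructed for this illustration, not captured from a mailbox.
"""
import email
from email import policy
from email.message import EmailMessage

# Subjects and body phrases exactly as listed in the newsletter text.
MYDOOM_SUBJECTS = {
    "", "error", "status", "server report", "mail transaction failed",
    "mail delivery system", "hello", "hi", "test",
}
MYDOOM_BODY_PHRASES = (
    "the message contains unicode characters and has been sent as a binary attachment",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
# Assumption: the newsletter only says the attachment "may arrive as a .ZIP"
# and otherwise defers the filename list to its Technical Details section.
# The executable extensions here are what a gateway admin would block, not
# the worm's real list.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif", ".cmd", ".bat")


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Return (score, reasons) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []

    # From: the worm uses a spoofed harvested address, random characters,
    # or nothing at all.  Only the blank case is cheap to detect here.
    if not str(msg["From"] or "").strip():
        score += 1
        reasons.append("blank From header")

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in MYDOOM_SUBJECTS:
        score += 1
        reasons.append(f"subject {subject!r} is on the MyDoom lure list")

    # Collapse MIME line folding so a phrase split across lines still matches.
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().split()).lower() if body is not None else ""
    if any(phrase in text for phrase in MYDOOM_BODY_PHRASES):
        score += 1
        reasons.append("body uses a MyDoom bounce-notice phrase")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            score += 1
            reasons.append(f"attachment {name!r} has a risky extension")
            break
    return score, reasons


def classify(raw: bytes) -> str:
    """Quarantine when two independent lure traits coincide (threshold is arbitrary)."""
    score, _ = score_message(raw)
    return "quarantine" if score >= 2 else "deliver"


def build_sample(sender: str, subject: str, body: str, attachment=None) -> bytes:
    """Build a constructed test message; attachment is (filename, bytes) or None."""
    m = EmailMessage()
    if sender:                      # omit the header to simulate a blank From
        m["From"] = sender
    m["To"] = "support@wnsoft.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=name)
    return m.as_bytes()


# Constructed samples: one mimicking the newsletter's lure, one ordinary post.
WORM_LIKE = build_sample(
    "",                             # blank sender, one of the listed From variants
    "Mail Transaction Failed",
    "The message cannot be represented in 7-bit ASCII encoding and has been "
    "sent as a binary attachment.",
    ("message.zip", b"MZ\x90\x00 constructed bytes, not a real worm"),
)
ORDINARY = build_sample(
    "ron@example.invalid",
    "PTE slideshow question",
    "Hi Igor, the forum has been slow for the last couple of days.",
)

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("ordinary", ORDINARY)):
        score, reasons = score_message(raw)
        print(f"{label}: {classify(raw)} (score {score}) {reasons}")
```

Note that the sender is never used as a positive signal: the newsletter says the From address is harvested or spoofed, so blocking by sender (or trusting a bounce that names you as the sender) says nothing about which machine is actually infected.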

Hi all!

I wish to add that there is a free and fast McAfee stand-alone utility which is able to detect and remove Mydoom and all its known variants. You can download it ("Stinger.exe", 723,463 bytes) from http://vil.nai.com/vil/stinger/

Another interesting tool: if you have your e-mail address on a website, you can hide it from spam robots, spiders and hunters with a simple Java encryption program (Hixus.com, $9.95, €8,57).


The latest thing I am getting on this is advice that certain of my e-mails have been blocked because they contained the virus. The point however is that I did not send the e-mails and I do not know the addressees. I have discarded the advice messages like a hot potato, just in case they too are not genuine.

Ron [UK]


Ken

I have been using these checks since Microsoft added their advice on MSN last week and I have received a clean bill of health.

Ron [UK]


I have noticed that during the last 2 or 3 days, the messages in this forum take longer to load and appear. Does anyone know if this is a result of web traffic due to the virus, or could it be that the new server Igor switched to is being troubled? I have not observed such a slowdown on other sites.


Dear Ron, I'm sure all of us believe you are perfectly "clean".

But I wish to repeat (to all) the advice I gave some days ago, because I think it can be very useful for most PTE forum members, about the little Hixus Javascript:

if you have your e-mail address on a website, you can hide it from spam robots, spiders and hunters with a simple Java encryption program (Hixus.com, $9.95, €8,57).
