![[RSS]](http://tweakimg.net/g/if/v2/icons/rss_small.png){kind=icon}
Door: 
Op dit moment is er weer een zeer agressief virus bezig met zich verspreiden. Op dit moment is er nog weinig info over, en alleen McAfee heeft momenteel enige informatie die van nut is:
http://vil.nai.com/vil/content/v_100983.htm
Vermoedelijk is dit de Symantec-link: http://securityresponse.s...data/w32.novarg.a@mm.html (maar hier is nog niks te vinden qua nuttige info).
Op dit moment heeft in ieder geval McAfee nog geen DAT-file, maar wel een tijdelijke EXTRA.DAT: hier (ik denk dat er binnen nu en een paar uur wel een volwaardige DAT-file zal zijn, gezien de enorme verspreidingsgraad momenteel).
quote:
This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* contains a backdoor component (see below)
* contains a Denial of Service payload
The virus arrives in an email message as follows:
From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.
Subject: (Varies, such as)
* Error
* Status
* Server Report
* Mail Transaction Failed
* Mail Delivery System
* hello
* hi
Body: (Varies, such as)
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
* The message contains Unicode characters and has been sent as a binary attachment.
* Mail transaction failed. Partial message is available.
Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
* examples (common names, but can be random)
* doc.bat
* document.zip
* message.zip
* readme.zip
* text.pif
* hello.cmd
* body.scr
* test.htm.pif
* data.txt.exe
* file.scr
In the case of two file extensions, multiple spaces may be inserted as well, for example:
* document.htm (many spaces) .pif
The icon used by the file tries to make it appear as if the attachment is a text file:
When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as taskmon.exe
* %SysDir%\taskmon.exe
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It creates the following registry entry to hook Windows startup:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The virus uses a DLL that it creates in the Windows System directory:
* %SysDir%\shimgapi.dll (4,096 bytes)
This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:
* HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll
The virus will not replicate on the 12th February or later (although the DLL will still be installed).
Peer To Peer Propagation
The worm copies itself to the KaZaa Shared Directory with the following filenames:
* nuke2004
* office_crack
* rootkitXP
* strip-girl-2.0bdcom_patches
* activation_crack
* icq2004-final
* winamp
Remote Access Component
The worm (this functionality is in the dropped DLL) opens a connection on TCP port 3127 (if that fails it opens next available port up to port 3198). The worm can accept specially crafted TCP transmissions.
* On receipt of one kind of such a transmission it will save the embedded binary into a temporary file and execute it. Then the temporary file is deleted.
* On receipt of another kind it can relay TCP packets thus providing IP spoofing capabilities (possibly to facilitate SPAM distribution)
Denial of Service Payload
On the first system startup on February 1st or later, the worm changes its behavior from mass mailing to initiating a denial of service attack against the sco.com domain. This denial of service attack will stop on the first system startup of February 12th or later, and thereafter the worm's only behavior is to continue listening on TCP port 3127.
http://vil.nai.com/vil/content/v_100983.htm
Vermoedelijk is dit de Symantec-link: http://securityresponse.s...data/w32.novarg.a@mm.html (maar hier is nog niks te vinden qua nuttige info).
Op dit moment heeft in ieder geval McAfee nog geen DAT-file, maar wel een tijdelijke EXTRA.DAT: hier (ik denk dat er binnen nu en een paar uur wel een volwaardige DAT-file zal zijn, gezien de enorme verspreidingsgraad momenteel).
wildhagen wijzigde dit bericht 27-01-2004 22:16 (62%)
Virussen? Scan ze hier! | Anti-spam? Stichting Spamvrij.nl Stop vuurwerk overlast
Door: 
)
. Blijkbaar heb ik het emailtje met het virus toch verstuurd. Hopelijk vind die scantool wat.
@ mensen die sneller kunnen typen dan ik.
, dat Flash dingetje in de post van AcouSE is wel grappig. Kan je aangeven dat je het infectie percentage van alle virussen in de hele wereld wil zien. Nederland doet het met 15,nogiets procent weer erg goed. Zie geen overzicht staan gesorteerd op grootte van dat percentage, maar volgens mij zit NL wel in de top 5 van meest geinfecteerde landen.
