During a monthly check of my hard disk, a strange file suddenly turned up, namely network.vbs.
I immediately checked whether this was a virus.
Sure enough, a few things came to light...
But that info had even more to it:
==========
Virus Name
VBS/NetLog.worm.c
Variants
None
Date Added
4/6/00
Virus Information
Discovery Date: 3/13/00
Origin: Internet connection
Length: 2,333
Type: Trojan
SubType: VbScript
Risk Assessment: Low
Minimum Dat: 4073
Minimum Engine: 4.0.25
Virus Characteristics
This is a trojan written in VB Script and designed to run on systems where Windows Scripting Host is installed. This trojan's main objective is to spread to systems where an open share exists. It does this by scanning IP addresses using Windows NetBIOS to look for open shares called "C". These are shared drives that users intended to share with their local network, but inadvertently shared over the entire Internet. It then tries to map the remote drive as drive "J:".
If it succeeds it writes
"Copying files to : [Network name of remote drive]"
to the "c:\network.log" file.
First as a test, it copies itself to the root directory of the remote drive and checks to see whether the copy was successful. If it was, it writes
"Successful copy to : [Network name of remote drive]"
to the "c:\network.log" file. Then it will copy the network.vbs file to these directories:
"j:\windows\startm~1\programs\startup\"
"j:\windows\"
"j:\windows\start menu\programs\startup\"
"j:\win95\start menu\programs\startup\"
"j:\win95\startm~1\programs\startup\"
"j:\wind95\"
where J: is the remote drive C: the virus mapped earlier. This means that the worm gets control next time the victim starts their computer since J: actually means drive C:.
This variant copies a program written and released by "Distributed.net" to the WINDOWS folder as DNETC.EXE and DNETC.INI when it finds a system available as an open share. It then copies a shortcut file named "microsoft_office.lnk" to the startup folder of the open computer. The file microsoft_office.lnk runs the copy of DNETC.EXE from the Windows folder when it is run.
Symptoms
Existence of the files NETWORK.VBS, DNETC.EXE and DNETC.INI on the local system.
Although the copying of the files dnetc.exe and dnetc.ini is part of the payload, they are not virus/trojan files. The existence of the files does not mean that they have been placed by a trojan. Some users who have permission to run this application may install the client in the windows directory. Deleting the .vbs and .lnk files is sufficient.
==========
Who can tell me more about this???
Cornholio
Back in the day, when beer crates were still made of wood, and you had to keep drinking to keep the stove going....
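A triage check for the artifacts the quoted advisory lists, as an added example that is not part of the original post or of the vendor's write-up. It scans a drive root or a mounted image case-insensitively; the function names `find_ci` and `scan`, the verdict labels, and the sample tree built in `demo` are assumptions made for illustration.

```python
import os
import tempfile

# Directories named in the advisory, relative to the drive root ("" = root itself).
STARTUP = ["windows/startm~1", "windows/start menu", "win95/start menu", "win95/startm~1"]
WORM_DIRS = ["", "windows", "wind95"] + [s + "/programs/startup" for s in STARTUP]
# Verdicts follow the advisory: .vbs/.lnk are the worm; dnetc.* may be a legitimate install.
ARTIFACTS = {"network.vbs": "remove", "microsoft_office.lnk": "remove",
             "dnetc.exe": "review", "dnetc.ini": "review"}
LOG_MARKERS = ("Copying files to :", "Successful copy to :")

def find_ci(root, rel):
    """Resolve rel under root ignoring case; None if absent."""
    cur = root
    for part in filter(None, rel.split("/")):
        names = os.listdir(cur) if os.path.isdir(cur) else []
        match = [n for n in names if n.lower() == part.lower()]
        if not match:
            return None
        cur = os.path.join(cur, match[0])
    return cur

def scan(root):
    """Return sorted (verdict, relative path) pairs for artifacts found under root."""
    found = set()
    for d in WORM_DIRS:
        for name, verdict in ARTIFACTS.items():
            p = find_ci(root, d + "/" + name)
            if p and os.path.isfile(p):
                found.add((verdict, os.path.relpath(p, root).replace(os.sep, "/")))
    log = find_ci(root, "network.log")
    if log and os.path.isfile(log):
        with open(log, errors="replace") as fh:
            n = sum(any(m in line for m in LOG_MARKERS) for line in fh)
        if n:  # this machine logged copies to other hosts
            found.add(("spread-log", f"network.log ({n} entries)"))
    return sorted(found)

def demo():
    """Build a constructed infected tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    startup = os.path.join(root, "WINDOWS", "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    for p in (startup + "/network.vbs", startup + "/Microsoft_Office.lnk",
              root + "/WINDOWS/DNETC.EXE"):
        open(p, "w").close()
    with open(root + "/network.log", "w") as fh:
        fh.write("Copying files to : HOST-A\nSuccessful copy to : HOST-A\n")
    return scan(root)
```

A "review" hit on dnetc.exe or dnetc.ini alone is not evidence of infection, per the advisory; it matters when it appears alongside a "remove" hit.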