Virus for BAT

From: Sokol (sokol00@atlas.cz)
Date: 23. 04. 2001, 22:48 CEST


Hi,

    a new worm has appeared that spreads through BAT
    this is the description from Kaspersky Lab

> Technical Details
> 
> This Internet-worm utilizes the e-mail client “The Bat!” in order to spread. It gains access to the database, searches for the e-mail addresses contained there, and sends out its copy to them in the form of an attachment to an e-mail. 
> 
> The worm’s copy contains the name “photo1.jpg.pif” and contains the photo of an unknown young woman sitting next to a likeness of the well-known MacDonald’s restaurant mascot, Ronald MacDonald. The message body is written in Russian in the Cyrillic alphabet. 
> 
> The translated text appears as follows: 
> 
> Hello! 
> Your address was given to me by a common friend of ours (the first address that came to his mind)
> I am a newcomer to the Internet and have just got this mailbox!
> So this is the very first time I am writing an e-mail!!!
> He said that if I had any questions, I could ask you...
> I am pretty cute and sociable.
> (have a look at the photo)
> I'm waiting for a reply from you!!!
> Write me a bit about yourself and what you would like to know about me.
> Good bye! Good bye!
> :)))))))))
> Sveta Kovaleva 
> 
> The worm also:
> 
> 1. As a companion virus, it infects the following files in the Windows directory: 
> 
> MPLAYER.EXE, WINHLP32.EXE, NOTEPAD.EXE, CONTROL.EXE, SCANREGW.EXE
> 
> Upon infection, the original file is renamed as a .VXD extension, and then the worm copies itself instead of the original file with an .EXE extension. 
> 
> 2. The virus copies itself to the Windows system catalogue under the names of SCANREGW_EXE and LOADPE.COM, and in the main Windows directory under the name of IFNHLP.SYS. The LOADPE.COM file then is registered in the auto-run Registry key: 
> 
> HKCR\exefile\shell\open\command = LOADPE.COM
> 
> As a result, during start-up of any Win32 .EXE file, the .EXE file is automatically activated and infected by the worm’s copy, which in turn infects the triggered file in the same way as the renamed .VXD file as described above. 
> 
> 3. The worm then sends out password and login information to the local network, and also hook-up information to the Internet.

more information is here
http://www.viruslist.com/eng/viruslist.asp?id=4188&key=00001000130000100072

-- 
Regards
 Sokol


E-mail: sokol00@atlas.cz
ICQ #65208171

'We are all immortal
    until we die'
Flitzanu the Silly
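The two persistence artifacts the Kaspersky description names (the hijacked `HKCR\exefile\shell\open\command` handler and the companion-infected programs left behind as `.VXD` next to a worm `.EXE`) can be checked offline from a registry export and a directory listing. The script below is an added example, not code from the post or from Kaspersky Lab; it assumes the layout of a `reg export` file, assumes the stock .EXE handler value `"%1" %*` (adjust for your build), and takes the file names straight from the advisory. Both inputs are constructed samples.

```python
import re
from typing import List, Optional

# Constructed sample in the layout of a `reg export` file, carrying the value the
# advisory says the worm writes. A stock handler exports as @="\"%1\" %*".
HIJACKED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="LOADPE.COM"
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

# Default .EXE handler on a stock Windows install (assumption; tailor per build).
EXPECTED_EXE_COMMAND = '"%1" %*'

# Names taken from the advisory: files the worm drops, and programs it companion-infects.
DROPPED_FILES = {"SCANREGW_EXE", "LOADPE.COM", "IFNHLP.SYS"}
COMPANION_TARGETS = {"MPLAYER", "WINHLP32", "NOTEPAD", "CONTROL", "SCANREGW"}

KEY_HEADER = "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]"


def exefile_open_command(reg_export: str) -> Optional[str]:
    """Return the default value (@=) of HKCR\\exefile\\shell\\open\\command from a
    .reg export, undoing the export's backslash escaping. None if absent."""
    lines = reg_export.splitlines()
    try:
        start = next(i for i, ln in enumerate(lines)
                     if ln.strip().lower() == KEY_HEADER.lower())
    except StopIteration:
        return None
    for ln in lines[start + 1:]:
        ln = ln.strip()
        if ln.startswith("["):          # next key reached: no default value seen
            break
        m = re.match(r'^@="(.*)"$', ln)
        if m:
            return re.sub(r"\\(.)", r"\1", m.group(1))   # \" -> " and \\ -> \
    return None


def exefile_handler_hijacked(reg_export: str) -> bool:
    """True when the .EXE file association no longer points at the stock handler."""
    cmd = exefile_open_command(reg_export)
    return cmd is not None and cmd.strip().lower() != EXPECTED_EXE_COMMAND.lower()


def companion_artifacts(file_names: List[str]) -> List[str]:
    """Given the names present in the Windows (or system) directory, report the
    dropped files and any <name>.VXD/<name>.EXE pair matching the advisory's
    companion pattern (original renamed to .VXD, worm copy takes the .EXE name)."""
    names = {n.upper() for n in file_names}
    findings = [n for n in sorted(names) if n in DROPPED_FILES]
    for base in sorted(COMPANION_TARGETS):
        if f"{base}.VXD" in names and f"{base}.EXE" in names:
            findings.append(f"{base}.VXD alongside {base}.EXE")
    return findings


# Constructed listing: NOTEPAD shows the companion pattern, IFNHLP.SYS is a drop.
SAMPLE_LISTING = ["NOTEPAD.EXE", "NOTEPAD.VXD", "WINHLP32.EXE", "IFNHLP.SYS", "CALC.EXE"]

if __name__ == "__main__":
    print("hijacked (sample):", exefile_handler_hijacked(HIJACKED_EXPORT))   # True
    print("hijacked (clean): ", exefile_handler_hijacked(CLEAN_EXPORT))      # False
    print("artifacts:", companion_artifacts(SAMPLE_LISTING))
```

The handler check is the more general of the two: any value other than the stock `"%1" %*` in that key means every .EXE launch is routed through something else first, which is worth flagging regardless of which worm put it there. The parser only handles `@="..."` string values; a REG_EXPAND_SZ default is exported as `hex(2):` and would need decoding before comparison.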



This archive was generated by hypermail 2.1.2 : 04. 09. 2001, 06:36 CEST