Yet Another Bulletin Board

Welcome, Guest. Please Login or Register.
Nov 22nd, 2024, 9:34pm

Home Home Help Help Search Search Members Members Member Map Member Map Login Login Register Register
Clusterheadaches.com Message Board « VIRUSWARNING AGAIN »


   Clusterheadaches.com Message Board
   New Message Board Archives
   2003 Posts
(Moderator: DJ)
   VIRUSWARNING AGAIN
« Previous topic | Next topic »
Pages: 1  Reply Reply Notify of replies Notify of replies Send Topic Send Topic Print Print
   Author  Topic: VIRUSWARNING AGAIN  (Read 444 times)
The  mad viking
CH.com Alumnus
New Board Hall of Famer
Norway 
*****




Always Look on The Bright Side of Life

  svennthorn2003@yahoo.no  
WWW Email

Gender: male
Posts: 3135
VIRUSWARNING AGAIN
« on: Jan 10th, 2003, 7:20am »
Quote Quote Modify Modify

 
 
F-Secure Virus Descriptions
 
 
  Alphabetical Index  
 Select from the list A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0 Other Latest 50  
 
 
 
Radar Alert LEVEL 2  
NAME: Sobig  
VARIANT: Sobig.A  
 
 
 
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.  
For more information, see: http://www.F-Secure.com/products/radar/  
 
The Sobig worm was found in the wild on January 9th. The worm spreads via email and network shared drives. It also tries to download other files from web pages located on a geocities site.  
 
Mass-mailing  
 
Email addresses are collected from files with various extensions:  
 
 
 '.WAB'
 '.DBX'
 '.HML'
 '.HTML'
 '.EML'
 '.TXT'
 
The sender address is fixed, it is always 'big@boss.com'.  
 
Subjects are randomly chosen from the following list:  
 
 
 'Re: Here is that sample'
 'Re: Document'
 'Re: Sample'
 'Re: Movies'
 
The message body says:  
 
 
 'Attached file:'
 
The message contains an executable attachment. The attachment name can be one of the following:  
 
 
 'Sample.pif'
 'Untitled1.pif'
 'Document003.pif'
 'Movie_0074.mpeg.pif'
 
 
 
The infected emails are sent using the worm's own STMP engine that is independent from the user's email settings.  
 
Local Area Network propagation  
 
Sobig lists all the network shares available to the infected computer and tries to copy itself to either of these directories:  
 
 
 'Windows\All Users\Start Menu\Programs\StartUp'
 
 
 or
 
 
 'Documents and Settings\All Users\Start Menu\Programs\Startup'
 
These are the default startup folders for Windows 9x and NT/XP based systems. If the worm is copied there Windows will run it next time the user logs in. This way the system gets infected.  
 
System infection  
 
When the worm is run on a system for the first time it copies itself to the Windows System Directory using the name 'winmgm32.exe'. After this a new value, pointing to this file is added to the registry as  
 
 
 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsMGM'
 
This way the worm will be started every time Windows starts.  
 
Backdoor downloader  
 
Sobig contains a routine that downloads a text file from a website. The content of the file is used as a URL to download some program and run it on the infected machine.  
 
At the time of writing this description this feature is inactive, the file points to a non-exisiting location.  
 
Detection  
 
Detection in F-Secure Anti-Virus was published on January 9th, 2003 in update:  
 
[FSAV_Database_Version]  
 
Version=2003-01-09_04  
 
[Analysis: Gergely Erdelyi; F-Secure Corp.; January 9th, 2003]  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  Anti-Virus Trials
F-Secure Radar
Virus Screen Shots
Disable VBS
Avoiding Computer Worms
Virus Glossary
 
 
 
 
 
 
 
 
 
   
 
 
 
   
   
   
   
 
 
 
 
 
 
 
 
 
 
   
 
 
 
   
   
   
   
 
 
 
 
IP Logged

Always Look on The Bright Side of Life
The  mad viking
CH.com Alumnus
New Board Hall of Famer
Norway 
*****




Always Look on The Bright Side of Life

  svennthorn2003@yahoo.no  
WWW Email

Gender: male
Posts: 3135
Re: VIRUSWARNING AGAIN
« Reply #1 on: Jan 10th, 2003, 7:20am »
Quote Quote Modify Modify

 
 
F-Secure Virus Descriptions
 
 
  Alphabetical Index  
 Select from the list A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0 Other Latest 50  
 
 
 
Radar Alert LEVEL 2  
NAME: Sobig  
VARIANT: Sobig.A  
 
 
 
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.  
For more information, see: http://www.F-Secure.com/products/radar/  
 
The Sobig worm was found in the wild on January 9th. The worm spreads via email and network shared drives. It also tries to download other files from web pages located on a geocities site.  
 
Mass-mailing  
 
Email addresses are collected from files with various extensions:  
 
 
 '.WAB'
 '.DBX'
 '.HML'
 '.HTML'
 '.EML'
 '.TXT'
 
The sender address is fixed, it is always 'big@boss.com'.  
 
Subjects are randomly chosen from the following list:  
 
 
 'Re: Here is that sample'
 'Re: Document'
 'Re: Sample'
 'Re: Movies'
 
The message body says:  
 
 
 'Attached file:'
 
The message contains an executable attachment. The attachment name can be one of the following:  
 
 
 'Sample.pif'
 'Untitled1.pif'
 'Document003.pif'
 'Movie_0074.mpeg.pif'
 
 
 
The infected emails are sent using the worm's own STMP engine that is independent from the user's email settings.  
 
Local Area Network propagation  
 
Sobig lists all the network shares available to the infected computer and tries to copy itself to either of these directories:  
 
 
 'Windows\All Users\Start Menu\Programs\StartUp'
 
 
 or
 
 
 'Documents and Settings\All Users\Start Menu\Programs\Startup'
 
These are the default startup folders for Windows 9x and NT/XP based systems. If the worm is copied there Windows will run it next time the user logs in. This way the system gets infected.  
 
System infection  
 
When the worm is run on a system for the first time it copies itself to the Windows System Directory using the name 'winmgm32.exe'. After this a new value, pointing to this file is added to the registry as  
 
 
 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsMGM'
 
This way the worm will be started every time Windows starts.  
 
Backdoor downloader  
 
Sobig contains a routine that downloads a text file from a website. The content of the file is used as a URL to download some program and run it on the infected machine.  
 
At the time of writing this description this feature is inactive, the file points to a non-exisiting location.  
 
Detection  
 
Detection in F-Secure Anti-Virus was published on January 9th, 2003 in update:  
 
[FSAV_Database_Version]  
 
Version=2003-01-09_04  
 
[Analysis: Gergely Erdelyi; F-Secure Corp.; January 9th, 2003]  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  Anti-Virus Trials
F-Secure Radar
Virus Screen Shots
Disable VBS
Avoiding Computer Worms
Virus Glossary
 
 
 
 
 
 
   
 
 
 
   
   
   
   
 
 
 
 
IP Logged

Always Look on The Bright Side of Life
The  mad viking
CH.com Alumnus
New Board Hall of Famer
Norway 
*****




Always Look on The Bright Side of Life

  svennthorn2003@yahoo.no  
WWW Email

Gender: male
Posts: 3135
Re: VIRUSWARNING AGAIN
« Reply #2 on: Jan 10th, 2003, 7:22am »
Quote Quote Modify Modify

 
 
 
Global ExploreZip Worm Information Center
 
Information and remedy for the ExploreZip / ZippedFiles Internet Worm  
 
ExploreZip is an internet worm which was first found in June 1999. The original version (ExploreZip.A) spread all over the globe within days of initial discovery, becoming first of the really widespread internet worms. After this, several modified version of the worms have been found.  
 
On the 8th of January, 2003 - three and half years after the virus was first found - another new version was found. This version is now known as ExploreZip.E (or as ExploreZi-N). This version is compressed so that it was undetectable by current anti-virus programs on the time of the release of the virus. The worm functionality has stayed the same.  
 
All of the ExploreZip variants spread as an e-mail attachment and activate by destroying document and source code files. The worm infects your computer and modifies it so that the worm will reply to unread e-mails, sending dummy reponses with an infected attachment.  
 
 
More information  
 
Questions & Answers on the ExploreZip worm
Technical description of ExploreZip.E (from 2003)
Technical description of ExploreZip.A (from 1999)
 
 
Press Release Archive  
 
 
New Variant of ExploreZip Worm Wreaks Havoc Across Corporate Networks
(December 1, 1999)
New Discovery in the ZippedFiles Internet Worm
(June 14, 1999)
A new e-mail worm spreading globally  
This Press Release was made six hours after receiving the initial sample of ExploreZip.A.
(June 10, 1999)  
 
Updates for F-Secure Anti-Virus to detect ExploreZip.E  
 
Web site:
http://www.europe.f-secure.com/download-purchase/updates.shtml  
 
Ftp site:
ftp://ftp.europe.f-secure.com/anti-virus/updates/fsupdate.exe  
 
CONTACT  
 
Support Anti-Virus e-mail: Anti-Virus-Support@F-Secure.com  
Support hotline phone number: +358 9 2520 5050  
F-Secure Contact Info  
F-Secure Partner Contact Info  
MEDIA CONTACTS
For media comments and interviews, please contact:  
 
Mikko Hypponen, Manager, Anti-Virus Research
F-Secure Corporation
Tel. +358 9 2520 5513
Email: Mikko.Hypponen@F-Secure.com
 
 
Tony Magallanez, Systems Engineer
F-Secure Inc.
Tel +1 (40Cool 350-2321
E-mail Tony.Magallanez@F-Secure.com  
 
F-Secure Support hotline phone number: +358 9 2520 5050  
 
 
   
 
 
 
 
 
 
 
 
 
 
 
 
  Anti-Virus
SSH
Distributed Firewall
Handhelds
Catalog
 
------------------------------------------------------------------------ --------
Order Support
Renewals&upgrades
Download manuals
Purchase terms
License terms
Request a large license
Offers & Features
 
 
 
 
 
   
 
 
 
   
   
   
   
 
 
 
 
IP Logged

Always Look on The Bright Side of Life
firebrix
New Board Hall of Famer
New_Zealand 
*****



I must never weaken.

   


Gender: female
Posts: 683
Re: VIRUSWARNING AGAIN
« Reply #3 on: Jan 11th, 2003, 12:48am »
Quote Quote Modify Modify

Thank you Svenn
 
Really appreciate these warnings - you seem to hear of these things earlier than we do.
Will my Norton 2003 take care of it if I get it?
Personally I wouldn't open anything from big bosses!!!
I will be careful anyway
Thanx again
firebrix
IP Logged

"All that it takes for the triumph of evil is for good men to do nothing."
Edmund Burke
The  mad viking
CH.com Alumnus
New Board Hall of Famer
Norway 
*****




Always Look on The Bright Side of Life

  svennthorn2003@yahoo.no  
WWW Email

Gender: male
Posts: 3135
Re: VIRUSWARNING AGAIN
« Reply #4 on: Jan 11th, 2003, 6:05am »
Quote Quote Modify Modify

Fire
 
Just keep your antivirus updated and you should be safe.
Everybody should have that and a firewall too.
 
The reason that i get this info is that i am one of many that tests symantecproducts for Symantec and get the infoes that way
 
Be well
 
Svenn
IP Logged

Always Look on The Bright Side of Life
SommelierCH
New Board Hall of Famer
USA 
*****




I’m awed by the amazing resiliency that we possess

   
Email

Gender: male
Posts: 606
Re: VIRUSWARNING AGAIN
« Reply #5 on: Jan 11th, 2003, 8:32am »
Quote Quote Modify Modify

Thanks Svenn,
 
I'm a Norton guy (person) too. I would only add 2 things:
 
 "Zone Alarm" basic fire wall is free. Everyone should at least get that good working freebee. Here is the link, then work your way through a questionier, keep following the word "free". It's not prominent.
 
http://www.zonelabs.com/store/content/home.jsp
 
Also, if you have Symantec’s, Norton AntiVirus with Live Update--open the program, and click on “Live Update”, when you get a warning like this from overseas. If you run your computer 24/7, “Live Update” might only check in once a week. You should manually check in everyday, as part of the routine.
 
David J.  
IP Logged

Wine is a little like love. When the right one comes along, you know it!
Pages: 1  Reply Reply Notify of replies Notify of replies Send Topic Send Topic Print Print

« Previous topic | Next topic »


Clusterheadaches.com Message Board » Powered by YaBB 1 Gold - SP 1.3.1!
YaBB © 2000-2003. All Rights Reserved.


©1998-2010 Web Vision Enterprises All rights reserved. All information on this site is protected by international copyright laws. You may not re-distribute any information from this site without written permission from Web Vision Enterprises and the webmaster of this site. Violators will be prosecuted.
You may view our privacy policy and financial disclosure statement here

test rss