Admin
Posts: 903
Points: 4638
Reputation: 94
Join date: 07.06.2009
Age: 34
Location: Smederevo
Subject: I-Worm.Lentin 3/7/2009, 17:45
VIRUS INFO
Virus name: I-Worm.Lentin
Aliases: I-Worm.Lentif.f, W32/Lentin.E, Lentin.F, W32.Yaha.F@mm, W32/Yaha.E, I-Worm.Yaha.A
Type: worm
Spreads by: e-mail
Size: 29,839 bytes
Destructive: no
Activation: when the received attachment is run
Discovered: 17.06.2002.
EXPLANATION
It arrives as an e-mail from someone who has your e-mail address on their computer. The virus, written in C++ and compressed with UPX, arrives in two variants.
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
Message body:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
or,
Subject: Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Message body:
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver" <screensaver@screensaverin.com>
To: <%EmailAddress%>
Sent: Friday, February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
where %EmailAddress% is the e-mail address of the sender the e-mail arrived from.
As the attachment, the user may receive a file with one of the following names: SCREENSAVER, SCREENSAVER4U, SCREENSAVER4U, SCREENSAVERFORU, FREESCREENSAVER, LOVE, LOVERS, LOVESCR, LOVERSCREENSAVER, LOVERSGANG, LOVESHORE, LOVE4U, LOVERS, ENJOYLOVE, SHARELOVE, and CHECKFRIENDS, URFRIEND, FRIENDSCIRCLE, FRIENDSHIP, FRIENDS, FRIENDSCR, FRIENDS, FRIENDS4U, FRIENDSHIP4U, FRIENDSHIPBIRD, FRIENDSHIPFORU, FRIENDSWORLD, WERFRIENDS, PASSION, BULLSHITSCR, SHAKEIT, SHAKESCR, SHAKINGLOVE, SHAKINGFRIENDSHIP, PASSIONUP, RISHTHA, GREETINGS, LOVEGREETINGS, FRIENDSGREETINGS, FRIENDSEARCH, LOVEFINDER, TRUEFRIENDS, TRUELOVERS or FUCKER. It has also been observed using attachments with a double extension under the following file names: LOVELETTER, RESUME, BIODATA, DAILYREPORT, MOUNTAN, GOLDFISH, WEEKLYREPORT, REPORT or LOVE. The first extension is one of DOC, MP3, XLS, WAV, TXT, JPG, GIF, DAT, BMP, HTM, MPG, MDB or ZIP, and the second is PIF, BAT or SCR.
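The attachment naming scheme above is the part of this worm a mail gateway can act on before anything runs. The following is an added example (my own code, not the page's or any vendor's cleaner) that classifies attachment file names against the two patterns the page describes: a lure name from the first list carrying an executable extension, and a name from the second list with a document-looking inner extension and a PIF/BAT/SCR outer extension. It goes one step beyond the page by also flagging any attachment where a document extension masks an executable one, whatever the base name, since that is the general trick the double-extension variant relies on. The pairing of the first-list names with PIF/BAT/SCR and the gateway log line format are my assumptions; the sample log lines are constructed.

```python
"""Attachment-name heuristics for the I-Worm.Lentin naming scheme (added example)."""
import re

# Bare lure names from the page's first list (duplicates collapsed).
LURE_NAMES = {
    "SCREENSAVER", "SCREENSAVER4U", "SCREENSAVERFORU", "FREESCREENSAVER", "LOVE",
    "LOVERS", "LOVESCR", "LOVERSCREENSAVER", "LOVERSGANG", "LOVESHORE", "LOVE4U",
    "ENJOYLOVE", "SHARELOVE", "CHECKFRIENDS", "URFRIEND", "FRIENDSCIRCLE",
    "FRIENDSHIP", "FRIENDS", "FRIENDSCR", "FRIENDS4U", "FRIENDSHIP4U",
    "FRIENDSHIPBIRD", "FRIENDSHIPFORU", "FRIENDSWORLD", "WERFRIENDS", "PASSION",
    "BULLSHITSCR", "SHAKEIT", "SHAKESCR", "SHAKINGLOVE", "SHAKINGFRIENDSHIP",
    "PASSIONUP", "RISHTHA", "GREETINGS", "LOVEGREETINGS", "FRIENDSGREETINGS",
    "FRIENDSEARCH", "LOVEFINDER", "TRUEFRIENDS", "TRUELOVERS", "FUCKER",
}
# Base names used with a double extension (page's second list).
DOUBLE_EXT_NAMES = {"LOVELETTER", "RESUME", "BIODATA", "DAILYREPORT", "MOUNTAN",
                    "GOLDFISH", "WEEKLYREPORT", "REPORT", "LOVE"}
# Inner (document-looking) and outer (executable) extensions from the page.
INNER_EXTS = {"DOC", "MP3", "XLS", "WAV", "TXT", "JPG", "GIF", "DAT", "BMP",
              "HTM", "MPG", "MDB", "ZIP"}
EXEC_EXTS = {"PIF", "BAT", "SCR"}


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'suspicious' or 'no-match'.

    'block' means the name matches a pattern the page attributes to the worm;
    'suspicious' is the generalised double-extension / bare-executable check.
    """
    parts = filename.strip().upper().split(".")
    if len(parts) < 2:
        return ("no-match", "no extension")
    base, exts = parts[0], parts[1:]
    last = exts[-1]
    if last not in EXEC_EXTS:
        return ("no-match", f"final extension .{last} is not PIF/BAT/SCR")
    # Pattern 1: lure name + executable extension (assumed pairing, see lead-in).
    if len(exts) == 1 and base in LURE_NAMES:
        return ("block", f"Lentin lure name {base} with executable extension .{last}")
    # Pattern 2: listed base + document inner extension + executable outer extension.
    if len(exts) == 2 and base in DOUBLE_EXT_NAMES and exts[0] in INNER_EXTS:
        return ("block", f"Lentin double-extension pattern {base}.{exts[0]}.{last}")
    # Generalisation: any document extension hiding an executable one.
    if len(exts) >= 2 and exts[-2] in INNER_EXTS:
        return ("suspicious", f"document extension .{exts[-2]} masks executable .{last}")
    return ("suspicious", f"bare executable attachment .{last}")


# Constructed gateway log lines (hypothetical format: key=value fields).
SAMPLE_LOG = """\
2002-06-17 10:01:12 from=a@example.test to=b@example.test attach=LOVELETTER.DOC.SCR
2002-06-17 10:02:40 from=c@example.test to=d@example.test attach=weeklyreport.xls
2002-06-17 10:03:05 from=e@example.test to=f@example.test attach=FRIENDSHIP.SCR
2002-06-17 10:04:51 from=g@example.test to=h@example.test attach=holiday.jpg.pif
"""

_ATTACH_RE = re.compile(r"attach=(\S+)")


def scan_gateway_log(text: str) -> list:
    """Return [(attachment, verdict)] for every log line that carries an attachment."""
    results = []
    for line in text.splitlines():
        m = _ATTACH_RE.search(line)
        if m:
            results.append((m.group(1), classify_attachment(m.group(1))[0]))
    return results


if __name__ == "__main__":
    for name, verdict in scan_gateway_log(SAMPLE_LOG):
        print(f"{verdict:10s} {name}")
```

The verdicts are deliberately split: 'block' is a match on the page's own lists and safe to act on automatically, while 'suspicious' is the broader masking heuristic and belongs in quarantine-and-review rather than silent drop.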
When the user runs the received file, the worm copies itself into the directory C:\RECYCLED as the files MSMDM.EXE and MSSCRA.EXE and changes the Registry: HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = c:\recycled\file_name %1 %*, where file_name is a file that is started every time the user starts any EXE file, so the virus itself starts as well. The virus also changes the contents of the WIN.INI file so that MSTASKMON.EXE is started every time. To hide its activity, the worm sometimes plays a small joke on the user's desktop.
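The three persistence changes just described (the two files in C:\RECYCLED, the hijacked exefile open command, and the WIN.INI run entry) are what an incident responder checks for before trusting a cleaner's verdict. The following is an added example, my own code rather than the page's or any vendor's cleaner, that parses those artefacts and returns findings. The registry value, the WIN.INI text and the C:\RECYCLED directory listing are passed in as plain strings and sets so that it runs anywhere; on a live Windows host you would read them with winreg, from C:\Windows\WIN.INI and os.listdir. The sample values are constructed, and treating any non-default exefile handler as worth reporting is my choice, not something the page states.

```python
"""Host indicator checks for the I-Worm.Lentin persistence changes (added example)."""
import ntpath
import re

DROP_DIR = "c:\\recycled\\"                       # directory named on the page
DROPPED_FILES = {"MSMDM.EXE", "MSSCRA.EXE"}       # copies the worm writes there
WIN_INI_RUNNER = "MSTASKMON.EXE"                  # file WIN.INI is made to start

# Program that really runs, pulled out of an open-command value such as
#   "%1" %*   |   c:\recycled\msmdm.exe %1 %*   |   "c:\recycled\msmdm.exe" %1 %*
_HANDLER_RE = re.compile(r'^\s*"?([^"%]+?)"?\s*(?:"?%1.*)?$')


def check_exefile_command(value: str):
    """Return a finding string for a hijacked exefile\\shell\\open\\command, else None."""
    v = value.strip()
    if v.lower() in ('"%1" %*', '%1 %*'):        # stock Windows default
        return None
    m = _HANDLER_RE.match(v)
    prog = m.group(1).strip() if m else v
    if prog.lower().startswith(DROP_DIR):
        return f"exefile handler hijacked: every .EXE launch runs {prog}"
    return f"non-default exefile handler: {prog}"


def check_win_ini(text: str) -> list:
    """Scan the [windows] run= and load= lines of WIN.INI for the worm's runner."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() not in ("run", "load"):
            continue
        for entry in re.split(r"[,\s]+", val.strip()):   # run= may list several programs
            if not entry:
                continue
            if (ntpath.basename(entry).upper() == WIN_INI_RUNNER
                    or entry.lower().startswith(DROP_DIR)):
                findings.append(f"WIN.INI [windows] {key.strip()}= starts {entry}")
    return findings


def check_dropped_files(recycled_listing) -> list:
    """recycled_listing: file names found in C:\\RECYCLED (any case)."""
    present = {name.upper() for name in recycled_listing}
    return [f"dropped file C:\\RECYCLED\\{n}" for n in sorted(DROPPED_FILES & present)]


def host_indicators(exefile_cmd: str, win_ini_text: str, recycled_listing) -> list:
    """Combine the three checks; an empty list means none of the page's indicators."""
    findings = []
    hit = check_exefile_command(exefile_cmd)
    if hit:
        findings.append(hit)
    findings += check_win_ini(win_ini_text)
    findings += check_dropped_files(recycled_listing)
    return findings


# Constructed samples: a clean host and one showing the changes the page describes.
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"
INFECTED_WIN_INI = "[windows]\nload=\nrun=C:\\RECYCLED\\MSTASKMON.EXE\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    for f in host_indicators("c:\\recycled\\msmdm.exe %1 %*", INFECTED_WIN_INI,
                             {"INFO", "msmdm.exe", "MSSCRA.EXE"}):
        print(f)
```

One practical caveat the exefile check makes visible: once that key points at a file in C:\RECYCLED, deleting the dropped file before restoring the key leaves every .EXE unable to start, so a cleaner has to fix the registry value first.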
The virus creates two text files with the following contents:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
W32.YAHA-III
Author :H^H,h2h@achayans.com
Origin :India,Kerala
I like Klez,Sircam,But i hate the bullshit payloads
Is i am a good coder?? still i have dout huhh!!!
Beware Indian Hackers..Tomarrow is ours!!!
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
and,
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh uS & fuCk tHE GFORCE-pAK shites
bY sNAkeeYes,c0Bra
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
The virus also creates one DLL file, named with randomly chosen letters and characters, in which it stores every e-mail address it finds in: the Windows Address Book, MSN/.NET Messenger, the Yahoo Pager List, the ICQ list (*.UIN files), *.HT* files in the Temporary Internet Files folder, *Hotmail*.*ht*, and *.DOC and *.TXT files.
Once it has infected the user's computer, the virus uses the SMTP protocol to send itself to every e-mail address it recorded in its DLL file. The e-mails the virus sends are HTML formatted and look like this:
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
Message body:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
**************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
Attachment: VALENTIN.SCR
or,
Subject: Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Message body:
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver"
To:
Sent: Friday, February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
**************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
Attachment: VALENTIN.SCR
where %EmailAddress% is the e-mail address of the sender the e-mail arrived from.
The virus scans every process running on the user's computer and, if one matches its list, simply terminates it. The list is: ANTIVIR, MCAFEE, NORTON, NVC95, FP-WIN, IOMON98, PCCWIN98, F-PROT95, F-STOPW, PVIEW95, NAVWNT, NAVRUNR, NAVLU32, NAVAPSVC, NISUM, SYMPROXYSVC, RESCUE32, NISSERV, ATRACK, IAMAPP, LUCOMSERVER, LUALL, NMAIN, NAVW32, NAVAPW32, WEBTRAP, POP3TRAP, PCCMAIN, PCCIOMON, SCAM32, WEBSCANX, SAFEWEB, ICMON, CFINET, CFINET32, AVP.EXE, LOCKDOWN2000, AVP32, ZONEALARM, WINK and SIRC32.
SOLUTION
Download the cleaner for this virus. Because of the virus's variants, if the first cleaner does not do the job, I recommend downloading this cleaner instead.