subject: News
[cut-n-paste from sophos.com]
W32/Fizzer-A
Aliases
I-Worm.Fizzer, W32/Fizzer.gen{at}MM, W32.HLLW.Fizzer{at}mm, WORM_FIZZER.A
Type
Win32 worm
Detection
Sophos has received many reports of this worm from the wild.
Description
W32/Fizzer-A is a worm with IRC backdoor Trojan functionality.
The worm spreads by file sharing on KaZaA shared networks and by
emailing itself to contacts in the Microsoft Outlook and Windows address
books and also to random email addresses at the following domains:
msn.com
hotmail.com
yahoo.com
aol.com
earthlink.net
gte.net
juno.com
netzero.com
The email subject line, message text and attachment name are randomly
constructed using long lists of strings.
The worm may spoof the From: field of emails, replacing the sender's
address with a randomly chosen name.
Example message text strings are:
"So how are you?"
"Check it out"
"There is only one good, knowledge, and on evil, ignorance"
"I sent this program (sparky) from anonymous places on the net"
"you must not show this to anyone"
"Today is a good day to die"
"thought I'd let you know"
"The way to gain a good reputation is to endeavor to be what you
desire ..."
"Filth is a death"
"wie geht es Ihnen?"
"Philosophy imputes, reinterprets faith"
"If you don't like it, just delete it"
"delete this as soon as you lokk at it"
"Did you ever stop to think that viruses are good for the economy? ..."
"the incredibly bright faith"
"you don't have to if you don't want to"
"I wonder what can be so bad ..."
"Watchin' the game, having a bud."
"the attachment is only for you to look at"
"Let me know what you think of this..."
Attachment names have an extension of EXE, COM, PIF or SCR and may be
combined with INI to give a double extension of INI.EXE, INI.COM,
INI.PIF or INI.SCR.
When run W32/Fizzer-A drops the following files to the Windows folder:
initbak.dat
iservc.dll
iservc.exe
ProgOp.exe
and creates the registry entries
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemInit
= %WINDOWS%\iservc.exe
HKCR\txtfile\shell\open\command
= %WINDOWS%\ProgOp.exe 0 7 ' %1'
so that iservc.exe is run automatically each time the computer is
restarted and ProgOp.exe is run whenever a file with an extension of TXT
is opened. ProgOp.exe launches iservc.exe and then the default text
editor.
The following files may also be created in the Windows folder:
Uninstall.pky
iservc.klg
data1-2.cab
upd.bin
iservc.exe connects to a remote IRC server, joins a specific channel and
then runs continuously in the background listening for commands being
sent to the channel.
A remote intruder will then be able to gain access and control over the
computer using a regular IRC client.
The remote intruder will be able to carry out a variety of actions,
including a Denial-of-Service flooder attack.
iservc.dll is a keylogger component which may be used to log user
keystrokes to the log file iservc.klg.
W32/Fizzer-A provides similar access and control via AOL Instant
Messenger channels by logging onto a remote AOL chat server using a
random username.
The worm attempts to spread via file sharing on P2P networks by copying
itself to the KaZaA shared folder.
W32/Fizzer-A attempts to terminate processes whose names contain any of
the following strings:
NAV
SCAN
AVP
TASKM
VIRUS
F-PROT
VSHW
ANTIV
VSS
NMAIN
W32/Lovgate-I
Type
Win32 worm
Detection
Sophos has received several reports of this worm from the wild.
Description
W32/Lovgate-I is a minor variant of W32/Lovgate-J.
W32/Winur-D
Aliases
W32.HLLW.Purol, W32/Winur.worm.d, WORM_PUROL.A, Worm.P2P.Purol.b
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Winur-D is a worm that exploits peer-to-peer networks such as
BearShare, Morpheus, eDonkey2000, Gnucleus, KaZaA, KaZaA Lite and
LimeWire and also the file sharing capabilities of the ICQ messaging
system.
When executed the worm copies itself to the Windows folder with the
filenames lorupscr.scr, winstart32.exe and hwinfoq.com and sets the
following registry entries:
HKCU\Control Panel\Desktop
"ScreenSaveTimeOut"="300"
"SCRNSAVE.EXE"="C:\\windows\\lorupscr.scr"
HKCU\Software\Microsoft\CurrentVersion\Run
"Winstart"="C:\\windows\\winstart32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
"Winstart"="C:\\windows\\winstart32.exe"
"HWINFOQ"="C:\\windows\\HWINFOQ.com"
The worm attempts to delete all files from the following folders:
C:\Progra~1\eSafe\Protect\
C:\Progra~1\McAfee VirusScan\
C:\PROGRA~1\NORTON~1\
C:\Progra~1\Acceleration Software\Anti-Virus\
C:\Progra~1\F-prot\
C:\Progra~1\Mcafee\
C:\Progra~1\Kasper~1\
C:\Progra~1\Avpersonal\
C:\progra~1\Bullguard\
W32/Winur-D creates a C:\Windows\MyShares folder and copies the
following files into it:
C:\Windows\Temporary Internet Files\*.txt
C:\Documents And Settings\Local Settings\Temp\*.doc
\My Chat Logs\*.*
C:\Windows\*.pwl
C:\Windows\*.ini
C:\Windows\temp\*.doc
C:\Windows\Temp\*.txt
C:\Windows\Temp\*.rtf
W32/Winur-D also creates more than 500 copies of itself in the following
folders using the filenames from a list and from the current folder:
\Windows\MyShares
\Program Files\Icq\Shared Files
\Program Files\Bearshare\Shared
\Program Files\Morpheus\My Shared Folder
\Program Files\Edonkey2000\Incoming
\Program Files\Gnucleus\Downloads
\Program Files\Gnucleus\Downloads\Incoming
\Program Files\Kazaa\My Shared Folder
\Program Files\Kazaa Lite\My Shared Folder
\Program Files\Limewire\Shared
To be able to propagate through the networks the worm sets registry
entries, e.g. setting C:\\windows\\MyShares folder as a My Shared Folder
and enabling sharing.
Every 10 seconds the worm attempts to initiate a DDOS attack via
W32/Randon-I
Type
Win32 worm
Detection
At the time of writing Sophos has received just one report of this worm
from the wild.
Description
W32/Randon-I is a complex multipartite worm that spreads through IRC
channels and shares, targeting computers with poorly configured
usernames and passwords.
The worm is usually distributed as a self-extracting archive which when
executed installs the worm components to the Windows system folder. The
following files are dropped:
AlmIRC.ini
bla.txt
bnc.dll
config.hfg
crazy.exe
cscan.dat
dtkode.txt
empavms.exe
EXPL32.EXE
impvms.dll
ipservers.txt
lan.bat
Libparse.exe
miconfig.exe
moo.dll
msccl.dll
newuser.bat
nhtml.dll
nicks.txt
nvdrv.ocx
psexec.exe
ratsou.exe
reg.xpl
remote.ini
restart.exe
script1.dll
spig.txt
systboot.dll
syste32.dll
system.exe
temp
unicod_look
unicod_ready
werty.bat
wincmd34.bat
wind.dll
The worm may set the attributes of some extracted files to hidden. Some of
these files are used by the worm for hacking/spreading/running purposes
and hence are detected as W32/Randon-I.
W32/Randon-I initiates the main executable part, that is EXPL32.exe
(detected as Troj/Mirchack), as a background process. This allows
unauthorised access and control of the computer over IRC channels. The
worm then sets the following registry keys to make sure this file will
be executed at the next restart and upon running IRC client software:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
=""
HKLM\Software\CLASSES\ChatFile\DefaultIcon
=""
HKLM\Software\CLASSES\ChatFile\Shell\open\command
=""
HKLM\Software\CLASSES\irc\DefaultIcon
=""
HKLM\Software\CLASSES\irc\Shell\open\command
=""
When installed the background process connects to an IRC server and
executes its scripts, allowing itself to function as a DoS attacker and
IRC flooder.
The worm also scans for open ports (445), searching for possible victims
with poorly configured usernames and passwords, by running a batch file
that attempts to locate and connect to a shared resource.
To gain further access and control over the computer the worm uses a
number of legitimate applications (some of them listed below) that
come packed with the worm components in the archive:
Empavms.exe ("HideWindow" application)
Libparse.exe ("PrcView" application)
psexec.exe ("PsExec" application)
Troj/Boa-A
Aliases
W32.Boa.Worm
Type
Trojan
Detection
At the time of writing Sophos has received just one report of this
Trojan from the wild.
Description
Troj/Boa-A is a keylogging Trojan. The Trojan monitors keypresses and
other system activity and periodically sends an email to the attacker
containing a log of the actions monitored on the victim's machine.
When Troj/Boa-A is first executed a copy will be created in the System
folder with the filename msnet.exe and the following two registry files
will be created so that the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msnet
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\msnet
Troj/Boa-A also fills up the user's hard disk with JPG files in the
Windows system folder with the filenames file000.jpg, file001.jpg,
file002.jpg, etc. These JPG files contain snapshots of parts of the
user's Desktop and are intended to be emailed to the attacker along
with the other logs.
W32/Kickin-A
Aliases
W32/Kickin{at}MM, I-Worm.Cydog.c
Type
Win32 worm
Detection
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory following
enquiries to our support department from customers.
Description
W32/Kickin-A is a worm that will send itself to addresses found from a
variety of sources including the Windows address book and HTML and XML
files.
W32/Kickin-A is intended to arrive in an email with one of the
following sets of characteristics, but in practice the subject line may
be missing or different.
Subject line: Feel the reason why we fall in love...
Message text: It takes One minute to find someone special
One hour to like someone
1 Day to fall in love with someone
But it takes a lifetime to forget someone.
If you have ever been in love then you'll know about what i am talking.
If you wanne have that same old feeling then open the lovescreensaver
and realise why we fall in love all the time...
Attached file: Love.scr
Subject line: Api Hooking Tutorial...
Message text: Did you wanted to learn how to api hook?
Here your chance!This tutorial explains all the basics AND moderate Api
Hookings Starting by hooking Registry Keys,Till hiding files from view
in Windows Explorer After reading this tut you can even start Windows
RootKit Programming but ofcourse thats up to you to decide...
The Tutorial attached in this e-mail is for privat use only and may
never be distributed under any curcumstances
Provided to you by: Webmaster and
www.planet-source-code.com
Attached file: Api Hooking-Tutorial.exe
Subject line: Fwd:Fwd:Whats really happening in bagdad
Message text: ORIGINAL MESSAGE BODY:
FROM:
DATE:Tuesday, May 06, 2003 13:37:31
TO:
SUBJECT:Fwd:Whats really happening in bagdad
Someone of the britisch army has made some Secret Spy Cam pics,and
uploaded it to the internet!!
The pics show you exactly whats reall happened in Irak!Its really not
what you've seen on tv!
Check out the attached file and forward this to as much friends so that
they can all see what has really happened in Irak.
FlipBabe xxx
Attached file: Saddam-the real pics.scr
Subject line: Get the new Msn 5.1!
Message text: Tired of the little nicknames in Msn,tired of all the
limits?
Well we've got news for you,Msn 5.1 is the newest and best msn messenger
ever!
It allows nicknames up to 500 characters and has many new functions who
will make your cyberlife easyier and better!
Msn Messenger 5.1 is avaible for following Operating Systems:
Windows Xp
Windows ME and 2000
Windows 98 and NT
Is not avaible for:Windows 95
This version of msn messenger supports also Api's in Windows Xp so you
can make your own addons.
To download Msn Messenger 5.1 install the attached Root Setup.
WARNING:MSN MESSENGER IS NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE DUE TO
JURIDICAL RESTRICTIONS,IF YOU WANT IT YOU'LL HAVE TO INSTALL THE ROOT
SETUP. If you don't want to install it then you'll have to wait for
another 5 weeks because of the juridical restricions.
Please do not forward this email.Every user who has Msn Messenger
installed will receive this email sooner or later,so its up to them to
decide to use the new version of not
Sincerely yours:
The Msn Messenger Team
The Hotmail Team
Attached file: MsnMsgs.exe
Subject line: Do you remember last summer
Message text: hi
Do you remember we met last summer?
We became very good friends at the end huh!
Well i looked a bit over internet and i encountered your Email,so i
thought why not send him the pics from last summer
I've attached them in this email,there in ScreenSaver format,pls reply
to me if you liked them
See you soon again xxx
Love ya...
Attached file: Last Summer.scr
Subject line: Christina Aguilera:The most beautiful girl on earth
Message text: Don't you think Christina Aguilera is the most beautiful
girl on earth?
She is soo nice!!!
That clip was amazing...
If you wanne see some hidden pics of that videoclip then check out this
screensaver
Its nice...Very nice,if you get what i mean ;)
Webmaster{at}beautifulgirls.com
Attached file: Christina Aguilera-The most beautiful girl on earth.scr
Subject line: u wanted to hack?
Message text: hi there,so you wanted to hack your friends hotmail
account huh,well use this xss-exploit tool to find his password within 3
minutes!!
Simply open it and enter your victims email ID and select
This will also work on Yahoo and Icq accounts
Admin{at}hackers.com
Attached file: Hotmail Hacker.exe
Subject line: Fwd:Fwd:Fwd:Soccer...
Message text: Ever wanted to see the best goals,the most beautiful
freekicks etc.with just 2 clicks with your mouse?
Ever wanted to acces the largest Soccer Database on the internet where
all goals from more then 25 international competitions from the past 15
years are stored?
Here is your chance,this program has instant acces it,so you can enjoy
how Diego Maradonna scored ,or how Johan Cruyff
curled that ball into the goal...Enjoy!
The database contains goals from countries like:Spain,Italy,France,
Germany,England,Belgium,The Netherlands,Sweden,Finland and much more
Also forward this to all football fans you know so they can enjoy this
to.
Attached file: Soccer Database.exe
Subject line: Fwd:Fwd:Fwd:Sit back and be surprised...
Message text: ORIGINAL MESSAGE BODY:
FROM:
DATE:Tuesday, May 06, 2003 13:37:31
TO:
SUBJECT:Fwd:Fwd:Sit back and be surprised...
Magic in CyberSpace,its almost unbelievable!
1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3 numbers:Love,Friendship and
Sex.Write these values next to the number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like and
write them below on that paper.
5)Now open the Magical screensaver i attached,wrap the paper in your
left hand and close your eyes until you here the beep.
6)Open your eyes again and look at the screen.What the screensaver
displayed will be personal,so you'll have to be alone in your room.
Everything the screensaver displays will come tru within the next 2
months,Only the Sex part will come tru when your above 16.
You don't have to forward this email but then your friends won't get the
chance to make their dreams come tru,So if you want your friends to be
happe,simply mail them the magic...
Be aware!No cheating allowed,Once you have written those names and
values on your paper you cannot chance them!!!
Attached file: Magical-Screensaver.scr
Subject line: The Virtual Joke...
Message text:Have you seen it yet?
You should because its soooooo funny,i wish the real jokes where that
funny :)
Check out the attached screensaver and enjoy the pleasure of laughing...
Attached file: Virtual Joke.scr
Subject line: Windows Hotfix!
Message text: Attached is the HotFix for several bugs in Windows
Operating Systems.
The following Windows versions are vulnerable:
Windows Xp home and Pro edition (with/without SP1)
Windows ME,2000 and NT Home and Pro Edition(With/without SP)
Windows 98 Home,Pro and Special Edition(With/without SP)
The following Windows Operating Systems are not vulnerable:
Windows 95(All editions With or Without Sp
Microsoft IIS(all versions)
If your Operating System is one of the vulnerable systems listed above
then Microsoft Corp. recommends you to install this HotFix
If you for some reason didn't install this hotfix,then your pc will be
vulnerable to this bugs allowing an attacker to Remote Control your pc,
or beeing infected with the infamous SqlSlammer.
Because this is an critical bug,Microsoft Corp. has send this HotFix to
all of his customors who use one of the OS's.
For more information about this bug or about Microsoft Corp.,please
visit www.microsoft.com
Presented to you by:Microsoft HelpDesk
Attached file: Q30215HOTFIX.pif
Subject line: Outwar is proud to present you:Outwar InterActive
Message text: After beeing succesfull for quit some years now and having
more then 20000 clients,it was time for something new.
Thats why we decided to take our OutWar into the game market and
developed OurWar InterActive
This game will be in shops late summer and will cost about 36$.
It will be avaible across the Usa,Europe,Australia and Asia.Our release
for Africa is scheduled early 2004.
Because this will mean a lot of waiting,we developed the first Official
OutWar Int. Demo!
The attached file contains Installation Packet for the downloader.
Install it and download the game from our Private FTP servers,and then
enjoy it on your home pc!.
Sincerely yours
Webmaster{at}outwar.com
Attached file: OutWar Demo.exe
Subject line: Fwd:How to protect yourself against SARS
Message text: ORIGINAL MESSAGE BODY:
FROM:
DATE:Tuesday, May 06, 2003 11:37:31
TO:
SUBJECT:Fwd:How to protect yourself against SARS
SARS aka. Severe Acute Respiratory Syndrome is a worldwide health
threat.
It was first discovered in China
But now,it has become a very big thread to all people in this world
If no vaccin is found,soon more then 500.000 people will be infected
with it This vaccin is not yet made,so within this time the ONLY
protection humans have is prevention of infection
Thats why we of HealthCare launched a project in which we will send
newsletters with information about SARS and with prevention rules.
Symptoms:High Fever(<38°C) AND one or more respiratory symptoms
including cough, shortness of breath, difficulty breathing
Also be aware of the following:close contact with a person who has been
diagnosed with SARS AND a recent history of travel to areas reporting
cases of SARS
In addition to fever and respiratory symptoms, SARS may be associated
with other symptoms including: headache, muscular stiffness, loss of
appetite, malaise, confusion, rash, and diarrhea.
Until more is known about the cause of these outbreaks, WHO (World
Health Organization) recommends that all people read the attached
instructions of howto prevent beeing infected with SARS and what to do
when infection has occurred
For more information contact:
Dick Thompson - Communication Officer
Communicable Disease Prevention, Control and Eradication WHO, Geneva
Telephone: (+41 22) 791 26 84
Email: thompsond{at}who.int
Attached file: SARS-Guide.scr
Subject line: Saddam alive and kickin'
Message text: The whole world wants to know it,is saddam a live,or
death?
Well somedays a go the britisch took secret spy cam pics,and luckely
someone has uploaded this pics to the internet,and now their avaible!
You won't believe what you see!its amazing!!!The spy cam was hidden
inside a tower in Bagdad and it took pics from saddam and his sons,they
our 250m beneath the ground!
Check out the pics i attached,you won't believe what you see!
Attached file: Saddam-the real pics.scr
W32/Kickin-A copies itself to folders shared by the peer-to-peer
applications using some of the following filenames:
AIM Remote Password Cracker.exe
Chaos Ip Spoof 2003.exe
FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
Hotmail Exploiter 2003.exe
Msn Messenger Remote Password Cracker 2003.exe
Netbios hacker.exe
Ultimate HackProg.exe
WebAttack-DoS Tool.exe
XNuker 2003.exe
Yahoo Remote Password Cracker Deluxe 2003.exe
W32/Kickin-A will create the following registry entries:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
= :\\Kernel32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CyberWolf = :\ \CyberWolf.exe
Windows Kernel = :\\Kernel32.exe
and will modify the following entries:
HKCR\exefile\shell\open\command =
:\
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SOURCE: echomail via fidonet.ozzmosis.com
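A defender-side check for the persistence entries the pasted write-ups name, added here as an example that is not part of the post or of Sophos's text: it parses a `reg export`-style dump and flags the Run/RunServices values, the txtfile and exefile handlers, the screensaver value and the Winlogon value listed above. The .reg fragment and its file paths are constructed for a hypothetical host.

```python
import re

# Constructed sample (not from the post or from Sophos): what `reg export` might
# write for the persistence locations named above on a hypothetical infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\iservc.exe"
"Updater"="C:\\Program Files\\Vendor\\upd.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 ' %1'"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\windows\\lorupscr.scr"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\\Kernel32.exe"
'''

# (family, key-suffix regex, value name, data regex), from the write-ups above.
INDICATORS = [
    ("W32/Fizzer-A", r"\\CurrentVersion\\Run$", "SystemInit", r"\\iservc\.exe$"),
    ("W32/Fizzer-A", r"\\txtfile\\shell\\open\\command$", "@", r"ProgOp\.exe"),
    ("W32/Winur-D", r"\\Control Panel\\Desktop$", "SCRNSAVE.EXE", r"lorupscr\.scr$"),
    ("W32/Winur-D", r"\\CurrentVersion\\Run(Services)?$", "Winstart", r"winstart32\.exe$"),
    ("Troj/Boa-A", r"\\CurrentVersion\\Run(Services)?$", "msnet", r"\\msnet\.exe$"),
    ("W32/Kickin-A", r"\\Winlogon$", "System", r"Kernel32\.exe$"),
    ("W32/Kickin-A", r"\\CurrentVersion\\Run$", "Windows Kernel", r"Kernel32\.exe$"),
]
EXEFILE_DEFAULT = '"%1" %*'   # stock handler; W32/Kickin-A modifies this key

def parse_reg(text):
    """Parse a minimal .reg export into {key: {value_name: data}}; REG_SZ unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            continue                  # header, blank and hex continuation lines
        name = "@" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # \\ -> \ and \" -> "
        keys[current][name] = data
    return keys

def find_persistence_indicators(keys):
    """Return (family, key, value_name, data) for each matching value, plus any
    exefile handler that differs from the stock one."""
    hits = []
    for key, values in keys.items():
        lowered = {n.lower(): d for n, d in values.items()}
        for family, key_re, name, data_re in INDICATORS:
            data = lowered.get(name.lower())
            if data is not None and re.search(key_re, key, re.I) \
                    and re.search(data_re, data, re.I):
                hits.append((family, key, name, data))
        if re.search(r"\\exefile\\shell\\open\\command$", key, re.I) \
                and lowered.get("@") != EXEFILE_DEFAULT:
            hits.append(("exefile handler modified", key, "@", lowered.get("@", "")))
    return hits
```

Run it against `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run out.reg` style files (exported as ANSI or decoded from UTF-16) to review the same locations on a live machine.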