CDROM-Guide forums

  #1  
Old Feb 02, 2002, 10:52 PM
FREEVIEW FREEVIEW is offline
Banned
 
Join Date: Jan 2002
Location: in a house
Posts: 51
===EMAIL VIRUSES==read in====

Type: JavaScript virus
Description:
JS/Gigger-A is a JavaScript virus which arrives as an email message with one of the following sets of characteristics:

Subject: Outlook Express Update
Message: MSNSofware Co.
Attachment: Mmsn_offline.htm

or

Subject: recipient@Address, i.e. the email address of the recipient
Message: Microsoft Outlook 98.
Attachment: Mmsn_offline.htm

If the virus is executed, it will attempt to drop the following files:

C:\Bla.hta
C:\B.htm
C:\Windows\Samples\Wsh\Charts.js

C:\Windows\Samples\Wsh\Charts.vbs
C:\Windows\Help\Mmsn_offline.htm

It will also create files called Script.ini in folders containing a file with the extension INI or HLP. These files will be detected as mIRC/Simp-Fam. The virus will infect HTM, HTML and ASP files and attempts to add the line

Echo y|format c:

to C:\Autoexec.bat. This will have the effect of attempting to format drive C: on restart in versions of Windows which use the character Y for Yes.
JS/Gigger-A creates the following registry keys:
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\TheGrave\badUsers\v2.0

and adds the value 'NAV DefAlert' to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The virus contains the text "This virus is donation from all Bulgarians".

Aliases: Troj/Senecs, W32/Lastscene@mm, TROJ_SCENES
Type: Visual Basic Script worm and Backdoor Trojan horse


At the time of writing Sophos has received just one report of the worm from the wild.

Description:
This notification includes information about a Visual Basic Script worm and a Backdoor Trojan horse that can be downloaded by the worm.
VBS/RTF-Senecs is a Visual Basic script worm that arrives in an email message with the following characteristics:
Subject: "Scene from last weekend"
Message body: "Please do not forward"
Attached filename: scenes.zip.

The attached ZIP file contains an RTF document scenes.wri. If the document is opened, two icons are displayed for two embedded objects. Both icons appear to be icons of an image file but the actual embedded object is an executable. Sophos Anti-Virus detects this executable as Troj/Senecs.
If the embedded executable is launched, it drops and runs a VBS file which attempts to send scenes.zip to all contacts in the Microsoft Outlook address book. Troj/Senecs also drops two additional Trojans (detected by Sophos Anti-Virus as Troj/Optix-03-C and Troj/WebDL-E).
Troj/Optix-03-C is a backdoor Trojan horse that will run in the background as a server process, allowing a remote user (using a client program) to gain access and control over the machine. When first run, it creates the subdirectory:

\OleFiles\,

moves itself there and creates the Registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup = \OleFiles\.

This ensures that the server process is run automatically each time the machine is restarted. Troj/WebDL-E attempts to download and run a program from a website hosted at tripod.com. The downloaded program is the Troj/Sub7-21-I Backdoor Trojan horse. Troj/WebDL-E will also attempt to send a notification message of its success to an ICQ account. After running, the Trojan horse removes itself from the system.
Troj/Sub7-21-I is a backdoor Trojan horse. When the server program is installed, the computer is exposed to security attacks from remote locations. Once the connection is established, the attacker can acquire sensitive information such as passwords and take control over the infected computer.
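A triage script for the JS/Gigger-A indicators listed above, added here as an example (it is not part of the post or of Sophos's write-up): it checks a list of existing file paths, a text .reg export and the contents of Autoexec.bat against the dropped files, the registry keys, the 'NAV DefAlert' Run value and the Echo y|format c: line. The sample snapshot is constructed, and the data stored under NAV DefAlert is an assumption, since the post does not give it.

```python
import re

# Indicators quoted from the JS/Gigger-A description above, lower-cased for matching.
DROPPED_FILES = {
    r"c:\bla.hta", r"c:\b.htm",
    r"c:\windows\samples\wsh\charts.js",
    r"c:\windows\samples\wsh\charts.vbs",
    r"c:\windows\help\mmsn_offline.htm",
}
BAD_KEYS = {
    r"hkcu\software\microsoft\windows scripting host\settings\timeout",
    r"hkcu\software\thegrave\badusers\v2.0",
}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE = "nav defalert"
# The line the virus appends to Autoexec.bat; tolerate case and spacing variants.
FORMAT_LINE = re.compile(r"^\s*echo\s+y\s*\|\s*format\s+c:", re.I)
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
def parse_reg_export(text):
    """Parse a Windows .reg export into {'hklm\\...': {value name: data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"').lower()] = data.strip().strip('"')
    return keys
def find_gigger_indicators(existing_files, reg_text, autoexec_text):
    """Report which JS/Gigger-A indicators are present in a host snapshot."""
    reg = parse_reg_export(reg_text)
    return {
        "dropped_files": sorted(f for f in existing_files if f.lower() in DROPPED_FILES),
        "registry_keys": sorted(k for k in BAD_KEYS if k in reg),
        "run_value": reg.get(RUN_KEY, {}).get(RUN_VALUE),
        "autoexec_lines": [n for n, l in enumerate(autoexec_text.splitlines(), 1)
                           if FORMAT_LINE.match(l)],
    }
# Constructed sample snapshot (not real data; the Run value's data is an assumption).
SAMPLE_FILES = [r"C:\Bla.hta", r"C:\Windows\Help\Mmsn_offline.htm", r"C:\Autoexec.bat"]
SAMPLE_REG = ("[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
              '"NAV DefAlert"="C:\\\\WINDOWS\\\\SAMPLES\\\\WSH\\\\CHARTS.JS"\n'
              '[HKEY_CURRENT_USER\\Software\\TheGrave\\badUsers\\v2.0]\n"seen"="1"\n')
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\nEcho y|format c:\r\n"
if __name__ == "__main__":
    print(find_gigger_indicators(SAMPLE_FILES, SAMPLE_REG, SAMPLE_AUTOEXEC))
```

On a live machine the three inputs would come from a directory listing, `reg export`, and the real C:\Autoexec.bat; an empty result in every category means none of the listed indicators is present.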
  #2  
Old Feb 04, 2002, 03:52 PM
Tafsir Tafsir is offline
Veteran
 
Join Date: Jun 2001
Location: uk
Posts: 1,138

nice info m8

keep this at the top for everybody to read

have a on me