
A Nasty Worm! Read Carefully!


francois

Recommended Posts

hi,

here is a summary of a recent alert, and as I saw no one talking about it here, here it is:

Virus

Blackmal.E

Blackmal.E is a virus which propagates by e-mail and via network shares. It appears in the form of a message whose title and body are random, accompanied by an attached file with a variable extension (95 to 135 Kb),

pretending to be an image or a document to be viewed. If this file is run, the virus tries to delete or deactivate certain antiviruses and security software (firewalls), then it mass-mails itself to addresses harvested from the hard disk. On the 3rd of every month, it wipes certain files.

PREVENTION:

The users concerned have to update their antivirus. Generally speaking, even if the name is attractive, you should not run an attached file without having analysed it beforehand with an up-to-date antivirus. It is also necessary to delete shares of unneeded resources and to protect the others with a password, to prevent any distribution of the virus.

DISINFECTION:

Before beginning the disinfection, it is imperative to make sure that the precautionary measures above have been applied, to prevent any reinfection of the computer by the virus. Users who do not have an antivirus can use the free disinfection utility FixBmalE to seek out and eliminate the virus.

TYPE:

Worm

SYSTEMS CONCERNED:

Windows 95

Windows 98

Windows Me

Windows NT

Windows 2000

Windows XP

Windows 2003

ALIAS:

Win32.Blackmal.F (CA)

W32/Kapser.A@mm (F-Prot)

VB.bi (F-Secure)

Nyxem.E (F-Secure)

W32/MyWife.d@MM (McAfee)

W32/Tearec.A.worm (Panda Software)

W32/Nyxem-D (Sophos)

W32.Blackmal.E@mm (Symantec)

WORM_GREW.A (Trend Micro)

Kama Sutra Worm

CME-24

SIZE:

From 95 to 135 Kb

DISCOVERY:

17/01/2006

DETAILED DESCRIPTION:

The virus Blackmal.E appears in the form of a message whose title, body and attached file name are random.

The titles of message:

* *Hot Movie*

* To Great Video

* Arab sex DSC-00465.jpg

* eBook.pdf

* Fw:

* Fw: DSC-00465.jpg

* Fw: Funny:)

* Fw: Picturs

* Fw: Real show

* Fw: SeX.mpg

* Fw: sexy

* Fwd: Crazy illegal Sex!

* Fwd: image.jpg

* Fwd: photo

* Give has me kiss

* Beauty queen Lebanon 2006

* My photos

* Part 1 of 6 Video clipe

* Photos

* Re:

* School chorus girl fantasies gone bad

* Word takes off

The body of the message is a short text in English intended to incite the internet user to open the attached file:

* Note: attached message forwarded.

* You Must View This Videoclip!

> > message forwarded

* Re: Sex Video

* I just any one see my photos.

* Of It Free:)

* The Best Videoclip Ever

* Hot XXX Yahoo Groups

* f*ckin Kama Sutra peaks

* Ready to be f*ckED;)

* Attached message forwarded.

* VIDEOS! FREE! ($US 0,00)

* What?

* I send the take off.

* Helloi attached the details.

* Thank you

* The take off i send the details

* Hello,

* Please see the take off.

* How are you?

* I send the details.

The attachment is generally an executable file with a random name and a variable extension (from 95 to 135 Kb), pretending to be an image or an attractive document:

* 007.pif

* 392315089702606E-02.scR

* 677.pif

* Adults_9, zip.sCR

* ATT01.zip.sCR

* Attachments 001, B64.sCr

* Clipe, to zip.sCr

* Document.pif

* DSC-00465. Pif

* DSC-00465.pIf

* EBook. PIF

* Image04.pif

* New Video, zip

* New_Document_file.pif

* Photo.pif

* Photos, zip.sCR

* School.pif

* SeX, zip.scR

* WinZip, zip.scR

* WinZip. BHX

* WinZip.zip.sCR

* Word XP.zip.sCR

* Word.zip.sCR

* 04.pif

* DSC-00465. Pif

* DSC-00465.pIf

* Image04.pif

It can also be a MIME file containing an executable file:

* 3.92315089702606E02. UUE

* Attachments [001] .B64

* Attachments00. HQX

* Attachments001. BHX

* EBook. Uu

* Original Message. B64

* Sex.mim

* SeX.mim

* Video_part.mim

* WinZip. BHX

* Word_Document.hqx

* Word_Document.uu

If this file is run, the virus copies itself into the Windows directory under the name Rundll16.exe and into the System directory under the names scanregw.exe, Winzip.exe, Update.exe, WINZIP_TMP.EXE, SAMPLE.ZIP and WinZip New File.exe, then it modifies the registry so that it is run at every start-up of the computer, tries to delete or deactivate certain antiviruses and firewalls (among which Symantec, McAfee, Trend Micro, Kaspersky, avast! and AVG), then it automatically sends itself to e-mail addresses found in the Windows address book and in other files of the hard disk, using a usurped or falsified sender address. Finally it tries to propagate via network shares under the name WINZIP_TMP.EXE. If it is run on the 3rd day of any month, the virus deletes all files with the extensions .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd and .dmp by replacing their contents with "DATED Error [47 0F 94 93 F4 K5]".

that's it ...

You will notice that the antivirus from Softwin, BitDefender, is not on the list ...

neither is ZoneAlarm ...

francois

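As an added illustration (not part of francois's post or of the original alert), the following Python triages attachment file names for the two disguises the alert lists: a directly executable extension such as .pif or .scr hidden behind a decoy like .zip or .jpg, and encoded containers (.uue, .b64, .hqx, .bhx, .mim) that may wrap an executable. The sample names are copied from the post as they appear there; the category sets, the risk labels and the separator-squeezing rule are my assumptions, not something the alert specifies.

```python
import re
from collections import Counter
from typing import NamedTuple

# Extensions Windows runs directly; the alert shows .pif and .scr (assumed set).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd"}
# Encoded/MIME containers the alert says may carry an executable (assumed set).
ENCODED_CONTAINER_EXTS = {"uue", "uu", "b64", "hqx", "bhx", "mim"}
# Extensions the worm borrows so the name looks like an image or document (assumed set).
DECOY_EXTS = {"jpg", "jpeg", "gif", "bmp", "zip", "doc", "pdf", "xls", "ppt", "txt"}
ARCHIVE_EXTS = {"zip", "rar"}


class Verdict(NamedTuple):
    name: str
    risk: str    # "high", "medium" or "low"
    reason: str


def normalise(name: str) -> str:
    """Collapse the ', ' and '. ' separators seen in the post into plain dots.

    The post shows names such as "Adults_9, zip.sCR" and "DSC-00465. Pif";
    the separators are squeezed so that the extension chain can be read
    regardless of spaces or commas inserted around the dots.
    """
    return re.sub(r"\s*[.,]\s*", ".", name.strip())


def triage(name: str) -> Verdict:
    """Classify one attachment name by its final (real) and penultimate (decoy) extension."""
    parts = normalise(name).lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(name, "low", "no extension")
    ext = parts[-1]                                  # what Windows actually uses
    inner = parts[-2] if len(parts) >= 3 else ""     # the decoy, if any
    if ext in EXECUTABLE_EXTS:
        if inner in DECOY_EXTS:
            return Verdict(name, "high", f"executable .{ext} disguised with decoy .{inner}")
        return Verdict(name, "high", f"executable .{ext}")
    if ext in ENCODED_CONTAINER_EXTS:
        return Verdict(name, "medium", f"encoded container .{ext}: decode and re-triage the content")
    if ext in ARCHIVE_EXTS:
        return Verdict(name, "medium", f"archive .{ext}: triage each member")
    return Verdict(name, "low", f"plain .{ext}")


def summarise(names) -> dict:
    """Count verdicts per risk level for a batch of attachment names."""
    return dict(Counter(triage(n).risk for n in names))


# Constructed batch: names taken from the post plus one benign control.
SAMPLE_ATTACHMENTS = [
    "007.pif",
    "Adults_9, zip.sCR",
    "DSC-00465. Pif",
    "New Video, zip",
    "Sex.mim",
    "WinZip. BHX",
    "holiday.jpg",
]

if __name__ == "__main__":
    for verdict in map(triage, SAMPLE_ATTACHMENTS):
        print(f"{verdict.risk:6} {verdict.name!r:22} {verdict.reason}")
    print(summarise(SAMPLE_ATTACHMENTS))
```

The decisive field is the last extension after squeezing separators, because that is the one the shell honours; the penultimate one only explains why the name looked harmless. Encoded containers are never cleared on the name alone, since the alert states they may hold the same executable.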

Simple rule: never open email attachments unless you know the sender and you know what it is; also, never hit an "OK" dialog box when surfing unless you know exactly what it is.

simple

PS I have never had a virus on my machine in 5 years.

