| Thread ID: 25453 | 2002-10-03 23:24:00 | Help me win a bet - viruses | honeylaser (814) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 85889 | 2002-10-04 00:12:00 | Well, the only way to find that out would be to expose yourself to the virus wouldn't it? Surely if you received a file via these means, any sensible person would delete it. I think once you opened the attachment and your firewall and AV closed down the last thing you would be interested in would be to examine the files more closely. | Danger (287) | ||
| 85890 | 2002-10-04 00:12:00 | Just wanted to add that the attachment is always 50688b.. so does that say anything? | honeylaser (814) | ||
| 85891 | 2002-10-04 00:31:00 | It's not easy to identify Bugbear. The worm arrives in e-mail bearing assorted subject headers. The name of the infected attachment can also vary but NEARLY ALWAYS has the file size of 50,688 bytes. Bugbear also can pick up old e-mail messages stored on an infected system and send them to random addresses. This means that private e-mail could be disclosed to third parties. | Danger (287) | ||
| 85892 | 2002-10-04 00:32:00 | It's not easy to identify Bugbear. The worm arrives in e-mail bearing assorted subject headers. The name of the infected attachment can also vary but NEARLY ALWAYS has the file size of 50,688 bytes. Bugbear also can pick up old e-mail messages stored on an infected system and send them to random addresses. This means that private e-mail could be disclosed to third parties. www.wired.com/news/technology/0,1282,55532,00.html | Danger (287) | ||
| 85893 | 2002-10-04 00:33:00 | Here is a virus that emails a random doc file (which it renames) along with another attachment (the virus itself) to addresses in the address book. When it is executed, this worm performs the following actions: 1. The worm searches for a random folder on drive C. 2. It creates a script file that uses that folder's name and the current time (in numeric format) as the file name, with the .js extension. Into this file it writes a short script that attempts to delete all files on drive C. 3. It adds a value that refers to this newly created script file to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that the script runs each time that Windows starts. 4. It searches drive C for a file with a .doc extension. 5. It checks for version information of the Microsoft Outlook program. If the version information exists, it uses the MAPI Personal Address Book to locate email addresses; otherwise, it uses the addresses from the MAPI Contacts folder. 6. For each of the addresses that it finds, the worm sends an email using the following format: Subject: <no subject> (The subject line actually contains the text "<no subject>") Message: Some body (The message actually consists of the text "Some body") Attachments: This worm sends two attachments: A copy of the worm itself as the file "Some very cool thing I made.js" A copy of the randomly selected .doc file as the file "This 1 is very cool too.doc" 7. It restarts the computer so that the dropped script file--which tries to delete all files on drive C--will run. It's about a year old, so probably isn't seen much anymore. Mike. | Mike (15) | ||
| 85894 | 2002-10-04 01:57:00 | W32.Klez.H@mm (securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html) definitely sends a random file (uninfected) from the infected machine as well as an infected executable file. An excerpt from this page states: * Releases confidential info: Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment. I've personally received several emails infected with Klez and they did have uninfected files with personal information as attachments as well as the infected executable attachment. NAV certainly saved me from being infected every time, thankfully. | Rod J (451) | ||
| 85895 | 2002-10-04 02:25:00 | Don't forget Sircam (www.symantec.com). It was responsible for quite a few documents being sent (including from the FBI IIRC). A search of www.theregister.co.uk or http: should turn up some of the interesting stuff that it sent from infected systems. | bmason (508) | ||
| 85896 | 2002-10-04 02:31:00 | OK - so we can assume that there are viruses out there which are capable of this. But Bugbear ain't one of them..? | honeylaser (814) | ||
| 85897 | 2002-10-04 02:34:00 | Yes Honeylaser, I believe there are some but the variant of Bugbear I saw wasn't one. I recall seeing one a couple of years ago, where an Excel file was sent. I saw the result but it wasn't on my system so no idea what the virus was. Enjoy the free drinks. | godfather (25) | ||
| 85898 | 2002-10-04 07:34:00 | Having just nipped another one, Klez, it's interesting to see: The worm may send a clean document in addition to an infected file. A document found on the hard disk, that contains one of the following extensions, is sent: .txt .htm .html .wab .asp .doc .rtf .xls .jpg .cpp .c .pas .mpg .mpeg .bak .mp3 This payload can result in confidential information being sent to others. So, have a double Honeylaser! | godfather (25) | ||
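The thread circles around three mail-side tells: an executable attachment of exactly 50,688 bytes (Bugbear), a clean document riding alongside the infected file (Klez, Sircam), and hard-coded attachment names (the .js worm in Mike's post). The following triage routine, an added example and not code from any poster or vendor page, runs those checks over constructed sample messages; the executable extension set and the example.invalid addresses are assumptions.

```python
# Added example, not code from the thread: a mail-gateway triage heuristic for
# the traits the posters describe. Messages built below are constructed sample data.
import email
import os
from email import policy
from email.message import EmailMessage

BUGBEAR_SIZE = 50688                                   # attachment size quoted in the thread
EXEC_EXT = {".exe", ".scr", ".pif", ".js", ".vbs", ".bat"}   # assumed executable extensions
DOC_EXT = {".doc", ".xls", ".txt", ".rtf", ".pdf", ".jpg", ".mpg", ".mp3", ".wab"}  # from the Klez list
FIXED_NAMES = {"some very cool thing i made.js", "this 1 is very cool too.doc"}  # from Mike's post


def ext(name):
    return os.path.splitext(name.lower())[1]


def attachments(raw_bytes):
    """Return (filename, decoded size) for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename() or "", len(p.get_payload(decode=True) or b""))
            for p in msg.iter_attachments()]


def triage(raw_bytes):
    """List the reasons a message matches the mass-mailer traits discussed in the thread."""
    atts = attachments(raw_bytes)
    has_exec = any(ext(n) in EXEC_EXT for n, _ in atts)
    has_doc = any(ext(n) in DOC_EXT for n, _ in atts)
    reasons = []
    if any(size == BUGBEAR_SIZE and ext(n) in EXEC_EXT for n, size in atts):
        reasons.append("executable attachment of exactly 50,688 bytes (Bugbear trait)")
    if has_exec and has_doc:
        reasons.append("executable shipped alongside a document (Klez/Sircam leak pattern)")
    if any(n.lower() in FIXED_NAMES for n, _ in atts):
        reasons.append("attachment name matches a hard-coded worm filename")
    return reasons


def build_message(subject, body, files):
    """Construct a sample message; `files` is a list of (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in files:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

The size rule is deliberately paired with an executable extension: a 50,688-byte spreadsheet is not a Bugbear indicator on its own, and the document-plus-executable rule is what catches the data-leak behaviour the posters are betting on.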