SPYW_GATOR.D

Info taken from http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=SPYW_GATOR.D

Description:

This spyware program may be downloaded onto affected systems by other malware already installed on the said machines. It has the capability to download an updated copy of itself without the users' knowledge.

Programs of this type affect users' privacy by stealing confidential information and monitoring browsing behavior without consent.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Download the latest spyware pattern file and scan your system. Then, delete all files detected as SPYW_GATOR.D.

Details:

This is Trend Micro's detection for Dynamic Link Library (DLL) used by the Gator spyware.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instructions, please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows


Troj/Lineage-D

Taken From: http://www.sophos.com/virusinfo/analyses/trojlineaged.html

Description:
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.

Troj/Lineage-D logs keystrokes for the game Lineage II and emails the author with the results.

Affected operating systems:

    * Windows

Side effects:

    * Steals information
    * Records keystrokes
    * Leaves non-infected files on computer

Technical Details:
Troj/Lineage-D copies itself to the Windows system folder as "ttplorer.exe" and creates a DLL keylogging component "ttinject.dll" as well as the text file "ttdata32.dll" to keep the keylog results.

Troj/Lineage-D creates the following registry entry to run itself automatically on system login or startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scvhost
<Windows system>\ttplorer.exe



W32/MyDoom-BC

Taken From http://www.sophos.com/virusinfo/analyses/w32mydoombc.html

Description:
W32/MyDoom-BC is an email worm for the Windows platform.

Email sent by the worm has characteristics similar to the following examples:

Subject line:

hi
error
test
Message could not be delivered

Message body:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

Attached file:

attachment.com
letter.zip
<username>.exe

Side effects:

    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases:

    * Email-Worm.Win32.Mydoom.am
    * W32/Mydoom.bc@MM
    * W32/Mydoom.db@MM
    * Worm.Mydoom.M-2

Technical Details:
W32/MyDoom-BC is an email worm. When first run, the worm copies itself to either the Windows or Temp folders as java.exe, and adds one of the following registry entries to ensure that the copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-BC also creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is a backdoor component.

W32/MyDoom-BC searches the hard disk for email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX, as well as the Windows address book. In addition, the worm may use an internet search engine to find more email addresses: it sends a query to the search engine using domain names from email addresses found on the hard disk and then examines the query results, searching for more addresses. The internet search engines used by W32/MyDoom-BC, and the percentage chance that each is used, are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to, W32/MyDoom-BC will avoid addresses which contain any of the following strings:

abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your

The email sent by the worm has a spoofed sender.

The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.

The attached file may be named similarly to the recipient's username or domain
or using one of the following names:

attachment
document
file
instruction
letter
mail
message
readme
text
transcript

with an optional extension of DOC, TXT, HTM, HTML followed by a number of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip file containing a file named as described.
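The padded double-extension naming described above is something a mail gateway can match mechanically. The following Python is an added example, not Sophos's code: it splits an attachment name into stem, decoy extension, padding and real extension, then scores it against the base names, extensions and subject lines the write-up lists (treating the recipient's username and domain as additional lure stems, and routing zip attachments to archive inspection, are my assumptions about how to apply the description).

```python
import re

# Attachment base names, decoy extensions, real extensions and subject lines
# are the ones the W32/MyDoom-BC write-up lists.
LURE_BASENAMES = frozenset((
    "attachment", "document", "file", "instruction", "letter",
    "mail", "message", "readme", "text", "transcript",
))
DECOY_EXTENSIONS = frozenset(("doc", "txt", "htm", "html"))
EXEC_EXTENSIONS = frozenset(("exe", "com", "bat", "cmd", "scr", "pif"))
LURE_SUBJECTS = frozenset(s.lower() for s in (
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "Message could not be delivered", "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail",
    "Returned mail: see transcript for details",
    "Returned mail: Data format error",
))

# <stem>[.<decoy>][<spaces>].<ext>: the run of spaces pushes the real
# extension out of view in a mail client that truncates long names.
_NAME_RE = re.compile(
    r"^(?P<stem>.+?)(?:\.(?P<decoy>[A-Za-z]+))?(?P<pad> *)\.(?P<ext>[A-Za-z]+)$"
)


def split_attachment_name(filename):
    """Split 'letter.txt      .exe' into (stem, decoy, padding, ext); None if
    the name has no extension at all."""
    m = _NAME_RE.match(filename.strip())
    if not m:
        return None
    return m.group("stem"), m.group("decoy"), m.group("pad"), m.group("ext")


def classify_attachment(filename, recipient=None):
    """Return {'verdict', 'reasons'} when the name fits the pattern on the
    page, else None. `recipient` is the To: address (assumption: the page says
    the file may be named after the recipient's username or domain)."""
    parts = split_attachment_name(filename)
    if parts is None:
        return None
    stem, decoy, pad, ext = parts
    ext = ext.lower()
    lures = set(LURE_BASENAMES)
    if recipient and "@" in recipient:
        local, domain = recipient.lower().split("@", 1)
        lures.update((local, domain, domain.split(".")[0]))
    if stem.lower() not in lures:
        return None
    if ext == "zip":
        # The page: the attachment may be a zip holding a file named as above.
        return {"verdict": "inspect-archive",
                "reasons": ["zip container: classify each member file name"]}
    if ext not in EXEC_EXTENSIONS:
        return None
    reasons = [f"executable extension .{ext}", f"lure base name '{stem}'"]
    if decoy and decoy.lower() in DECOY_EXTENSIONS:
        reasons.append(f"decoy document extension .{decoy}")
    elif decoy:
        reasons.append(f"double extension .{decoy}.{ext}")
    if pad:
        reasons.append(f"{len(pad)} padding spaces hide the real extension")
    return {"verdict": "block", "reasons": reasons}


def gateway_verdict(subject, filename, recipient=None):
    """Combine subject and attachment: the page says the subject is blank or
    one of the listed lines. Returns 'block', 'inspect-archive' or None."""
    subject = subject.strip().lower()
    if subject and subject not in LURE_SUBJECTS:
        return None
    result = classify_attachment(filename, recipient)
    return result["verdict"] if result else None
```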

W32/MyDoom-BC drops a file named services.exe in the Windows or Temp folder and runs the file.

Services.exe adds the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
services
<Windows or Temp folder>\services.exe

W32/MyDoom-BC also attempts to download and run files from several websites.
At the time of writing the downloaded files are detected by Sophos's anti-virus products as Troj/Surila-P.



Mydoom.AU

Parts taken from http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.au@mm.html

Description:
W32.Mydoom.AU@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it gathers from a compromised computer. This worm is a minor variant of W32.Mydoom.AM@mm.

Also Known As:
Email-Worm.Win32.Mydoom.ak [Kaspersky Lab], W32/Mydoom.ba@MM [McAfee]

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Technical Details:
Once executed, W32.Mydoom.AU@mm performs the following actions:

   1. Creates the files:

          * %System%\lsasrv.exe
          * %System%\version.ini
          * [path of execution]\hserv.sys

            Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Creates the mutex -=RTSW.Smash 0a2a0=-, so that only one instance of the worm runs on the compromised computer.

   3. Adds the value:

      "lsass" = "%System%\lsasrv.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


      so that it is executed every time Windows starts.

   4. Modifies the value:

      "Shell" = "explorer.exe %System%\lsasrv.exe"

      in the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

      so that it is executed every time Windows starts.

   5. Creates a text file named %Temp%\Mes#wtelw.txt, which contains only garbage data. The worm uses Notepad to open the file and display the garbage data.

      Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

   6. Gathers email addresses from the Windows Address Book and from files with the following extensions:

          * .wab
          * .pl
          * .adb
          * .tbb
          * .dbx
          * .asp
          * .php
          * .sht
          * .htm
          * .txt

            The worm avoids sending itself to any email address that contains one of the following strings:

          * accoun
          * certific
          * listserv
          * ntivi
          * support
          * icrosoft
          * admin
          * page
          * the.bat
          * gold-certs
          * feste
          * submit
          * not
          * help
          * service
          * privacy
          * somebody
          * soft
          * contact
          * site
          * rating
          * bugs
          * you
          * your
          * someone
          * anyone
          * nothing
          * nobody
          * noone
          * webmaster
          * postmaster
          * samples
          * info
          * root
          * mozilla
          * utgers.ed
          * tanford.e
          * pgp
          * acketst
          * secur
          * isc.o
          * isi.e
          * ripe.
          * arin.
          * sendmail
          * rfc-ed
          * ietf
          * iana
          * usenet
          * fido
          * linux
          * kernel
          * google
          * ibm.com
          * fsf.
          * gnu
          * mit.e
          * bsd
          * math
          * unix
          * berkeley
          * foo.
          * .mil
          * gov.
          * .gov
          * ruslis
          * nodomai
          * mydomai
          * example
          * inpris
          * borlan
          * sopho
          * panda
          * hotmail
          * msn.
          * icrosof
          * syma
          * avp
          * .edu
          * abuse
          * www
          * fcnz
          * spm

   7. Uses its own SMTP engine to send itself to the email addresses that it finds. The email will have the following characteristics:

      From: Composes a fake address in the format [First name][Random last name]@[Domain]

      Where [First name] is one of the following:

          * Joseph
          * Ronald
          * Hannah
          * Kimberly
          * Maria
          * George
          * Charles
          * Len
          * Cissi
          * Sandra
          * Jennifer
          * Hans
          * Richard
          * Lee
          * Emily
          * Helen
          * Elizabeth
          * Donald
          * David
          * Harris
          * Nicholas
          * Betty
          * Barbara
          * Mark
          * William
          * Martin
          * Ethan
          * Karen
          * Linda
          * Paul
          * Michael
          * Edward
          * Cynthia
          * Nancy
          * Patricia
          * Daniel
          * Robert
          * Olivia
          * Angela
          * Dorothy
          * Kevin
          * Christopher
          * John
          * Josefine
          * Melissa
          * Susan
          * Anthony
          * Thomas
          * James


            and [Domain] is one of the following:

          * compuserve.com
          * juno.com
          * earthlink.net
          * yahoo.co.uk
          * hotmail.com
          * yahoo.com
          * msn.com
          * aol.com


            Subject:
            One of the following:

          * Attention!!!
          * Do not reply to this email
          * Error
          * Good day
          * hello
          * Mail Delivery System
          * Mail Transaction Failed
          * Server Report
          * Status


            Attachment:
            One of the following filenames:

          * body
          * message
          * docs
          * data
          * file
          * rules
          * doc
          * readme
          * document


            with one of the following extensions:

          * .bat
          * .cmd
          * .exe
          * .scr
          * .pif
          * .zip


            Message Body:
            One of the following:

          * Mail transaction failed. Partial message is available
          * The message contains Unicode characters and has been sent as a binary attachment.
          * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
          * Mail transaction failed. Partial message is available.
          * Thank you for registering at WORLDXXXPASS.COM
            All your payment info, login and password you can find in the attachment file.
            It's a real good choise to go to WORLDXXXPASS.COM
          * Attention! New self-spreading virus!
            Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
            To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
            c 2004 Networks Associates Technology, Inc. All Rights Reserved
          * New terms and conditions for credit card holders
            Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
            Thank you,
            The World Bank Group
            c 2004 The World Bank Group, All Rights Reserved
          * Attention! Your IP was logged by The Internet Fraud Complaint Center
            Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
            This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center
          * You have visited illegal websites
            I have a big list of the websites you surfed
          * You think it's funny? You are stupid idiot!!! I'll sendthe attachment to your ISP and then I'll be watchinghow you will go to jail, punk!!!
          * Your credit card was charged for $500 USD. For additional information see the attachment
          * ESMTP [Secure Mail System #334]: Secure message is attached
          * Encrypted message is available
          * Delivered message is attached
          * Can you confirm it?
          * Binary message is available
          * am shocked about your document!
          * Are you a spammer? (I found your email on a spammer website!?!
          * Bad Gateway: The message has been attached
          * Here is your documents you are requested

   8. Copies itself to shared folders of Kazaa, Morpheus, iMesh, eDonkey, or LimeWire. The file has one of the following names with either a bat, pif, scr, or exe extension:

          * porno
          * NeroBROM6.3.1.27
          * avpprokey
          * Ad-awareref01R349
          * winxp_patch
          * adultpasswds
          * dcom_patches
          * K-LiteCodecPack2.34a
          * activation_crack
          * icq2004-final
          * winamp5

   9. Attempts to disable the following processes, including firewall and antivirus applications:

          * i11r54n4.exe
          * irun4.exe
          * d3dupdate.exe
          * rate.exe
          * ssate.exe
          * winsys.exe
          * winupd.exe
          * SysMonXP.exe
          * bbeagle.exe
          * Penis32.exe
          * teekids.exe
          * MSBLAST.exe
          * mscvb32.exe
          * sysinfo.exe
          * PandaAVEngine.exe
          * taskmon.exe
          * wincfg32.exe
          * outpost.exe
          * zonealarm.exe
          * navapw32.exe
          * navw32.exe
          * zapro.exe
          * msblast.exe
          * netstat.exe

  10. Appends the following lines to the Hosts file to prevent access to antivirus-related Web sites:

      127.0.0.1 www.symantec.com
      127.0.0.1 securityresponse.symantec.com
      127.0.0.1 symantec.com
      127.0.0.1 www.sophos.com
      127.0.0.1 sophos.com
      127.0.0.1 www.mcafee.com
      127.0.0.1 mcafee.com
      127.0.0.1 liveupdate.symantecliveupdate.com
      127.0.0.1 www.viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 www.f-secure.com
      127.0.0.1 f-secure.com
      127.0.0.1 kaspersky.com
      127.0.0.1 kaspersky-labs.com
      127.0.0.1 www.avp.com
      127.0.0.1 avp.com
      127.0.0.1 www.kaspersky.com
      127.0.0.1 www.networkassociates.com
      127.0.0.1 networkassociates.com
      127.0.0.1 www.ca.com
      127.0.0.1 ca.com
      127.0.0.1 mast.mcafee.com
      127.0.0.1 www.my-etrust.com
      127.0.0.1 my-etrust.com
      127.0.0.1 download.mcafee.com
      127.0.0.1 dispatch.mcafee.com
      127.0.0.1 secure.nai.com
      127.0.0.1 www.nai.com
      127.0.0.1 nai.com
      127.0.0.1 update.symantec.com
      127.0.0.1 updates.symantec.com
      127.0.0.1 us.mcafee.com
      127.0.0.1 liveupdate.symantec.com
      127.0.0.1 customer.symantec.com
      127.0.0.1 rads.mcafee.com
      127.0.0.1 www.trendmicro.com
      127.0.0.1 trendmicro.com
      127.0.0.1 www.grisoft.com
      127.0.0.1 grisoft.com

Removal Instructions:
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

   1. Disable System Restore (Windows Me/XP).
   2. Update the virus definitions.
   3. Run a full system scan and delete all the files detected as W32.Mydoom.AU@mm.
   4. Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

    * "How to disable or enable Windows Me System Restore"
    * "How to turn off or turn on Windows XP System Restore"


Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.


2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

    * Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
    * Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

      The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

      Note: If you see an error, such as LU1418, when you try to run LiveUpdate and you cannot reach the Web site hosting the Intelligent Updater, it is likely that the worm has modified the Hosts file. You can either download and install LiveUpdate 2.5, which can remove Symantec entries from that file, or you can edit it yourself. See the instructions for both in the "Additional Information" section below.



3. To scan for and delete the infected files

   1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
          * For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
          * For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
   2. Run a full system scan.
   3. If any files are detected as infected with W32.Mydoom.AU@mm, click Delete.

      Note: If your Symantec antivirus product reports that it cannot delete an infected file, Windows may be using the file. To fix this, run the scan in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode." Once you have restarted in Safe mode, run the scan again.

      After the files are deleted, restart the computer in Normal mode and proceed with section 4.


4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document, "How to make a backup of the Windows registry," for instructions.

   1. Click Start > Run.
   2. Type regedit

      Then click OK.

   3. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

   4. In the right pane, delete the value:

      "lsass" = "%System%\lsasrv.exe"

   5. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

   6. In the right pane, delete the value:

      "Shell" = "explorer.exe %System%\lsasrv.exe"

   7. Exit the Registry Editor.
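The hosts-file sinkholing (step 10 of the technical details above; the same entries appear again in step 9 of the W32/MyDoom-AO write-up further down) and the Run-key and Winlogon "Shell" persistence are the artefacts a responder checks first after the scan. The following Python is an added example, not Symantec's or Sophos's code: it takes hosts-file text and registry values as input (reading them live needs winreg on Windows), flags the entries this page describes, and the sample hosts file and Run values are constructed, not captured.

```python
import ipaddress
import re

# Security-vendor hostnames the Mydoom.AU/AO write-ups say are appended to the
# hosts file pointing at 127.0.0.1 (a subset of the page's list).
WATCHED_DOMAINS = frozenset((
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "liveupdate.symantecliveupdate.com", "update.symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "download.mcafee.com", "www.kaspersky.com", "kaspersky.com",
    "www.f-secure.com", "f-secure.com", "www.trendmicro.com",
    "trendmicro.com", "www.grisoft.com", "grisoft.com",
))

# Run-key persistence the page's write-ups describe: value name -> dropped file.
KNOWN_RUN_IOCS = {
    "lsass": "lsasrv.exe",       # Mydoom.AU / Mydoom.AO
    "javavm": "java.exe",        # MyDoom-BC
    "services": "services.exe",  # MyDoom-BC backdoor component
    "scvhost": "ttplorer.exe",   # Troj/Lineage-D
}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.
    Comments (#), blank lines and lines without a valid address are skipped;
    one line may list several hostnames after a single address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield line_no, ip, host.lower().rstrip(".")


def find_hosts_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(line_no, ip, host, kind)] for watched domains that have a
    static mapping. kind is 'sinkhole' for loopback/0.0.0.0 (the technique on
    this page) and 'redirect' for any other address, which is worse because
    update traffic could be steered to a host the attacker controls."""
    hits = []
    for line_no, ip, host in parse_hosts(text):
        if host in watched:
            kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            hits.append((line_no, str(ip), host, kind))
    return hits


def shell_value_extras(shell_value):
    """The Winlogon 'Shell' value should be just 'explorer.exe'. Return every
    other token in it (the worm appends '%System%\\lsasrv.exe')."""
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def suspicious_run_values(run_values, iocs=KNOWN_RUN_IOCS):
    """run_values: {value_name: data} read from a Run key. Flag entries whose
    value name or executable basename matches an IoC from the page."""
    hits = []
    for name, data in run_values.items():
        exe = re.split(r"[\\/]", data.strip().strip('"'))[-1].lower()
        if name.lower() in iocs or exe in iocs.values():
            hits.append((name, data))
    return hits


# Constructed sample input, not captured from a real system.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.test
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
0.0.0.0 liveupdate.symantecliveupdate.com
192.0.2.10 www.sophos.com sophos.com
"""
SAMPLE_RUN = {
    "lsass": r"C:\Windows\System32\lsasrv.exe",
    "SunJavaUpdateSched": r"C:\Program Files\Java\jusched.exe",
}

if __name__ == "__main__":
    for hit in find_hosts_hijacks(SAMPLE_HOSTS):
        print("hosts:", hit)
    print("Shell extras:", shell_value_extras(r"explorer.exe %System%\lsasrv.exe"))
    print("Run IoCs:", suspicious_run_values(SAMPLE_RUN))
```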




New Mydoom Worm on the Move

Description:
Sophos, a security vendor, describes:
"W32/MyDoom-AO is a mass-mailing and peer-to-peer worm which emails itself as an attachment to addresses found on the infected computer.

W32/MyDoom-AO will attempt to copy itself to peer-to-peer folders of KaZaa, Morpheus, iMesh, eDonkey2000 and LimeWire.

W32/MyDoom-AO may also create a file hserv.sys in the Windows system folder. This file is non-malicious and can be safely deleted."

http://www.sophos.com/virusinfo/analyses/w32mydoomao.html

W32/MyDoom-AO is another worm that affects Microsoft Windows operating systems.
This worm can affect computers via email attachments or peer-to-peer connections.

Various Names of this worm:

Email-Worm.Win32.Mydoom.ak [Kaspersky Lab], W32/Mydoom.ba@MM [McAfee], WORM_MYDOOM.AY [Trend Micro]

Side Effects according to Sophos:

# Turns off anti-virus applications
# Sends itself to email addresses found on the infected computer
# Modifies data on the computer
# Forges the sender's email address
# Uses its own emailing engine

Technical Issues:
When W32.Mydoom.AO@mm runs, it does the following:

   1. Creates the following files:

          * %System%\lsasrv.exe
          * %System%\version.ini
          * %System%\hserv.sys

            Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Adds the value:

      "lsass" = "%System%\lsasrv.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that the worm is executed every time Windows starts.

   3. Modifies the value:

      "Shell" = "explorer.exe %System%\lsasrv.exe"

      in the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

      so that the worm is executed every time Windows starts.

   4. Creates a mutex named "-=RTSW.Smash 0a2a0=-", so that only one instance of the worm will be executed on the compromised computer.

   5. Creates a text file containing garbage data only, called %UserProfile%\Local Settings\Temp\Mes#wtelw.txt. The worm uses NotePad to open the file and display the garbage text.

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).

   6. Copies itself into the shared folders of Kazaa, Morpheus, iMesh, eDonkey, or LimeWire under one of the following names:

          * porno
          * NeroBROM6.3.1.27
          * avpprokey
          * Ad-awareref01R349
          * winxp_patch
          * adultpasswds
          * dcom_patches
          * K-LiteCodecPack2.34a
          * activation_crack
          * icq2004-final
          * winamp5

            Note: The file has either a bat, pif, scr, or exe extension.

   7. Attempts to disable the following processes, which include processes associated with firewall and antivirus applications:

          * i11r54n4.exe
          * irun4.exe
          * d3dupdate.exe
          * rate.exe
          * ssate.exe
          * winsys.exe
          * winupd.exe
          * SysMonXP.exe
          * bbeagle.exe
          * Penis32.exe
          * teekids.exe
          * MSBLAST.exe
          * mscvb32.exe
          * sysinfo.exe
          * PandaAVEngine.exe
          * taskmon.exe
          * wincfg32.exe
          * outpost.exe
          * zonealarm.exe
          * navapw32.exe
          * navw32.exe
          * zapro.exe
          * msblast.exe
          * netstat.exe

   8. Downloads a file from the wmspb.net domain. At the time of this writing, the file is 8 bytes in size.

   9. Appends the following lines to the file %System%\drivers\etc\hosts to prevent access to security-related domains:

      127.0.0.1 www.symantec.com
      127.0.0.1 securityresponse.symantec.com
      127.0.0.1 symantec.com
      127.0.0.1 www.sophos.com
      127.0.0.1 sophos.com
      127.0.0.1 www.mcafee.com
      127.0.0.1 mcafee.com
      127.0.0.1 liveupdate.symantecliveupdate.com
      127.0.0.1 www.viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 www.f-secure.com
      127.0.0.1 f-secure.com
      127.0.0.1 kaspersky.com
      127.0.0.1 kaspersky-labs.com
      127.0.0.1 www.avp.com
      127.0.0.1 avp.com
      127.0.0.1 www.kaspersky.com
      127.0.0.1 www.networkassociates.com
      127.0.0.1 networkassociates.com
      127.0.0.1 www.ca.com
      127.0.0.1 ca.com
      127.0.0.1 mast.mcafee.com
      127.0.0.1 www.my-etrust.com
      127.0.0.1 my-etrust.com
      127.0.0.1 download.mcafee.com
      127.0.0.1 dispatch.mcafee.com
      127.0.0.1 secure.nai.com
      127.0.0.1 www.nai.com
      127.0.0.1 nai.com
      127.0.0.1 update.symantec.com
      127.0.0.1 updates.symantec.com
      127.0.0.1 us.mcafee.com
      127.0.0.1 liveupdate.symantec.com
      127.0.0.1 customer.symantec.com
      127.0.0.1 rads.mcafee.com
      127.0.0.1 www.trendmicro.com
      127.0.0.1 trendmicro.com
      127.0.0.1 www.grisoft.com
      127.0.0.1 grisoft.com

  10. Gathers email addresses from the Windows Address Book and from files with the following extensions:

          * .wab
          * .pl
          * .adb
          * .tbb
          * .dbx
          * .asp
          * .php
          * .sht
          * .htm
          * .txt

            It avoids email addresses that contain any of the following strings:

          * accoun
          * certific
          * listserv
          * ntivi
          * support
          * icrosoft
          * admin
          * page
          * the.bat
          * gold-certs
          * feste
          * submit
          * not
          * help
          * service
          * privacy
          * somebody
          * soft
          * contact
          * site
          * rating
          * bugs
          * you
          * your
          * someone
          * anyone
          * nothing
          * nobody
          * noone
          * webmaster
          * postmaster
          * samples
          * info
          * root
          * mozilla
          * utgers.ed
          * tanford.e
          * pgp
          * acketst
          * secur
          * isc.o
          * isi.e
          * ripe.
          * arin.
          * sendmail
          * rfc-ed
          * ietf
          * iana
          * usenet
          * fido
          * linux
          * kernel
          * google
          * ibm.com
          * fsf.
          * gnu
          * mit.e
          * bsd
          * math
          * unix
          * berkeley
          * foo
          * .mil
          * gov.
          * .gov
          * ruslis
          * nodomai
          * mydomai
          * example
          * inpris
          * borlan
          * sopho
          * panda
          * hotmail
          * msn.
          * icrosof
          * syma
          * avp
          * .edu
          * abuse
          * www
          * fcnz
          * spm

  11. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

            From:
            One of the following names:

          * Joseph
          * Ronald
          * Hannah
          * Kimberly
          * Maria
          * George
          * Charles
          * Len
          * Cissi
          * Sandra
          * Jennifer
          * Hans
          * Richard
          * Lee
          * Emily
          * Helen
          * Elizabeth
          * Donald
          * David
          * Harris
          * Nicholas
          * Betty
          * Barbara
          * Mark
          * William
          * Martin
          * Ethan
          * Karen
          * Linda
          * Paul
          * Michael
          * Edward
          * Cynthia
          * Nancy
          * Patricia
          * Daniel
          * Robert
          * Olivia
          * Angela
          * Dorothy
          * Kevin
          * Christopher
          * John
          * Josefine
          * Melissa
          * Susan
          * Anthony
          * Thomas
          * James

            With one of the following domains:

          * compuserve.com
          * juno.com
          * earthlink.net
          * yahoo.co.uk
          * hotmail.com
          * yahoo.com
          * msn.com
          * aol.com


            Subject:
            One of the following:

          * Attention!!!
          * Do not reply to this email
          * Error
          * Good day
          * hello
          * Mail Delivery System
          * Mail Transaction Failed
          * Server Report
          * Status


            Message body:
            One of the following:

          * The message contains Unicode characters and has been sent as a binary attachment.
          * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
          * Mail transaction failed. Partial message is available.
          * Thank you for registering at WORLDXXXPASS.COM
            All your payment info, login and password you can find in the attachment file.
            It's a real good choise to go to WORLDXXXPASS.COM
          * Attention! New self-spreading virus!
            Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
            To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
            c 2004 Networks Associates Technology, Inc. All Rights Reserved
          * New terms and conditions for credit card holders
            Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
            Thank you,
            The World Bank Group
            c 2004 The World Bank Group, All Rights Reserved
          * Attention! Your IP was logged by The Internet Fraud Complaint Center
            Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
            This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center


            Attachment name:
            One of the following:

          * body
          * message
          * docs
          * data
          * file
          * rules
          * doc
          * readme
          * document

            With one of the following extensions:

          * .bat
          * .cmd
          * .exe
          * .pif
          * .scr
          * .zip
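
The four characteristics listed above (sender name, sender domain, subject, attachment name plus extension) make a usable gateway rule. The following is an added example, not code from the advisory or the vendor, that scores a message against them; all indicator values are copied from the lists above, the sample messages are constructed, and whether the worm puts the name in the display name or in the local part of the address is an assumption, so both are checked.

```python
# Added example (not from the advisory): score an inbound message against the
# mass-mailer characteristics listed above, for a gateway rule or quarantine
# triage. All indicator values are copied from the advisory's lists.
import os
from email.utils import parseaddr

SENDER_NAMES = {n.lower() for n in (
    "Joseph", "Ronald", "Hannah", "Kimberly", "Maria", "George", "Charles",
    "Len", "Cissi", "Sandra", "Jennifer", "Hans", "Richard", "Lee", "Emily",
    "Helen", "Elizabeth", "Donald", "David", "Harris", "Nicholas", "Betty",
    "Barbara", "Mark", "William", "Martin", "Ethan", "Karen", "Linda", "Paul",
    "Michael", "Edward", "Cynthia", "Nancy", "Patricia", "Daniel", "Robert",
    "Olivia", "Angela", "Dorothy", "Kevin", "Christopher", "John", "Josefine",
    "Melissa", "Susan", "Anthony", "Thomas", "James",
)}
SENDER_DOMAINS = {"compuserve.com", "juno.com", "earthlink.net", "yahoo.co.uk",
                  "hotmail.com", "yahoo.com", "msn.com", "aol.com"}
SUBJECTS = {s.lower() for s in (
    "Attention!!!", "Do not reply to this email", "Error", "Good day", "hello",
    "Mail Delivery System", "Mail Transaction Failed", "Server Report", "Status",
)}
ATTACHMENT_BASES = {"body", "message", "docs", "data", "file", "rules", "doc",
                    "readme", "document"}
ATTACHMENT_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}


def match_indicators(from_header: str, subject: str, attachment: str) -> dict:
    """Return, per characteristic, whether the message matches the advisory.

    The From header is parsed with email.utils.parseaddr. The advisory does
    not say whether the name appears as display name or as the local part of
    the address, so both are checked (an assumption of this example)."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    base, ext = os.path.splitext(attachment.strip())
    return {
        "sender_name": display.strip().lower() in SENDER_NAMES
                       or local.lower() in SENDER_NAMES,
        "sender_domain": domain.lower() in SENDER_DOMAINS,
        "subject": subject.strip().lower() in SUBJECTS,
        # name AND extension must both match: 'readme.txt' is not an indicator
        "attachment": base.lower() in ATTACHMENT_BASES
                      and ext.lower() in ATTACHMENT_EXTS,
    }


def is_suspect(from_header: str, subject: str, attachment: str,
               threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` of the four characteristics
    match. Subjects such as 'Error' or 'Status' and free-mail domains are
    common in legitimate mail, so a single hit is deliberately not enough."""
    hits = match_indicators(from_header, subject, attachment)
    return sum(hits.values()) >= threshold


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("Hannah <hannah@yahoo.com>", "Mail Delivery System", "message.zip"),
    ("IT Helpdesk <support@example.org>", "Error", "readme.txt"),
]

if __name__ == "__main__":
    for frm, subj, att in SAMPLES:
        print(frm, "|", subj, "|", att, "->", is_suspect(frm, subj, att),
              match_indicators(frm, subj, att))
```

The threshold is the tuning knob: three of four matches is strict enough to avoid quarantining every "Error" from a Yahoo address, while the executable-attachment check alone (any of the six extensions) is worth a separate, unconditional block at the gateway.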


local root exploits in Linux kernel

Problem Description
===================
There exist several vulnerabilities in the Linux kernel, some of
which can be exploited by local users to obtain root privileges.

In detail:
CAN-2004-0814: Multiple race conditions in the terminal layer in Linux 2.4.x,
and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel
data, or (2) remote attackers to cause a denial of service (panic).

CAN-2004-1056: Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does
not properly check the DMA lock, which could allow remote attackers or local
users to cause a denial of service (X Server crash) and possibly modify the
video output.

CAN-2004-0883 and CAN-2004-0949: Multiple vulnerabilities in the samba
filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to
cause a denial of service (crash) or gain sensitive information from kernel
memory. Furthermore, the smb_recv_trans2 function in smbfs in Linux kernel
2.4 and 2.6 does not properly handle the re-assembly of fragmented packets,
which could allow remote samba servers to (1) read arbitrary kernel
information or (2) raise a counter value to an arbitrary number by sending
the first part of the fragmented packet multiple times.

CAN-2004-1070, 1071, 1072, 1073: The binfmt_elf loader (binfmt_elf.c) in
Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly
check return values from calls to the kernel_read function, which may allow
local users to modify sensitive memory in a setuid program. Furthermore,
the loader does not properly handle a failed call to the mmap function,
which causes an incorrect mapped image. It may also create an interpreter
name string that is not NULL terminated, which could cause strings longer
than PATH_MAX to be used, leading to buffer overflows. Finally, the open_exec
function in the execve functionality allows local users to read non-readable
ELF binaries by using the interpreter (PT_INTERP) functionality. Any of these
vulnerabilities can allow the execution of arbitrary code.

CAN-2004-1074: The binfmt functionality in the Linux kernel, when "memory
overcommit" is enabled, allows local users to cause a denial of service
(kernel oops) via a malformed a.out binary.

CAN-2004-1016: The scm_send function in the scm layer for Linux kernel 2.4.x
up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of
service (system hang) via crafted auxiliary messages that are passed to the
sendmsg function, which causes a deadlock condition.

CAN-2004-1068: A "missing serialization" error in the unix_dgram_recvmsg
function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local
users to gain privileges via a race condition.

CAN-2004-1234: load_elf_binary in Linux before 2.4.26 allows local users to
cause a denial of service (system crash) via an ELF binary in which the
interpreter is NULL.

CAN-2004-1235: Race condition in the (1) load_elf_library and (2) binfmt_aout
function calls for uselib in Linux kernel 2.4 through 2.4.29-rc2 and 2.6
through 2.6.10 allows local users to execute arbitrary code by manipulating
the VMA descriptor.

CAN-2005-0001: Race condition in the page fault handler (fault.c) for Linux
kernel 2.2.x to 2.2.7, 2.4 to 2.4.29-rc1, and 2.6 to 2.6.10, when running on
multiprocessor machines, allows local users to execute arbitrary code via
concurrent threads that share the same virtual memory space and simultaneously
request stack expansion.

Affected Systems
================
All Linux kernel versions 2.4.x, x <= 28 and 2.6.y, y <= 10.
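
Deciding whether a given machine is affected needs two different checks, and the following added example (not code from the advisory) shows both. For a vanilla kernel the upstream number against the stated bounds is enough; for a distribution kernel it is not, because vendors backport fixes without changing the upstream number, so the installed package's version-release label has to be compared with the fixed package named in the Solution section below. The package labels in the code are copied from that section; the version comparison is a simplified rpmvercmp written for this example.

```python
# Added example (not from the advisory): check a kernel version against the
# advisory's affected range in two ways. `upstream_affected` applies the
# stated bounds (2.4.x, x <= 28; 2.6.y, y <= 10) to a vanilla kernel.
# `distro_affected` compares an installed package's version-release label
# with the fixed package the advisory names for that distribution.
import re

# First unaffected upstream release of each series, from the Solution section.
FIXED_UPSTREAM = {(2, 4): 29, (2, 6): 11}

# Fixed package labels (VERSION-RELEASE) copied from the Solution section for
# the distributions whose package names make the label unambiguous.
FIXED_PACKAGES = {
    "SuSE-8.1": "2.4.21-273",
    "SuSE-9.0": "2.4.21-273",
    "SuSE-9.1": "2.6.5-7.145",
    "SuSE-9.2": "2.6.8-24.11",
    "Fedora 2": "2.6.10-1.9_FC2",
    "Fedora 3": "2.6.10-1.741_FC3",
    "RedHat 7.3": "2.4.20-43.7",
}


def parse_kernel_version(release: str):
    """Split a `uname -r` string into (major, minor, patch, suffix); the
    distribution suffix such as '-24.11-default' is returned separately."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def upstream_affected(release: str) -> bool:
    """True when the upstream number is below the fixed release of its series.
    Series other than 2.4 and 2.6 are outside the advisory's Affected Systems
    statement and yield False. Only meaningful for vanilla kernels."""
    major, minor, patch, _ = parse_kernel_version(release)
    fixed = FIXED_UPSTREAM.get((major, minor))
    return fixed is not None and patch < fixed


def _segments(label: str) -> list:
    # Alternating numeric and alphabetic runs; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", label)


def rpm_label_compare(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1, 0 or 1. Numeric segments compare as integers
    (so 24.9 < 24.11, unlike a string compare), alphabetic ones lexically, and
    a numeric segment outranks an alphabetic one in the same position. Real
    rpm compares epoch, version and release as separate fields; here the whole
    label is one sequence, which is sufficient for the labels above."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xn != yn:
            return 1 if xn else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def distro_affected(distro: str, installed_label: str) -> bool:
    """True when the installed label (for instance from
    `rpm -q --qf '%{VERSION}-%{RELEASE}' kernel`) is older than the fixed
    package for that distribution."""
    return rpm_label_compare(installed_label, FIXED_PACKAGES[distro]) < 0


if __name__ == "__main__":
    for rel in ("2.4.27", "2.4.29", "2.6.10", "2.6.11"):
        print(rel, "upstream affected:", upstream_affected(rel))
    # A SuSE 9.2 box: the upstream number 2.6.8 looks affected, but the
    # package is the fixed one.
    print("SuSE-9.2 2.6.8-24.11 affected:",
          distro_affected("SuSE-9.2", "2.6.8-24.11"))
```

The case worth remembering is the last line: `uname -r` on a patched SuSE 9.2 system still reports 2.6.8, so a scanner that only parses the upstream number reports a false positive, and one that only trusts the upstream number on an unpatched vendor kernel would miss a real one.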

Solution
========
Upgrade to linux-2.4.29 or linux-2.6.11, or to the patched kernel packages
your distribution provides (listed below).

SuSE-8.1
--------
rpm -ivh k_<type>-2.4.21-273.i586.rpm
where <type> is one of deflt, smp, athlon, psmp.

rpm -Fvh kernel-source-2.4.21-273.i586.rpm

SuSE-8.2
--------
rpm -ivh k_<type>-2.4.20.SuSE-129.i586.rpm
where <type> is one of deflt, smp, athlon, psmp.

rpm -Fvh kernel-source-2.4.20.SuSE-129.i586.rpm

SuSE-9.0
--------
rpm -ivh k_<type>-2.4.21-273.i586.rpm
where <type> is one of deflt, smp, athlon.

rpm -Uvh kernel-source-2.4.21-273.i586.rpm

SuSE-9.1
--------
rpm -ivh kernel-<type>-2.6.5-7.145.i586.rpm
where <type> is one of default, smp, bigsmp.

rpm -Fvh kernel-source-2.6.5-7.145.i586.rpm

SuSE-9.2
--------
rpm -ivh kernel-<type>-2.6.8-24.11.i586.rpm
where <type> is one of default, smp, bigsmp, um.

rpm -Fvh kernel-source-2.6.8-24.11.i586.rpm

Fedora 2
--------
rpm -ivh kernel<type>-2.6.10-1.9_FC2.<arch>.rpm
where <type> is either empty or smp and <arch> is either i586 or i686.

rpm -Fvh kernel-sourcecode-2.6.10-1.9_FC2.noarch.rpm \
         kernel-doc-2.6.10-1.9_FC2.noarch.rpm

Fedora 3
--------
rpm -ivh kernel<type>-2.6.10-1.741_FC3.<arch>.rpm
where <type> is either empty or smp and <arch> is either i586 or i686.

rpm -Fvh kernel-doc-2.6.10-1.741_FC3.noarch.rpm

RedHat 7.3
----------
(updates available from ftp.sfu.ca/pub/linux/7.3/RPMS)
rpm -ivh kernel<type>-2.4.20-43.7.<arch>.rpm
where <type> is either empty or one of smp, bigmem and <arch> is one
of i386, i586, i686, or athlon.

rpm -Fvh kernel-source-2.4.20-43.7.i386.rpm \
         kernel-doc-2.4.20-43.7.i386.rpm

Mandrake 9.2
------------
rpm -ivh kernel<type>-2.4.22.41mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
secure or smp.

rpm -Fvh kernel-source-2.4.22-41mdk.i586.rpm

Mandrake 10.0
-------------
Both 2.4 and 2.6 kernels are available.

2.4 kernel:
rpm -ivh kernel<type>-2.4.25.13mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
or smp.

rpm -Fvh kernel-source-2.4.25-13mdk.i586.rpm

2.6 kernel:
rpm -ivh kernel<type>-2.6.3.25mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
secure or smp.

rpm -Fvh module-init-tools-3.0-1.2.1.100mdk.i586.rpm \
         kernel-source-2.4.25-13mdk.i586.rpm \
         kernel-source-stripped-2.6.3-25mdk.i586.rpm

Mandrake 10.1
-------------
Both 2.4 and 2.6 kernels are available.

2.4 kernel:
rpm -ivh kernel<type>-2.4.28.0.rc1.5mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i586-up-1GB or smp.

rpm -Fvh kernel-source-2.4-2.4.28-0.rc1.5mdk.i586.rpm

2.6 kernel:
rpm -ivh kernel<type>-2.6.8.1.24mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i586-up-1GB, i686-up-64GB,
secure or smp.

rpm -Fvh kernel-source-2.6-2.6.8.1-24mdk.i586.rpm \
         kernel-source-stripped-2.6-2.6.8.1-24mdk.i586.rpm

Debian
------
Updated kernel packages do not seem to be available yet.


UDF Worm

Security Alert 01/27/2005

The UDF Worm is self-propagating code that is finding MySQL servers running on Microsoft Windows with poor firewall and password security.

This worm does not exploit any bugs in MySQL. It does exploit poor security setups for firewalls and passwords.

This worm is Microsoft Windows specific; it is unlikely to infect any Linux or UNIX compatible environments.

The UDF Worm looks for MySQL servers running on Microsoft Windows that have been exposed to the internet and have either weak or no passwords installed on the account named "root". Once it finds an account it installs a UDF, and then uses that machine to infect other machines.

To find out whether you are affected by the UDF worm:

Run the following SQL statement: SELECT * FROM mysql.func;

If a UDF is found with a name of "app_result" then you have been infected with the worm.

You should look at all UDFs and determine whether or not they are legitimate. The worm is likely to mutate over time and will take on different UDF names.

If you are infected by the UDF worm:

You may be able to remove the worm by running the following SQL statement:

DROP FUNCTION app_result;

Removing the worm does not secure a compromised machine. For one discussion of how to secure a compromised Microsoft Windows machine, please see this article.

To prevent the worm from connecting to your database you should verify that all of your current accounts have passwords and that they are strong passwords (i.e. not easily guessable).

And remember to use firewalls and strong passwords to protect your MySQL Servers.

Please consult your security advisors for the best way to protect your systems.

How to protect yourself from getting infected by the UDF worm:

There are 2 basic steps to protect your MySQL Servers:

   1. Always use strong passwords on all accounts.
   2. Use firewalls to protect your MySQL Servers.

To find out more about Windows security and firewalls, please refer to ARNIT Windows security tips at: http://www.arnit.net/security/sectips.php?platform=windows
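
The alert's three manual steps (inspect mysql.func, drop what is not legitimate, make sure every account has a password and is not exposed) can be run as one audit. The following is an added example, not code from the alert or from MySQL: it takes rows as the two SELECT statements would return them and reports what needs attention. The rows are constructed, the allowlist of deliberately installed UDFs is hypothetical, and the Password column name is the MySQL 4.x/5.0 one (newer releases use authentication_string).

```python
# Added example (not from the alert): turn the alert's manual checks into an
# audit over rows fetched from the server. Rows here are constructed; on a
# live server they come from `SELECT name, dl FROM mysql.func` and
# `SELECT User, Host, Password FROM mysql.user`.
import ntpath

WORM_UDF_NAME = "app_result"   # the name the alert associates with the worm

# Assumed allowlist of UDFs the DBA installed on purpose: name -> library file.
# The single entry is hypothetical.
KNOWN_UDFS = {"lib_mysqludf_sys_info": "lib_mysqludf_sys.dll"}

PRIVILEGED_USERS = {"root"}


def audit_udfs(rows, allowlist=KNOWN_UDFS):
    """Return (name, dl, reason) for every UDF row that needs attention.
    Because the alert expects the worm to change names, anything outside the
    allowlist is reported, not only 'app_result'."""
    findings = []
    for name, dl in rows:
        if name == WORM_UDF_NAME:
            findings.append((name, dl, "matches the UDF worm indicator"))
        elif name not in allowlist:
            findings.append((name, dl, "UDF not in the allowlist"))
        elif ntpath.basename(dl) != allowlist[name]:   # ntpath: Windows paths
            findings.append((name, dl, "unexpected library for this UDF"))
    return findings


def removal_statements(findings):
    """The DROP FUNCTION statements the alert recommends, one per finding,
    with the name backtick-quoted so odd characters cannot alter the SQL."""
    return ["DROP FUNCTION `%s`;" % name.replace("`", "``")
            for name, _, _ in findings]


def audit_accounts(rows, privileged=PRIVILEGED_USERS):
    """Return (user, host, reason) for accounts the alert's prevention steps
    object to: any account without a password, and a privileged account that
    accepts connections from any host ('%'), which defeats the firewall
    advice wherever the port is reachable."""
    findings = []
    for user, host, password in rows:
        if password == "":
            findings.append((user, host, "empty password"))
        if user in privileged and host == "%":
            findings.append((user, host, "privileged account open to any host"))
    return findings


# Constructed sample data, modelled on an infected Windows MySQL 4.x server.
SAMPLE_FUNC_ROWS = [
    ("app_result", "app_result.dll"),
    ("lib_mysqludf_sys_info", r"C:\mysql\lib\plugin\lib_mysqludf_sys.dll"),
    ("my_helper", "helper.dll"),
]
SAMPLE_USER_ROWS = [
    ("root", "localhost", ""),
    ("root", "%", "*CONSTRUCTED_HASH_PLACEHOLDER"),
    ("app", "10.0.0.%", "*CONSTRUCTED_HASH_PLACEHOLDER"),
]

if __name__ == "__main__":
    udf_findings = audit_udfs(SAMPLE_FUNC_ROWS)
    for finding in udf_findings:
        print("UDF:", finding)
    print("\n".join(removal_statements(udf_findings)))
    for finding in audit_accounts(SAMPLE_USER_ROWS):
        print("account:", finding)
```

Dropping the function only removes the worm's hook; as the alert says, the host itself still has to be treated as compromised, and the account findings are what stop the next variant from walking in the same way.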


Fake Email from RBC Royal Bank

There have been numerous reports of a newly spread fake email from "RBC Royal Bank".
This email asks you to go to a web site "http://rbc.servicesadmin.info" to confirm your credit card information. If you investigate this link closely, you will find that it refers to a subdomain "RBC" of "servicesadmin.info". It is obvious that this is a fake website since the main domain is a DNS forwarder.

Below is the original email content:


From:         Royal Bank <security@rbcroyalbank.com>


RBC Royal Bank

Account Confirmation Required!

Dear Valued Royal Bank Banking Client,

Recently there have been a large number of identity theft attempts targeting Royal Bank customers. In order to safeguard your account we require that you confirm your banking details. This process is mandatory.

You may do so by clicking Herehttp://rbc.servicesadmin.info/ and submitting the required information .

Failure to do so may result in a temporary cessation of your account services pending submission. Thank you for your prompt attention to this matter and your co-operation in helping us maintain the integrity of our customers accounts.

Please do not reply to this e-mail, as this is an unmonitored alias. If you require further assistance refer to our support centre.

Royal Bank respects your privacy.Click here to read the Royal Bank Group Privacy Policy Statement.

Electronic Banking services are issued by the Royal Bank.
(Electronic Banking services include telephone banking, Netbank and Bpay).
Product Disclosure Statement (PDS) is available for these products on this website or from any branch of the Royal Bank.

rbcroyalbank.com is operated by Royal Bank of Canada.
Royal Bank of Canada 1995 - 2004
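
The check the advisory does by eye, the link's real domain versus the domain the sender claims, is easy to automate. The following is an added example, not code from the advisory: it takes the link and sender address quoted above, compares the registrable domains, and reports the brand name relegated to a subdomain label. Taking the last two labels as the registrable domain is an assumption of this example (right for .com and .info, wrong for suffixes such as .co.uk), as is the brand keyword list.

```python
# Added example (not from the advisory): the advisory's manual check as code.
# Compare the domain the link points at with the sender's domain, and report
# a brand name used as a subdomain label (as in "rbc." here).
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. This stands in for a public-suffix lookup
    (an assumption of this example): right for .com/.info, wrong for
    multi-label suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(link_url: str, sender_addr: str,
                 brand_keywords=("rbc", "royalbank")) -> dict:
    """Compare where the link points with who the mail claims to be from."""
    parsed = urlparse(link_url)
    host = (parsed.hostname or "").lower()
    link_domain = registrable_domain(host)
    sender_domain = registrable_domain(sender_addr.rpartition("@")[2])
    # Labels left of the registrable domain: ['rbc'] for rbc.servicesadmin.info
    subdomain_labels = host.split(".")[:-2]
    brand_labels = [lbl for lbl in subdomain_labels
                    if any(k in lbl for k in brand_keywords)]
    mismatch = link_domain != sender_domain
    return {
        "link_host": host,
        "link_domain": link_domain,
        "sender_domain": sender_domain,
        "domain_mismatch": mismatch,
        "brand_in_subdomain": brand_labels,
        "plain_http": parsed.scheme == "http",
        # A mismatch alone is weak (banks do use separate service domains);
        # a mismatch plus the brand pushed into a subdomain is the classic sign.
        "suspicious": mismatch and bool(brand_labels),
    }


# Values quoted in the advisory above.
PHISH_LINK = "http://rbc.servicesadmin.info/"
CLAIMED_SENDER = "security@rbcroyalbank.com"

if __name__ == "__main__":
    for key, value in analyse_link(PHISH_LINK, CLAIMED_SENDER).items():
        print(f"{key:20} {value}")
```

For the quoted message the result is link_domain "servicesadmin.info" against sender_domain "rbcroyalbank.com", with "rbc" found as a subdomain label and the page served over plain HTTP; a genuine link under www.rbcroyalbank.com produces no mismatch and no finding.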



