Viruswarn Forums

Lee Drake (Posts: 238) | 05/20/2002 1:35 PM

Within the last few days, we have had several encounters with the so-called "Matcher." This is an Internet worm that spreads using the Outlook address book. Unlike many of the recent worms, this one arrives as an executable file called MATCHER.EXE.
Protecting Yourself
As always, the easiest way to protect yourself is to avoid opening strange looking or unexpected attachments, even if they arrive from someone that you know. Since most of the recent worms spread themselves using the sender's address book, they will almost always arrive from someone you know or someone else at your own company.
That is exactly what happened at one of my clients, which is located in Singapore. The worm arrived at the desk of a user on the company's brand new Exchange 2000 server and spread using the corporate address book. That address book includes a mailing list that is used to send announcements to all 20,000 of their users. That is how I had my first encounter with the worm.
Virus Scanners, Your Second Line of Defense
Your second line of defense is your anti-virus software.
McAfee
Quoting from the report posted by Network Associates, Inc. at http://vil.nai.com/vil/virusSummary.asp?virus_k=99072:
This threat is detected heuristically with the current engine and 4096 DATs (released in September, 2000) as "New Backdoor". Specific detection is included in the 4134 DATs.
In plain English, this means that:
If you have a reasonably recent installation or engine and data file update and if you have enabled heuristic scanning, the worm will be detected.
If you have the 4134 data files which were released yesterday, the worm will be detected whether or not you have enabled heuristic scanning.
Since heuristic scanning is disabled by default, you will need to either enable it or update your data files. Updating your data files regularly (at least monthly) is a generally good idea.
Norton
At http://www.symantec.com/avcenter/venc/data/w32.matcher.html, Symantec, the company that makes Norton Anti-Virus, indicates that this worm is widely distributed. It gives the following step-by-step instructions for removal.
To remove this worm, delete all detected files, remove the entry that it made to the registry \Run key, and delete the entry that it made to the \Autoexec.bat file.
To remove this worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Matcher
To edit the registry:
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. If you do not thoroughly understand these instructions, get competent professional help!
Please see the document http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 (How to back up the Windows registry) before proceeding.
1. Click Start, and then click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following value:
(Default) <\Windows\System folder> \Matcher.exe
5. Click Registry and then click Exit to save the changes.
To edit the Autoexec.bat file:
1. Click Start and then click Run.
2. Type the following and then press Enter:
edit c:\autoexec.bat
3. Locate the following lines and delete them:
@echo off
echo from: Bugger
pause
4. Click File and then click Save.
5. Click File and then click Exit.
Mitigating Factors
To operate, this worm needs two things to be installed on a computer:
1) The Visual Basic 6 (or higher) runtime library. This may be installed without your knowledge by any one of a number of applications. According to F-Secure, the name of this library file is MSVBVM60.DLL.
2) Microsoft Outlook.
It needs the library in order to run at all and it needs the address book to propagate.
This worm does relatively little damage to infected machines and is relatively easy to remove. The most serious risk it poses is probably to large Microsoft Exchange Server installations that host mail boxes for infected users. Consequently, some of our clients prohibit executable attachments from entering their servers.
The Gory Details - What It Does
As recent worms go, this one is fairly benign. The write-ups posted by Symantec and Network Associates are almost identical. The following is quoted primarily from the write-up posted by Network Associates at http://vil.nai.com/vil/virusSummary.asp?virus_k=99072.
This mass mailing worm requires the Visual Basic 6 (or higher) runtime library to function. When run, it copies itself to the WINDOWS SYSTEM directory as Matcher.exe and creates a registry run key to load the worm at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)=%SysDir%\matcher.exe
Once running, the program attempts to email itself to everyone in the Outlook Address book using the following information:
Subject: Matcher
Body: Want to find your love mates!!! Try this its cool... Looks and Attitude Maching to opposite sex.
Attachment: Matcher.exe
The worm also attempts to modify the AUTOEXEC.BAT file as follows:
@echo off
echo from: Bugger
pause
At http://www.europe.f-secure.com/v-descs/matcher.shtml, the F-Secure Web site adds the following information.
Matcher is an e-mail worm written in Visual Basic. It was first discovered on April 18th, 2001. The worm's file is a PE executable about 29kb long. The worm file is not encrypted or packed. To be run the worm requires MSVBVM60.DLL library to be present in a system.
When the worm's file is run, it installs itself to system by copying itself as MATCHER.EXE to \Windows\System\ folder and modifying a startup key in the Registry to be always run with Windows. The worm then connects to Outlook, reads e-mail addresses from Address Book and sends itself as MATCHER.EXE to all these addresses. In some cases the worm repeats sending itself every 1 minute. As a result mail servers might be overloaded with worm's messages.
This last sentence is important and probably accounts for the multiple instances that we have seen on the Singapore client's mail system. It represents a potentially serious risk to large mail servers.
This concludes this VirusWarn notice.
Lee Drake, Moderator
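The following Python script is an added example and is not part of the original notice or of any vendor write-up. It turns the three indicators the notice quotes (the Run-key value launching matcher.exe, the three lines appended to AUTOEXEC.BAT, and the fixed subject line and attachment name of the worm's mail) into checks a defender could run against a registry export, an AUTOEXEC.BAT file, or an inbound message. The sample registry export, AUTOEXEC.BAT contents and e-mail message are constructed here; the `.reg` export format, the example addresses and the list of attachment extensions treated as executable are assumptions, since the notice only says that some sites block "executable attachments".

```python
"""Defensive checks for the W32.Matcher indicators quoted in the notice.

Three checks, each run here against constructed sample input:
  1. a Run-key export (.reg format) is scanned for a value that launches matcher.exe;
  2. an AUTOEXEC.BAT is cleaned of the three-line block the worm appends, without
     touching an ordinary "@echo off" that was already in the file;
  3. an inbound message is flagged by the worm's subject line, by its attachment
     name, or by a blanket "no executable attachments" gateway policy.
"""
import email
import ntpath
import os
from email import policy
from email.message import EmailMessage

# Indicators as given in the Network Associates / Symantec / F-Secure write-ups.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_FILE = "matcher.exe"
AUTOEXEC_PAYLOAD = ["@echo off", "echo from: Bugger", "pause"]
MAIL_SUBJECT = "Matcher"
# Assumed gateway policy list; the notice only says "executable attachments".
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr"}


def find_run_key_hits(reg_export: str) -> list[tuple[str, str]]:
    """Return (value_name, command) pairs under the Run key whose target is matcher.exe.

    Input is the text of a regedit export; the default value appears as "@=" there,
    which is the slot the worm writes.
    """
    hits, section = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or section.lower() != RUN_KEY.lower() or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        # .reg files double every backslash inside quoted strings.
        value = value.strip().strip('"').replace("\\\\", "\\")
        if ntpath.basename(value).lower() == WORM_FILE:
            hits.append((name, value))
    return hits


def clean_autoexec(text: str) -> tuple[str, int]:
    """Remove each exact occurrence of the worm's three-line block; keep everything else.

    Only the complete block is removed, so a legitimate "@echo off" elsewhere in the
    file survives. Returns (cleaned_text, blocks_removed).
    """
    wanted = [p.lower() for p in AUTOEXEC_PAYLOAD]
    lines = text.splitlines()
    kept, removed, i = [], 0, 0
    while i < len(lines):
        window = [l.strip().lower() for l in lines[i:i + len(wanted)]]
        if window == wanted:
            removed += 1
            i += len(wanted)
            continue
        kept.append(lines[i])
        i += 1
    cleaned = "\n".join(kept)
    if kept and text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


def flag_message(raw: bytes) -> list[str]:
    """Return the reasons an inbound message should be held (empty list means clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() == MAIL_SUBJECT.lower():
        reasons.append("subject matches the worm's fixed subject line")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == WORM_FILE:
            reasons.append(f"attachment {name} is the worm's own file name")
        elif os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
            reasons.append(f"attachment {name} is an executable, blocked by policy")
    return reasons


# Constructed sample inputs (not real captures).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\SYSTEM\\matcher.exe"
"LegitApp"="C:\\Program Files\\Legit\\legit.exe"
"""

SAMPLE_AUTOEXEC = (
    "@echo off\n"                                   # the machine's own line: must survive
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
    "@echo off\n"                                   # start of the block the worm appends
    "echo from: Bugger\n"
    "pause\n"
)


def build_sample_message() -> bytes:
    """Construct a message shaped like the worm's mail (placeholder bytes, not the worm)."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = MAIL_SUBJECT
    m.set_content("Want to find your love mates!!! Try this its cool...")
    m.add_attachment(b"placeholder, not an executable", maintype="application",
                     subtype="octet-stream", filename="Matcher.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print("Run key hits:", find_run_key_hits(SAMPLE_REG))
    cleaned, n = clean_autoexec(SAMPLE_AUTOEXEC)
    print(f"AUTOEXEC.BAT blocks removed: {n}\n{cleaned}")
    print("Mail verdict:", flag_message(build_sample_message()))
```

The AUTOEXEC.BAT cleaner deliberately matches the whole three-line block rather than deleting every "@echo off" it finds, because that line is also the normal first line of many AUTOEXEC.BAT files; the sample input keeps one such line to show it survives. The registry check looks at the file name of the command rather than the value name, since the worm uses the (Default) slot but a variant or a second infection could land under any name.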