|
 |
|
 |
| Sunday, September 05, 2010
|
| Register Login |
 |
|
|
|
|
Users currently online
|
 |
|
|
|
 |
Membership: |
 |
Latest:
SullyC |
 |
New Today:
0 |
 |
New Yesterday:
0 |
 |
Overall:
53 |
 |
People Online: |
 |
Visitors:
1 |
 |
Members:
0 |
 |
Total:
1 |
Online Now:
|
|
|
|
|
|
|
|
|
|
Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
|
|
|
|
|
|
Viruswarn Forums
|
|
|
|
|
| You are not authorized to post a reply.
|
|
| Author |
Messages |
|
Lee Drake
Posts:238
 |
| 05/20/2002 1:38 PM |
|
| I've received 4 copies of a virus that is so new even my very updated Norton signatures didn't catch it (however McAfee latest signatures did). The new virus is the "Anna Kournikova" virus, and includes a file named ANNAKOURNIKOVA.JPG.VBS. This virus executes a vbscript that performs a number of nasties on your system, including emailing itself to everyone. It's spreading VERY quickly. I rate this alert a HIGH PRIORITY alert.
What It Does
This script was created by a worm generating tool. As such, the particulars of its actions may vary. The most common variant functions as follows.
When run, the encrypted script copies itself to the WINDOWS directory as "AnnaKournikova.jpg.vbs". It attempts to mail a separate email message, using MAPI messaging, to all recipients in the Windows Address Book using the following information:
Subject: Here you have, ;o)
Body:
Hi:
Check This!
Attachment: AnnaKournikova.jpg.vbs
It also creates a registry key and key values. The script refers to these values to check if the mailing routine has already taken place:
HKEY_USERS\.DEFAULT\Software\OnTheFly
HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=(1 for yes)
On January 26th, the script attempts to connect to the web site http://www.dynabyte.nl
How to Protect Yourself
As always, the best protection against such attacks is to use caution when opening messages of a suspicious nature that arrive from people you know. This goes double for messages that come with attachments. Regretfully, the best policy to have with regard to mail with attachments is to confirm by another means that the message is authentic before you open it. You can most easily do this by sending a new message to the person who sent you the unexpected attachment. If the sender replies that he or she did not send you such a message, discard the message and its attachment at once and ask the sender to investigate.
Additionally, most good antivirus programs these days will scan and clean incoming email messages BEFORE they hit your email client. Norton Antivirus for instance has this ability. Be sure it's enabled and your virus signatures are up to date.
If you feel the need for additional protection, see the instructions below for how to enable heuristic scanning.
Caution!
Be aware that heuristic scanning may raise some false alarms. You should carefully investigate and confirm any alert raised by your software's heuristic scanner before you hit the panic button. Get expert assistance in this regard if necessary. You will recognize such a message as follows:
Symantec will tell you that the report is from Hound Dog, which is what they call their heuristic scanning module.
McAfee will identify the virus as being of "unknown type" or "New VBS."
Here are the instructions for several common brands of anti-virus software:
Symantec NAV 5.0:
1. Click Options.
2. Click the Scanner tab.
3. Click Heuristics.
4. Make sure that "Enable Bloodhound" is checked.
5. Move the slider all the way to the right, and then click OK.
6. Click the Auto-Protect tab.
7. Click Heuristics.
8. Make sure that "Enable Bloodhound" is checked.
9. Move the slider all the way to the right, and then click OK.
10. Click OK.
Symantec NAV 2000:
1. Click Options.
2. In the Options list, double-click Manual Scans.
3. In the Options list, under Manual Scans, click Bloodhound.
4. Make sure that "Enable Bloodhound" is checked.
5. Move the slider to Highest level of protection.
6. In the Options list, double-click Auto-Protect.
7. In the Options list, under Auto-Protect, click Bloodhound.
8. Make sure that "Enable Bloodhound" is checked.
9. Move the slider to Highest level of protection.
10. Click OK.
McAfee VirusScan 4.5:
1. Right-click the VirusScan Console icon in the lower right corner of your task bar.
2. Highlight Vshield.
3. Click Task, then Properties.
4. Click Configure.
5. Click the button marked "Advanced."
6. Check the box marked "Enable heuristic scanning."
7. Click "Enable macro and program file heuristics scanning" to fully enable the feature.
8. Click the button marked "Apply" to enable the new settings.
9. Click the button marked "Download Scan."
10. Click the button marked "Advanced."
11. Check the box marked "Enable heuristic scanning."
12. Click "Enable macro and program file heuristics scanning" to fully enable the feature.
13. Click the button marked "Apply" to enable the new settings.
14. Click on the "OK" button.
15. The system will prompt. "System Scan will be loaded on startup. Would you like to load it now?" Click Yes to do so.
Further Details
For those who are interested, you can read further about this worm at any of the following locations:
McAfee: http://vil.mcafee.com/dispVirus.asp?virus_k=99011&
Symantec: http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html
F-Secure/DataFellows: http://www.europe.f-secure.com/v-descs/onthefly.shtml
NIPC: None in particular found
Summary
Never open attachments you're not expecting. Keep your signatures up to date and turn on heuristics. Be wary of messages with attachments that don't have adequate and plausible explanations, and that you are expecting. NEVER open anything with a .vbs attachment (no matter what's before it).
This concludes this VirusWarn notice.
Lee Drake, Moderator |
|
|
|
|
|
| You are not authorized to post a reply. |
|
|
|
ActiveForums 3.6
|
|
|
|
|
|
|
|
|
|
|
|