| Sunday, September 05, 2010
Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
Viruswarn Forums
Lee Drake Posts:238
 |
| 05/20/2002 1:44 PM |
In addition to the excellent information in Lee's note, I shall add that a
check of the NAI (Corporate/Enterprise Users) Web site confirms that McAfee
added a detector for this worm, discovered two months ago, in their 4091
series DAT files. These files were released on 16 August 2000.

You can check the version of signature files installed in your copy of
VirusScan as follows:

1) Find the VShield icon in the tray (near the right edge of your task bar).
2) Right click the VShield icon and choose About.
3) Look at the number labeled "Virus definitions." It will say something
like "4.0.4097" which tells me that I have the 4097 set.

The next line will show the creation date of the signature set. If this
shows a date of 16 August 2000 or later, your copy of VirusScan has a
detector for this worm, in case one should somehow find its way to your
mail box or to an inadvertently opened share.

The information on the Network Associates Web site is at
http://vil.nai.com/vil/dispVirus.asp?virus_k=98775.

The information at the Network Associates site, which is geared for
"corporate" users, is always more complete than the information at the
McAfee site which is geared toward retail customers. I guess they think
their retail users would be overwhelmed. If you know how to use the
additional information, it is indispensable.

One of the items routinely reported is the minimum (first) signature DAT
file number that covers the specified virus or worm. For example, if the
current detector is 4097 and an article says that the minimum DAT file is
4098, you know that they plan to have it integrated into their next regular
set of DAT files. Network Associates normally releases a new set of DAT
files once a week, usually on late Wednesday afternoon. If the article
shows a number lower than that of the set installed on your system, you are
already covered.

Regards,
David Gray
P6 Consulting
Irving, TX
http://www.p6c.com
Phone +1 (972) 751-0254

>From: "Lee Drake" <ldrake@aztekcs.net>
>To: "Viruswarning \(E-mail\)" <viruswarning@azcomputer.net>
>Date: Fri, 29 Sep 2000 22:58:29 -0400
>X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
>Importance: Normal
>Subject: Viruswarn: Netbios based Trojan program spreading on the internet
>Sender: viruswarning-owner@azcomputer.net
>
>A new type of trojan program called (QAZ) is spreading itself over open
>netbios file shares over the internet. This program, once activated, probes
>other machines on the internet looking for open file shares that are linked
>to TCP/IP. If it finds these active, it will attempt to link to the shared
>drive. If the drive is unpassworded it will copy itself to it, and install
>itself so it will be run.
>
>While most of you have probably checked your open ports using Steve Gibson's
>excellent shields up site, it's probably not a bad idea to recheck all your
>machines periodically, in case a user has inadvertently re-linked the
>netbios to TCP/IP, or a new machine's been installed without having netbios
>TCP/IP connections stripped from its configuration.
>
>Steve's site is at www.grc.com; there are good instructions for stripping
>netbios from the ip ports, as well as Zone Alarm - a very good program for
>detecting probes of your computer from outside sources.
>
>There's a full description of the virus at several sites:
>
>http://computers.rochester.rr.com/alert/1.asp
>http://vil.mcafee.com/dispVirus.asp?virus_k=98775&
>http://www.sarc.com/avcenter/venc/data/w32.hllw.qaz.a.html
>
>This virus/worm is detected by various firewall, security, and anti-virus
>programs, but the best defense is to be sure your ports 137-139 are
>stealthed, or unavailable.
>
Lee Drake, Moderator |
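
The periodic recheck recommended in the warning above can be done locally as well as from an outside probe. The following is an added example, not part of the original posts: a Python function that parses Windows-layout `netstat -an` output and reports NetBIOS endpoints (ports 137-139) bound to a non-loopback address. The function name and the sample output are constructed for illustration.

```python
import re

NETBIOS_PORTS = {137, 138, 139}  # name, datagram and session services

# Windows `netstat -an` row: proto, local addr:port, foreign addr, optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$", re.I)

# Constructed sample output (not captured from a real host)
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       10.0.0.9:139           ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
  UDP    127.0.0.1:1900         *:*
"""

def exposed_netbios(netstat_text):
    """Return sorted (proto, address, port) tuples for NetBIOS endpoints
    that accept traffic on a non-loopback address."""
    findings = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank or unrelated line
        proto, addr, port = m.group(1).upper(), m.group(2), int(m.group(3))
        state = (m.group(4) or "").upper()
        if port not in NETBIOS_PORTS:
            continue  # only the local port matters, not the remote one
        if proto == "TCP" and state != "LISTENING":
            continue  # UDP rows carry no state column
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback is not reachable from the network
        findings.add((proto, addr, port))
    return sorted(findings)

if __name__ == "__main__":
    for proto, addr, port in exposed_netbios(SAMPLE):
        print(f"{proto} {port} bound on {addr}: unbind NetBIOS from TCP/IP or filter it")
```

An empty result shows that NetBIOS is not bound to TCP/IP on that machine; a non-empty result can still be filtered by a firewall, which only an outside check can confirm.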