Tuesday, February 07, 2012

Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum. You may find some formatting was lost in the conversion and the older versions of the posts to be more readable...

But at least it's all here.

Enjoy!

  Viruswarn Forums
Subject: NewLove.bd

Author Messages
Lee Drake
Posts:238

05/20/2002 1:45 PM  
We have received and confirmed from multiple sources that a new and unusually dangerous variant of the infamous "love letter" worm has been found in the wild. According to the National Infrastructure Protection Center (NIPC), there have been 2 reports (that reached the FBI) and the NIPC began tracking the propagation of this variant called "NewLove.BD" or "Contract" at about 2:00 PM EDT (18:00 GMT) today.

What It Does

According to information posted on three anti-virus Web sites that I monitor for such events, this worm combines attributes of "LoveLetter" and "Resume" worms from recent months with a twist. The twist is that after it sends itself to everyone in your Outlook address book, it tries to download a Trojan Horse program that steals passwords. The name of the Trojan Horse program is HCHECK.EXE. If it succeeds, it installs this program in such a way that it runs every time you start up your computer.

The purpose of the Trojan Horse is to steal passwords that you might use to dial into a remote server and perhaps your network password as well, though this is not fully clear from any of the descriptions. In addition, it looks in the registry for a key that contains a PIN for an on-line banking application used by customers of Union Bank of Switzerland, UBS. It then uses Outlook via MAPI (which is installed with Outlook) to send its stolen goods to three hard coded addresses, one of which appears to belong to the author. It uses an open SMTP gateway that appears to be located in the Philippines to send the stolen passwords.

Both Symantec and McAfee state that their programs will detect this virus as a "New VBS" worm if you have heuristic scanning enabled. Since there is a risk that heuristic scanning will raise false alarms, this setting is disabled by default.

How to Protect Yourself

As always, the best protection against such attacks is to use caution when opening messages of a suspicious nature that arrive from people you know. This goes double for messages that come with attachments. Regretfully, the best policy to have with regard to mail with attachments is to confirm by another means that the message is authentic before you open it. You can most easily do this by sending a new message to the person who sent you the unexpected attachment. If the sender replies that he or she did not send you such a message, discard the message and its attachment at once and ask the sender to investigate.

If you feel the need for additional protection, see the instructions below for how to enable heuristic scanning.

Caution! Be aware that heuristic scanning may raise some false alarms. You should carefully investigate and confirm any alert raised by your software's heuristic scanner before you hit the panic button. Get expert assistance in this regard if necessary. You will recognize such a message as follows: Symantec will tell you that the report is from Hound Dog, which is what they call their heuristic scanning module. McAfee will identify the virus as being of "unknown type" or "New VBS."

Here are the instructions for several common brands of anti-virus software:

Symantec NAV 5.0:

1. Click Options.
2. Click the Scanner tab.
3. Click Heuristics.
4. Make sure that "Enable Bloodhound" is checked.
5. Move the slider all the way to the right, and then click OK.
6. Click the Auto-Protect tab.
7. Click Heuristics.
8. Make sure that "Enable Bloodhound" is checked.
9. Move the slider all the way to the right, and then click OK.
10. Click OK.

Symantec NAV 2000:

1. Click Options.
2. In the Options list, double-click Manual Scans.
3. In the Options list, under Manual Scans, click Bloodhound.
4. Make sure that "Enable Bloodhound" is checked.
5. Move the slider to Highest level of protection.
6. In the Options list, double-click Auto-Protect.
7. In the Options list, under Auto-Protect, click Bloodhound.
8. Make sure that "Enable Bloodhound" is checked.
9. Move the slider to Highest level of protection.
10. Click OK.

McAfee VirusScan 4.5:

1. Right-click the VirusScan Console icon in the lower right corner of your task bar.
2. Highlight Vshield.
3. Click Task, then Properties.
4. Click Configure.
5. Click the button marked "Advanced."
6. Check the box marked "Enable heuristic scanning."
7. Click "Enable macro and program file heuristics scanning" to fully enable the feature.
8. Click the button marked "Apply" to enable the new settings.
9. Click the button marked "Download Scan."
10. Click the button marked "Advanced."
11. Check the box marked "Enable heuristic scanning."
12. Click "Enable macro and program file heuristics scanning" to fully enable the feature.
13. Click the button marked "Apply" to enable the new settings.
14. Click on the "OK" button.
15. The system will prompt: "System Scan will be loaded on startup. Would you like to load it now?" Click Yes to do so.

Further Details

For those who are interested, you can read further about this worm at any of the following locations:

McAfee: http://vil.nai.com/villib/dispvirus.asp?virus_k=98789
Symantec: http://www.symantec.com/avcenter/venc/data/vbs.loveletter.bd.htm
F-Secure/DataFellows: http://www.datafellows.com/v-descs/love.htm
NIPC: http://www.nipc.gov/warnings/alerts/2000/alert00-053.htm

Summary

Though this worm appears to be spreading slowly, the possibility of it installing a Trojan Horse program that is designed to steal passwords makes an attack potentially very dangerous. The anti-virus vendors are rating the risk as Medium because existing filters can detect the worm if they are set as described above. It is also probably a higher risk for Europeans who are more likely to have accounts with UBS, though this could also affect US customers of the bank.

This concludes this VirusWarn notice.

Lee Drake, Moderator
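Added example (not part of the original post, and not Symantec's or McAfee's algorithm): a simplified trait-scoring scanner showing why the highest heuristic setting catches a script with the behaviours described above and also raises a false alarm on a harmless one. The patterns, weights, thresholds, sample fragments and the use of a Run registry key as the startup mechanism are all assumptions made for illustration.

```python
import re

# Traits the post attributes to the worm, as weighted patterns.
# Patterns, weights and thresholds are illustrative assumptions.
TRAITS = {
    "outlook_automation": (r'CreateObject\(\s*"Outlook\.Application"', 2),
    "address_book_access": (r'\bAddress(Lists|Entries)\b', 3),
    "adds_attachment": (r'\.Attachments\.Add\b', 2),
    "run_at_startup": (r'CurrentVersion\\Run', 3),  # assumed mechanism
    "registry_write": (r'\bRegWrite\b', 1),
    "remote_url": (r'\bhttps?://', 1),
}

# Slider positions mapped to alert thresholds; "off" is the vendor default.
THRESHOLDS = {"off": None, "low": 8, "highest": 3}

def score(script):
    """Return (total weight, sorted names of the traits found)."""
    hits = sorted(n for n, (p, _) in TRAITS.items()
                  if re.search(p, script, re.I))
    return sum(TRAITS[n][1] for n in hits), hits

def scan(script, level):
    """Return (alert?, score, traits) for one slider position."""
    limit = THRESHOLDS[level]
    total, hits = score(script)
    return (limit is not None and total >= limit), total, hits

# Constructed, non-functional fragments: only the tokens a scanner keys on.
WORM_LIKE = r'''
Set ol = CreateObject("Outlook.Application")
' ... ol.GetNameSpace("MAPI").AddressLists ...
' ... msg.Attachments.Add scriptPath ...
' ... fetch http://placeholder.invalid/HCHECK.EXE ...
sh.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\placeholder", exePath
'''

BENIGN_ADMIN = r'''
Set ol = CreateObject("Outlook.Application")
' ... mail the nightly inventory report to one fixed address ...
sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inventory", "inv.exe"
'''

if __name__ == "__main__":
    for name, text in (("worm-like", WORM_LIKE), ("benign", BENIGN_ADMIN)):
        for level in THRESHOLDS:
            print(name, level, scan(text, level))
```

The benign script scores 6, below the low threshold but above the highest one, which is the kind of alert the post says to investigate and confirm before acting on.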
Copyright 2006 by OS-Cubed, Inc.   Terms Of Use  Privacy Statement