Viruswarn Forums
Lee Drake, Posts: 238
05/20/2002 1:49 PM
This message covers two Internet worms that have been reported today. While not necessarily huge threats, they afford us an opportunity to call your attention to a couple of important issues that should be a daily concern.
New Internet Worm: "Stages"
We received word late today from one of our clients who is an international petroleum company that several of their partners around the world have identified this worm on their mail servers. While this worm can be easily contained, removal from an infected machine is a non-trivial exercise requiring considerable computer skills and patience.
This worm is the first of which this author is aware of a type that was recently discussed privately on a white hats mailing list. The worm arrives as an attachment called LIFE_STAGES.TXT.SHS. Unlike most files, Windows Explorer hides its true extension even if you have told Explorer to show all file extensions. This enables the SHS file to masquerade as a completely harmless TXT (Notepad) file. The SHS extension is a registered file type on all machines and is called a "Shell Scrap Object".
If you open this attachment, two things happen simultaneously:
1) A text file opens in Notepad. The text is an old joke that's been circulating for years.
2) A Visual Basic Script executes and begins doing several things, including:
Dropping copies of the worm in several places on your machine and on mapped drives.
Mass mailing itself to all addresses in all Outlook address books.
Modifying the registry to execute a program designed to spread the worm via IRC.
Creating hidden files in the Recycle Bin.
This is the first worm of which we are aware that deliberately creates files in the Recycle Bin. Among the files copied into the Recycle Bin is REGEDIT.EXE. The F-Secure Web site notes that the association of .REG files is changed to point to this copy which the worm also renames to RECYCLED.VXD.
In addition to spreading via Microsoft Outlook, this worm is able to spread via mIRC and Pirch chat clients.
The F-Secure site describes the Stages worm at http://www.datafellows.com/v-descs/stages.htm but gives no information about how to eradicate it. I first noticed their note on Saturday when I was reviewing Web sites for an article I am writing about anti-virus defense.
Symantec describes the worm at http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html. They have detailed instructions for removing the worm from an infected machine. Since the instructions are complex and involve editing the Windows Registry and doing special things from a DOS prompt, we recommend that you print them out and get expert help unless you are extremely comfortable editing the Registry and working "without a net" at a DOS prompt.
Network Associates (McAfee) also has detailed removal instructions and a description of the worm and what it does at http://vil.nai.com/villib/dispvirus.asp?virus_k=98668. Their instructions are similar to the ones on the Symantec page and we urge the same caution. The McAfee notice also recommends that you set your anti-virus scanner to SCAN ALL FILES mode. This mode must be used with extreme care because:
If it scans a mail data base such as those used by Microsoft Exchange and Lotus Notes, it can cause the data base to become corrupted.
It can flag false positive (virus alerts) in mail data bases and other files that are not normally scanned.
We urge extreme caution in using this mode of scanning. If you do so, we strongly recommend that you limit its use to on-demand scan operations that are run manually while a knowledgeable human being watches.
Both McAfee and Symantec recommend that you set your scanner to always scan .SHS files. In McAfee, look in the configuration settings for the button marked "Extensions" next to the "Program Files only" radio button in the "What to Scan" box on the Properties page.
We also endorse their recommendation to set your mail gateway to stop messages containing .SHS attachments. We can think of no legitimate reason to send such an attachment!
Love Letter Worm Resurfaces
The same note from our petroleum company customer also noted that their anti-virus defenses detected and contained the Love Letter worm today. The lesson in this is that just because a virus or worm has disappeared from the news does not mean that it is gone for good. Like the DNA viruses that attack people, they can and do resurface until they are wiped from the face of the Earth.
This concludes this VirusWarn message.
Lee Drake, Moderator
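As an added example (not part of the original post or of any vendor's product), here is a minimal Python mail-gateway check that implements the recommendations above: it pulls attachment filenames out of a message and flags any whose real (last) extension is .SHS, and also notes when a never-displayed extension is stacked behind a harmless-looking one, as LIFE_STAGES.TXT.SHS is. The extension list beyond .SHS and the sample message are constructed assumptions.

```python
import email
from email import policy

# Extensions Windows Explorer never displays, even with "hide extensions"
# turned off. .shs is from the advisory; the rest are an assumption for
# this example (Windows marks them NeverShowExt).
HIDDEN_EXTENSIONS = {".shs", ".shb", ".pif", ".lnk", ".scf", ".url"}
# Gateway policy from the advisory: there is no legitimate reason to mail .SHS.
BLOCKED_EXTENSIONS = {".shs"}

# Constructed sample message (not a real capture) carrying the worm's
# attachment name beside a benign attachment.
SAMPLE_MESSAGE = b"""\
From: someone@example.com
To: you@example.com
Subject: Fw: Life stages
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

The male and female stages of life
--XX
Content-Type: application/octet-stream; name="LIFE_STAGES.TXT.SHS"
Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"

placeholder body, not a real scrap object
--XX
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

harmless notes
--XX--
"""


def attachment_names(raw_message: bytes) -> list:
    """Return the filename of every Content-Disposition: attachment part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify_attachment(filename: str) -> tuple:
    """Return (true_extension, name_as_explorer_shows_it, is_disguised).

    Windows takes the extension after the LAST dot; if that extension is one
    Explorer never shows, the user sees only what precedes it.
    """
    idx = filename.rfind(".")
    true_ext = filename[idx:].lower() if idx != -1 else ""
    if true_ext in HIDDEN_EXTENSIONS:
        shown = filename[:idx]
        return true_ext, shown, "." in shown  # a second "extension" remains visible
    return true_ext, filename, False


def should_block(raw_message: bytes) -> list:
    """Filenames the gateway should stop: blocked types, plus disguised hidden types."""
    flagged = []
    for name in attachment_names(raw_message):
        ext, _shown, disguised = classify_attachment(name)
        if ext in BLOCKED_EXTENSIONS or disguised:
            flagged.append(name)
    return flagged
```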