  1. #1
    amvinfe, Moderator of the Computer Security and Viruses section
    Registered since May 2002, 6,739 posts

    Win32.Worm.Duni.A also spreads via Kazaa

    Win32.Worm.Duni.A

    Name: Win32.Worm.Duni.A
    Aliases: N/A
    Type: Worm
    Size: ~500 Kbytes
    Discovered: July 04 2002
    Detected: July 04 2002, 10:30 (GMT+2)
    Spreading: Low
    Damage: Low
    ITW: Unknown
    Symptoms:

    - Files commfig.sys, k32.vxd in the Windows Directory (usually c:\windows)
    - File zero.exe in the root folder c:\

    Technical description:

    The virus spreads using email, but it's designed to use only the MSN Messenger contacts list. The virus is attached as a file with the ".cpl" extension. ".cpl" files are interpreted by Windows as Control Panel items and executed.
    The virus, upon execution, searches all contacts from MSN and uses the SMTP server mail.hotmail.com to spread itself. For this, it uses two files, "commfig.sys" and "k32.vxd", in the windows\system folder. If it successfully spreads itself, then it creates the file "zero.exe" in the root folder. To make sure that it will run on each system startup, the virus copies itself under a random name made from a number in the Windows folder and inserts the following line in the registry: under
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    the virus inserts a line which looks like the following:
    952 rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\952.cpl

    After each run, it remains resident and continuously searches for a few antivirus files, and deletes them if found.
    Files it tries to delete:
    "C:\archiv~1\perav\pav.dll", "C:\archiv~1\perav\per.dll", "C:\program files\perav\pav.dll", "C:\program files\perav\per.dll", "C:\windows\PAV.EXE", "C:\windows\bases\avp.set", "C:\windows\system\vshield.vxd", "C:\windows\system32\vshield.vxd", "C:\windows\vshield.vxd".
    Also, it searches the registry and tries to disrupt some antiviruses: under

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    the value PAV.EXE is changed to C:\Windows, and the value
    HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SharedFiles\Folder
    is changed to C:\Windows too.

    Possible e-mail subjects:

    'Esta si que es zorra!!!'
    'Fotos de asesinatos, Jack el Destripador, Charles Manson, y much os mas para decorar tu escritorio.'
    'Yeahhh Mutha Facka... NY Brookling in your NET.'
    'Genera passwords para poder entrar a las webs mas putonas de la red, y gratis, incluso podras bajar peliculas porno.'
    'Para los verdaderos amigos...'
    'Test de amor.'
    '30 pregutas para saber si tu pareja te enga'#241'a.'
    'La imagen de cristo en un bosque.'
    'mira como seria un mundial en la antigua mesopotamia.'
    'Fotos de Cristo para decorar tu escritorio.'
    'Te han enviado una postal.'
    'Te acuerdas de mi?'
    'Asi se hace el amor...'
    'Asi me gusta a mi...'
    'Esto doleria mucho, mucho :-).'
    'Si esto no me lo regresas me sentire mal.'
    'La vida despues de la muerte.'
    'Me cambie de correo, aver si ahora me escribes...'
    'Leelo y reenvialo a quienes mas amas.'
    'Cancion de amor, para ti.'
    'Paulina Rubio y su zorrita cosmica...'
    'No todo lo que uno lea sobre el servicio de webmail de Microsoft es cierto.'
    'Ver el listado de falsas alarmas.'
    'ja, la han cagado con este video.'
    'Bin Laden DT de la seleccion de arabia...'
    'Bin Laden nuevo goliador de Arabia saudita , jaaaaaaa.'
    'Bin Laden presidente de la FIFA.'
    'Dime que te parece esta animacion.'
    'Una broma para las secretarias, ja ja.'
    'Test para secretarias, para saber que tan tontas son.'
    '41 preguntas para saber si alguien es sicopata.'
    'mira esto es mas ordinario que gato con hanta, juaaaaaaaaaaaa.'
    'listado de ultimas mentiras que circulan por los mails.'
    'Last hoaxes list.'
    'Hola'
    'como te gustarian este par de tetitas.'
    'Leelo y reenvialo a quienes mas amas.'
    'mira esto es mas ordinario que gato con hanta, juaaaaaaaaaaaa.'
    'listado de ultimas mentiras que circulan por los mails.'
    'Bin Laden killing muthaFaka bill gates.'

    For each of these subject lines, the virus chooses a corresponding attachment name:

    'zorrita.cpl'
    'jack.cpl'
    'sickofitall.cpl'
    'analpasswords.cpl'
    'poema_angelical.cpl'
    'testdeamor.cpl'
    'Adulterio_en_tus_narices.cpl'
    'Cristo.cpl'
    'mundial.cpl'
    'cristo2002.cpl'
    'postal_de_mi_alma.cpl'
    'estesoyyo.cpl'
    'milposiciones.cpl'
    'como_como.cpl'
    'por_ahi_noooooo.cpl'
    'lomasimportante.cpl'
    'vidaymuerte.cpl'
    'siemprevivir@setnet.cpl'
    'milvidas.cpl'
    'comoolvidarte.cpl'
    'paulinasex.cpl'
    'mentiras_en_hotmail.cpl'
    'listado_de_hoaxes.cpl'
    'zapato_en_el_culo.cpl'
    'binladenDT.cpl'
    'gooooooool.cpl'
    'Fifaladen.cpl'
    '788782.cpl'
    'secretarias.cpl'
    'test_secretontas.cpl'
    'sere_yo_uno_de_esos.cpl'
    'scarycrai.cpl'
    'mentiras_mails.cpl'
    'mcaffehoaxlist.cpl'
    'tetris2002.cpl'
    'zandias_meloones.cpl'
    'quien_como_tu.cpl'
    'portymore.cpl'
    'listado_de_porquerias.cpl'
    'billgatesscream.cpl'

    The virus uses an alternative way of infection: if the user has Kazaa installed, then the virus will search the registry value
    HKEY_CURRENT_USER\Software\Kazaa\Transfer\DlDir0
    which points to the Kazaa download directory and will copy itself there under one of the
    following names, making itself available for download to other Kazaa users:
    'DivResidentEvil.ZIP.cpl'
    'SpidermanDesktop.cpl'
    'AVP_KeyActualization2002.ZIP.cpl'
    'Messenger_skins.ZIP.cpl'
    'Porno_sTar.cpl'
    'CannibalCorpse.MP3.cpl'
    'Sickofitall.Zip.cpl'
    'AXEbahia.cpl'
    'NuevosVideosProfesorRossa.cpl'
    'NewVideo_Blink182.cpl'
    'LagWagon&Blink182.cpl'
    'Hacking.cpl'
    'AllMcAfeeCrack.Cpl'
    'Britney_spearsVSDavidBeckham_AnalPasions.cpl'
    'Crack.PerAntivirus.Zip.cpl'
    'JamieThomasVSrodneyMullen.cpl'
    'MariguanaDesktop.cpl'
    'AgeOfEmpires2_Crack.cpl'
    'PSX2_Emulation.Zip.cpl'
    'GameCube.Zip.cpl'
    'Mames.Zip.cpl'
    'Crack_Delphi5and6.Zip.cpl'
    'terminator2.cpl'
    'BinladenF**kinBillGates.cpl'
    'AnalPasswords.cpl'
    'ElvisDesktop.cpl'
    'B.cpl'
    'Z.cpl'
    'AVP_Spanish.cpl'
    'ZoneAlarmCrack.cpl'
    'HardXCore.cpl'
    'PhotoShop6.xCrack.cpl'
    'BioHazard.cpl'
    'VisualBasic.Net.cpl'
    'Zidane.Taliban.cpl'
    'VideoPortoSeguro.cpl'
    'PSX2EmulatorFree.Zip.cpl'
    'sexo_en_la_calle.cpl'
    'sexo_anal_full_video.cpl'
    'sexo_oriental_full_video.cpl'
    'muertes_videos.cpl'
    'fullvideo_anal_action.zip.cpl'
    Please note that the virus uses a somewhat easy trick of naming itself something like "file.zip" and then filling with white spaces until the final extension which is ".cpl", so the user may not be aware that the virus has a double extension.

    Example:
    "file.zip. .cpl"

    Removal:

    - automatic removal: let BitDefender delete/disinfect files found infected.
    - manual removal: delete the files c:\zero.exe, c:\windows\commfig.sys, c:\windows\k32.vxd. Inspect the registry key
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    and look for a line that looks like this (only the number varies):
    952 rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\952.cpl
    Delete the file named there (C:\windows\952.cpl), and then delete this entry in the registry. Search for files named *.cpl on your hard disk and see if any of them matches any of the names given in the description. If so, delete those files.


    Source: BitDefender
    ==
    Visit my blog SuspectFile.com
    ==
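The advisory above describes two things a defender can check for directly: a Run-key value that launches a numbered .cpl file through rundll32/Control_RunDLL, and attachment or download names that hide a double extension behind a run of spaces ("file.zip. .cpl"). The script below is an added example written for this thread; it is not BitDefender's code or part of the original post. It runs offline on constructed sample data (the Run values and file names are made up to mimic the patterns in the advisory) and would need to be fed real registry values and directory listings to be used on a machine.

```python
import re

# Constructed sample Run-key values (name, data), not taken from a real system:
# the first and third mimic the persistence entry described in the advisory,
# the second is an ordinary legitimate entry that must not be flagged.
SAMPLE_RUN_VALUES = [
    ("952", r"rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\952.cpl"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("1337", r"rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\1337.cpl"),
]

# Constructed sample file names: two plain double extensions, one using the
# whitespace-padding trick from the advisory, one benign document and one
# genuine Control Panel applet name.
SAMPLE_FILE_NAMES = [
    "DivResidentEvil.ZIP.cpl",
    "file.zip." + " " * 40 + ".cpl",
    "report.pdf",
    "AVP_KeyActualization2002.ZIP.cpl",
    "intl.cpl",
]

# Matches a Run value that hands a .cpl file to the Control Panel loader,
# which is how the advisory says the worm restarts on every boot.
CONTROL_RUNDLL_CPL = re.compile(
    r"rundll32(?:\.exe)?\s+shell32\.dll,Control_RunDLL\s+(?P<path>\S+\.cpl)\b",
    re.IGNORECASE,
)


def suspicious_run_entries(values):
    """Return (value name, .cpl path) for every Run value that launches a .cpl
    via Control_RunDLL. Values are (name, data) pairs as read from the key."""
    hits = []
    for name, data in values:
        match = CONTROL_RUNDLL_CPL.search(data)
        if match:
            hits.append((name, match.group("path")))
    return hits


def disguised_cpl(filename):
    """Return the hidden inner extension (e.g. 'zip') when a .cpl file shows a
    second extension before '.cpl', possibly separated by spaces and dots,
    or None when the name carries a single, honest extension."""
    if not filename.lower().endswith(".cpl"):
        return None
    inner = filename[:-4].rstrip(" .")  # drop '.cpl', padding spaces and dots
    if "." not in inner:
        return None
    return inner.rsplit(".", 1)[1].lower()


def scan_file_names(names):
    """Return (name, inner extension, number of padding spaces) for every
    file name that disguises its .cpl extension."""
    flagged = []
    for name in names:
        inner = disguised_cpl(name)
        if inner is not None:
            padding = len(name[:-4]) - len(name[:-4].rstrip(" "))
            flagged.append((name, inner, padding))
    return flagged


if __name__ == "__main__":
    for entry in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print("suspicious Run value:", entry)
    for hit in scan_file_names(SAMPLE_FILE_NAMES):
        print("disguised .cpl:", hit)
```

The padding count is reported because a long run of spaces before the final extension is itself a strong signal: legitimate file names almost never contain it, so a non-zero value is worth alerting on even when the inner extension looks harmless.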

  2. #2
    But this virus can be received by e-mail, so what does Kazaa have to do with it? And is KazaaLite vulnerable???
    unreal, the immortal being
