Sector Crossing and Virus Warning

Forum for aurorae, space weather, astronomy and spaceflight.

Moderators: Claudia Hinz, Ulrich Rieth, StefanK

Lutz Schenk
Administrator
Posts: 1356
Joined: 9 Jan 2004, 18:34
Location: Baunatal, North Hesse 51.25N 9.39E

Sector Crossing and Virus Warning

Post by Lutz Schenk » 27 Jan 2004, 17:35

Hello everyone,

the ACE data nicely show the sector change with the accompanying compression, which can be recognised as increased density.

I don't think this will bring us anything, though.

On the virus:

It is yet another nasty piece of work, which among others uses "Mail-delivery-system" as the sender and something resembling an undeliverable-message notice as the subject.

I already had quite a bit of it in my mailbox earlier :-(

I also had a mail from Tom Eklund that had no subject and no line of text, only attachments. I kicked that one out too for now. It's simply too hot for me.

Here is the warning our system admin at the company issued:


Due to current events I am issuing the following virus warning.

This is a warning about the viruses W32/Mydoom@MM and W32/Dumaru.y@MM.

These viruses are mass mailers and bring their own e-mail sending program with them.

The virus W32/Mydoom@MM additionally spreads via network drive connections.

A high outbreak risk (large risk of spreading) is warned of for the virus W32/Mydoom@MM.

Attached you will find the excerpt from the original text of the virus warning.

(Excerpts from the virus warnings by Network Associates, in English)

I therefore ask you to take extra care when handling e-mails and also files; you should observe this on your private PC too when receiving and sending mails and when handling files from the Internet.

===== Excerpt from the Network Associates virus warning for the virus W32/Mydoom@MM =====

Virus Name: W32/Mydoom@MM

Virus Information
Discovery Date: 01/26/2004
Origin: Unknown
Length: 22,528 bytes
Type: Virus
SubType: E-mail
Minimum DAT: 4319
Release Date: 01/26/2004
Minimum Engine: 4.2.40
Description Added: 01/26/2004
Description Modified: 01/26/2004 9:48 PM (PT)



Virus Characteristics:
This is a mass-mailing and peer-to-peer file-sharing worm that arrives in an
email message as follows:


From: (spoofed email sender)
Subject: (Varies, such as)
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi


Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.


Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP
archive) (22,528 bytes)
examples (common names, but can be random)
doc.bat
document.zip
message.zip
readme.zip
text.pif
hello.cmd
body.scr
test.htm.pif
data.txt.exe
file.scr

The icon used by the file tries to make it appear as if the attachment is a
text file:

(Embedded screenshot of the text-file icon not included in this extract.)


When this file is run, it copies itself to the WINDOWS SYSTEM directory as
taskmon.exe
%SysDir%\taskmon.exe


(Where %Sysdir% is the Windows System directory, for example
C:\WINDOWS\SYSTEM)


It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe


The virus uses a DLL that it creates in the Windows System directory:
%SysDir%\shimgapi.dll (4,096 bytes)


This DLL is injected into the EXPLORER.EXE upon reboot via this registry
key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll


Peer To Peer Propagation
The worm copies itself to the KaZaa Shared Directory with the following
filenames:
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp


Remote Access Component
The worm opens a connection on TCP port 3127 suggesting remote access
capabilities.


Denial of Service Payload
On the first system startup on February 1st or later, the worm changes its
behavior from mass mailing to initiating a denial of service attack against
the sco.com domain. This denial of service attack will stop on the first
system startup of February 12th or later, and thereafter the worm's only
behavior is to continue listening on TCP port 3127.


Symptoms
Upon executing the virus, Notepad is opened, filled with nonsense
characters.


(Embedded screenshot of the Notepad window not included in this extract.)
Existence of the files and registry entry listed above


Method Of Infection
This file tries to spread via email and by copying itself to the shared
directory for Kazaa clients if they are present.


The mailing component harvests addresses from the local system. Files with
the following extensions are targeted:
wab
adb
tbb
dbx
asp
php
sht
htm
txt


Additionally, the worm contains strings, which it uses to randomly generate,
or guess, addresses.


Harvested addresses are sent the virus via SMTP. The worm guesses at the
recipient email server, prepending the target domain name with the following
strings:
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.


Removal Instructions
All Users :
Use specified engine and DAT files for detection and removal.


The shimgapi.dll file is injected into the EXPLORER.EXE process if the
system has been rebooted after the infection has occurred. In this
situation, a reboot and rescan is required to remove this DLL from the
system.


Alternatively, the following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT


Modifications made to the system Registry and/or INI files for the purposes
of hooking system startup will be successfully removed if cleaning with the
recommended engine and DAT combination (or higher).


Additional Windows ME/XP removal considerations


Stinger
Stinger 1.97 has been made available to assist in detecting and repairing
this threat. Please note to ensure complete repair a reboot is required
after running Stinger.


McAfee Security Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block
incoming TCP port 3127.


ThreatScan users
The latest ThreatScan signature (2004-01-27) includes detection of the
Mydoom virus. This signature is available for ThreatScan v2.0, v2.1, and
v2.5.


ThreatScan users can also detect the backdoor portion of the virus by
running a "Resource Discovery" task utilizing the port scanning options.


To update your ThreatScan installations with the latest signatures perform
the following tasks:
From within ePO open the "Policies" tab.
Select "McAfee ThreatScan" and then select "Scan Options"
In the pane below click the "Launch AutoUpdater" button.
Using the default settings proceed through the dialogs that appear.
Upon successful completion of the update a message will appear stating
that; update 2004-01-27 has completed successfully.
From within ePO create a new "AutoUpdate on Agent(s)" task.
Go into the settings for this task and ensure that the host field is
set to ftp.nai.com , the path is set to
/pub/security/tsc20/updates/winnt/ and that the user and password
fields are both set to ftp. Note that "tsc20" in the above path is
used for ThreatScan 2.0 and 2.1. The correct path for ThreatScan 2.5
is "tsc25".
Launch this task against all agent machines.
When the task(s) complete information will be available in the "Task
Status Details" report.
To create and execute a new task containing the new update
functionality, do the following:
- Create a new ThreatScan task.
- Edit the settings of this task.
- Edit the "Task option", "Host IP Range" to include all desired
machines to scan.


To scan for the virus:
Select the "Remote Infection Detection" category and "Windows
Virus Checks" template. -or-
Select the "Other" category and "Scan All Vulnerabilities"
template.


To create and execute a new task to perform a port scan, do the
following:
Create a new Resource Discovery task.
Edit the settings of this task.
Edit the "Task option", "Host IP Range" to include all desired
machines to scan.


To scan for the virus:
Select the "Port Scan" option.
Select the "TCP Port Scan" option.
Enter 3127 in the "TCP Port Ranges" field.
Launch the scan.


For additional information:
Run the "ThreatScan Template Report"
Look for module number #4061

Aliases
Name
Novarg (F-Secure)
W32.Novarg.A@mm (Symantec)
Win32.Mydoom.A (CA)
Win32/Shimg (CA)
WORM_MIMAIL.R (Trend)


===== Excerpt from the Network Associates virus warning for the virus W32/Dumaru.y@MM =====


Virus Name: W32/Dumaru.y@MM
Risk Assessment: Corporate User: Medium; Home User: Medium

Virus Information
Discovery Date: 01/24/2004
Origin: Unknown
Length: approx 17 Kb (FSG packed). Note: file size may vary due to appended data.
Type: Virus
SubType: E-mail worm
Minimum DAT: 4318
Release Date: 01/26/2004
Minimum Engine: 4.2.40
Description Added: 01/24/2004
Description Modified: 01/26/2004 11:52 AM (PT)


Virus Characteristics:
-- Update January 26, 2004 --
This threat has had its risk assessment upgraded to Medium
from Low-Profiled. This is due to increased prevalence.


-- Update January 25, 2004 --
A new minor variant of this worm was received. The extra.dat
file has been updated to deal with both threats -
W32/Dumaru.y@MM and W32/Dumaru.z@MM


W32/Dumaru.z@MM is very similar to the y variant, the major
differences being:
Filesize: approx 14,550 bytes
File download: this variant is intended to download a
remote file (URL hard-coded in body). This remote file
may change, but at the time of writing it was a variant
of W32/Spybot.worm. This is written to disk as
%SysDir%\NVIDIA32.EXE. This is detected as
W32/Spybot.worm.gen with the 4288 DATs or greater.


The email message constructed is identical to that for the y
variant.


-- Update January 24, 2004 --
The risk assessment of this threat was raised to Low-Profiled
due to Media attention at
http://antivirus.about.com/cs/allabout/a/dumaruy.htm


This detection is for a new variant of W32/Dumaru@MM. It
bears similarities to its predecessors (for example
W32/Dumaru.j@MM ).


This worm bears the following characteristics:
contains its own SMTP engine to construct messages
harvests target email addresses from the local machine


Additionally, the worm is also intended to steal data from
the victim machine (eg. certain application passwords,
keylogger data). This may be triggered via remote commands
from the hacker.


Mail Propagation
The worm constructs outgoing messages using its own SMTP
engine. Target email addresses are harvested from the victim
machine - files matching the following extensions are
searched:
.HTM
.WAB
.HTML
.DBX
.TBB
.ABD


The worm mails itself in a ZIP file. The ZIP contains the
worm with the following filename:
MYPHOTO.JPG. (many spaces) .EXE


Messages are constructed with the following characteristics:


From: "Elene" (F (removed) ENSUICIDE@HOTMAIL.COM)
Subject: Important information for you. Read it immediately !
Attachment: MYPHOTO.ZIP
Body:
Hi!
Here is my photo, that you asked for yesterday.


(Embedded screenshot of an example message, with offensive content and target email removed, not included in this extract.)
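A mail-gateway triage of the two lures described in these advisories (the Mydoom subject list and executable attachment types, and Dumaru's ZIP with the whitespace-padded MYPHOTO.JPG .EXE name), written here as an added example that is not part of the forum post or of Network Associates' advisory. The indicator lists come from the advisory text above; the sample messages and ZIP archives are constructed in the code.

```python
import io
import zipfile

# Subjects listed in the Mydoom advisory, plus the fixed Dumaru subject (lower-cased).
LURE_SUBJECTS = {"error", "status", "server report", "mail transaction failed",
                 "mail delivery system", "hello", "hi",
                 "important information for you. read it immediately !"}
# Attachment types the Mydoom advisory lists; Dumaru's ZIP carries an .EXE.
EXEC_EXT = {".bat", ".exe", ".pif", ".cmd", ".scr"}

def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def attachment_findings(name, data):
    """Reasons an attachment matches the advisories' patterns (recurses into ZIPs)."""
    findings = []
    n = name.strip()
    if "." + _ext(n) in EXEC_EXT:
        findings.append(f"executable attachment {n!r}")
        if len(n.split(".")) > 2:          # test.htm.pif, data.txt.exe
            findings.append("double extension")
    if "  ." in n:                         # MYPHOTO.JPG. (many spaces) .EXE
        findings.append("whitespace-padded extension")
    if _ext(n) == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.namelist():
                    inner = attachment_findings(member, z.read(member))
                    findings += [f"zip member: {f}" for f in inner]
        except zipfile.BadZipFile:
            findings.append(f"{n!r} is not a valid ZIP archive")
    return findings

def triage(subject, attachments):
    """attachments: list of (filename, bytes). Returns (verdict, findings)."""
    findings = []
    if subject.strip().lower() in LURE_SUBJECTS:
        findings.append(f"lure subject {subject!r}")
    for name, data in attachments:
        findings += attachment_findings(name, data)
    verdict = "quarantine" if any("executable" in f for f in findings) else "deliver"
    return verdict, findings

def _make_zip(member_name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member_name, payload)
    return buf.getvalue()

# Constructed samples shaped like the advisories' descriptions; no real worm bodies.
MYDOOM_LIKE = ("Mail Delivery System", [("message.zip", _make_zip("text.pif", b"MZ-stub"))])
DUMARU_LIKE = ("Important information for you. Read it immediately !",
               [("MYPHOTO.ZIP", _make_zip("MYPHOTO.JPG.              .EXE", b"MZ-stub"))])
BENIGN = ("Aurora photos from last night", [("aurora.jpg", b"\xff\xd8\xff")])
```

Calling `triage(*MYDOOM_LIKE)` or `triage(*DUMARU_LIKE)` returns a quarantine verdict with the matched reasons, while the benign sample is delivered with no findings.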


Data Stealing
The worm is intended to steal data from the victim machine.
Keylogging functionality is targeted at capturing keystrokes
during specific browser sessions - those related to online
banking. The worm specifically targets e-gold.com users.
Logged data is written to the file VXDLOAD.LOG.


Clipboard contents are also targeted by the worm. Contents
are written to the file RUNDLLX.SYS.


These log contents are emailed to the hacker(s) using email
addresses hard-coded in the worm.


Remote Access
The worm listens on TCP ports 2283 and 10000 to allow a
remote attacker to issue instructions to the worm (such as
FTP commands).


Symptoms
Existence of the following Registry key:
HKEY_LOCAL_MACHINE\Software\SARS


Existence of the files and Registry keys described in the
"Method of Infection" section


Method Of Infection
When executed, the worm copies itself multiple times onto the
victim machine:
%WinDir%\RUNDLLX.SYS
%SysDir%\L32X.EXE
%SysDir%\VXD32V.EXE


Where %WinDir% is the Windows directory (eg. C:\WINNT) and
%SysDir% is the Windows System directory (eg.
C:\WINNT\SYSTEM32).


A copy is also dropped in the Windows startup folder, as
DLLXW.EXE, for example:
c:\Documents and Settings\user2\Start
Menu\Programs\Startup\dllxw.exe


The worm creates a ZIP file (containing the worm) with the
filename ZIP.TMP in the following directory:
%WinDir%\TEMP\ZIP.TMP


The following Registry hook is added to hook system startup
(9x and NT):


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "load32" = %SysDir%\L32X.EXE


On NT/2k systems the following key is modified:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"


from:


Explorer.exe


to:


explorer.exe %SysDir%\VXD32V.EXE


The WIN.INI and SYSTEM.INI system files are also modified to
hook system startup. The following entry is added to WIN.INI:


[windows]
"run" = %WinDir%\RUNDLLX.SYS


The following key is modified in SYSTEM.INI:


[boot]
"shell" = Explorer.exe


is modified to:


"shell" = explorer.exe %SysDir%\VXD32V.EXE


Unlike some previous variants, this variant does not have a
parasitic infection component (via NTFS streams).
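The startup hooks described for both worms above (Run values, the Winlogon Shell and SYSTEM.INI shell= lines, the WIN.INI run= line, and the Explorer CLSID InProcServer32 redirection) can be audited offline from a registry export and the two INI files. This is an added example, not McAfee's tooling or anything from the forum post; the snapshot layout ({key: {value name: data}}) and the INI texts are constructed for the demonstration, and the Shell check assumes program paths without spaces.

```python
import configparser

EXPECTED_SHELL = "explorer.exe"   # the only program a clean Shell / shell= line names
# Registry locations and dropped file names taken from the two advisories above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLSID_INPROC = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
SUSPECT_FILES = {"taskmon.exe", "shimgapi.dll", "l32x.exe", "vxd32v.exe", "rundllx.sys", "dllxw.exe"}

def _basename(path):
    return path.strip('"').replace("/", "\\").split("\\")[-1].lower()

def _shell_extras(shell_value):
    """Programs a Shell line starts besides explorer.exe (paths without spaces assumed)."""
    return [t for t in shell_value.split() if t.lower() != EXPECTED_SHELL]

def audit_registry(snapshot):
    """snapshot: {key_path: {value_name: data}}, e.g. parsed from a reg.exe export."""
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if _basename(data) in SUSPECT_FILES:
            findings.append(f"Run value {name!r} starts {data}")
    extras = _shell_extras(snapshot.get(WINLOGON, {}).get("Shell", EXPECTED_SHELL))
    if extras:
        findings.append(f"Winlogon Shell also starts {' '.join(extras)}")
    inproc = snapshot.get(CLSID_INPROC, {}).get("(Default)", "")
    if _basename(inproc) in SUSPECT_FILES:
        findings.append(f"Explorer-loaded CLSID InProcServer32 points at {inproc}")
    return findings

def audit_ini(win_ini_text, system_ini_text):
    """Checks the WIN.INI [windows] run= and SYSTEM.INI [boot] shell= hooks."""
    findings = []
    win = configparser.ConfigParser(interpolation=None)
    win.read_string(win_ini_text)
    for prog in win.get("windows", "run", fallback="").split():
        if _basename(prog) in SUSPECT_FILES:
            findings.append(f"WIN.INI run= starts {prog}")
    sysini = configparser.ConfigParser(interpolation=None)
    sysini.read_string(system_ini_text)
    extras = _shell_extras(sysini.get("boot", "shell", fallback=EXPECTED_SHELL))
    if extras:
        findings.append(f"SYSTEM.INI shell= also starts {' '.join(extras)}")
    return findings

# Constructed snapshots: one carrying the hooks from both advisories, one clean.
INFECTED_REG = {
    RUN_KEY: {"TaskMon": r"C:\WINDOWS\SYSTEM\taskmon.exe", "load32": r"C:\WINNT\SYSTEM32\L32X.EXE"},
    WINLOGON: {"Shell": r"explorer.exe C:\WINNT\SYSTEM32\VXD32V.EXE"},
    CLSID_INPROC: {"(Default)": r"C:\WINDOWS\SYSTEM\shimgapi.dll"},
}
CLEAN_REG = {RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}, WINLOGON: {"Shell": "Explorer.exe"}}
INFECTED_WIN_INI = "[windows]\nload=\nrun=C:\\WINNT\\RUNDLLX.SYS\n"
INFECTED_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINNT\\SYSTEM32\\VXD32V.EXE\n"
```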

Removal Instructions
All Users :
Use specified engine and DAT files for detection and removal.


Alternatively, the following EXTRA.DAT packages are
available.
EXTRA.DAT
SUPER EXTRA.DAT


Modifications made to the system Registry and/or INI files
for the purposes of hooking system startup will be
successfully removed if cleaning with the recommended engine
and DAT combination (or higher).


Stinger has been updated to detect and remove this threat.
Stinger is not required for McAfee users to clean an infected
system as the products contain the same level of repair.


Additional Windows ME/XP removal considerations


McAfee Security Threatscan:
ThreatScan signatures that can detect the W32/Dumaru.y@MM
virus are available.
Threatscan 2.5 -
ftp.nai.com/pub/security/tsc25/updates/winnt
Threatscan 2.0/2.1 -
ftp.nai.com/pub/security/tsc20/updates/winnt

Variants
Name: W32/Dumaru.z@MM
Type: Internet Worm
Sub Type: E-mail
Differences: (listed in the January 25, 2004 update above)


Aliases
Name
CapeGold
W32.Dumaru.Y@mm (NAV)
W32/Dumaru.z@MM
Win32/ZHymn (CAI)
WORM_DUMARU.Y (Trend)

Heiko Rodde
Posts: 323
Joined: 9 Jan 2004, 17:32
Location: Wiliberg (Aargau), Switzerland

Post by Heiko Rodde » 27 Jan 2004, 19:42

Hello Lutz,

thanks for the long warning, but how pleasant it is not to have to take all that virus cr.. seriously any more.

Thanks to the Mac! :-))))

Well, a small residual risk exists with the Mac too, but it should be below one percent.

The last few percent of aurora chances, which would be slight anyway after the sector crossing, are being flattened again by the continuing snowfall!
Isn't it snowing where you are?

Have a nice evening - regards, Heiko

Thorsten Gaulke
Posts: 756
Joined: 9 Jan 2004, 16:18
Location: Geseke N51°39'02" E008°30'46"

Post by Thorsten Gaulke » 27 Jan 2004, 23:15

Hi Heiko...

1. I am quite glad that I have no e-mail distribution lists... or address books... or anything else on the computer... all e-mail addresses are old-fashioned, handwritten on the pinboard...

2. In Detmold the weather has so far been superb for telescope observations of Saturn and Jupiter and various Messier objects...
According to the weather radar it will start snowing (in an hour)... Lucky those who don't have to go to work tomorrow morning

P.S. I have to go to work... 45 km away... hopefully there won't be any skidding...

Regards, Thorsten

Nathalie Dautel
Posts: 24
Joined: 9 Jan 2004, 21:29
Location: Baden-Baden

Post by Nathalie Dautel » 28 Jan 2004, 08:31

Hello,

yesterday I received several of these mails (System Administrator, or with subject: Hi, Hello...), luckily I didn't open anything. :-)
Regards
Nathalie

Andreas Wehrle
Posts: 407
Joined: 9 Jan 2004, 07:32
Location: Kandern, Baden N. 47.71 E. 7.65

Sector Crossing?

Post by Andreas Wehrle » 30 Jan 2004, 07:46

Sector crossing? What exactly is that, can someone explain it to me in more detail?

Regards, Andreas Wehrle

Helga Schöps
Posts: 1709
Joined: 10 Jan 2004, 14:07
Location: Hermsdorf/Thuringia

Sector Crossing

Post by Helga Schöps » 30 Jan 2004, 08:55

Hello Andreas,
have a look at Ulrich Rieth's homepage under FAQs and there under HCS. You will find the explanation there. You can view it graphically at
http://solar:event@gse.gi.alaska.edu/recent/ecimf.html
On ACE you see the change in the Phi line.
I hope that helps you for now.
Greetings from Helga

PS: Your webcam page is great, everything at a glance!

Andreas Wehrle
Posts: 407
Joined: 9 Jan 2004, 07:32
Location: Kandern, Baden N. 47.71 E. 7.65

Thanks Helga

Post by Andreas Wehrle » 30 Jan 2004, 15:47

Thanks Helga :lol:
Your info helped me a lot.
Regards, Andreas Wehrle
