Worm.W32/Yaha.AF@MM
Alias:
W32.Yaha.AF@mm (Symantec)
Description:
Variant of Yaha.T that does the following:
- Terminates antivirus and firewall processes.
- Uses its own SMTP engine to send itself to all contacts in the
Windows, MSN and Windows Messenger address books and in the Yahoo and
ICQ messaging programs, as well as to every address it finds in files
with the .ht* extension.
- Attempts to spread through shared folders and mapped network drives.
- Attempts to spread through the Kazaa file-sharing network.
- Installs a keystroke logger (keylogger) and sends the logs to the
author.
- Performs a denial-of-service (DoS) attack against specified or
random machines on TCP ports 135, 139 and 445.
Details:
When W32.Yaha.AF is executed, it does the following:
- Copies itself to the following locations, with the "hidden"
attribute set:
- %System%\exe32.exe
- %System%\msmgr32.exe
- %CommonStartup%\msmgr32.exe
- %CurrentUserStartup%\msmgr32.exe
- Creates the files:
- %Windir%\Hosts
- %Windir%\Lmhosts
- %System%\etc\hosts
- %System%\etc\Lmhosts
with the following entries:
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.sophos.com
127.0.0.1 www.avp.ch
127.0.0.1 www.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www3.ca.com
127.0.0.1 www.ca.com
This prevents the user from reaching these security vendors' websites.
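The entries above can be checked for mechanically: any name other than localhost that a hosts file pins to a loopback address is a hijack of this kind. The following is an added example, not part of the original advisory; the sample hosts content is constructed from the entries listed above and the helper names (parse_hosts, find_loopback_hijacks, clean_hosts) are ours.

```python
"""Audit a Windows hosts file for loopback hijacks of the kind this advisory
describes. Added example, not from the original advisory; the sample hosts
content is constructed from the advisory's entries."""
import ipaddress

# Names that legitimately resolve to loopback; any other name pinned to a
# loopback address on a workstation is worth a look.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping blanks, comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not a resolvable mapping
        for name in parts[1:]:
            yield addr, name.lower()


def find_loopback_hijacks(text):
    """Return hostnames mapped to 127/8 or ::1 that are not local names."""
    return [name for addr, name in parse_hosts(text)
            if addr.is_loopback and name not in LEGIT_LOOPBACK_NAMES]


def clean_hosts(text):
    """Return the hosts text with hijack lines removed; everything else kept."""
    kept = [raw for raw in text.splitlines() if not find_loopback_hijacks(raw)]
    return "\n".join(kept) + "\n"


# Constructed sample: a normal localhost line followed by the entries the
# advisory says the worm writes to %Windir%\Hosts and %System%\etc\hosts.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.sophos.com
127.0.0.1 www.avp.ch
127.0.0.1 www.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www3.ca.com
127.0.0.1 www.ca.com
"""

if __name__ == "__main__":
    for name in find_loopback_hijacks(SAMPLE_HOSTS):
        print("hijacked to loopback:", name)
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against each of the four paths the advisory lists; on NT-family systems the resolver reads %System%\drivers\etc\hosts, so a populated %System%\etc\hosts is itself a sign of tampering.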
- Creates the file %System%\mss32.dll, which it uses to store the
e-mail addresses it finds.
- Creates the file %Cookies%\anyuser@yahoo.com.txt, which is a
keystroke logger.
- Adds the value:
"MsManager"="%System%\msmgr32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
so that it runs at Windows startup.
- Changes the default values of the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command
to:
(Default) = "%System%\exe32.exe" %1 %*
- Disables the registry editing tools by setting the following
value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"="1"
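Because the shell\open\command hijack makes the worm run every time one of these file types is opened, an exported copy of these keys is worth auditing before and after cleanup. The following is an added example, not part of the original advisory: it parses a REGEDIT4 export and flags the values listed above; the sample export is constructed from those values and the helper names (parse_reg, audit) are ours.

```python
"""Audit a REGEDIT4 export for the changes this advisory describes: the
MsManager autostart values, the exe32.exe shell\\open\\command hijack and
DisableRegistryTools=1. Added example, not from the original advisory."""
import re

FILE_CLASSES = ("batfile", "comfile", "exefile", "piffile", "scrfile")
CLEAN_OPEN_COMMAND = '"%1" %*'      # value the repair .reg in the Solution restores
WORM_BINARIES = ("msmgr32.exe", "exe32.exe", "mccp32.exe")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Services?)?$", re.I)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
HKLM_CLASSES_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\", re.I)


def _unescape(s):
    # Undo .reg escaping: backslash-backslash and backslash-quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}}; '' is the key's default value.
    HKLM\\SOFTWARE\\CLASSES\\... is folded into HKEY_CLASSES_ROOT\\... so the
    spelling used in the Details and the one in the repair .reg compare equal."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = HKLM_CLASSES_RE.sub(r"HKEY_CLASSES_ROOT\\", line[1:-1])
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            reg[key][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
        else:
            reg[key][name] = data                   # hex:/other types left raw
    return reg


def audit(reg):
    """Return (key, finding) pairs for the modifications attributed to the worm."""
    findings = []
    for key, values in reg.items():
        low = key.lower()
        for cls in FILE_CLASSES:
            if low == "hkey_classes_root\\%s\\shell\\open\\command" % cls:
                cmd = values.get("", "")
                if cmd != CLEAN_OPEN_COMMAND:
                    findings.append((key, "open command hijacked: %r" % cmd))
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if name.lower() == "msmanager" or any(
                        b in str(data).lower() for b in WORM_BINARIES):
                    findings.append((key, "autostart value %r -> %r" % (name, data)))
        if low.endswith("\\policies\\system") and values.get("DisableRegistryTools") == 1:
            findings.append((key, "DisableRegistryTools=1 (registry editing blocked)"))
    return findings


# Constructed sample export of an infected machine; the batfile entry is clean.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsManager"="%System%\\msmgr32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command]
@="\"%System%\\exe32.exe\" %1 %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    for key, finding in audit(parse_reg(SAMPLE_REG)):
        print(key, "->", finding)
```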
- Deletes the values:
"syshelp"
"WinGate initialize"
"Module Call initialize"
"WinServices"
"WindowsMGM"
from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Deletes the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WinServices"
- Registers itself as a service.
- Terminates the following processes if they are running:
- Winservices
- TCPSVS32
- NAV32_LOADER
- WINGATE.EXE
- SYSHELP.EXE
- WINMGM32.EXE
- WINK
- Deletes the following files if they exist:
%System%\WinServices.exe
%System%\nav32_loader.exe
%System%\tcpsvs32.exe
%System%\syshelp.exe
%System%\WinGate.exe
%System%\WinRpcsrv.exe
%System%\winmgm32.exe
%Windir%\SNTMLS.DAT
- Terminates processes whose window title contains any of the
following strings:
- Windows Task Manager
- System Configuration Utility
- Registry Editor
- Process Viewer
- Terminates processes whose name contains any of the following
strings:
- _AVP32
- _AVP32.EXE
- _AVPCC
- _AVPCC.EXE
- _AVPM
- _AVPM.EXE
- AckWin32
- ACKWIN32
- AckWin32.exe
- ACKWIN32.EXE
- ADVXDWIN
- ADVXDWIN.EXE
- agentw.exe
- ALERTSVC
- ALERTSVC.EXE
- ALOGSERV
- alogserv
- alogserv.exe
- ALOGSERV.EXE
- AMON9X
- AMON9X.EXE
- ANTI-TROJAN
- ANTI-TROJAN.EXE
- ANTS
- ANTS.EXE
- APVXDWIN
- apvxdwin
- APVXDWIN.EXE
- apvxdwin.exe
- ATCON
- ATCON.EXE
- ATUPDATER
- ATUPDATER.EXE
- ATWATCH
- ATWATCH.EXE
- AUTODOWN
- AutoDown
- AUTODOWN.exe
- AutoDown.exe
- AUTODOWN.EXE
- AutoTrace
- AutoTrace.exe
- AVCONSOL
- AVCONSOL.EXE
- AVGCC32
- AVGCC32.EXE
- AVGCTRL
- Avgctrl
- AVGCTRL.EXE
- Avgctrl.exe
- AvgServ
- AVGSERV
- AVGSERV.EXE
- AVGSERV9
- AVGSERV9.EXE
- AVGW
- AVGW.EXE
- avkpop
- avkpop.exe
- AvkServ
- AvkServ.exe
- avkservice
- avkservice.exe
- avkwctl9
- avkwctl9.exe
- AVP
- AVP.EXE
- AVP32
- AVP32.EXE
- AVPCC
- avpm
- AVPM
- avpm.exe
- AVPM.EXE
- Avsched32
- Avsched32.exe
- AvSynMgr
- AVSYNMGR
- AVSYNMGR.exe
- AVWINNT
- AVWINNT.EXE
- AVXMONITOR9X
- AVXMONITOR9X.EXE
- AVXMONITORNT
- AVXMONITORNT.EXE
- AVXQUAR
- AVXQUAR.EXE
- AVXQUAR.EXE.EXE
- AVXW
- AVXW.EXE
- blackd
- BLACKD
- blackd.exe
- BLACKD.EXE
- BlackICE
- BlackICE.exe
- CDP.EXE
- cfgWiz
- cfgWiz.exe
- Claw95
- CLAW95
- Claw95.exe
- CLAW95.EXE
- Claw95cf
- CLAW95CF
- Claw95cf.exe
- CLAW95CF.EXE
- cleaner
- cleaner.EXE
- cleaner3
- cleaner3.EXE
- CMGRDIAN
- CMGrdian
- CMGRDIAN.EXE
- CONNECTIONMONITOR
- CONNECTIONMONITOR.EXE
- CPD
- cpd.exe
- CPDClnt
- CPDCLNT.EXE
- CPDClnt.exe
- CTRL
- CTRL.EXE
- defalert
- defalert.exe
- defscangui
- defscangui.exe
- DEFWATCH
- DEFWATCH.EXE
- DOORS
- DOORS.EXE
- DVP95
- DVP95.EXE
- DVP95_0
- DVP95_0.EXE
- EFPEADM
- EFPEADM.exe
- EFPEADM.EXE
- ETRUSTCIPE
- ETRUSTCIPE.exe
- ETRUSTCIPE.EXE
- EVPN
- EVPN.exe
- EVPN.EXE
- EXPERT
- EXPERT.EXE
- F-AGNT95
- F-AGNT95.EXE
- fameh32
- fameh32.exe
- fch32
- fch32.exe
- fih32
- fih32.exe
- fnrb32
- fnrb32.exe
- F-PROT
- F-PROT.EXE
- F-PROT95
- F-PROT95.EXE
- FP-WIN
- FP-WIN.EXE
- FRW
- FRW.EXE
- fsaa
- fsaa.exe
- fsav32
- fsav32.exe
- fsgk32
- fsgk32.exe
- fsm32
- fsm32.exe
- fsma32
- fsma32.exe
- fsmb32
- fsmb32.exe
- f-stopw
- F-STOPW
- f-stopw.exe
- F-STOPW.EXE
- gbmenu
- gbmenu.exe
- GBPOLL
- gbpoll
- GBPOLL.EXE
- gbpoll.exe
- GENERICS
- GENERICS.EXE
- GUARD
- GUARD.EXE
- GUARDDOG
- GUARDDOG.EXE
- iamapp
- IAMAPP
- iamapp.exe
- IAMAPP.EXE
- iamserv
- IAMSERV
- iamserv.exe
- IAMSERV.EXE
- IAMSTATS
- IAMSTATS.EXE
- ICLOAD95
- ICLOAD95.EXE
- ICLOADNT
- ICLOADNT.EXE
- ICMON
- ICMON.EXE
- ICSUPP95
- ICSUPP95.EXE
- ICSUPPNT
- ICSUPPNT.EXE
- IFACE
- IFACE.EXE
- IOMON98
- IOMON98.EXE
- ISRV95
- ISRV95.EXE
- JEDI
- JEDI.EXE
- LDNETMON
- LDNETMON.EXE
- LDPROMENU
- LDPROMENU.EXE
- LDSCAN
- LDSCAN.EXE
- LOCKDOWN
- LOCKDOWN.EXE
- lockdown2000
- LOCKDOWN2000
- lockdown2000.exe
- LOCKDOWN2000.EXE
- LUALL
- LUALL.EXE
- LUCOMSERVER
- LUCOMSERVER.EXE
- LUSPT
- LUSPT.exe
- MCAGENT
- MCAGENT.EXE
- MCMNHDLR
- MCMNHDLR.EXE
- Mcshield.exe
- MCTOOL
- MCTOOL.EXE
- MCUPDATE
- MCUPDATE.EXE
- MCVSRTE
- MCVSRTE.EXE
- MCVSSHLD
- MCVSSHLD.EXE
- MGAVRTCL
- MGAVRTCL.EXE
- MGAVRTE
- MGAVRTE.EXE
- MGHTML
- MGHTML.EXE
- MINILOG
- MINILOG.EXE
- Monitor
- MONITOR
- Monitor.exe
- MONITOR.EXE
- MOOLIVE
- MOOLIVE.EXE
- MPFAGENT.EXE
- MPFSERVICE
- MPFSERVICE.exe
- MPFTRAY.EXE
- MWATCH
- MWATCH.exe
- MWATCH.EXE
- NAV Auto-Protect
- NAVAP
- navapsvc
- NAVAPSVC.EXE
- navapsvc.exe
- navapw32
- NAVAPW32
- NAVAPW32.EXE
- NAVENGNAVEX15
- NAVLU32
- NAVLU32.EXE
- Navw32
- NAVW32
- Navw32.exe
- NAVWNT
- NAVWNT.EXE
- NDD32
- NDD32.EXE
- NeoWatchLog
- NeoWatchLog.exe
- NETUTILS
- NETUTILS.EXE
- NISSERV
- NISSERV.EXE
- NISUM
- NISUM.EXE
- NMAIN
- NMAIN.EXE
- NORMIST
- NORMIST.EXE
- notstart
- notstart.exe
- NPROTECT
- NPROTECT.EXE
- npscheck
- npscheck.exe
- NPSSVC
- NPSSVC.EXE
- NSCHED32
- NSCHED32.EXE
- ntrtscan
- ntrtscan.EXE
- NTVDM
- NTVDM.EXE
- NTXconfig
- NTXconfig.exe
- Nui.EXE
- Nupgrade
- Nupgrade.exe
- NVC95
- NVC95.EXE
- NVSVC32
- NWService
- NWService.exe
- NWTOOL16
- NWTOOL16.EXE
- PADMIN
- PADMIN.EXE
- PAVPROXY
- pavproxy
- PAVPROXY.EXE
- pavproxy.exe
- PCCIOMON
- PCCIOMON.EXE
- pccntmon
- pccntmon.EXE
- pccwin97
- pccwin97.EXE
- PCCWIN98
- PCCWIN98.EXE
- pcscan
- pcscan.EXE
- PERSFW
- PERSFW.EXE
- PERSWF
- PERSWF.EXE
- POP3TRAP
- POP3TRAP.EXE
- POPROXY
- POPROXY.EXE
- PORTMONITOR
- PORTMONITOR.EXE
- PROCESSMONITOR
- PROCESSMONITOR.EXE
- PROGRAMAUDITOR
- PROGRAMAUDITOR.EXE
- PVIEW95
- PVIEW95.EXE
- rapapp.exe
- RAV7
- RAV7.EXE
- RAV7WIN
- RAV7WIN.EXE
- REALMON
- REALMON.EXE
- Rescue
- RESCUE
- Rescue.exe
- RESCUE.EXE
- RTVSCN95
- RTVSCN95.EXE
- RULAUNCH
- RULAUNCH.EXE
- sbserv
- sbserv.exe
- SCAN32
- SCAN32.EXE
- SCRSCAN
- SCRSCAN.EXE
- Smc
- SMC.EXE
- Sphinx
- SPHINX
- Sphinx.exe
- SPHINX.EXE
- SPYXX
- SPYXX.EXE
- SS3EDIT
- SS3EDIT.EXE
- SWEEP95
- SWEEP95.EXE
- SweepNet
- SWEEPSRV.SYS
- SWNETSUP
- SWNETSUP.EXE
- SymProxySvc
- SymProxySvc.exe
- SYMTRAY
- SYMTRAY.EXE
- TAUMON
- TAUMON.EXE
- TC.EXE
- TCA
- TCA.EXE
- TCM
- TCM.EXE
- TDS-3
- TDS-3.EXE
- TFAK
- TFAK.EXE
- vbcmserv
- vbcmserv.exe
- VbCons
- VbCons.exe
- VET32
- VET32.exe
- VET32.EXE
- Vet95
- VET95
- Vet95.exe
- VET95.EXE
- VetTray
- VETTRAY
- VetTray.exe
- VETTRAY.EXE
- VIR-HELP
- VIR-HELP.EXE
- VPC32
- VPC32.EXE
- VPTRAY
- VPTRAY.EXE
- VSCHED
- VSCHED.EXE
- VSECOMR
- VSECOMR.EXE
- vshwin32
- VSHWIN32
- VSHWIN32.EXE
- VSMAIN
- VSMAIN.EXE
- vsmon
- vsmon.exe
- VSMON.EXE
- VSSTAT
- VSSTAT.EXE
- WATCHDOG
- WATCHDOG.EXE
- WEBSCANX
- WEBSCANX.EXE
- WEBTRAP
- WEBTRAP.EXE
- WGFE95
- WGFE95.EXE
- WIMMUN32
- WIMMUN32.EXE
- WrAdmin
- WRADMIN
- WrAdmin.exe
- WRADMIN.EXE
- WrCtrl
- WRCTRL
- WrCtrl.exe
- WRCTRL.EXE
- zapro
- zapro.exe
- zonealarm
- zonealarm.exe
- WINSERVICES
- TCPSVS32
- NAV32_LOADER
- WINGATE.EXE
- SYSHELP.EXE
- WINMGM32.EXE
- WINK
- AAAA
- Performs a denial-of-service (DoS) attack against certain
predetermined and random hosts on ports 135, 139 and 445.
- If the folder %Windir%\INETPUB\WWWROOT exists, overwrites every
file with the extension .htm or .html that it finds with the
following text:
Ha..Ha..Haaa...
- Scans all fixed and remote drives and all shared folders and
attempts to do the following:
- Copy itself as MCCP32.EXE to the following folders:
- \WINDOWS
- \WIN98
- \WIN95
- \WINNT
- \WINME
- \WINXP
- Add the following line to the [WINDOWS] section of the file
\Windows\Win.ini, if it finds it:
Run=MCCP32.EXE
- Look up the location of the Kazaa shared folder in the registry
and perform the following actions:
- Rename any .exe, .com or .scr file in this folder whose size is
greater than or equal to the worm's to .mp3.
- Copy itself under the original file name it has just removed.
- Append "00" bytes to the end of each copy until it has the same
size as the file it replaces.
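The three steps above leave a recognisable trace in the shared folder: an .mp3 with the same stem and the same size as an executable whose tail is a long run of zero bytes. The following is an added example, not part of the original advisory, that looks for that pairing; the sample folder, file names, sizes and the MIN_PAD threshold are constructed assumptions.

```python
"""Spot the Kazaa share-poisoning pattern this advisory describes: an original
.exe/.com/.scr renamed to .mp3 beside a worm copy under the original name,
padded with 0x00 bytes to the original's size. Added example, not from the
original advisory; sample data and the MIN_PAD threshold are constructed."""
import tempfile
from pathlib import Path

TARGET_EXTS = {".exe", ".com", ".scr"}
MIN_PAD = 64            # assumed: a genuine PE rarely ends in a run of 64+ zero bytes


def trailing_zero_run(path):
    """Count the 0x00 bytes at the very end of a file."""
    data = Path(path).read_bytes()
    return len(data) - len(data.rstrip(b"\x00"))


def find_padded_impostors(share):
    """Return (executable, renamed_original) name pairs matching the pattern."""
    hits = []
    for exe in sorted(Path(share).iterdir()):
        if exe.suffix.lower() not in TARGET_EXTS:
            continue
        renamed = exe.with_suffix(".mp3")
        if not renamed.is_file():
            continue
        # The worm pads its copy to the original's size, so the two files match
        # in size and the executable ends in a long zero run. An unrelated .mp3
        # that merely shares a stem but differs in size is not flagged.
        if (exe.stat().st_size == renamed.stat().st_size
                and trailing_zero_run(exe) >= MIN_PAD):
            hits.append((exe.name, renamed.name))
    return hits


def build_sample_share():
    """Create a temporary folder reproducing the pattern plus benign files."""
    share = Path(tempfile.mkdtemp(prefix="kazaa_share_"))
    worm = b"MZ" + b"\x90" * 200                     # stand-in worm body, 202 bytes
    original = b"MZ" + bytes(range(256)) * 4        # 1026 bytes, larger than the worm
    (share / "setup.mp3").write_bytes(original)                   # renamed original
    (share / "setup.exe").write_bytes(worm.ljust(len(original), b"\x00"))  # padded copy
    (share / "player.exe").write_bytes(original)                  # untouched executable
    (share / "demo.scr").write_bytes(original)                    # has an unrelated .mp3
    (share / "demo.mp3").write_bytes(b"ID3" + b"\x01" * 300)       # of a different size
    return share


if __name__ == "__main__":
    for exe, mp3 in find_padded_impostors(build_sample_share()):
        print("padded impostor:", exe, "original renamed to:", mp3)
```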
E-mail routine details
The worm uses its own SMTP engine to mail itself to all contacts in
the Windows, MSN and Windows Messenger, Yahoo Messenger and ICQ
address books, as well as to the addresses it finds in files with
the .ht* extension. It tries to use the infected computer's default
SMTP server and, if it cannot, falls back to one from the list
embedded in its code. The message it sends can be one of the
following:
Subject: Fw: Critical Patches
Attachment: MS-Q3946.EXE
Message:
Hi,
I got this mail from Microsot support. Atlast Microsoft has got a
comprehensive patch
for all the vulnerabilities. Once this patch is applied, it takes
care of all the recent virus problems
in Microsoft products.
Later....
Microsoft support wrote:
>Thanks for using Microsoft products. Recent viruses have
prompted micrsoft to issue patches
>to all its customers worldwide.
>
>We are including a comprehensive patch for all windows
platforms. This patch gives you
>comprehensive protection against all recent viruses.
>
>Yours sincerely,
>Kelly
>Team Support
>Microsoft Inc
Subject: Hi check your computer with this!!!
Attachment: FixBlast.com
Message:
Hi,
I am cutting and pasting the message i got from symantec antivirus
I think the last mail you sent me was infected with W32.Blaster.
Rgds
Dear customer,
We are enclosing Fix for both Welcha and Blaster worms as per your
request.
Step by Step Instructions for Cleaning W32.Blaster/W32.Welcha
Worms:
1. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop
2. To check the authenticity of the digital signature, refer to
the section, "Digital signature."
3. Close all the running programs before running the tool.
4. If you are running Windows XP, then disable System Restore.
Refer to the section, "System Restore option in Windows
Me/XP," for additional details.
In case of any clarifications please do not hesitate to contact
us.
Best Regards,
Neil Thomas
Symantec Support
Subject: Your previous message is infected
Attachment: FixBlast.com
Message:
Hi,
Your previous mail to me is infected with Blaster.
I am attaching the tool i got from symantec site please clean your
machine with the same.
Best Rgds,
Subject: Fix for New Worm Threat
Attachment: FixBlastz.com
Message:
Hi,
I got this mail from Mcafee Antivirus Support. There is a new
variant of W32.Blaster worm.
I got a special fix today in the early hours, please check your
machine with the attached tool.
I have also cut and pasted the steps for cleaning.
Rgds
Dear customer,
We are enclosing Fix for W32.Blaster.Z as per your request.
Step by Step Instructions for Cleaning W32.Blaster.Z
1. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop
2. To check the authenticity of the digital signature, refer to
the section, "Digital signature."
3. Close all the running programs before running the tool.
4. If you are running Windows XP, then disable System Restore.
Refer to the section, "System Restore option in Windows
Me/XP," for additional details.
In case of any clarifications please do not hesitate to contact
us.
Best Regards,
Jerry Nelson
McAfee Support
From: Microsoft Support
Subject: Critical Updates
Attachment: MS-Q3526.com
Message:
Dear Customer,
Thanks for using Microsoft products. Recent viruses have prompted
micrsoft to issue patches
to all its customers worldwide.
We are including a comprehensive patch for all windows platforms.
This patch gives you
comprehensive protection against all recent viruses.
Yours sincerely,
JimThompson
Team Support
Microsoft Inc
person who registers
with us through your account, we will pay you $1.5.Once your
account reaches
the limit of $50, your payment will be send to your registration
address by
check or draft.
Please note that the registration process is completely free which
means
by participating in this program you will only gain without
loosing anything.
Best Regards,
Admin,
From: Symantec Support
Subject: Fix for W32.Blaster/Welcha
Attachment: FixBlast.com
Message:
Dear customer,
We are enclosing Fix for both Welcha and Blaster worms as per your
request.
Step by Step Instructions for Cleaning W32.Blaster/W32.Welcha
Worms:
1. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop
(or removable media that is known to be uninfected, if possible).
2. To check the authenticity of the digital signature, refer to
the section, "Digital signature."
3. Close all the running programs before running the tool.
4. If you are running Windows XP, then disable System Restore.
Refer to the section, "System Restore option in Windows
Me/XP," for additional details.
In case of any clarifications please do not hesitate to contact
us.
Best Regards,
Neil Thomas
Symantec Support
From: Mcafee Support
Subject: Fix for the latest W32/Blaster.Z
Attachment: Fixblastz.com
Message:
Dear customer,
We are enclosing Fix for W32.Blaster.Z as per your request.
Step by Step Instructions for Cleaning W32.Blaster.Z
1. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop
(or removable media that is known to be uninfected, if possible).
2. To check the authenticity of the digital signature, refer to
the section, "Digital signature."
3. Close all the running programs before running the tool.
4. If you are running Windows XP, then disable System Restore.
Refer to the section, "System Restore option in Windows
Me/XP," for additional details.
In case of any clarifications please do not hesitate to contact
us.
Best Regards,
Jerry Nelson
McAfee Support
From: Microsoft Support
Subject: Critical Patches
Attachment: MS-Q31338.ZIP (a zip file that contains a copy of the worm)
Message:
Dear Customer,
Thanks for using Microsoft products. Recent viruses have prompted
micrsoft to issue patches
to all its customers worldwide.
We are including a comprehensive patch for all windows platforms.
This patch gives you
comprehensive protection against all recent viruses.
Yours sincerely,.
JimThompson
Team Support
Microsoft Inc
From: System Administrator
Subject: Fix for recent viruses
Attachment: FIXES.ZIP (a zip file that contains a copy of the worm)
Message:
Hi All,
I am sending these fixes to the recent viruses which have been
making rounds in the IT world.
I request you to install the same in your systems and pass it to
others.
Yours sincerely,
James
System Administrator
KPMG
From: HRD Consultants
Subject: Your details
Attachment: Requirement.zip (a zip file that contains a copy of the worm)
Message:
Hi,
We have your email id in our database. We have enclosed our
requirements.
Expecting your reply at the earliest.
Kind Rgds,
James Martin
From: Symantec Support
Subject: Fix for W32.Blaster/W32.Welcha
Attachment: FixBlast.zip (a zip file that contains a copy of the worm)
Message:
Dear customer,
We are enclosing Fix for both Welcha and Blaster worms as per your
request.
Step by Step Instructions for Cleaning W32.Blaster/W32.Welcha
Worms:
1. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop
(or removable media that is known to be uninfected, if possible).
Extract from the zip file.
2. To check the authenticity of the digital signature, refer to
the section, "Digital signature"
3. Close all the running programs before running the tool.
4. If you are running Windows XP, then disable System Restore.
Refer to the section, "System Restore option in Windows
Me/XP," for additional details.
In case of any clarifications please do not hesitate to contact
us.
Best Regards,
Keith Johnson
Symantec Support
From: McAfee Support
Subject: Fix for latest W32.Blaster.Zworm
Attachment: FixBlastz.zip (a zip file that contains a copy of the worm)
Message:
Dear customer,
We are enclosing Fix for W32.Blaster.Z as per your request.
Step by Step Instructions for Cleaning W32.Blaster.Z
1. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop
(or removable media that is known to be uninfected, if possible).
2. To check the authenticity of the digital signature, refer to
the section, "Digital signature"
3. Close all the running programs before running the tool.
4. If you are running Windows XP, then disable System Restore.
Refer to the section, "System Restore option in Windows
Me/XP," for additional details.
In case of any clarifications please do not hesitate to contact
us.
Best Regards,
Richard
McAfee Support
From: Support eEye
Subject: Microsoft RPC still vulnerable - Latest worm
Attachment: RPCDCOM.ZIP (a zip file that contains a copy of the worm)
Message:
Microsoft RPC Heap Corruption Vulnerability - Part II
Severity:
High (Remote Code Execution).
Description:
eEye Digital Security has discovered a critical remote
vulnerability in the way Microsoft
Windows handles certain RPC requests.The RPC (Remote Procedure
Call) protocol provides
an inter-process communication mechanism allowing a program
running on one computer to execute code on a remote system. '
The vulnerability
exists within the DCOM (Distributed Component Object Model) RPC
interface. This interface handles
DCOM object activation requests sent by client machines to the
server. By sending a malformed
request packet it is possible to overwrite various heap structures
and allow the execution of
arbitrary code.
Please install the attached patch immediately.
Subject: Details.
Attachment: details.pif (a zip file that contains a copy of the worm)
Message:
Hi,
See the attached file for details.
Rgds
Subject: Thank you
Attachment: thankyou.zip (a zip file that contains a copy of the worm)
Message:
Please see the attached file for details
Rgds
Subject: Your document
Attachment: your_documents.zip (a zip file that contains a copy of the worm)
Message:
See the attached file for your documents
Rgds
Subject: Your application
Attachment: application.zip (a zip file that contains a copy of the worm)
Message:
Please see the attached file for applicaion details.
Rgds
Subject: Wicked Screen Saver
Attachment: wickedsaver.zip (a zip file that contains a copy of the worm)
Message:
Hi,
This is the most wicked screen saver i have ever seen.Enjoy!!!'
Rgds
Subject: Naughty Movie Clip
Attachment: movie3498.zip (a zip file that contains a copy of the worm)
Message:
Hi,
This is an interesting movie clip. You will enjoy it.
Rgds
Subject: Hi check your computer with this!!!
Attachment: FixBlast.zip (a zip file that contains a copy of the worm)
Message:
Hi,
I am cutting and pasting the message i got from symantec antivirus
I think the last mail you sent me was infected with W32.Blaster.
Bye
Dear customer,
We are enclosing Fix for both Welcha and Blaster worms as per your
request.
Step by Step Instructions for Cleaning W32.Blaster/W32.Welcha
Worms:
1. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop
2. To check the authenticity of the digital signature, refer to
the section, "Digital signature."
3. Close all the running programs before running the tool.
4. If you are running Windows XP, then disable System Restore.
In case of any clarifications please do not hesitate to contact
us.
Best Regards,
Neil Thomas
Symantec Support
Subject: I got an infected mail from you
Attachment: FixBlast.zip (a zip file that contains a copy of the worm)
Message:
Hi,
Your previous mail to me is infected with Blaster.
I am attaching the tool i got from symantec site please clean your
machine with the same.
Best Rgds,
Subject: Fix for New Worm Threat.
Attachment: FixBlastz.zip (a zip file that contains a copy of the worm)
Message:
Hi,
I got this mail from Mcafee Antivirus Support. There is a new
variant of W32.Blaster worm.
I got a special fix today in the early hours, please check your
machine with the attached tool.
I have also cut and pasted the steps for cleaning.
Rgds
Solution:
- If you use Windows Me or XP and know when the infection occurred,
you can use the System Restore feature to remove the virus by
returning to a restore point prior to the infection. (Note that this
undoes the Windows configuration changes and removes all executable
files created or downloaded since the date of the restore point.)
If this is not possible or does not work, it is advisable to
temporarily disable System Restore before removing the virus by
other means, since a backup copy of the virus may have been created.
If you need help, see how to disable System Restore in Windows Me
and how to disable System Restore in Windows XP.
- With an up-to-date antivirus, locate every copy of the virus on
your PC's hard disk. If you do not have an antivirus, visit our
free antivirus page. Repair or delete the infected file.
If the antivirus cannot repair the infection or delete the files,
this may be because the file is in use while the virus is running
(resident in memory).
Note: antivirus products often report that they 'cannot repair a
file' in the case of worms or Trojans because there is nothing to
repair; the file simply has to be deleted.
- If the virus file cannot be deleted, you must terminate the
running virus process manually. Open the Task Manager (press
Ctrl+Shift+Esc). In Windows 98/Me, select the process name and stop
it. In Windows 2000/XP, on the 'Processes' tab, right-click the
process and select 'End Process'. Then try deleting or repairing the
file again.
- Next, edit the registry to undo the changes made by the virus. If
you need information on how to edit the registry, see this registry
editing guide or this help video illustrating the process. Be
extremely careful when handling the registry: modifying certain keys
incorrectly can leave the system unusable.
Before repairing the registry you must re-enable the registry editing
tools. To do this, click Start, Run, type notepad in the dialog box
that appears and press "OK".
Copy the following text into the Notepad window:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" %*"
Save this file, for example as c:\repair.reg. Click Start, Run, type
regedit -s c:\repair.reg (or wherever you saved the file) and press
the OK button.
Delete the following value:
"MsManager"="%System%\msmgr32.exe"
from the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
Delete the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RedWorm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Winver
HKEY_LOCAL_MACHINE\Winver
- Restart your computer and scan the entire hard disk with an
antivirus to make sure the virus has been removed. If you disabled
System Restore, remember to re-enable it.
Source: red.es