heh.pl
Heh.pl news feed


Thursday, 28 March 2024



Topic

A 'virus' that I can't locate!


217.75.5.* wrote:
Hi,
I have Norton AntiVirus installed (Auto-Protect runs in the background) and it showed me
two strange messages:
http://republika.pl/temp_ftp/wirus.jpg
http://republika.pl/temp_ftp/wirus2.jpg
I can't physically find these files on the disk.

I scanned the system drive with Norton, it found nothing. I went through the
background processes with HijackThis; it detected only one suspicious process:
O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) -
www.lemontv.pl/lmctrlp.cab
I deleted all references to it in the registry, on the disk etc.
Apart from that I found nothing suspicious!

80.55.178.* wrote:
Hi. I used to use Norton. I gave it up because it didn't detect many viruses. I recommend NOD32 or eScan. Many of my friends use Avast.

I found a note on BitDefender's site (in English) about the VBS.LoveLetter.A virus:

http://www.bitdefender.pl/index.php?m=1&id=1&tab=1&vid=255&PHPSESSID=9dbd29484c2841cefef34851438b5520

The virus spreads via e-mail.

2) http://www.ciac.org/ciac/bulletins/k-039.shtml
3) http://vil.nai.com/vil/content/v_98617.htm

QUOTE

VBS.LoveLetter.A

The following was sent out to ISP customers from Emirates.net.ae

"VBS.LoveLetter.A is an email worm, mIRC worm, and a file infector. VBS.LoveLetter.A will use Microsoft Outlook and email itself out as an attachment with the above subject line and attachment name. The body of the message will be "kindly check the attached LOVELETTER coming from me". The virus will also infect files with the following extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, and mp2

The virus will insert the following files:
- MSKernel32.vbs in the Windows System directory;
- Win32DLL.vbs in the Windows directory;
- LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory;
- WinFAT32.EXE in the Internet download directory;
- WIN-BUGSFIX.EXE in the Internet download directory;
- script.ini in the mIRC directory

More information is available from various anti-virus vendor websites:

* http://www.f-secure.com/download-purchase/updates.html
* http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
* http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
* http://www.ca.com/virusinfo/virusalert.htm
* http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
* http://www.sophos.com/virusinfo/analyses/trojloveleta.html
* http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER-O
* http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
* http://www.pspl.com/virus_info/worms/loveletter.htm
* http://www.aks.com/home/csrt/valerts.asp
* http://www.mcafee.com


- change your antivirus
- scan the system again, but with a different antivirus

****ADDED****

While looking for an answer to your question I happened to come across some virus. Luckily I have NOD, so it was detected right away.

194.29.181.* wrote:
Databases, gentlemen, download new databases from the net as soon as they come out.

80.55.178.* wrote:

QUOTE
Databases, gentlemen, download new databases from the net as soon as they come out.


When there are new virus databases, NOD32 downloads them by itself. Automatic update :)

217.75.5.* wrote:
I scanned the whole disk with the MKS online scanner; it found some trojan in a tmp file in my folder under Documents and Settings.

80.55.178.* wrote:
Also try BitDefender's online scanner:
http://www.bitdefender.pl/
(on the left side [below the menu] there is SCAN ONLINE new)

I haven't tried this scanner, because I happen to be on Linux and you need IE for this scan.
As I said at the beginning, try NOD32 - http://www.nod32.pl/download/ --> at the very bottom: Trial Versions

217.75.5.* wrote:
after scanning the disk with MKS, the NAV message about the trojan appeared once again; scanning with BitDefender also showed nothing,
ugh, what the f*** is sitting in there?!

80.55.178.* wrote:
If you know English, here's a recipe for removing the virus:

QUOTE

LoveLetter Removal

The files MSKernel32.vbs and Win32DLL.vbs, which include the virus, have to be deleted, the infected files have to be deleted from the hard disk and the registry keys added by the virus have to be deleted also. Usually, these keys allow the virus to run every time the system is started and they are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\MSKernel32 and RunServices\Win32DLL

The executable WIN-BUGSFIX.exe must also be deleted from the download directory together with the registry key:
HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.

In addition, the file script.ini will also have to be deleted from the mIRC directory.


PS: If something happens to your computer after deleting these files and modifying the registry, I take no responsibility for your computer. --> just for the record :P

****ADDED****

I found an even more extensive set of instructions for removing this virus:

QUOTE
FREE REMOVAL TOOL : N/A
SYMPTOMS:
-instead of every vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2 file there is a copy of the virus,
with the same name as the original file and the .vbs extension.
-when opening Internet Explorer, this will try to automatically download the WIN-BUGSFIX.exe file.
-The key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32" has the value
"%dirsystem%\MSKernel32.vbs"
and the key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL" the value
"%dirwin%\Win32DLL.vbs"

where %dirsystem% is C:\Windows\System or C:\Winnt\System32 and
%dirwin% is C:\Windows or C:\Winnt .
TECHNICAL DESCRIPTION:
VBS.LoveLetter.A is an Internet worm using the Outlook Address Book to spread itself.
It is extremely aggressive when spreading in the network.

Once the attachment is executed, the virus copies itself in three files on the system,
"MSKernel32.vbs" and "LOVE-LETTER-FOR-YOU.TXT.vbs" in system folder ("C:\Windows\System" or "C:\Winnt\System32")
and "Win32DLL.vbs" in windows folder ("C:\Windows" or "C:\Winnt")

At the same time, the system registry is modified so that two of these files are executed every time the system starts:
The key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32\" with the value
"%dirsystem%\MSKernel32.vbs"
and the key:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL" the value
"%dirwin%\Win32DLL.vbs"

where %dirsystem% is C:\Windows\System or C:\Winnt\System32 and
%dirwin% is C:\Windows or C:\Winnt .

If there is no WinFAT32.exe file in the system directory, the virus automatically sets the key

"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page\" (the homepage for Internet Explorer)
to be one of the following:

"http://www.skyinet.net/~young1s/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~angelcat/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~koichi/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~chu/.../WIN-BUGSFIX.exe"



Thus, when opening Internet Explorer, this will try to automatically download the WIN-BUGSFIX.exe file,
which will be executed when the system is restarted.

In order to do that it writes the registry key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX\"
with the value "%downloaddirectory%\WIN-BUGSFIX.exe" where %downloaddirectory% is the folder found in the registry keys
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory".

VBS.LoveLetter.A searches in the system and on the mapped drives inside the network, all files with the
vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2 extensions, overwriting them into .vbs files.
At the same time, VBS.LoveLetter.A creates a file LOVE-LETTER-FOR-YOU.HTM in the system directory
and a file "script.ini" in the mIRC directory (if it exists) in order to send the html file, which includes the virus,
through mIRC to mIRC users who entered the same chat room.

The LOVE-LETTER-FOR-YOU.HTM file includes the VBS form of the virus that infects the system if the user allows
ActiveX elements from HTML pages.

It also spreads itself to all the contacts in the Outlook Address Book. The mail format is:
Subject: "ILOVEYOU"
Body: "kindly check the attached LOVELETTER coming from me."
Attachment: a copy of the virus, the file "LOVE-LETTER-FOR-YOU.TXT.vbs"
REMOVAL INSTRUCTIONS:
If you don't have BitDefender installed click here to download an evaluation version.

1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the Windows registry:

Please make sure to modify only the values that are specified. It is also recommended to backup the Windows Registry before proceeding with these changes.
a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete the following keys:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"


3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with VBS.LoveLetter.A

4. In addition, the file script.ini will also have to be deleted from the mIRC directory.


There is one more online scanner: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
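A detection check for the persistence indicators in the quoted writeup, written here as an added example (not code from the forum, from BitDefender or from any other vendor). It parses `reg export`-style .reg text and a file listing, both constructed inline, and reports the autorun values and doubled-extension files the writeup names; the key paths and file names are those quoted above, while the sample export and paths are made up.

```python
import re
# Autorun values the writeup attributes to the worm: (key suffix, value name, file the data should end with)
LOVELETTER_AUTORUNS = ((r"currentversion\run", "mskernel32", "mskernel32.vbs"),
                       (r"currentversion\runservices", "win32dll", "win32dll.vbs"),
                       (r"currentversion\run", "win-bugsfix", "win-bugsfix.exe"))
# Files the writeup says the worm drops (script.ini is left out: mIRC uses that name legitimately)
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
                 "love-letter-for-you.htm", "win-bugsfix.exe"}
# An original extension followed by .vbs is the overwritten copy the writeup describes
DOUBLED_EXT = re.compile(r"\.(vbs|vbe|js|jse|css|wsh|sct|hta|jpg|jpeg|mp3|mp2)\.vbs$", re.I)
def parse_reg_export(text):
    """Parse the [KEY] and "name"="data" lines of a .reg export into {key: {name: data}}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape each backslash in string data as \\
                entries[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def find_loveletter_indicators(reg_text, file_names):
    """Return sorted (kind, detail) findings for the indicators named in the writeup."""
    findings = set()
    for key, values in parse_reg_export(reg_text).items():
        for suffix, name, expected in LOVELETTER_AUTORUNS:
            if key.lower().endswith(suffix):
                for vname, data in values.items():
                    if vname.lower() == name and data.lower().endswith(expected):
                        findings.add(("autorun", f"{key}\\{vname} = {data}"))
    for path in file_names:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() in DROPPED_FILES:
            findings.add(("dropped_file", path))
        elif DOUBLED_EXT.search(base):
            findings.add(("overwritten_copy", path))
    return sorted(findings)
# Constructed sample input (not a real export): one legitimate entry beside the three worm entries
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WINDOWS\\Desktop\\WIN-BUGSFIX.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
'''
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\My Documents\photo.jpg.vbs", r"C:\mirc\script.ini"]
```

On a real machine the two inputs would come from `reg export` of the Run and RunServices keys and a recursive directory listing; `find_loveletter_indicators(SAMPLE_REG, SAMPLE_FILES)` reports the three autorun values, the dropped MSKernel32.vbs and the overwritten photo.jpg.vbs, and ignores the legitimate SystemTray entry and script.ini.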

Copyright © 2002-2024