
RE: ALERT!



On Fri, 5 May 2000, Mark van Hornsveld wrote:

> Can you explain in simple terms what Registry entries it does
> change/add/delete?

sure... 


The following files must be deleted.

MSKernel32.vbs in the Windows System directory
Win32DLL.vbs in the Windows directory
LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory
WinFAT32.EXE in the Internet download directory
WIN-BUGSFIX.EXE in the Internet download directory
script.ini in the mIRC directory


you can check to see if it's running by starting TaskManager

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=C:\WINDOWS\Win32DLL.vbs
                                  
The worm replaces the following files :-

*.JPG
*.JPEG
*.MP3
*.MP2

with copies of itself and it adds the extension .VBS to the original
filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
contain the worm.

The worm also overwrites the following files :-

*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT  
*.HTA

with copies of itself and renames the files to *.VBS.

there's also this other key you should look for... it does things with
your passwords (hands them out)

The password stealing trojan is also installed via the following registry
key :-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to auto run at system start-up.

After it has been run the password stealing trojan copies itself to
WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE

i hope this helps. i guess you know what it does to the email
system... since that's how the idiot thing propagates...

> I saw the script at the customer site I was working at yesterday but I
> know not enough of vbscript (nothing actually) to exactly understand
> what it all does.
> 
> Mark

it does nasty things to your Microsloppy stuff...  ('ray for Linux!)

hm. that's all.

rhys

--
If I'm feigning coherence and calmness, laugh with me. If I'm Drowning,
Over The Rhine
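The persistence keys and dropped files listed in the message above, turned into a read-only host check that reports what it finds and deletes nothing. This is an added example, not code from the original mail or its author; the download directory and mIRC path are assumptions passed in as parameters, and the RunServices key only exists on Windows 9x, so its absence is reported rather than treated as an error.

```powershell
function Find-LoveLetterArtifacts {
    param(
        # Assumption: the mail's "Internet download directory" is the user's Downloads folder
        [string]$DownloadDir = (Join-Path $env:USERPROFILE 'Downloads'),
        # Assumption: default mIRC install path
        [string]$MircDir = 'C:\mirc'
    )
    $windir   = $env:SystemRoot
    $sysdir   = Join-Path $windir 'System'     # Windows 9x "System" directory named in the mail
    $sysdir32 = Join-Path $windir 'System32'   # its NT-line equivalent
    $findings = @()

    # Registry autorun values named in the mail (worm + WIN-BUGSFIX/WinFAT32 trojan)
    $runKeys = @{
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'         = @('MSKernel32', 'WIN-BUGSFIX', 'WinFAT32')
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices' = @('Win32DLL')
    }
    foreach ($key in $runKeys.Keys) {
        if (-not (Test-Path $key)) { Write-Verbose "$key not present (expected on NT-based Windows)"; continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in $runKeys[$key]) {
            $prop = $item.PSObject.Properties[$name]
            if ($prop) { $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$name"; Detail = $prop.Value } }
        }
    }

    # Dropped files named in the mail, checked in both directory layouts
    $files = @(
        (Join-Path $sysdir 'MSKernel32.vbs'),             (Join-Path $sysdir32 'MSKernel32.vbs'),
        (Join-Path $windir 'Win32DLL.vbs'),
        (Join-Path $sysdir 'LOVE-LETTER-FOR-YOU.TXT.vbs'), (Join-Path $sysdir32 'LOVE-LETTER-FOR-YOU.TXT.vbs'),
        (Join-Path $sysdir 'WinFAT32.EXE'),               (Join-Path $sysdir32 'WinFAT32.EXE'),
        (Join-Path $DownloadDir 'WinFAT32.EXE'),          (Join-Path $DownloadDir 'WIN-BUGSFIX.EXE'),
        (Join-Path $MircDir 'script.ini')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Detail = (Get-Item -LiteralPath $f).Length }
        }
    }

    # Media files the worm replaced and renamed with a doubled extension (PICT.JPG -> PICT.JPG.VBS);
    # the user profile is scanned here, widen the root for a full-disk sweep
    Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Include '*.jpg.vbs', '*.jpeg.vbs', '*.mp3.vbs', '*.mp2.vbs' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += [pscustomobject]@{ Type = 'RenamedFile'; Location = $_.FullName; Detail = $_.Length } }

    return $findings
}

Find-LoveLetterArtifacts -Verbose | Format-Table -AutoSize
```

An empty table means none of the listed indicators were present; a Registry hit with a path pointing at one of the listed .vbs or .EXE files is the strongest signal, since the worm and trojan depend on those values to survive a reboot.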

