RE: ALERT!
On Fri, 5 May 2000, Mark van Hornsveld wrote:
> Can you explain in simple terms what Registry entries it does
> change/add/delete?
sure...
The following files must be deleted.
MSKernel32.vbs in the Windows System directory
Win32DLL.vbs in the Windows directory
LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory
WinFAT32.EXE in the Internet download directory
WIN-BUGSFIX.EXE in the Internet download directory
script.ini in the mIRC directory
you can check to see if it's running by starting TaskManager
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=C:\WINDOWS\Win32DLL.vbs
The worm replaces the following files :-
*.JPG
*.JPEG
*.MP3
*.MP2
with copies of itself and it adds the extension .VBS to the original
filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
contain the worm.
The worm also overwrites the following files :-
*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA
with copies of itself and renames the files to *.VBS.
there's also this other key you should look for... it does things with
your passwords (hands them out)
The password stealing trojan is also installed via the following registry
key :-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
to auto run at system start-up.
After it has been run the password stealing trojan copies itself to
WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE
i hope this helps. i guess you know what it does to the email
system... since that's how the idiot thing propagates...
> I saw the script at the customer site I was working at yesterday but I
> know not enough of vbscript (nothing actually) to exactly understand
> what it all does.
>
> Mark
it does nasty things to your Microsloppy stuff... ('ray for Linux!)
hm. that's all.
rhys
--
If I'm feigning coherence and calmness, laugh with me. If I'm Drowning,
Over The Rhine
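A small triage helper that encodes the indicators listed in the message above (the Run/RunServices values, the dropped files, and the PICT.JPG -> PICT.JPG.VBS replacement pattern). This is an added example, not code from the original post; the registry values and file listing it checks are constructed samples, and on a real host you would feed it the exported Run keys and a directory listing instead.

```python
"""Flag ILOVEYOU persistence entries and replaced media files (added example)."""
import ntpath
import re

# Run/RunServices value names and the file each one points to, per the post.
PERSISTENCE_VALUES = {
    "mskernel32": "mskernel32.vbs",
    "win32dll": "win32dll.vbs",
    "win-bugsfix": "win-bugsfix.exe",
    "winfat32": "winfat32.exe",
}

# Files the post says are dropped (script.ini is left out: it is only
# suspicious inside the mIRC directory, so matching it by name alone would
# produce false positives).
DROPPED_FILES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "winfat32.exe", "win-bugsfix.exe",
}

# A media file replaced by the worm keeps its name and gains ".VBS":
# PICT.JPG becomes PICT.JPG.VBS (same for .JPEG, .MP3, .MP2).
REPLACED_MEDIA = re.compile(r"\.(jpe?g|mp[23])\.vbs$", re.IGNORECASE)


def flag_run_values(run_values):
    """run_values: {value_name: data} merged from the Run and RunServices keys.
    Returns only the entries whose name AND target match the worm's persistence."""
    hits = {}
    for name, data in run_values.items():
        expected = PERSISTENCE_VALUES.get(name.lower())
        if expected and ntpath.basename(data).lower() == expected:
            hits[name] = data
    return hits


def flag_files(filenames):
    """Returns (dropped worm files, media files replaced by the worm)."""
    dropped = sorted(f for f in filenames if f.lower() in DROPPED_FILES)
    replaced = sorted(f for f in filenames if REPLACED_MEDIA.search(f))
    return dropped, replaced


# Constructed sample data: three worm entries plus one benign autostart value.
SAMPLE_RUN = {
    "MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    "Win32DLL": r"C:\WINDOWS\Win32DLL.vbs",
    "WinFAT32": "WinFAT32.EXE",
    "SystemTray": "SysTray.Exe",
}
SAMPLE_FILES = ["PICT.JPG.VBS", "holiday.mp3.vbs", "notes.txt", "song.MP3",
                "LOVE-LETTER-FOR-YOU.TXT.vbs"]

if __name__ == "__main__":
    print(flag_run_values(SAMPLE_RUN))
    print(flag_files(SAMPLE_FILES))
```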