Message 2638
Subject: [debunker] virus warning
Date: Wednesday, 28 November 2001 09:58:29 (-0600)
Author: LÚSAR <lusar @.......com>
In reply to: Message 2637 (written by Juan Antonio)

W32/Badtrans@MM Help Center
Description - What virus is this?
A new variant of Badtrans has been discovered, referred to as Badtrans.b. AVERT has raised the Risk Assessment on this variant of W32/Badtrans@MM to High Risk for Consumers. We have received many reports from the home users that they have become infected. It is believed that failure to update recently has caused this increase in occurrence.

VirusScan and other McAfee products with DAT files 4172 and higher are protected from this variant.

W32/Badtrans@MM is a mass-mailing worm that drops a remote-access Trojan. The virus arrives via email in Microsoft Outlook and attempts to send itself by replying to unread email messages. The email may contain the text "Take a look to the attachment" in the message body and will contain an attachment that is 13,312 bytes in length. The attachment name is created from three sections.

The first part is chosen from the possibilities:

fun
Humor
docs
info
Sorry_about_yesterday
Me_nude
Card
SETUP
stuff
YOU_are_FAT!
HAMSTER
news_doc
New_Napster_Site
README
images
Pics

The second part is chosen from the possibilities:

.DOC.
.MP3.
.ZIP.

and the last part from the possibilities:

pif
scr

This new variant also uses the iframe exploit and incorrect MIME header to run automatically on unpatched systems. See Microsoft Security Bulletin (MS01-020) for more information and a patch.

Payload - What can this virus do?
If the attachment is opened, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor Trojan), and HKSDLL.DLL (a valid keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the Trojan upon system startup.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

Once running, the Trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames, and passwords. In addition, the Trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.

DETECTION AND REMOVAL - How can I detect and remove this virus?
McAfee.com VirusScan and Clinic users, click here to update ActiveShield.
Retail McAfee VirusScan users, click here to get the latest DAT file.

Scan Your System for Infected Files
  1. McAfee.com VirusScan Online and Clinic users, click here to perform a Scan.
  2. If W32/Badtrans@MM is found, use the delete option to remove it.
Please select the applicable operating system for further removal instructions:
----- Original Message -----
Sent: Tuesday, November 27, 2001 7:26 PM
Subject: RE: [debunker] virus warning

I have it too; maybe it got in through here
----- Original Message -----
 
I don't know how it got in, but when running the daily check my antivirus found W32/Badtrans.B



--------------------------------------------------------------------- 
To unsubscribe, send a message to: debunker-baja@eListas.net 
For help, visit http://www.eListas.net/lista/debunker 
Archive available at http://www.eListas.net/lista/debunker/archivo 
debunker is the official list of http://www.ciberesceptico.org
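
An added example (not part of the original message or of the advisory it quotes): a mail-gateway style check in Python that flags attachments matching the three-part name scheme and the 13,312-byte size given in the advisory. The function names, the generic double-extension rule and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Name parts and attachment size exactly as listed in the advisory above.
FIRST = ["fun", "Humor", "docs", "info", "Sorry_about_yesterday", "Me_nude",
         "Card", "SETUP", "stuff", "YOU_are_FAT!", "HAMSTER", "news_doc",
         "New_Napster_Site", "README", "images", "Pics"]
NAME_RE = re.compile(
    r"^(?:%s)\.(?:DOC|MP3|ZIP)\.(?:pif|scr)$" % "|".join(map(re.escape, FIRST)),
    re.IGNORECASE)
# Generalisation (assumption): any short extension followed by .pif/.scr.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(?:pif|scr)$", re.IGNORECASE)
SIZE = 13312  # bytes; a weak signal on its own, useful alongside a name hit

def score_attachment(filename, payload):
    """Return the list of advisory indicators this attachment matches."""
    hits = []
    if NAME_RE.match(filename or ""):
        hits.append("badtrans_name")
    elif DOUBLE_EXT_RE.search(filename or ""):
        hits.append("double_extension")
    if len(payload) == SIZE:
        hits.append("size_13312")
    return hits

def scan_message(raw):
    """Map each attachment name in a raw message to its indicator hits."""
    msg = message_from_bytes(raw)
    results = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            results[name] = score_attachment(name, part.get_payload(decode=True) or b"")
    return results

def build_sample(filename, size):
    """Constructed test message carrying a harmless all-zero attachment."""
    m = EmailMessage()
    m["Subject"] = "Re: test"
    m.set_content("Take a look to the attachment")
    m.add_attachment(bytes(size), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn, sz in [("Pics.ZIP.scr", 13312), ("invoice.pdf.pif", 2048), ("notes.txt", 100)]:
        print(scan_message(build_sample(fn, sz)))
```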