Information on some computer viruses
Sections: The new BubbleBoy worm/virus | Melissa virus | PrettyPark | W32/Hybris-B | a hoax?

W32/Hybris-B
February 2001: Our mailbox twice received mails with no sender and no subject, but with an EXE file attached. Naturally we did not run this file. Checking the EXE file showed: infected with the worm W32/Hybris-B.
Memory resident: Yes
This virus modifies WSOCK32.DLL and attempts to email a copy of itself.
First seen in November 2000.
Name: W32/Hybris-B
Type: Win32 worm
Detected by Sophos Anti-Virus January 2001 (3.41) or later. A virus identity (IDE) file is available for earlier versions from the Latest virus identities section. Sophos has received several reports of this worm from the wild. Sophos researchers have released an updated IDE file which detects a minor mutation of the worm.
Comments:
It consists of a base part and a collection of upgradeable components. The components are stored within the worm
When run, the worm infects WSOCK32.DLL. Whenever an email is sent, the worm attempts to send a copy of itself as an attachment to a separate message to the same recipient. Any other behaviour exhibited by the worm is entirely dependent on the set of installed components. The effects of
The text of the email message is determined by one of the installed components, and hence can be changed by the
Consequently the message can have any subject, any message text and any filename for the attached file. A common component of the worm checks the language settings of the computer it has infected, and selects a
English Subject:
Message text:
French Subject:
Message text:
Portuguese Subject:
Message text:
Spanish Subject:
Message text:
The methods for upgrading the worm can also be changed as they are also upgradable components. At the time of writing, two have been seen. One of the upgrading techniques attempts to download the encrypted components from a website which is presumably
The other method involves posting its current plug-ins to the usenet newsgroup alt.comp.virus, and upgrading them from
Another component of the worm searches the PC for .ZIP and .RAR archive files. When it finds one, it searches inside it for a .EXE file, which it renames to .EX$, and then adds a copy of itself to the archive using the original filename. There is a payload component, which on the 24th of September of any year, or at 59 minutes past the hour on
To close the spiral, press Ctrl-Alt-Del to access the Task Manager and select the relevant process and then press the
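The archive component described above leaves a recognisable trace: an archive that contains both NAME.EX$ and NAME.EXE. The following is an added example (not from the original page and not Sophos' tooling) that looks for such pairs in a ZIP archive; only ZIP is handled because the Python standard library has no RAR reader, and the sample archives are constructed in memory.

```python
"""Look inside ZIP archives for the trace the W32/Hybris archive component leaves.

Added example, not part of the original page or of Sophos' tools. The
description above says the component renames an .EXE inside a .ZIP or .RAR
to .EX$ and stores a copy of itself under the original name, so an archive
holding both NAME.EX$ and NAME.EXE deserves a closer look. Only ZIP is
handled here; the sample archives are constructed in memory.
"""
import io
import zipfile


def find_renamed_exe_pairs(zip_bytes):
    """Return sorted (exe_name, ex$_name) pairs whose stems match, case-insensitively."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    by_lower = {n.lower(): n for n in names}
    pairs = []
    for name in names:
        low = name.lower()
        if low.endswith(".ex$"):
            exe = low[:-4] + ".exe"
            if exe in by_lower:
                pairs.append((by_lower[exe], name))
    return sorted(pairs)


def build_sample_archive(tampered):
    """Construct a small ZIP in memory; tampered=True adds the .EX$/.EXE pair."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample archive")
        if tampered:
            # Constructed contents: the renamed original and the file that replaced it.
            zf.writestr("tools/Setup.EX$", b"MZ original program (constructed)")
            zf.writestr("tools/Setup.exe", b"MZ replacement (constructed)")
        else:
            zf.writestr("tools/Setup.exe", b"MZ original program (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_renamed_exe_pairs(build_sample_archive(True)))
    print(find_renamed_exe_pairs(build_sample_archive(False)))
```

A hit only says the naming pattern is present; the .EXE half of the pair still has to be scanned or hashed before any conclusion is drawn.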
From: INTERNET:afro-nets@usa.healthnet.org,
INTERNET:afro-nets@usa.healthnet.org
To: AFRO-NETS, INTERNET:afro-nets@usa.healthnet.org
Date: 12.11.99 19,20
Reply: AFRO-NETS> The new BubbleBoy worm/virus
The new BubbleBoy worm/virus
----------------------------
This is some very authoritative explanation of the new BubbleBoy worms, which shows that for the moment they are not a problem. There is so much hysteria about this; it might be worth saying something to allay people's fears.
Tony Klouda
mailto:anthonyk@aklouda.demon.co.uk
--
Source: Woody's Office Watch (WOW) <http://woodyswatch.com/>
[Excerpts]
You have or will hear a lot about the 'BubbleBoy' virus in the next few days. WOW has the details you need, why you should NOT panic but take some simple precautions.
It's important to remember that while this virus exists it has not been released to the public. So there's no need to worry since the virus isn't on the Internet right now. But the potential for trouble is great.
Up to now we've been able to safely tell you that just receiving an e-mail is safe - only when you open the message to read it can a virus be triggered. It was only a matter of time before someone found a way around that.
It's happened, but in a safe way. A 'friendly' anti-virus researcher worked out how it could be done and to demonstrate it created 'BubbleBoy'. This virus has been sent privately to other anti-virus researchers to let them develop pre-emptive protections against this new class of virus.
As we write this there are NO cases of a member of the public being infected or spreading 'BubbleBoy'.
I hear you saying "So what's all the fuss about?"
The fuss is because of the potential - now that the general method is known it's only a matter of time before we see a malicious and public version of this virus. Perhaps that won't happen because the anti-virus experts plus Microsoft have, on this occasion, shut the barn door BEFORE the horse has bolted. The future risk is that a bigger or sneakier horse may figure a way around the bolted door.
What BubbleBoy does
Without giving too much detail away - Bubbleboy acts a bit like the Melissa-type viruses in that it grabs e-mail addresses from your address book and sends a message to each recipient. It does this using Internet Explorer 4 or 5 and Windows Scripting Host.
What's different is that you don't have to open or read the message! In Outlook, you must open the e-mail for the virus to spread but in Outlook Express the virus is activated even if just the Preview Pane is used.
Who is at risk?
For the existing BubbleBoy virus specifically: Anyone who has the English or Spanish language version of Windows 95 or 98 set up for a single user (i.e. no logon name/password dialog when you start up). Other language versions of Windows, any language version of Windows NT or any language Windows 95/98 set up for multi-user logons will not spread the virus.
Risks for everyone: As mentioned before, the main risk isn't Bubbleboy - it's any ill-intentioned attempts to emulate it and release it to the unprotected public. It's possible that any such public manifestation of this problem will not be as narrowly focused as BubbleBoy. So in practice anyone with a version of Windows with Internet Explorer should be concerned.
WHAT YOU SHOULD DO
The protection against the BubbleBoy class of viruses is simple - Microsoft has a patch already available. It seems that the patch not only protects against the specific BubbleBoy virus but also more generally against attacks of this kind. It remains to be seen how good this protection is in practice, only time will tell. In the meantime you should get the patch without delay.
Windows 95 users with Internet Explorer 4 or 5 can go online and choose Tools | Windows Update (slightly different name in IE4). Or head to:
http://windowsupdate.microsoft.com
which leads to the same place. The update will appear in the web page that's created after checking your system. Look for the 'Critical Updates' section at the top and select everything in that section.
The one for 'BubbleBoy' is called "Update for Security Vulnerabilities in 'Scriptlet.typlib' and 'Eyedog' ActiveX Controls" - a singularly unhelpful title in our opinion.
Windows NT users should head over to:
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
and select the update for Digital Alpha machines or Intel x86 computers. This same link is useful for people who want to download the patch for Windows 95/98 separately, without Windows update.
This is a good opportunity to remind everyone to make sure his or her anti-virus software is fully up to date - visit the web site for your AV package and download the latest update for your own peace of mind.
Date: 15.11.99 09,04
Melissa virus
This virus spreads through the mail system by sending itself to the next 50 entries of the address book. If you receive a mail with lines such as "Important Message From "UserName"" and/or "Here is that document you asked for ... don't show anyone else ;-)", please delete it immediately without opening it.
3.3.2000: In connection with PrettyPark I received the following information:
I apologise for this email but it is a virus that was sent to me and my Norton did not pick it up. It is a typical worm.
Please see the instructions for deleting it off your computer. What it does is when you are logged on it automatically sends emails to your address book.
I apologise once again. This is not a joke. I am most embarrassed.
Please see the instructions for you to remove this from your computer.
A friend in Vancouver received a file PrettyPark.exe from a source he regarded as reliable and opened the file. The virus automatically sends the file to everyone he had listed in his e-mail addresses list which included me. This is how I received it and had my computer send it on to you. It is a Trojan Horse virus that does not damage the computer but causes your computer to dial out every 30 minutes to send PrettyPark.exe to everyone's e-mail address you have in your computer.
If you have not opened that message and thus not activated the "exe" file you are OK. Just delete the entire message. If you did open it you have the virus and need to delete it.
The best approach is to go onto the Internet to <http://www.mcaffee.com/centres/anti-virus/virus_help_me.asp>. You will then have your system checked and the virus deleted.
Norton AntiVirus did not detect the virus coming into my machine. It did however detect that I had an "infection" when running a virus scan. Norton Anti-Virus could quarantine the "PrettyPark.exe" file in the e-mail directory which you need to delete. (Even if it is not quarantined, you should delete it by using Explorer. This will prevent the file from being sent on to anyone else).
If you use Norton's it will not automatically remove the virus. You have to do it manually. The virus is still resident in your System directory and has to be removed. I am appending instructions from Norton on how best to do this. Follow the instructions. If you have difficulties get back to me and I will endeavour to help you through the process.
My sincerest apologies for unknowingly passing on a virus to you.
__________________________________________________
Repair Information
Removing this worm manually:
1. Using REGEDIT, modify the Registry entry
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
from FILES32.VXD "%1" %* to "%1" %*
(You may launch REGEDIT through the Windows Start menu, RUN. Then search for "FILES32.VXD" in REGEDIT.)
2. Delete WINDOWS\SYSTEM\FILES32.VXD
3. Delete the "Pretty Park.EXE" file.
4. Reboot your computer.
You need to do step #1 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD.
Safe Computing
This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. These files should always be scanned by Norton AntiVirus, using the latest virus definitions.
********
ADIKom experience, 3 March 2000: today ran a Norton AntiVirus LiveUpdate, then scanned the hard disk; NortonAV finds no infected files. Then tested the diskette onto which the file PrettyPark.EXE had been copied -> likewise no reaction / message from NortonAV.
********
7.3.2000: Information can be found at the following Internet address: W32/Pretty.worm.unp (http://vil.nai.com/vil/wm98500.asp)
****15.3.2000***************
Profile
Name: W32/Pretty.worm.unp
Aliases: I-Worm.Prettypark.unp, Pretty Park.exe, Southpark Trojan
Variants: None
Related Viruses: W32/Pretty.Worm
Related Downloads:
EXTRA.DAT for VirusScan 4.x Products (download here)
EXTRA.DRV for Dr Solomon Toolkit 8 (download here)
Zipped "undo.reg" to undo registry changes by this Internet worm on NT/95/98 (download here)
Date Added: 2/17/00
Information
Discovery Date: 2/15/00
Length: 60,928
Type: Trojan
SubType: worm
Risk Assessment: High
Minimum DAT: 4067 (3/1/00)
Minimum Engine: 4.0.25
Characteristics
*March 2, 2000 Update: AVERT has received numerous samples of this Internet worm. Many users reporting this worm are also users of Outlook Express. This is the unpacked edition of the originally packed "W32/Pretty.worm" Internet worm.*
This is an Internet worm that installs on Windows 9x/NT systems. It arrives via email from affected users who have also run this Internet worm. It appears as an icon of a character from the animated comedy series "Southpark". Emails containing this Internet worm have this format:
-------------
Subject: C:\CoolProgs\Pretty Park.exe
Test: Pretty Park.exe :)
-------------
Attached is the file "Pretty park.exe" and in some cases "Pretty~1.exe".
This worm will try to email itself automatically every 30 minutes to all email addresses listed in the Windows address book associated with Outlook Express.
A second function of this worm is that it will also try to connect to several IRC servers and send data packets to the connected server. While your system is connected to the Internet, it is sending and listening on random UDP and TCP ports. The range is from 1000 to 4900 (or at least so far in testing), and the port is chosen at random. First it will choose a random UDP and/or TCP port, then it will listen on that port, next it will respond with a packet to that port and then close it. This happens approximately once every 30 seconds or so. The time intervals are not specific and appear to be random as well. In testing, the following IRC servers are connected to for just a few seconds and are also chosen at random:
banana.irc.easynet.net:6667
irc.ncal.verio.net:6667
irc.stealth.net:6667
irc.twiny.net:6667
irc1.emn.fr:6667
krameria.skybel.net:6667
mist.cifnet.com:6667
zafira.eurecom.fr:6667
While connected, this worm tries to stay connected by sending information to the IRC server, and will also retrieve any commands from the IRC channel. While on the determined IRC server, the author of this worm could use the connection as a remote access trojan in order to get information such as the computer name, registered owner, registered organization, system root path, and Dial Up Networking username and passwords.
Users should download the 4067 DAT set or above for detection and removal of this Internet worm. To download the DAT files, follow this link.
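The two network traits just described (short-lived connections to several IRC servers on port 6667, and listeners that come and go on random TCP and UDP ports between 1000 and 4900) can be scored from ordinary connection logs. The following is an added example, not part of the original page or of AVERT's tooling; the CSV log format and the host names are constructed for the example, while the IRC server names come from the list above.

```python
"""Flag hosts whose network behaviour matches the W32/Pretty.worm pattern.

Added example, not part of the original page or of AVERT's tooling. The
CSV host-firewall log format below is an assumption made for this example,
not a real product's format.
"""
import csv
import io
from collections import defaultdict

IRC_PORT = 6667
RANDOM_PORT_RANGE = range(1000, 4901)   # 1000-4900 as given in the description

# Constructed sample log: host names and times are made up, the IRC server
# names are taken from the description above.
SAMPLE_LOG = """\
time,host,proto,dir,dst_host,dst_port
2000-03-02T10:00:01,WS01,tcp,out,irc.stealth.net,6667
2000-03-02T10:00:09,WS01,tcp,out,irc.twiny.net,6667
2000-03-02T10:00:31,WS01,udp,listen,-,2244
2000-03-02T10:01:02,WS01,tcp,listen,-,3910
2000-03-02T10:01:33,WS01,udp,listen,-,1577
2000-03-02T10:02:05,WS01,tcp,listen,-,4401
2000-03-02T10:00:05,WS02,tcp,out,mail.example.test,25
2000-03-02T10:00:40,WS02,tcp,out,www.example.test,80
2000-03-02T10:00:50,WS03,tcp,out,irc.ncal.verio.net,6667
2000-03-02T10:01:50,WS03,tcp,out,irc.ncal.verio.net,6667
2000-03-02T10:02:10,WS03,tcp,listen,-,8080
"""


def parse_log(text):
    """Parse the CSV log into a list of dict rows with an int dst_port."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dst_port"] = int(r["dst_port"])
    return rows


def score_hosts(rows, min_irc_servers=2, min_listen_ports=3):
    """Return {host: [reasons]} for hosts that show either trait.

    A reason is recorded when a host contacted at least min_irc_servers
    distinct IRC servers on 6667, and/or opened at least min_listen_ports
    distinct listeners in the 1000-4900 range using both TCP and UDP.
    """
    irc_servers = defaultdict(set)
    listen_ports = defaultdict(set)
    listen_protos = defaultdict(set)
    for r in rows:
        host, port = r["host"], r["dst_port"]
        if r["dir"] == "out" and r["proto"] == "tcp" and port == IRC_PORT:
            irc_servers[host].add(r["dst_host"])
        elif r["dir"] == "listen" and port in RANDOM_PORT_RANGE:
            listen_ports[host].add(port)
            listen_protos[host].add(r["proto"])

    findings = {}
    for host in sorted(set(irc_servers) | set(listen_ports)):
        reasons = []
        if len(irc_servers[host]) >= min_irc_servers:
            reasons.append(
                f"{len(irc_servers[host])} distinct IRC servers on tcp/{IRC_PORT}")
        if (len(listen_ports[host]) >= min_listen_ports
                and {"tcp", "udp"} <= listen_protos[host]):
            reasons.append(
                f"{len(listen_ports[host])} random listeners in 1000-4900 (tcp and udp)")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in score_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, "->", "; ".join(reasons))
```

WS03 talks to a single IRC server repeatedly and opens one listener outside the range, so it is not reported; the thresholds are deliberately conservative because legitimate IRC clients also use port 6667, and the random-listener trait is what separates this worm from them.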
Symptoms
Emails containing this Internet worm have this format:
-------------
Subject: C:\CoolProgs\Pretty Park.exe
Test: Pretty Park.exe :)
-------------
This program, when run, will copy itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the registry key value "command" located in the location:
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open
from "%1" %* to FILES32.VXD "%1" %*. This in essence will cause FILES32.VXD to run during the execution of any exe file.
See this related description of W32/Pretty.worm.
Method Of Infection
Direct execution of the file "Pretty Park.exe" will install to the local system as mentioned above.
Removal Instructions
Removing this trojan is complicated by the depth to which the trojan hooks the operating system.
One trick that AVERT has discovered is to rename the registry editing programs from their original .EXE to a .COM extension. This bypasses the limitation created by removing the trojan prior to editing the registry: while the exefile key still points at FILES32.VXD, .EXE programs may no longer start once that file is gone, but a .COM copy is not affected. For example, in Windows 95/98, the registry can be loaded and edited using the program named REGEDIT.EXE while in Windows NT, you use REGEDT32.EXE. Rename these to a .COM extension and they will still execute and allow you to remove references of trojans and Internet worms.
1) Identify and note the files associated with this trojan as detected by the scanner - do not remove the trojan at this time. If you have already removed the trojan, you will not be able to run the REGEDIT steps below on the affected system. Proceed instead to step 11 listed below.
2) Open an MS-DOS prompt via the menu or click on START|RUN and type COMMAND and then press enter.
3) Start Regedit in Windows 95/98 by typing REGEDIT or in Windows NT type REGEDT32 and press enter.
4) Remove references to the trojan from these keys of the registry
HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
They should contain only the value "%1" %* (not including the brackets).
5) If applicable, remove any keys that run the main trojan under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
6) If applicable, delete the registry key if it exists
HKEY_CLASSES_ROOT\.dl
and exit Regedit.
7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.
8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.
9) Restart the system.
10) Delete the trojan program(s). If all is well the files should be deleted OK. If you get an error message saying that windows is unable to delete the file because it is in use, then you have made an error in the above procedure. Repeat steps 1 to 9 and try again.
11) In the event that the trojan was deleted before making the registry changes, it is still possible to repair the registry. You will need access to another computer, or at a minimum, access to MS-DOS on the affected system. Using MS-DOS edit, create a file called UNDO.REG with the following content (you can cut and paste):
REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
12) Save this file to the Windows folder of the affected system as the file "UNDO.REG".
13) Click on START|RUN and type in UNDO.REG and press ENTER. The contents of UNDO.REG should now be imported to the registry.
**** ende 15.3.2000 *************
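Both the Norton repair information and the AVERT removal instructions above come down to one check: is the default value of the exefile\shell\open\command keys still the stock "%1" %*, or has a program been prepended to it? The following is an added example (not from the original page, and not Norton's or AVERT's code) that parses a REGEDIT4 export, the same format as the UNDO.REG file above, and reports the state of both keys. An export of the live hive can be produced with REGEDIT on Windows; the two exports used here are constructed.

```python
"""Audit a REGEDIT4 export for the exefile hijack W32/Pretty.worm performs.

Added example, not part of the original page or of any vendor's tools.
It reads the text of a .reg export, decodes the default value of the two
exefile\\shell\\open\\command keys and reports whether each is the stock
'"%1" %*' or has a program such as FILES32.VXD prepended to it.
"""
import re

# The two keys the removal instructions say the worm modifies.
EXEFILE_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)
CLEAN_COMMAND = '"%1" %*'

# name=data lines: the name is @ (default value) or a quoted string.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REGEDIT4/REGEDIT5 text.

    String (REG_SZ) values are decoded; other types (hex:, dword:) are kept
    as their raw text. The default value is stored under the name '@'.
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        tree[current][name] = data
    return tree


def audit_exefile_command(reg_text):
    """Return [(key, status, detail)] for both exefile keys.

    status is 'clean', 'hijacked' (detail = the prepended program),
    'unexpected' (detail = the whole value) or 'missing'.
    """
    by_lower = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    findings = []
    for key in EXEFILE_KEYS:
        values = by_lower.get(key.lower())
        if values is None:
            findings.append((key, "missing", None))
            continue
        cmd = values.get("@", "")
        if cmd == CLEAN_COMMAND:
            findings.append((key, "clean", cmd))
        elif cmd.endswith(CLEAN_COMMAND):
            findings.append((key, "hijacked", cmd[:-len(CLEAN_COMMAND)].strip()))
        else:
            findings.append((key, "unexpected", cmd))
    return findings


# Constructed export of an infected system, in the shape the Symptoms section describes.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"
'''

# The repair file from the removal instructions, for comparison.
UNDO_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, status, detail in audit_exefile_command(INFECTED_EXPORT):
        print(f"{status:10} {key}  {detail or ''}")
```

The same audit applies to any other program that hooks the exefile command, which is why the check compares against the stock value rather than looking for FILES32.VXD by name.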