Latest Viruses
W32.Memesa (found by Symantec)
This worm was found on December 15, 2006; its risk level is very low. The systems that can be affected are Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Memesa is a worm that attempts to email itself out as an attachment, changes the desktop background, and opens local pages in Internet Explorer. It attempts to email itself as an attachment to an email with the following characteristics:
The email subject is one of the following:
- "Sstt..! foto2 panas agnes dengan f4!"
- "FWD: foto mesra agnes vs f4!"
- "Apakah Anda sedang jatuh cinta? Apakah cinta Anda cinta sejati? Check this out!"
- "Ssstt, kumpulan foto mesra f4 dengan agnes monica!"
- "foto mesra f4 vs agnes monica.zip"
- "agnes vs f4.zip"
- "foto panas agnes.zip"
It may display a locally generated Web page in Internet Explorer. The page contains the following text:
KU TAK TAHU APA SALAHKU YANG SEBENARNYA. KU TELAH MELAKUKAN MEMPERSIAPKAN SEMUANYA. TETAPI APA YAN [REMOVED] RENA TIDAK ADA GUNANYA BERGAUL DENGAN ORANG YANG HANYA BISA MENYEDOT ENERGI POSITIFMU KELUAR.
If your computer is affected by W32.Memesa, follow these steps:
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Run a full system scan.
- Delete any values added to the registry.
Back up the Windows registry before editing it, then remove and restore the values as follows:
- Click Start > Run.
- Type regedit and click OK.
- Navigate to the subkey: ...\CurrentVersion\Run
- In the right pane, delete the value: "sysshell" = "%Windir%\svchost.exe"
- Restore the following registry entries to their previous settings:
  ...\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "1"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"DefaultValue" = "1"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\"CheckedValue" = "2"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\"DefaultValue" = "2"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
- Exit the Registry Editor.
TROJ_CLAGGE.AI (found by Trend Micro)
This Trojan was found on December 15, 2006. Its damage potential is high, its risk is low, and its distribution potential is low; it can affect computers running Windows 98, ME, NT, 2000, XP and Server 2003. The Trojan arrives on a system as an attachment to a spammed email message. It downloads a file, detected as TSPY_BZUB.DI, from a specific URL, so the routines of that downloaded spyware may be exhibited on the affected machine.
Solution:
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers. Users running other Windows versions can proceed with the following solution set(s). If you are currently running in Safe Mode, restart your computer normally before performing the following solution. Scan your computer with antivirus software and delete files detected as TROJ_CLAGGE.AI and TSPY_BZUB.DI; to do this, download the latest virus pattern file and then scan the computer.
Win32.Viking.DE (found by F-Secure)
This virus was found on December 13, 2006. Aliases: Win32/Viking.CH, Worm.Win32.Viking.de. Viking.DE is a variant of Viking, a virus that infects executable files on all available drives and has network spreading capabilities. The virus copies itself into the Windows directory and drops a DLL that downloads and runs files from a website. Viking.DE has a payload: it kills processes belonging to anti-virus and security software.
Disinfection of the Viking virus-worm should be performed as follows:
- Disconnect a computer or local network from the Internet.
- Disable network sharing or set strong passwords for all shares.
- Select the "Disinfect Automatically" option on all computers. With it selected, the anti-virus disinfects files that the virus tries to infect over the network (if sharing was not disabled).
- Scan all files on all drives on all computers and MANUALLY select the "Disinfect" action to disinfect all infected files and to rename the virus droppers. DO NOT select automatic disinfection option after the scan!
- Restart all disinfected computers.
- Scan all hard drives on disinfected computers again to make sure that no more infected files are left.
- If needed, repeat disinfection procedure.
- Disinfect all infected computers connected to the network. Then re-enable network sharing, keeping strong share passwords.
- Reconnect the disinfected computer or local network to the Internet.
I-Worm/Stration (found by Grisoft)
This worm spreads by e-mail as an attachment or as a hyperlink in an ICQ message. The virus sends messages containing a hyperlink to the infected file over ICQ, without the user's knowledge. Some versions of this worm may cause Explorer errors; the worm can block saving from Notepad and block use of the Registry Editor, and most variants download other malicious files from the Internet. The virus blocks some security software, such as various firewalls and anti-virus systems. A computer is infected when the recipient downloads and executes the infected file. When the worm is launched it copies itself to the Windows System folder and creates some files, such as DLL libraries. The virus adds a link to its main executable to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key so that it is launched at computer startup. The libraries are registered in the "AppInit_DLLs" item of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key, and some variants also register libraries under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify key.
The virus sends messages with a forged sender address; the subject is usually one of the following (depending on the variant):
Error
Good Day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status
test
The message contains an executable attachment named, for example, as follows:
body.*
test.*
text.*
Update-KB*-x86.*
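The subject and attachment-name lists above (and the Memesa subject list earlier on this page) are the kind of indicators a mail gateway rule can be built from. The script below is an added example, not code from this blog or from any of the vendors named here; the message dictionary format, the sample messages, and the refinement of only firing the attachment rule on executable extensions are my assumptions.

```python
import fnmatch
import os

# Indicator lists copied from the page. Subjects are compared case-insensitively;
# attachment names use the page's own wildcard patterns.
STRATION_SUBJECTS = {
    "error", "good day", "hello", "mail delivery system", "mail server report",
    "mail transaction failed", "picture", "server report", "status", "test",
}
STRATION_ATTACHMENTS = ["body.*", "test.*", "text.*", "Update-KB*-x86.*"]
MEMESA_SUBJECTS = {
    "sstt..! foto2 panas agnes dengan f4!",
    "fwd: foto mesra agnes vs f4!",
    "apakah anda sedang jatuh cinta? apakah cinta anda cinta sejati? check this out!",
    "ssstt, kumpulan foto mesra f4 dengan agnes monica!",
    "foto mesra f4 vs agnes monica.zip",
    "agnes vs f4.zip",
    "foto panas agnes.zip",
}
# Refinement not on the page: "body.*" would also match a harmless body.txt, so
# the attachment rule only fires for extensions Windows will execute directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def is_executable(filename):
    return os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTS


def match_stration(msg):
    reasons = []
    if msg["subject"].strip().lower() in STRATION_SUBJECTS:
        reasons.append("subject: Stration subject list")
    for name in msg.get("attachments", []):
        if is_executable(name) and any(
            fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in STRATION_ATTACHMENTS
        ):
            reasons.append(f"attachment: {name} matches Stration pattern")
    return reasons


def match_memesa(msg):
    reasons = []
    if msg["subject"].strip().lower() in MEMESA_SUBJECTS:
        reasons.append("subject: Memesa subject list")
    return reasons


def classify(msg):
    """Return {worm_name: [reasons]} for every rule set the message trips."""
    hits = {}
    for worm, rule in (("I-Worm/Stration", match_stration), ("W32.Memesa", match_memesa)):
        reasons = rule(msg)
        if reasons:
            hits[worm] = reasons
    return hits


def verdict(msg):
    """quarantine on an attachment hit, review on a subject-only hit, else pass.

    Subjects such as "Status" or "test" are common in legitimate mail, so a
    subject match by itself is only routed for human review.
    """
    hits = classify(msg)
    if any(r.startswith("attachment:") for reasons in hits.values() for r in reasons):
        return "quarantine"
    if hits:
        return "review"
    return "pass"


# Constructed sample messages, not captured traffic.
SAMPLE_MESSAGES = [
    {"subject": "Mail Delivery System", "attachments": ["body.exe"]},
    {"subject": "hello", "attachments": ["Update-KB2006-x86.exe"]},
    {"subject": "Status", "attachments": []},
    {"subject": "Sstt..! foto2 panas agnes dengan f4!", "attachments": ["agnes vs f4.zip"]},
    {"subject": "Quarterly figures", "attachments": ["report.pdf", "body.txt"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{verdict(msg):10s} {msg['subject']!r} {classify(msg)}")
```

Running the block quarantines the two messages carrying a matching executable, routes the bare "Status" and Memesa-subject messages for review, and passes the ordinary message even though its body.txt attachment matches the "body.*" wildcard.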
Erasing all files detected as I-Worm/Stration removes the virus.
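The registry changes described on this page, Memesa's "sysshell" Run value and the policy values it sets to 1, and Stration's use of AppInit_DLLs and Winlogon\Notify, can be checked offline against a registry export rather than by clicking through regedit. The script below is an added example, not code from this blog or from Symantec, Trend Micro, F-Secure or Grisoft: it parses a .reg export and reports those entries. The sample export, the placeholder DLL and subkey names, and the choice of HKEY_LOCAL_MACHINE for Memesa's Run key (the page omits the hive prefix) are assumptions.

```python
import re

# Constructed sample of a Windows registry export (.reg) in the state the page
# describes: Memesa's "sysshell" Run value and locked-down policy values, plus a
# Stration-style AppInit_DLLs entry and a Winlogon\Notify subkey. The DLL and
# subkey names are placeholders, not indicators from any vendor write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysshell"="%Windir%\\svchost.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\placeholder_payload.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\placeholder]
"DLLName"="placeholder_notify.dll"
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Handles string ("...") and dword values, which is all this audit needs;
    other value types (hex:, expand strings) are kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""  # "@" is the default value
        data = m.group(2)
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            keys[current][name] = data
    return keys


# W32.Memesa indicators from the page: the Run value it adds and the policy
# values it sets to 1. The hive of the Run key is an assumption (page omits it).
MEMESA_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "sysshell", r"%Windir%\svchost.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", 1),
]
# I-Worm/Stration persistence locations from the page.
STRATION_APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
STRATION_NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def audit(keys):
    """Return a list of findings; registry paths are compared case-insensitively."""
    lower = {path.lower(): values for path, values in keys.items()}
    findings = []
    for key, name, bad in MEMESA_INDICATORS:
        values = lower.get(key.lower(), {})
        if name in values and str(values[name]).lower() == str(bad).lower():
            findings.append(f"Memesa: {key}\\{name} = {values[name]!r}")
    appinit = lower.get(STRATION_APPINIT_KEY.lower(), {}).get("AppInit_DLLs", "")
    if appinit:
        # AppInit_DLLs is empty on a clean system; anything listed here is loaded
        # into every process that links user32.dll, so it always deserves a look.
        findings.append(f"Stration: AppInit_DLLs = {appinit!r}")
    prefix = STRATION_NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "DLLName" in values:
            # A clean system has several legitimate Notify subkeys, so compare
            # these against a known-good export rather than treating every hit
            # as malicious.
            sub = path.rsplit("\\", 1)[1]
            findings.append(f"Stration: Winlogon\\Notify\\{sub} loads {values['DLLName']!r}")
    return findings


def audit_reg_text(text):
    return audit(parse_reg(text))


if __name__ == "__main__":
    for finding in audit_reg_text(SAMPLE_REG):
        print(finding)
```

On a real machine, export the relevant hives with regedit's File > Export (or `reg export`) and feed the file to `audit_reg_text`; the Explorer\Advanced values the page lists for restoration are not flagged here because their "bad" and "good" states are not distinguishable without a known-good baseline from the same system.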