VIRUS INFO
| Virus name: | I-Worm.Lentin |
| Alias: | I-Worm.Lentif.f, W32/Lentin.E, Lentin.F, W32.Yaha.F@mm, W32/Yaha.E, I-Worm.Yaha.A |
| Type: | worm |
| Spreads via: | e-mail |
| Size: | 29,839 bytes |
| Destructive: | no |
| Activation date: | when the received attachment is run |
| Discovered: | 17.06.2002. |
EXPLANATION
It arrives as an e-mail from someone who has your e-mail address on their computer.
This virus, written in C++ and compressed with UPX, arrives in 2 variants.
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
Message body:
This e-mail is never sent unsolicited.
If you need to unsubscribe,
follow the instructions at the bottom
of the message.
***********************************************************
Melt the Heart of your loved ones with
these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing
list, point your browser to:
http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%)
in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word
"remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
or,
Subject: Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Message body:
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver" <screensaver@screensaverin.com>
To: <%EmailAddress%>
Sent: Friday, February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine
with this beautiful Screen saver
This e-mail is never sent unsolicited.
If you need to unsubscribe,
follow the instructions at the bottom
of the message.
***********************************************************
Melt the Heart of your loved ones with
these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing
list, point your browser to:
http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%)
in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word
"remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
where %EmailAddress% is the e-mail address of the person from whom the e-mail arrived.
As an attachment, the user may also receive a file with one of the following names:
SCREENSAVER, SCREENSAVER4U, SCREENSAVER4U, SCREENSAVERFORU, FREESCREENSAVER, LOVE, LOVERS, LOVESCR, LOVERSCREENSAVER, LOVERSGANG, LOVESHORE, LOVE4U, LOVERS, ENJOYLOVE, SHARELOVE, CHECKFRIENDS, URFRIEND, FRIENDSCIRCLE, FRIENDSHIP, FRIENDS, FRIENDSCR, FRIENDS, FRIENDS4U, FRIENDSHIP4U, FRIENDSHIPBIRD, FRIENDSHIPFORU, FRIENDSWORLD, WERFRIENDS, PASSION, BULLSHITSCR, SHAKEIT, SHAKESCR, SHAKINGLOVE, SHAKINGFRIENDSHIP, PASSIONUP, RISHTHA, GREETINGS, LOVEGREETINGS, FRIENDSGREETINGS, FRIENDSEARCH, LOVEFINDER, TRUEFRIENDS, TRUELOVERS or FUCKER,
although it has also been observed using attachments with a double extension, with the following file names: LOVELETTER, RESUME, BIODATA, DAILYREPORT, MOUNTAN, GOLDFISH, WEEKLYREPORT, REPORT or LOVE.
The first extension is one of: DOC, MP3, XLS, WAV, TXT, JPG, GIF, DAT, BMP, HTM, MPG, MDB or ZIP, and the second is: PIF, BAT or SCR.
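A mail-gateway check for the attachment naming described above, as an added example that is not part of the original page: it parses a message with Python's standard email package and flags attachments whose last extension is PIF, BAT or SCR, marking the ones that hide it behind one of the listed first extensions. The function names, the sample addresses and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension lists as given in the description above.
DECOY_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif",
              "dat", "bmp", "htm", "mpg", "mdb", "zip"}
EXEC_EXTS = {"pif", "bat", "scr"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or None for one file name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def suspicious_attachments(raw_message):
    """Parse a raw message (bytes) and return [(filename, reason), ...]."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        reason = classify_filename(name) if name else None
        if reason:
            findings.append((name, reason))
    return findings

def build_sample():
    """Constructed test message; attachment bytes are harmless placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = "Fw: Melt the Heart of your Valentine with this beautiful Screen saver"
    m.set_content("Check this screen saver")
    for fname in ("RESUME.DOC.pif", "VALENTIN.SCR", "notes.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample()):
        print(finding)
```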
When the user runs the received file, the worm copies itself into the C:\RECYCLED directory as the files MSMDM.EXE and MSSCRA.EXE and changes the contents of the Registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = c:\recycled\naziv_fajla %1 %*
where naziv_fajla (the file name) is the file that is run every time the user starts an EXE file, so that the virus itself is started as well.
The virus also changes the contents of the WIN.INI file, setting it so that MSTASKMON.EXE is started every time as well.
To hide its activity, the worm sometimes plays a small joke on the user's desktop.
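A check for the two persistence changes described above, as an added example that is not part of the original page: it reads a registry export and a WIN.INI as text and reports an exefile open command that differs from the Windows default "%1" %* and a MSTASKMON.EXE autorun entry. The sample texts are constructed, and the run=/load= keys in the [windows] section are an assumption, since the page does not name the WIN.INI key.

```python
import configparser
import re

EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
SAFE_DEFAULT = '"%1" %*'  # stock Windows open command for .exe files

# Constructed samples: a .reg export and a WIN.INI as the text describes them.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\recycled\\msmdm.exe \"%1\" %*"
'''
SAMPLE_INI = "[windows]\nload=\nrun=MSTASKMON.EXE\n"

def exefile_handler(reg_text):
    """Return the (Default) open command for exefile from a .reg export."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == EXE_KEY and line.startswith('@="') and line.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash.
            return re.sub(r"\\(.)", r"\1", line[3:-1])
    return None

def winini_autoruns(ini_text):
    """Return the programs named on run=/load= in the [windows] section."""
    ini = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    ini.read_string(ini_text)
    progs = []
    for key in ("run", "load"):  # assumed keys; the page does not name them
        value = ini.get("windows", key, fallback="") or ""
        progs += [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return progs

def persistence_findings(reg_text, ini_text):
    """Flag a changed exefile handler and a MSTASKMON.EXE autorun entry."""
    out = []
    handler = exefile_handler(reg_text)
    if handler is not None and handler.strip() != SAFE_DEFAULT:
        out.append(("exefile-hijack", handler))
    for prog in winini_autoruns(ini_text):
        if prog.lower().endswith("mstaskmon.exe"):
            out.append(("win.ini-autorun", prog))
    return out
```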
The virus creates two text files with the following contents:
W32.YAHA-III
Author :H^H,h2h@achayans.com
Origin :India,Kerala
I like Klez,Sircam,But i hate the bullshit
payloads
Is i am a good coder?? still i have dout
huhh!!!
Beware Indian Hackers..Tomarrow is ours!!!
and,
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh
uS & fuCk tHE GFORCE-pAK shites
bY
sNAkeeYes,c0Bra
The virus also creates a DLL file, named with randomly chosen letters and characters, in which it stores all the e-mail addresses it finds in:
Windows Address Book, MSN/.NET Messenger, Yahoo Pager List, ICQ List (*.UIN files), *.HT* files in the Temporary Internet Files folder, *Hotmail*.*ht*, *.DOC and *.TXT files.
Once it has infected the user's computer, the virus uses the SMTP protocol to send itself to all the e-mail addresses it has recorded in its DLL file.
The e-mails the virus sends are HTML-formatted and look like this:
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
Message body:
This e-mail is never sent unsolicited.
If you need to unsubscribe, follow the
instructions at the bottom of the message.
**************************************************
Melt the Heart of your loved ones with
these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing
list, point your browser to:
http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%)
in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word
"remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
Attachment: VALENTIN.SCR
or,
Subject: Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Message body:
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver"
To:
Sent: Friday, February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine
with this beautiful Screen saver
This e-mail is never sent unsolicited.
If you need to unsubscribe, follow the
instructions at the bottom of the message.
**************************************************
Melt the Heart of your loved ones with
these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing
list, point your browser to:
http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%)
in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word
"remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
Attachment: VALENTIN.SCR
where %EmailAddress% is the e-mail address of the person from whom the e-mail arrived.
The virus scans all processes running on the user's computer and, if one matches the list, simply terminates it. The list is as follows:
ANTIVIR, MCAFEE, NORTON, NVC95, FP-WIN, IOMON98, PCCWIN98, F-PROT95, F-STOPW, PVIEW95, NAVWNT, NAVRUNR, NAVLU32, NAVAPSVC, NISUM, SYMPROXYSVC, RESCUE32, NISSERV, ATRACK, IAMAPP, LUCOMSERVER, LUALL, NMAIN, NAVW32, NAVAPW32, WEBTRAP, POP3TRAP, PCCMAIN, PCCIOMON, SCAM32, WEBSCANX, SAFEWEB, ICMON, CFINET, CFINET32, AVP.EXE, LOCKDOWN2000, AVP32, ZONEALARM, WINK and SIRC32.
SOLUTION
Download the cleaner for this virus. Because of variations of the virus, if the previous cleaner does not do the job, I recommend that you then download this cleaner.