Re: CRIME Anyone know of a recent Virus, etc that deletes pictures?

From: Joe St Sauver (JOE@private)
Date: Thu Feb 26 2004 - 11:53:09 PST

    Kim wrote...
    
    #Being asked the question and haven't seen anything recent. Have I just
    #not been paying attention?
    
    I think this is the one you want (the following is from a note I sent along
    to one of our local mailing lists on the 24th):
    
    !A new worm, W32.Mydoom.F@mm, rated by Symantec as a level 3 issue, is in
    !circulation. If you haven't Live Updated since late yesterday, you may want
    !to do so. You can read about this worm at:
    !
    !http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.f@private
    !
    !I mention this worm in particular because (according to Symantec):
    !
    !-- it randomly deletes .mdb, .doc, .xls, .sav, .jpg, .avi and .bmp files
    !-- it DDoS's www.microsoft.com and www.ria.com
    !-- it installs a backdoor proxy trojan allowing unauthorized remote access
    !-- it ships as a .pif/.scr/.exe/.cmd/.com/.bat/etc.
    !-- it uses a relatively large number of attachment names
    !-- it uses a relatively large number of relatively "motivational" subjects
    !-- it uses a variety of relatively common mail sender names (plus random
    !   characters) from aol/msn/yahoo/hotmail/<random>.edu
    !-- it takes active steps to terminate common antivirus programs
    !-- it dredges a relatively wide variety of files for email addresses 
    !   (including .htm and .txt files, but also including .php, .pl, .vbs,
    !   etc.) to which to mail itself
    
    I would also note/mention Netsky.C (another Level 3 worm):
    
    !Yet another category 3 worm in circulation... W32.Netsky.C@mm this time. 
    !
    !F-Secure describes it as having been found Feb 25, 2004; Symantec
    !claims they knew about it on Feb 24th. See 
    !
    !  http://www.symantec.com/avcenter/venc/data/w32.netsky.c@private
    !  http://www.f-secure.com/v-descs/netsky_c.shtml
    !
    !Some salient points:
    !
    !  -- be sure folks update their A/V definitions (yes, yet again)
    !
    !  -- because this worm propagates as a zip, it may NOT get defanged/filtered 
    !     on [some hosts]
    !
    !  -- there are some versions of Windows which may "help" by auto-unzipping
    !     zipped attachments by default; depending on what you use for an email 
    !     client and operating system, you may want to beware
    !
    !  -- Netsky propagates by mail, and may also "spread through file-sharing
    !     networks, Instant Messaging clients, Windows shared folders,
    !     or any program that uses shared folders containing 'Shar.'"
    !
    !  -- it uses a comparatively wide range of social-engineered subject lines
    !
    !  -- it edits the windows registry, apparently attempting to override
    !     some earlier worm infestations (oh boy! New and Improved!)
    
    Feel free to contact me if you have any questions,
    
    Regards,
    
    Joe St Sauver (joe@private)
    University of Oregon Computing Center
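
Added example, not part of the original message: a sketch of a mail-gateway check that flags the attachment extensions listed above and also looks inside zip attachments, which is the case the Netsky.C note says may slip past extension-based filtering. The function names, sample addresses and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the message above; its "etc." means the list is not complete.
RISKY_EXTS = {".pif", ".scr", ".exe", ".cmd", ".com", ".bat"}

def risky(name):
    """True if a file name ends in one of the executable extensions."""
    # Windows ignores trailing dots and spaces, so strip them before matching.
    name = name.lower().rstrip(". ")
    return any(name.endswith(ext) for ext in RISKY_EXTS)

def scan_message(raw):
    """Return (attachment, inner_name_or_None, reason) tuples for one raw message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if risky(name):
            findings.append((name, None, "executable attachment"))
        # Detect zips by content, not by name, since an archive can be renamed.
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if risky(info.filename):
                            findings.append((name, info.filename, "executable inside zip"))
            except zipfile.BadZipFile:
                findings.append((name, None, "unreadable zip"))
    return findings

def build_sample():
    """Constructed message: a zip holding a double-extension .pif name, plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.pif", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", "sample"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="report.zip")
    msg.add_attachment(b"plain notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A filter that matches only on the outer attachment name would pass `report.zip` here; the finding comes from the member listing.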
    



    This archive was generated by hypermail 2b30 : Thu Feb 26 2004 - 12:44:04 PST