28/07/2004, 15h28   #1
Posted by: Guest (not registered)
Worm.Win32.Mydoom.M


Symptoms:
Presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
with the following value:
%WINDIR%\java.exe
Presence of the following files:
%WINDIR%\java.exe
%WINDIR%\services.exe

The port 1034 is listening for incoming connections.

Technical description:
This is an internet worm that spreads through e-mail.
When it is run it adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
with the following value:
%WINDIR%\java.exe

It copies itself to %WINDIR%\java.exe
where %WINDIR% is a variable representing the Windows directory.

It drops the following file:
%WINDIR%\services.exe, that is detected by BitDefender as Backdoor.Mydoom.M

It tries to terminate some programs that have windows with the following names:
rctrl_renwnd32
ATH_Note
IEFrame

It searches for mail addresses in the default Windows Address Book, then looks into the Temporary Internet Files and then scans all the disks on the machine, looking for files that have the extension starting with pl, ph, tx, asp, dbx, wab etc.

It sends mail with the sender set to one of "Postmaster", "Mail Administrator", "Automatic Email Delivery Software", "Post Office", "The Post Office", "Bounced mail", "Returned mail", "MAILER-DAEMON", "Mail Delivery Subsystem".

The mail has one of the following subjects: "hello", "hi", "error", "status", "test", "report", "delivery failed", "Message could not be delivered", "Mail System Error - Returned Mail", "Delivery reports about your e-mail", "Returned mail: see transcript for details", "Returned mail: Data format error" etc.

The attachment's name is one of "readme", "instruction", "transcript", "mail", "letter", "text", "file", "attachment",
"document", "message", with one of the extensions "cmd", "bat", "com", "exe", "pif", "scr". It sometimes has ".zip" after the normal extension.

The mail is constructed based on a template. The worm parses the template and generates a very large number of possible bodies. The rule is very simple: it just picks one of the options separated by |.

For instance, for the string "{We have {detected|found|received reports} " it can generate "We have detected" or "We have found" or "We have received reports".
Also, there are some variables that have $ in front of them, and they are filled with data at runtime. For instance, $t is the name of the domain.

The template is this:


Dear user {$t|of $T},{ {{M|m}ail {system|server} administrator|administration} of $T would like to {inform you{ that{:|,}|}|let you know {that|the following}{.|:|,}}|||||}

{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account {has been|was} used to send a {large|huge} amount of {{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} during {this|the {last|recent}} week.
{We suspect that|Probably,|Most likely|Obviously,} your computer {had been|was} {compromised|infected{ by a recent v{iru}s|}} and now {run|contain}s a {trojan{ed|}|hidden} proxy server.

{Please|We recommend {that you|you to}} follow {our |the |}instruction{s|} {in the {attachment|attached {text |}file} |}in order to keep your computer safe.

{{Virtually|Sincerely} yours|Best {wishe|regard}s|Have a nice day},
{$T {user |technical |}support team.|The $T {support |}team.}

Your message {was not|could not be} delivered because the destination {computer|server} was
{not |un}reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.

Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.

Your message {was not|could not be} delivered within $D days:
{{{Mail s|S}erver}|Host} $i is not responding.

The following recipients {did|could} not receive this message:
<$t>

Please reply to postmaster@{$F|$T}
if you feel this message to be in error.
| }from {$F [$i]|{$i|[$i]}}

----- The following addresses had permanent fatal errors -----
{<$t>|$t}

{----- Transcript of {the ||}session follows -----
... while talking to {host |{mail |}server ||||}{$T.|$i}:
{>>> MAIL F{rom|ROM}:$f
<<< 50$d {$f... |}{Refused|{Access d|D}enied|{User|Domain|Address} {unknown|blacklisted}}|554 <$t>... {Mail quota exceeded|Message is too large}
554 <$t>... Service unavailable|550 5.1.2 <$t>... Host unknown (Name server: host not found)|554 {5.0.0 |}Service unavailable; [$i] blocked using {relays.osirusoft.com|bl.spamcop.net}{, reason: Blocked|}
Session aborted{, reason: lost connection|}|>>> RCPT To:<$t>
<<< 550 {MAILBOX NOT FOUND|5.1.1 <$t>... {User unknown|Invalid recipient|Not known here}}|>>> DATA
{<<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
|}{<<< 400-aturner; -RMS-E-CRE, ACP file create failed
|}{<<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
|}<<< 400}|}

Removal instructions:
Kill the JavaVM process and delete the files.

[Source] BitDefender Virusinfo
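The description above explains the template rule (nested braces, one alternative chosen per group, `$`-variables filled at runtime) but only shows one expansion. The following is an added example, not code from the original post or from BitDefender: a small recursive-descent parser for that grammar, written from my reading of the description, that can pick one expansion, enumerate all of them, or count them without materialising them (the counting and full enumeration go beyond the single-choice rule the text describes). The assumption that variables are a single letter after `$` (as in `$t`, `$T`, `$D`, `$i`) and that they are filled from a dict is mine; `EXAMPLE` is the write-up's own example trimmed to a balanced fragment, and `SPAM_LINE` is one line copied from the template shown above.

```python
import itertools
import random
import re

# Template grammar as described in the write-up (my reading of it):
#   seq   := (literal | group)*
#   group := '{' seq ('|' seq)* '}'     exactly one alternative is chosen per group
# A parsed seq is a list whose items are either a str (literal text) or a list of
# alternatives, each alternative being itself a seq.


def parse_template(text):
    """Parse a template string into a seq; raises ValueError on unbalanced braces."""
    pos, seq = _parse_seq(text, 0, top_level=True)
    if pos != len(text):
        raise ValueError(f"unmatched '}}' at offset {pos}")
    return seq


def _parse_seq(text, pos, top_level=False):
    """Read nodes until '}' (or '|' inside a group, or end of text)."""
    seq, buf = [], []
    while pos < len(text):
        ch = text[pos]
        if ch == "{":
            if buf:
                seq.append("".join(buf))
                buf = []
            pos, group = _parse_group(text, pos + 1)
            seq.append(group)
            continue
        if ch == "}" or (ch == "|" and not top_level):
            break  # a '|' outside any group is kept as literal text
        buf.append(ch)
        pos += 1
    if buf:
        seq.append("".join(buf))
    return pos, seq


def _parse_group(text, pos):
    """Read '|'-separated alternatives up to the matching '}'."""
    alternatives = []
    while True:
        pos, seq = _parse_seq(text, pos)
        alternatives.append(seq)
        if pos >= len(text):
            raise ValueError("unterminated '{' in template")
        if text[pos] == "|":
            pos += 1
            continue
        return pos + 1, alternatives  # text[pos] == "}"


def expand_all(seq):
    """Yield every string the seq can produce, left to right, first alternative first."""
    parts = []
    for node in seq:
        if isinstance(node, str):
            parts.append([node])
        else:
            parts.append([s for alt in node for s in expand_all(alt)])
    for combo in itertools.product(*parts):
        yield "".join(combo)


def count_variants(seq):
    """Number of expansion paths (product of the alternatives), without materialising them."""
    total = 1
    for node in seq:
        if not isinstance(node, str):
            total *= sum(count_variants(alt) for alt in node)
    return total


def expand_random(seq, rng=random):
    """One expansion, picking one alternative per group as the write-up describes."""
    out = []
    for node in seq:
        out.append(node if isinstance(node, str) else expand_random(rng.choice(node), rng))
    return "".join(out)


# Assumption: a variable is '$' followed by one letter, as in the template shown above.
_VAR = re.compile(r"\$([A-Za-z])")


def fill_variables(text, values):
    """Replace $x placeholders with runtime values; unknown ones are left untouched."""
    return _VAR.sub(lambda m: values.get(m.group(1), m.group(0)), text)


# The write-up's example, trimmed to a balanced fragment, and one line of its template.
EXAMPLE = "We have {detected|found|received reports}"
SPAM_LINE = ("{We have {detected|found|received reports} that y|Y}our {e{-|}mail |}account "
             "{has been|was} used to send a {large|huge} amount of "
             "{{unsolicited{ commercial|}|junk} e{-|}mail|spam}{ messages|} "
             "during {this|the {last|recent}} week.")

if __name__ == "__main__":
    print(list(expand_all(parse_template(EXAMPLE))))
    print(count_variants(parse_template(SPAM_LINE)), "variants of the spam line")
    sign_off = "{$T {user |technical |}support team.|The $T {support |}team.}"
    print(fill_variables(expand_random(parse_template(sign_off)), {"T": "example.test"}))
```

Counting rather than enumerating is what matters for a defender: a single line of the template already yields thousands of distinct bodies, which is why a signature on exact body text is hopeless here and detection has to key on the structural indicators instead (sender names, subjects, attachment names and the dropped files and registry key).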
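The sender names, subjects and attachment names listed above are the stable part of the worm's mail, so they are the natural thing to alert on at the mail gateway. As an added example (not code from the original post or from BitDefender), the following checks one RFC 822 message against those three indicator lists, taken verbatim from the description, and returns the indicators that matched. The sample messages are constructed in `build_sample` for illustration; they are not real captures, and the `example.test` addresses are placeholders.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator lists copied from the BitDefender description above (case-insensitive).
BOUNCE_SENDERS = {s.lower() for s in (
    "Postmaster", "Mail Administrator", "Automatic Email Delivery Software",
    "Post Office", "The Post Office", "Bounced mail", "Returned mail",
    "MAILER-DAEMON", "Mail Delivery Subsystem")}
BOUNCE_SUBJECTS = {s.lower() for s in (
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "Message could not be delivered", "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail",
    "Returned mail: see transcript for details",
    "Returned mail: Data format error")}
# attachment = <listed name>.<executable extension>, optionally followed by .zip
ATTACHMENT_RE = re.compile(
    r"^(readme|instruction|transcript|mail|letter|text|file|attachment|document|message)"
    r"\.(cmd|bat|com|exe|pif|scr)(\.zip)?$", re.IGNORECASE)


def assess_message(raw):
    """Return the list of Mydoom.M-style indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    display_name, _addr = parseaddr(str(msg.get("From", "")))
    if display_name.strip().lower() in BOUNCE_SENDERS:
        hits.append("spoofed-bounce-sender")
    if str(msg.get("Subject", "")).strip().lower() in BOUNCE_SUBJECTS:
        hits.append("bounce-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append("suspicious-attachment:" + name)
    return hits


def build_sample(sender_name, subject, filename=None):
    """Construct a sample message for testing (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = f"{sender_name} <noreply@example.test>"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("Your message could not be delivered.")
    if filename:
        # A few zero bytes stand in for the payload; the detector only looks at the name.
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for args in (("Mail Delivery Subsystem", "Returned mail: see transcript for details", "transcript.exe.zip"),
                 ("Alice Example", "lunch on friday", "notes.txt")):
        print(args[2], "->", assess_message(build_sample(*args)))
```

A single hit on the sender or subject list is weak evidence on its own (real bounces use those names too), so a gateway rule would normally quarantine on the attachment match and merely score the other two.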
28/07/2004, 15h31   #2
Posted by: Guest (not registered)
Next to that, I feel like I speak Japanese, Russian and whatever else you want fluently...
Basically, for ignoramuses like me, what does that mean?
28/07/2004, 15h47   #3
Posted by: Guest (not registered)
Basically, the trojan attacks the Java virtual machine and gets in through port 1034.

That's a very big shortcut. I don't get it, I find the explanation clear though. Am I the only one who thinks so?
28/07/2004, 16h38   #4
Posted by: Guest (not registered)
In plain terms, how can you catch it?
28/07/2004, 17h56   #5
Posted by: Guest (not registered)
Is it compatible with Win98 and WinMe?
28/07/2004, 17h58   #6
Posted by: Guest (not registered)
Yes, since it isn't a piece of software specific to Windows.
28/07/2004, 18h02   #7
Posted by: Guest (not registered)
But do you only catch it by opening an email or an infected file?