
Thread: !!! VIRUS !!!----Helpdesk Section

  1. #1
    Yep guys....this might be foolish...

    As the topic suggests, people who suspect they are host to a spyware, worm or trojan and want to get your data back....

    post your enquiries here.....

    Let's give it a kick start..

    Hope the moderators don't mind.......

    Will be happy to see a slight nod ....

  2. #2
    The virus threat is in the following format...

    Virus Name [according to company database]
    Discovery Date


    PWSteal.Banger
    April 25, 2006

    W32.Beagle.EC@mm
    April 24, 2006

    W97M.Durlen
    April 23, 2006

    W32.Kidala.A@mm
    April 22, 2006

    Mlab.Lagob
    April 22, 2006

    Trojan.Zlob.K
    TROJ_ZLOB.MU [Trend]
    April 22, 2006

    W32.Rontokbro.AN@mm
    April 21, 2006

    W32.Polip
    Polipos.a [F-Secure],
    P2P-Worm.Win32.Polip.a [Kaspersky Lab],
    W32/Polipos [McAfee], W32/Polipos-A [Sophos],
    PE_POLIP.A [Trend Micro]
    April 21, 2006

    W32.Banleed.A
    April 20, 2006

    Trojan.Lisentkey
    April 20, 2006

    Trojan.Galapoper.A
    April 20, 2006

    W32.Opanki.P
    April 20, 2006


    Regards,

    M.Y.Tonse

    Note: This is copyrighted info from Norton

  3. #3
    WOW!!!

    Not a single mention...

    This was supposed to be important...

  4. #4
    Admin,

    this post was requested for the Sticky Topic !!

  5. #5
    Microsoft Excel Hyperlink Buffer Overflow - 2006/06/18

    Type: Buffer Overflow
    Impact of exploitation: Remote Code Execution
    User Interaction: user interaction needed
    Attack Vector: Website or e-mail
    Rating: High
    Vendor Status: Responded, not patched
    Vulnerable systems: Windows 2003 SP0 - SP1, Windows 2000 SP4, Windows XP SP0 - SP2, Microsoft Excel 2000, Microsoft Excel 2003

    Summary

    A buffer overflow vulnerability exists in Microsoft Excel that may allow for code execution when clicking a malicious hyperlink within a Microsoft Excel document.


    Beware people...

  6. #6
    W32.Pirate
    Worm: Intell32

    Please help.
    Dream, I do.

  7. #7
    Helping in session

  8. #8
    Salaams Endurer,

    I am indeed sorry. It's a trauma to watch your PC go wild. Try to send me the HijackThis logs.

    Following is a detailed manual removal instruction.. won't be too hard for . You are always welcome to post more.

    Name W32/Brontok-AJ
    Type Worm

    How it spreads Email attachments

    Affected operating systems Windows

    Side effects Turns off anti-virus applications
    Forges the sender's email address
    Uses its own emailing engine
    Reduces system security
    Installs itself in the Registry
    Leaves non-infected files on computer

    Aliases mail-Worm.Win32.Brontok.n
    W32.Rontokbro.X@mm
    WORM_RONTKBR.GEN

    Description on how it works!! Examples listed below!!


    W32/Brontok-AJ is a mass-mailing worm for the Windows platform.

    W32/Brontok-AJ sends itself to email addresses found on the infected computer.

    Emails sent by the worm have the following characteristics:

    From: angelina_ph@<recipient's domain>
    or jennifer_sh@<recipient's domain>

    If the recipient's address is Indonesian:

    Subject: Fotoku yg Paling Cantik

    Message text:

    Hi,
    Aku lg iseng aja pengen kirim foto ke kamu.
    Jangan lupain aku ya !.

    Thanks

    For all other addresses:

    Subject: My Best Photo

    Message text:

    Hi,
    I want to share my photo with you.
    Wishing you all the best.

    Regards,

    Attachment name: Photo.zip

    W32/Brontok-AJ closes windows with specific titles.

    W32/Brontok-AJ adds entries to the system HOSTS file to prevent access to security-related domains.


    --------------------------------------------------

    Dearest Endurer,

    I hope everything turns out well. Following is a huge list of files which, if properly quarantined, shall erase this shit outta your PC.


    The zip file is also detected as W32/Brontok-AJ and contains Photo.bmp and View-Photo.bat. View-Photo.bat runs Photo.bmp. Photo.bmp is an executable (currently detected as Troj/Dloadr-ADW) which attempts to download and execute a copy of the worm from a preconfigured website. At the time of writing, this website is unavailable.

    When W32/Brontok-AJ is installed it copies itself to the following locations:

    <User>\Local Settings\Application Data\dv<random1>\yesbron.com
    <User>\Local Settings\Application Data\jalak-<random2>-bali.com
    <System>\n<random3>\b<random4>.exe
    <System>\n<random3>\csrss.exe
    <System>\n<random3>\lsass.exe
    <System>\n<random3>\services.exe
    <System>\n<random3>\smss.exe
    <System>\n<random3>\sv<random5>r.exe
    <System>\n<random3>\winlogon.exe
    <System>\c_<random6>.com
    <Windows>\j<random7>.exe
    <Windows>\o<random8>.exe
    <Windows>\_default<random9>.pif
    <Windows>\<random10>\ib<random11>.exe

    where <random1> etc. are randomly-chosen numbers

    W32/Brontok-AJ installs the following files:

    <System>\n<random3>\c.bron.tok.txt
    <Current Folder>\Baca Bro !!!.txt
    <Windows>\Tasks\At1.job
    <Windows>\Tasks\At2.job

    The .job files each contain a scheduled task, instructing Windows to execute the installed copies of the worm once per day.

    The file c.bron.tok.txt contains the following text:

    Brontok.C
    By:JowoBot

    The file Baca Bro !!!.txt contains the following text:

    BRONTOK.C[22]

    Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'MEREKA'.

    Nobron = Satria Dungu = Nothing !!!
    Romdil = Tukang Jiplak = Nothing !!!

    Nobron & Romdil -->> Kicked by The Amazing Brontok

    [ By JowoBot ]

    W32/Brontok-AJ closes windows whose titles contain any of the following:

    task manager
    registry
    command prompt
    system configuration
    group policy
    cmd.exe
    computer management
    scheduled task
    killbox
    hijack
    SYSINTERNAL
    PROCESS EXP
    REMOVER
    CLEANER
    anti
    washer
    ertanto
    BROWNIES
    movzx
    killer
    pcmedia
    pc-media
    rontok
    rontox
    robknot
    commander
    windows script
    norman
    norton
    symantec
    cillin
    trendmicro
    bitdef
    kaspersky
    avg
    avira
    virus
    trojan
    worm
    mcafee
    b.e
    folder option
    wintask
    alwil
    sex
    porn
    naked
    cewe
    bugil
    telanjang
    nod32
    task view
    peid
    ahnlab

    W32/Brontok-AJ adds entries to the system HOSTS file to prevent access to security-related domains.

    W32/Brontok-AJ may install a new version of the file <System>\msvbvm60.dll.

    The following registry entries are created to run the installed copies of the worm on startup:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
    <random>
    <User>\Local Settings\Application Data\dv<random1>\yesbron.com

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
    <random>
    <Windows>\_default<random10>.pif

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    <random>
    <System>\n<random3>\sv<random5>r.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    <random>
    <Windows>\j<random7>.exe

    The following registry entries are changed to run j<random7>.exe and o<random8>.exe on startup:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    Explorer.exe "<Windows>\o<random8>.exe"

    (the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    <System>\userinit.exe,<Windows>\j<random7>.exe

    (the default value for this registry entry is "<Windows>\System32\userinit.exe,").

    The following registry entry is set, disabling the registry editor (regedit):

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools
    1

    Registry entries are set as follows:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    0

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt
    1

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden
    0

    Registry entries are created under:

    HKCU\Software\Brontok\

    Once again..Bear Well.

    Regards,

    M.Y.TONSE
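
    An added triage helper, not from the post above or from any vendor write-up, that checks exported registry values and a HOSTS file against the persistence indicators the post lists (Winlogon Shell/Userinit tampering, DisableRegistryTools, Policies\Explorer\run entries, the HKCU\Software\Brontok marker, HOSTS sinkholing). The sample values are constructed, and the Windows XP-era paths are an assumption taken from the post.

```python
"""Triage helper (added example): apply the Brontok indicators from the post
to a dict of registry values and to HOSTS text. Sample data is constructed;
paths follow the Windows XP-era layout the post describes (an assumption)."""


def check_registry(values):
    """values: dict of 'KEY\\ValueName' -> data, e.g. copied from 'reg query'.
    Returns human-readable findings; an empty list means nothing matched."""
    findings = []
    for path, data in values.items():
        key, _, name = path.rpartition("\\")
        k, n, d = key.lower(), name.lower(), str(data)
        # Post: Shell becomes  Explorer.exe "<Windows>\o<random8>.exe"  (default is just Explorer.exe)
        if k.endswith("\\winlogon") and n == "shell" and d.strip().lower() != "explorer.exe":
            findings.append(f"Winlogon Shell altered: {d}")
        # Post: Userinit gains a second entry after userinit.exe (default ends with a bare comma)
        if k.endswith("\\winlogon") and n == "userinit":
            parts = [p.strip() for p in d.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
                findings.append(f"Winlogon Userinit altered: {d}")
        if k.endswith("policies\\system") and n == "disableregistrytools" and d == "1":
            findings.append("Registry editor disabled by policy")
        if k.endswith("policies\\explorer\\run"):   # rarely used by legitimate software
            findings.append(f"Policies\\Explorer\\run entry: {name} = {d}")
        if "\\software\\brontok" in k:
            findings.append(f"Marker key present: {key}")
    return findings


def check_hosts(text):
    """Flag HOSTS lines that sink any name other than localhost to a loopback or
    null address, which is how the post says security-related domains get blocked."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "0.0.0.0", "::1"):
            for h in names:
                if h.lower() not in ("localhost", "localhost.localdomain"):
                    findings.append(f"HOSTS sinks {h} -> {addr}")
    return findings


# Constructed sample: three indicators from the post plus one clean Run value.
SAMPLE_REG = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": r'Explorer.exe "C:\WINDOWS\o1234.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit": r"C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\j5678.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": "1",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Program Files\Updater\updater.exe",
}
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 av-vendor.example  # constructed entry\n"
```

Run `check_registry(SAMPLE_REG)` and `check_hosts(SAMPLE_HOSTS)` to see the three registry findings and the one HOSTS finding; a clean machine yields empty lists from both.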

  9. #9
    Thank you bro. You've proven to be extremely helpful.
    Dream, I do.

  10. #10
    Glad i could help you bro.
