Welcome in here.. Indonesian Blogsite by FUNderSec
Technologist [Umbrella of CyberUnderground Portal]

Macam - Macam Virus dari Tahun 2003 - 0day [Part 2]

  • W32/Mydoom@MM
 is a HIGH-OUTBREAK mass-mailing worm flooding email servers worldwide. When run, the worm steals email addresses from the infected machine and also automatically generates random email addresses for propagation. This email generation engine is similar to technologies spammers use to generate addresses for spam email campaigns.

W32/Mydoom@MM generates emails with a spoofed "From: field", so incoming messages may appear to be from people you know. Furthermore, the subject line and message body are both randomly generated by the worm.

Caution—An infected email can come from addresses you recognize and may contain the following information:

From: randomly generated (spoofed)
Subject: randomly generated
Body: randomly generated—examples:

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.

Attachment: randomly generated
The icon used by the file tries to make it appear as if the attachment is a text file. The attachment type varies [.exe, .pif, .cmd, .scr]—often arrives in a ZIP archive. (filesize = 22,528 bytes)

Aliases: Novarg, W32.Novarg.A@mm, Win32/Shimg, WORM_MIMAIL.R


  • W32/Mimail.s@MM
 is a Medium Risk mass-mailing worm that tries to steal credit card information by displaying a fake Microsoft Windows license expiration message. Stolen credit numbers are sent to addresses within the domains @mail15.com and @ziplip.com.

W32/Mimail.s@MM also forwards itself to contacts it steals from the infected machine.

Caution: Watch out for emails with "here is the file you asked for" in the subject line or body. They may contain an attachment with the W32/Mimail.s@MM worm.

What to look for:

From: An infected email can come from people you know.
Subject: here is the file you asked for
Body: Hi! Here is the file you asked for!
Attachment: example--document.txt.scr
possible file extensions used: .pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr
Aliases: W32.Mimail.R@mm


  • New Bagle-B worm spreading, warns Sophos
Sophos, a world leader in protecting businesses against spam and viruses, is warning of a new worm called Tanx-A (also known as Bagle-B). Sophos has received several reports of this worm spreading in the wild.

The Tanx-A (Bagle-B) worm spreads via email and arrives with the subject line 'ID' followed by various random characters and the message text 'Yours ID'. An attached .exe file, has a randomly generated filename. If run, a remote access component allows hackers to gain remote access to infected computers.

The worm harvests email addresses from infected PCs and, when forwarding itself on to other computer users, spoofs the "From:" field using addresses found on the computer's hard drive.

"Bagle-B tries to deceive computer users by spoofing the sender's address, but the worm is easy to spot because of its distinctive subject line," said Carole Theriault, security consultant, Sophos. "The message is simple - don't open unsolicited emails and don't automatically trust emails that appear to come from a known contact. Practising safe computing and blocking executable files at the email gateway will prevent infection from this worm."

Like its predecessor, Bagle-A, this worm has a built in 'dead date' and has been designed to fall dormant on 25 February 2004.

  • W32/Netsky.b@MM
is a Medium Risk mass-mailing worm that copies itself to folders named "share" or "sharing" on the infected system. It spreads itself to addresses it steals, spoofing or forging the "from: field" or using the address skynet@skynet.de. The worm also tries to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses on the host computer.

Caution: An infected email can come from addresses you recognize.

What to look for:

Subject/Body: Varies. Examples include:
-I have your password!
-about me
-anything ok?
-do you?
-from the chatter
Attachment: Varies but may have a double-extension such as .rtf.pif contained in a .ZIP file.
Aliases: Moodown.B, I-Worm.Moodown.b

0 komentar:

Posting Komentar

FUNderSec Blogsite. Diberdayakan oleh Blogger.

[.// FUNderSec Blogsite //.] Copyright © 2010 - 2012 | Template design by O Pregador | Powered by Blogger Templates

Thanks For Visiting My Simple Blog, ^0^ I Love You All My Visitors And FUNderSec Fans. Dont Forget Come Here Again | FUNderSec |