[EVA] Virale infection - Not Iroul though
Kajiki Kaijou
jessica at esperanto.se
Sun Dec 16 16:40:14 EST 2001
Ebj (ebj.nerv at flashnet.it) felt like writing:
>I suppose that giving a couple of useful details on this wouldn't hurt.
>
>I-Worm.BadtransII is a worm virus, that is, it is a virus whose action
>consists in, but is not limited to, diffusion through networks of computers.
>It affects Win32 systems as an attachment on email messages. It also has a
>secondary component, a Trojan (a hidden program) that steals reserved info on
>infected systems. Variant II was discovered in Nov. 2001 and is "in the
>wild", that is, very widespread.
>
>The worm consists of a 29KB long file, compressed with the UPX program. Once
>unpacked, it is 60KB long.
>
>The worm part of the virus will spread infected emails using a direct
>connection (and not an existing client); the trojan will send to a specific
>email address information it finds on the infected host (user info, RSA data,
>keypress logs, cached passwords). The Trojan also installs a keypress catcher
>on the system.
>
>You can get INFECTED in two ways:
>
>1.You click with the mouse on an infected attachment
>
>2.If your system is IFRAME vulnerable, the "preview" function on the Outlook
>Express client will activate the virus.
>
>Here are some useful addresses for information and prevention.
>
>Microsoft Security Bulletin (MS01-020): Incorrect MIME Header Can Cause IE to
>Execute E-mail Attachment
>http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>
>Patch to eliminate vulnerability:
>http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
>
>Variant II will also substitute KERNEL32.EXE with the virus body itself, and
>will install KDLL.DLL (keypress catcher and sender) in the Windows system
>folder. Removing these two files results in disinfection of the system.
>
>[excerpt from the Badtrans analysis by Paolo Monti on www.avp.it,
>translated by me]
Ahhhh.... the joys of running MacOS. :P
--
__Kajiki Kaijou__________________________
| Tel: http://mobil.luin.nu |
| Home: http://www.deadlybrain.org |
|____Work:___http://kaworu.bishounen.nu__|
This is a sig virus. Please put me in your sig.
--Slashdot signature
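Added example, not part of the original post or of the avp.it analysis quoted in it: a small Python host-check for the two on-disk indicators the quoted text names for Variant II, a KERNEL32.EXE dropped into the Windows system folder (the legitimate kernel file is KERNEL32.DLL) and KDLL.DLL, plus a check for the UPX packer markers the quoted text says the worm body carries. The directory listing, the file sizes other than the quoted 29KB, the byte contents and the path C:\WINDOWS\SYSTEM are constructed assumptions for the demo; on a real box you would feed it the output of a directory walk.

```python
"""Indicator check for the I-Worm.BadtransII files named in the quoted
analysis. Added example; the sample listing below is constructed, not
captured from an infected host."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, List

# File names the quoted analysis says Variant II drops into the system folder.
INDICATOR_NAMES = {"kernel32.exe", "kdll.dll"}

# Assumption: Win9x-style system folder. Adjust for the host being checked.
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"


@dataclass
class FileEntry:
    path: str   # full Windows path
    size: int   # size in bytes
    head: bytes  # leading bytes of the file (enough to see PE section names)


def is_upx_packed(data: bytes) -> bool:
    """UPX leaves its section names (UPX0/UPX1) and the 'UPX!' marker in the
    packed image, so their presence is a cheap packer fingerprint."""
    return b"UPX0" in data or b"UPX1" in data or b"UPX!" in data


def check_entry(entry: FileEntry, system_dir: str = SYSTEM_DIR) -> List[str]:
    """Return the findings for one file; an empty list means nothing matched."""
    findings: List[str] = []
    name = ntpath.basename(entry.path).lower()
    directory = ntpath.dirname(entry.path).lower().rstrip("\\")
    in_system_dir = directory == system_dir.lower().rstrip("\\")

    if name in INDICATOR_NAMES and in_system_dir:
        findings.append(f"indicator file in system folder ({entry.size} bytes)")
    if name in INDICATOR_NAMES and is_upx_packed(entry.head):
        findings.append("UPX packer markers present")
    return findings


def scan(entries: Iterable[FileEntry], system_dir: str = SYSTEM_DIR) -> Dict[str, List[str]]:
    """Map each suspicious path to its findings; clean files are omitted."""
    report: Dict[str, List[str]] = {}
    for entry in entries:
        findings = check_entry(entry, system_dir)
        if findings:
            report[entry.path] = findings
    return report


def is_infected(entries: Iterable[FileEntry], system_dir: str = SYSTEM_DIR) -> bool:
    return bool(scan(entries, system_dir))


# Constructed sample listing: one legitimate kernel file, the two dropped
# files, and an unrelated document. The 29,696-byte size mirrors the quoted
# "29KB"; the other sizes and all byte contents are made up.
SAMPLE_LISTING = [
    FileEntry(r"C:\WINDOWS\SYSTEM\KERNEL32.DLL", 471_040, b"MZ\x90\x00" + b"\x00" * 60),
    FileEntry(r"C:\WINDOWS\SYSTEM\KERNEL32.EXE", 29_696, b"MZ\x90\x00" + b"\x00" * 40 + b"UPX0UPX1"),
    FileEntry(r"C:\WINDOWS\SYSTEM\KDLL.DLL", 5_632, b"MZ\x90\x00" + b"\x00" * 60),
    FileEntry(r"C:\My Documents\notes.txt", 120, b"plain text"),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_LISTING).items():
        print(path)
        for finding in findings:
            print("   -", finding)
```

The name check is deliberately tied to the system folder, since a KERNEL32.EXE sitting elsewhere is odd but is not the indicator the analysis describes; the UPX check is applied to either indicator name wherever it sits, because a packed file under one of these names is worth a look regardless of location. Note that UPX is a legitimate packer used by plenty of clean software, so the packer finding on its own is corroboration, not proof.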
More information about the oldeva mailing list