VRVIRGIN, posted January 11, 2006: Just got news of a nasty new virus doing the rounds, thought you peeps should be aware of it. It affects hotmail users mainly. Do not under any circumstances open any files received with this name: inviztor @ hotmail . com. If I've got the translation right, it reformats your computer and the computers of all your contacts and gains access to all hotmail passwords. All this as soon as you open the file. Hopefully not too late for everyone.
duncs, posted January 11, 2006: cheers for the tip off
Ferrari VR6, posted January 11, 2006: I expect inviztor @ hotmail . com is just another hoax that in itself can be classed as a virus... Check this one out, very cleverly written and made me pap myself when it arrived in my mailbox as it came from a user in the company I work for...

From: xxxxxxxxxxxxxx
Sent: 02 December 2005 14:57
To: xxxxxxxxxxxxxx
Subject: FW: Important

A new virus has just been discovered that has been classified by Microsoft as the most destructive ever. This virus was discovered yesterday afternoon by McAfee. This virus simply destroys Sector Zero from the hard disk, where vital information for its functioning are stored.

This virus acts in the following manner: It sends itself automatically to all contacts on your list with the title: "A Card for You". As soon as the supposed virtual card is opened the computer freezes so that the user has to reboot. When the ctrl+alt+del keys or the reset button are pressed, the virus destroys Sector Zero, thus permanently destroying the hard disk. Yesterday in just a few hours this virus caused panic in New York, according to news broadcast by CNN. This alert was received by an employee of Microsoft itself. So don't open any mails with subject: "A Virtual Card for You." As soon as you get the mail, delete it!! Even if you know the sender !!!

Please pass this mail to all of your friends. Forward this to everyone in your address book. I'm sure most people, like myself, would rather receive this notice 25 times than not at All!

------------------------------------------------------

PLEASE DO NOT PASS THIS MAIL TO ALL OF YOUR FRIENDS. By forwarding these types of warnings on you are actually propagating the virus itself; I have posted the above to make an example of how easy it is for peeps to create panic with an email and fill the internet up with more spam... But still, it's better to be safe than sorry.
Petesvw, posted January 11, 2006: Thanks for letting us know either way.
fritzenberg, posted January 12, 2006: why don't the geeky scumbag pricks who write these viruses get a life or better still just fuck off and die!!!! ggrrr!
petervr6, posted January 13, 2006: like they ain't got nothing better to do, sad prats.
Buzzark, posted January 13, 2006, quoting VRVIRGIN:

> Just got news of a nasty new virus doing the rounds, thought you peeps should be aware of it. It affects hotmail users mainly. Do not under any circumstances open any files received with this name: inviztor @ hotmail . com. If I've got the translation right, it reformats your computer and the computers of all your contacts and gains access to all hotmail passwords. All this as soon as you open the file. Hopefully not too late for everyone.

Lol. It's a hoax. Created by individuals even sadder than real virus writers and forwarded by the panicking public. I work in IT, we get a lot of this and I am forced to spank every user sending these "helpful" messages round our own network. Your intentions were good, but a better method is to check the validity of such emails you receive before posting it or forwarding it to "all your friends". There are many virus and hoax databases you can check against.

PS, there isn't a virus around that can wipe your drive, all your contacts' drives and also recover account and password info for hotmail - I found that quite funny. !lol
Ferrari VR6, posted January 13, 2006: There's a new high risk email virus doing the rounds (W32.Feebs.D@mm). Whether it's related to inviztor @ hotmail . com I don't know, but this is no hoax and is absolutely current; the global server team in the company I work for are currently, let's say... tense. For those who have no idea what all the computer talk is all about, it basically says that the virus is gonna repeatedly pump your PC in every orifice without a rubber and then pass on its experiences to some arsehole who will probably then rob you! (check the text I've highlighted in red near the bottom) There are no virus scanner definitions currently written as it's so new, so keep an eye out! Below is some information from the Internet Storm Center and a description from the Symantec website...

---------------------------------------------------------------------------------------------

Published: 2006-01-11, Last Updated: 2006-01-11 22:28:25 UTC by Daniel Wesemann (Version: 1)

We are currently analyzing a copy of .. something. Attachment name "message.zip", detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia, so if you have a chance, you might consider blocking the following TLDs on your proxy / perimeter: 1gb.ru / t35.com / hzs.nm.ru / users.cjb.net / h16.ru

UPDATE 2200UTC: message.zip contains a file named "Secure E-mail File.hta", which according to current Virustotal output is only detected by Panda and Kaspersky; the latter calls it Worm.Win32.Feebs.k. Samples we've seen come in an email with subject "Secure Message from HotMail.com user". The HTA file is nicely obfuscated: it has 2 obfuscation functions, one being easy unescape, while the other one is a bit more complex. Once it is executed by a user, it will run in the local zone, so it can use various ActiveXObjects. It will try to download executables from 5 web sites (domains listed above), all of which are up and working at this moment.

Symantec

When W32.Feebs.D@mm is executed, it performs the following actions:

1. Drops and executes the following files using a malicious JavaScript, when the .HTA file is viewed:
C:\Command.exe
%UserProfile%\All Users\Start Menu\Programs\Startup\Command.exe
Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Executes the worm, when the JavaScript shows a logon prompt for user name and password as a diversion tactic.

3. Adds the value:
"Stubpath" = "C:\COMMAND.EXE"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}

4. Adds the value:
"(default)" = "%System\[PATH TO DLL WORM COMPONENT]"
to the registry subkey:
HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32
so that it runs every time Windows starts.

5. Adds the value:
"[FILE NAME OF DLL WORM COMPONENT]" = "{[RANDOM CLSID]}"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
so that it runs every time Windows starts.

6. Sends emails to all addresses found. The email has the following characteristics:

From: The from address is a combination of one of the following names with one of the following domain names:
Names: protect, secur, security, securmail
Domains: @hotmail.com, @gmail.com, @aol.com, @msn.com, @yahoo.com

Subject: The subject may be the following string: "happy new year". Or alternatively it can be a combination of the following strings:
[STRING 1]: Secure, Protected, Encrypted, Extended
[STRING 2]: Mail, E-Mail, Message, Html
[STRING 3]: [BLANK], System, Service, Service ([DOMAIN]), from [DOMAIN] user.
[STRING 4]: Thank you, Sincerely, Best Regards
Subject is a combination of the strings in the following pattern: [STRING 1] [STRING 2] [STRING 3]
Note: The subject could look like one of the following:
Subject: Protected Message from Gmail.com user.
Subject: Secure Mail Service (HotMail.com)
Subject: Encrypted E-mail from Yahoo.com user.

Message:
You have received [STRING 1] [STRING 2] from [DOMAIN] user.
This message is addressed personally for you.
To decrypt your message use the following details:
ID: [RANDOM NUMBERS]
Password: [RANDOM LETTERS]
Keep your password in a safe place and under no circumstances give it to ANYONE.
[STRING 1] [STRING 2] and instruction is attached.
[STRING 4]
[STRING 1] [STRING 2] [STRING 3],
[DOMAIN]

Note: The message could look like the following:
You have received Encrypted Message from MSN.com user.
This message is addressed personally for you.
To decrypt your message use the following details:
ID: 44321
Password: mxsjstjgd
Keep your password in a safe place and under no circumstances give it to ANYONE.
Encrypted Message and instruction is attached.
Best Regards,
Encrypted E-mail Service,
MSN.com

Attachment: One of the following: msg.zip, message.zip, data.zip, mail.zip
The attachment contains the worm as an .HTA file with the following name: [STRING 1] [STRING 2] File.HTA
Note: The attachment could look like one of the following: Extended Mail File.HTA, Extended E-Mail File.HTA, Secure Mail File.HTA, Secure E-Mail File.HTA

7. Creates the following files:
%System%\MS[RANDOM].exe
%System%\MS[RANDOM]
%System%\MS[RANDOM]32.DLL
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

8. Loads %System%\MS[RANDOM]32.DLL into all active processes and uses rootkit functionalities to hide its files and registry keys.

9. Adds the value:
"web" = "[http://]popcapfree.t35.com/[REMOVED]"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

10. Stores several registry subkeys containing configuration info, stolen passwords, accounts, and email addresses:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\cdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\fdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\rdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\sdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\ldat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\gdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\pdat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\udat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\idat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\ddat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\kdat

11. Modifies the value:
"EnableFirewall" = "0"
in the registry subkeys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
to disable the Windows Firewall.

12. Searches for folders that contain the following strings: downloads, share, incoming

13. Copies itself to any folders that it finds as the following files:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
The .zip file contains a nonmalicious text file that matches the name of the .zip file. It is reported, however, that the text file's name does not include the following string: _new!_full+crack

14. Attempts to lower security settings on the compromised computer by ending security-related programs and by stopping services with names starting with one of the following strings:
armor2net armorwall avgcc avp6 aws bgnewsui blackd bullguard ca ccapp ccevtmgr ccproxy ccsetmgr dfw dpf fbtray fireballdta FirePM firesvc firewal fsdfwd fw fwsrv goldtach hacker hackereliminator iamapp iamserv internet security ipatrol ipcserver jammer kaspe kavpf keylog keypatrol KmxAgent KmxBiG KmxCfg KmxFile KmxFw KmxIds KmxNdis KmxSbx kpf4gui kpf4ss leviathantrial looknstop mcafeefire mpftray netlimiter npfc npfmsg npfsvice npgui opf opfsvc outpost pavfnsvr pccpfw pcipim pcIPPsC persfw rapapp RapDrv smc sndsrvc spfirewallsvc spfw sppfw sspfwtry2 s-wall symlcsvc ton tzpfw umxtray vipnet vsmon xeon xfilter zapro zlclient zonealarm

15. Deletes all the startup registry keys associated with these services under the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]

16. Starts a local Web server on TCP port 80. When a user connects to the Web server, it loads the .HTA file and also gives a link to offline.zip which is a zip file containing the worm.

17. May gather sensitive information from the compromised computer by monitoring open windows. This includes monitoring for WebMoney, ICQ and cryptography key files. This information can then be sent to a remote attacker.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
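As an added example that is not from the Symantec writeup or from any of the posters: a small Python filter that encodes the sender, subject and attachment naming traits listed in the description above, the kind of rule a mail gateway or a mailbox log review could apply to flag matching messages. The sample messages at the bottom are constructed, modelled on the examples in the writeup.

```python
import re

# Lure traits taken from the Symantec W32.Feebs.D@mm description quoted above.
SENDER_NAMES = {"protect", "secur", "security", "securmail"}
SENDER_DOMAINS = {"hotmail.com", "gmail.com", "aol.com", "msn.com", "yahoo.com"}
STRING1 = ("Secure", "Protected", "Encrypted", "Extended")
STRING2 = ("Mail", "E-Mail", "Message", "Html")
ZIP_NAMES = {"msg.zip", "message.zip", "data.zip", "mail.zip"}

# Subject pattern: [STRING 1] [STRING 2] [STRING 3], where STRING 3 is blank,
# "System", "Service", "Service ([DOMAIN])" or "from [DOMAIN] user."; the
# alternative subject "happy new year" is accepted too.
SUBJECT_RE = re.compile(
    r"^(?:happy new year|(?:%s) (?:%s)"
    r"(?: (?:System|Service(?: \([\w.-]+\))?|from [\w.-]+ user\.?))?)$"
    % ("|".join(STRING1), "|".join(STRING2)),
    re.IGNORECASE,
)
# Name of the HTA dropped inside the zip: "[STRING 1] [STRING 2] File.HTA".
HTA_RE = re.compile(
    r"^(?:%s) (?:%s) File\.HTA$" % ("|".join(STRING1), "|".join(STRING2)),
    re.IGNORECASE,
)

def feebs_indicators(sender, subject, zip_name=None, zip_members=()):
    """Report which of the described lure traits a message shows."""
    local, _, domain = sender.strip().lower().rpartition("@")
    return {
        "sender": local in SENDER_NAMES and domain in SENDER_DOMAINS,
        "subject": SUBJECT_RE.match(subject.strip()) is not None,
        "zip_name": (zip_name or "").lower() in ZIP_NAMES,
        "hta_member": any(HTA_RE.match(m.strip()) for m in zip_members),
    }

def is_feebs_lure(sender, subject, zip_name=None, zip_members=()):
    """Flag only when the lure subject is paired with an attachment trait,
    so a legitimate 'Secure Message' notice without a zip does not trip it."""
    hits = feebs_indicators(sender, subject, zip_name, zip_members)
    return hits["subject"] and (hits["zip_name"] or hits["hta_member"])

# Constructed sample messages (sender, subject, zip name, zip contents).
SAMPLES = [
    ("securmail@msn.com", "Encrypted Message from MSN.com user.", "message.zip", ["Encrypted Message File.HTA"]),
    ("protect@hotmail.com", "Secure Mail Service (HotMail.com)", "mail.zip", ["Secure Mail File.HTA"]),
    ("dave@example.org", "Re: wheel bolts", "photos.zip", ["front.jpg"]),
]

if __name__ == "__main__":
    for sender, subject, zname, members in SAMPLES:
        print(is_feebs_lure(sender, subject, zname, members), subject)
```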
VR6Pete, posted January 13, 2006: Viruses are a part of everyday life, and a constant threat in the I.T. industry. Ensure that you have an UP TO DATE AV application... if you don't want to pay for one, then use AVG FREE (Google it). Although, if you're a Linux Pimp, like me, you won't have this sort of problem; however, if you are running wine applications under linux, or you're using your box for public services (http, mail) then you could potentially have viri stored on your system. However, due to .exe, .com, .scr not being natively executable under a *nix environment, you are generally safe, but a scan now and then can't hurt. DOWN WITH MICROSOFT - UP WITH LINUX
Ferrari VR6, posted January 13, 2006, quoting VR6Pete:

> DOWN WITH MICROSOFT - UP WITH LINUX

Lol and agreed!
Buzzark, posted January 17, 2006: Agreed - you need an up to date antivirus solution. www.avast.com is a very good free one for home users. W32.Feebs.D@mm is very real, inquizitor I still think is a hoax.