Archivlink: javarea.de Forum > News > Viruswarnung! Vollständigen Link anzeigen: javarea.de Forum > News > Viruswarnung! Pages: [1] geschrieben von Bernhard am 13.05.2003 - 11:46 hi leute! zur zeit hausiert ein virus bzw. ein worm in unserem firmennetzwerk ins rund 150 pc innerhalb von 5 stunden infiziert... wir schließen schon wetten ab wann der nächste kommt ;) geschrieben von Daniel am 13.05.2003 - 13:09 Was ist es denn für einer? geschrieben von Bernhard am 13.05.2003 - 13:13 fizzer heißt er.. anscheinend ist er "harmlos" er wird über email übertragen und schickt sich immer wieder automatisch weiter dadurch wird das netz "nur" überbelastet ... leider legt er virenscanner flach dadurch entsteht das risiko das ein anderer virus das ganze system versaut.. geschrieben von Daniel am 13.05.2003 - 13:42 Da sieht man mal wieder wie schlimm ein harmloser Visus sein kann... hf & gl geschrieben von Bernhard am 13.05.2003 - 13:55 das stimmt bei uns in der firma sind es glaub ich schon 200 die anklopfen... aber was meinst mit hf & gl ? geschrieben von Daniel am 14.05.2003 - 13:55 Das ist aus dem Counter Striken.... wünscht man sich vor Wars und halt auch so heisst Good Luck and Have fun geschrieben von Gast am 14.05.2003 - 14:15 This is an Internet worm that spreads via e-mail messages and KaZaa shared directories. It also contains "backdoor" remote access features. Installation When the worm is launched, it creates the following files in the Windows directory: iservc.exe (copy of the worm) initbak.dat (copy of the worm) ProgOp.exe (worm's component) iservc.dll (keylogger library used by the worm) iservc.klg (contains logged keystroke data) The worm also writes a registry key to start automatically when Windows starts: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run SystemInit=(Windows directory path)\iservc.exe Under Windows NT/2000/XP the worm is able to create a system service, but this ability is disabled by its author. It also registers as a default handler for files with ".TXT" extension, so it gets executed when such a file is opened. Replication: KaZaa The worm copies itself to the KaZaa download directory with random filenames. Replication: E-mail The worm uses its own SMTP engine to send its copies. The destination e-mail addresses are randomly generated or extracted from the Outlook and Windows address books. Infected messages have various selected subjects, bodies, and attachment names. They are generated from several large string lists. For example: Subject: Re: ;( Attachment: desktop.exe Body: you must not show this to anyone... Subject: Re: I think you might find this amusing... Attachment: Logan6.exe Body: Let me know what you think of this... Subject: Fwd: why? Attachment: Taylor83.com Body: Today is a good day to die... Backdoor routine: IRC The worm contains a list of IRC channels it tries to connect to and to receive remote access commands from an attacker. Backdoor routine: Other The worm starts HTTP and telnet-like servers and binds them to pre-configured ports to provide remote access to the computer. Other The worm captures all keystrokes and writes them to the file named "iservc.klg" in the Windows directory. It also tries to download and install its updated version from a geocities user page. The worm tries to terminate processes that contain the following strings in their name: ANTIV AVP F-PROT NAV NMAIN SCAN TASKM VIRUS VSHW VSS Most options, like registry key names, IRC and SMTP server names, port numbers and action sequences are pre-configured in a special data file that is encrypted and stored in the worm's EXE file resources. ################# ################# ################# http://www.kav.ch/avpve/worms/email/fizzer.stm

Powered by: JBB v.2.0.4 Copyright ©2000-2006, www.javarea.de.