Goanetters,

A major virus (mass-mailing) outbreak is ongoing at this moment... Please be wary when opening any documents attached in emails even if they arrive from known family and friends.
Please ensure your anti-virus dat files are up-to-date before any further web-surfing or downloading of emails. Latest updates by product include:

* McAfee Viruscan - DAT file 4319
* Symantec Norton AntiVirus - run LiveUpdate as on Jan 26/04
* Grisoft AVG 7.0 - update 261.7.7.
* Grisoft AVG 6.0 - update 571.
* eTrust Antivirus v7 Signature Updates Files, Version ( 23.63.79 )
* InoculateIT Engine Virus Signature Update Files, Version ( 23.63.79 )
* Inoculan 4.0/InoculateIT 4.5x Virus Signature Update Files, Version ( 45.79 )
* EZ Antivirus 6.x Engine Virus Signature Update Files: ( 6.x/5180 )
* Vet 10.5 Engine Virus Signature Update Files: ( 10.5x/5180 )
* Vet 10.6 Engine Virus Signature Update Files: (10.6x/8111)
* Vet 11.2 Engine Virus Signature Update Files: (11.2x/8111)

Please read below for more info.

- Bosco

PS. If anybody uses any other anti-virus solutions, please let me know. For those that don't use any anti-virus solution.......may the anti-dote be with you !!

http://us.mcafee.com/virusInfo/default.asp?id=mydoom

*** Virus Information ***

Name: W32/[EMAIL PROTECTED] aka [EMAIL PROTECTED]

*** Virus Characteristics ***

This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body: (Varies, such as)
  The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  The message contains Unicode characters and has been sent as a binary attachment.
  Mail transaction failed. Partial message is available.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

When this file is run it copies itself to the local system with the following filenames:

- c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
- %SysDir%\taskmon.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also uses a DLL that it creates in the Windows System directory:

- %SysDir%\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127 suggesting remote access capabilities.

*** Indications of Infection ***

- Upon executing the virus, Notepad is opened, filled with nonsense characters.
- Existence of the files and registry entry listed above

*** Method of Infection ***

This file tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

- wab
- adb
- tbb
- dbx
- asp
- php
- sht
- htm
- txt

Additionally, the worm contains strings, which it uses to randomly generate, or guess, addresses.
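The indicators listed in the advisory above (the dropped files, the Run entry and TCP port 3127) can be checked against a host inventory. The following is an added example, not part of the original post or of the vendor advisory; the inventory dict layout, the `triage` function, the candidate %SysDir% values and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators as listed in the advisory text above.
SYSDIR_FILES = {"taskmon.exe": None, "shimgapi.dll": 4096}  # stated size, None = not stated
KAZAA_COPY = r"c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr"
RUN_NAME, RUN_TARGET = "TaskMon", "taskmon.exe"
PORT = 3127
# Assumption: candidate %SysDir% values; the advisory gives C:\WINDOWS\SYSTEM as one example.
DEFAULT_SYSDIRS = (r"C:\WINDOWS\SYSTEM", r"C:\WINDOWS\SYSTEM32")


def norm(path):
    """Windows paths are case-insensitive and accept '/'; normalise before comparing."""
    return ntpath.normcase(ntpath.normpath(path))


def triage(inventory, sysdirs=DEFAULT_SYSDIRS):
    """Return findings for one host inventory (hypothetical layout, see samples below)."""
    files = {norm(p): size for p, size in inventory.get("files", {}).items()}
    sysdirs = [norm(d) for d in sysdirs]
    findings = []
    # The advisory names the system directory specifically, so a file with the
    # same name in another directory is deliberately not matched.
    for d in sysdirs:
        for name, size in SYSDIR_FILES.items():
            path = ntpath.join(d, name)
            if path in files:
                note = "" if size in (None, files[path]) else " (size differs from advisory)"
                findings.append("file:" + path + note)
    if norm(KAZAA_COPY) in files:
        findings.append("file:" + norm(KAZAA_COPY))
    targets = {ntpath.join(d, RUN_TARGET) for d in sysdirs}
    for name, data in inventory.get("run_key", {}).items():
        if name.lower() == RUN_NAME.lower() and norm(data.strip('"')) in targets:
            findings.append("run:" + name)
    if PORT in inventory.get("listening_tcp", []):
        findings.append("port:%d" % PORT)
    return findings


# Constructed sample inventories (not real hosts).
INFECTED = {
    "files": {r"C:\WINDOWS\SYSTEM32\TaskMon.exe": 22528,
              "c:/windows/system32/shimgapi.dll": 4096, KAZAA_COPY: 22528},
    "run_key": {"TaskMon": r"C:\WINDOWS\system32\taskmon.exe"},
    "listening_tcp": [135, 3127],
}
CLEAN = {"files": {r"C:\WINDOWS\taskmon.exe": 28672},
         "run_key": {"TaskMon": r"C:\WINDOWS\taskmon.exe"}, "listening_tcp": [135]}
```

`triage(INFECTED)` returns five findings (three files, the Run entry and the port), while `triage(CLEAN)` returns an empty list.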