Computer Consultant <[EMAIL PROTECTED]> wrote:

From: Computer Consultant <[EMAIL PROTECTED]>
To: computerconsultant <[EMAIL PROTECTED]>
Date: Sun, 22 May 2005 20:57:28 -0700 (PDT)
Subject: ComputerConsultant German Virus Information
German Virus Information

A new e-mail virus is circulating. The original virus appears as an attachment to a message written in German, which should greatly cut down on the number of people at OU who open it by mistake. Still, an English-wrapped version probably isn't far off.

Virus Profile: W32/[EMAIL PROTECTED]

Name: W32/[EMAIL PROTECTED]
Risk Assessment - Home Users: Low - Corporate Users: Low
Date Discovered: 2/18/2002
Date Added: 2/19/2002
Origin: Germany
Length: 437760
Type: Internet Worm
SubType: Win32
DAT Required: 4187

Virus Family Statistics (over the past 30 days): Virus Name / Infected Files / Scanned Files / % Infected Computers - W32/[EMAIL PROTECTED]

Characteristics

-- Update 2/20/2002 -- AVERT has lowered the risk assessment to LOW.

This is a new worm seen by AVERT researchers in Germany and the UK today, 19 Feb 2002.

This worm has its own SMTP e-mailing engine, which harvests e-mail addresses from the Microsoft Outlook address book and from .pl, .php, .htm, .shtm, and .cgi files, storing them in the file kernei32.daa.

The worm reads the system default SMTP server from the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\SMTP Server
It stores this and other server details (hardcoded within the worm) in the file kernei32.das.

The worm copies itself to the Windows folder under a randomly selected name and creates a registry run key value to load the worm at startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

It also replaces notepad.exe, copying the original notepad.exe to notedpad.exe.

The worm's payload is to delete all files on drive C: that are not locked.

The virus arrives in an e-mail message with the following information:
From: (forged) [EMAIL PROTECTED]
Subject: Trojaner-Info Newsletter 18.02.02 (the date is updated according to the infected machine)
Attachment: yawsetup.exe

The message is formatted as follows (destination e-mail address removed). Note that the people and websites mentioned are innocent and not the originators of the virus.
In full, and translated, this reads:

Hello!
Welcome to the latest newsletter from Trojaner-Info.de
Content: 1. YAW 2.0 - the latest version of our porn-dialer warner
****
1. YAW 2.0 - Our porn-dialer warner in its latest version.
Our widely used dialer warner YAW is now available in a brand new and enhanced version. All subscribers to our newsletter get this version for free with this newsletter. Just start the attached file and YAW 2.0 installs itself. If there are any questions, the programmer of this unique tool is available at [...]
Have fun with YAW!
http://www.trojaner-info.de/dialer/yaw.shtml
****
That's it for the latest Trojaner-Info news; thank you for your attention, and we wish all our readers a pleasant week.

The rest is standard newsletter headers. Again, the people and websites mentioned are not the true originators of the virus.

At the end of the file is a comment:
Als kleines Dankeschön von der Pornoindustrie. Das ist nur der Anfang, wenn ihr nicht aufhoert.
Translation of the comment:
A little present from the porn industry. This is just the beginning if you don't stop.

Indications of Infection
Presence of the following files in %windir%:
NOTEDPAD.EXE
KERNEL32.DAA
KERNEL32.DAS

Method of Infection
Running yawsetup.exe will infect the system.

Removal Instructions
All Users: Use current engine and DAT files for detection and removal. Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations

Aliases
I-Worm.Yarner.a (AVP), I-Worm.Yarner.b (AVP), Trojan.Yaw.20 (MkS_vir), [EMAIL PROTECTED] (NAV), W32/Yarner (Sophos), W32/[EMAIL PROTECTED] (Norman), Web!
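As an added example (not part of the forwarded profile and not McAfee's tooling), here is a small Python check a mail administrator or responder could use against the indicators listed above: it flags a message that matches the lure (subject "Trojaner-Info Newsletter DD.MM.YY" plus a yawsetup.exe attachment) and reports which of the dropped files appear in a %windir% listing. The sample message is constructed for the example and its sender address is a placeholder.

```python
import re
from email import message_from_string
from email.message import Message

# Indicators taken from the profile above: subject pattern (date varies),
# lure attachment name, and files dropped into %windir%.
LURE_SUBJECT = re.compile(r"^Trojaner-Info Newsletter \d{2}\.\d{2}\.\d{2}$")
LURE_ATTACHMENT = "yawsetup.exe"
DROPPED_FILES = {"notedpad.exe", "kernel32.daa", "kernel32.das"}


def attachment_names(msg: Message) -> list[str]:
    """Return lower-cased filenames of every attachment part in a parsed message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.lower())
    return names


def is_yarner_lure(raw: str) -> bool:
    """True when both the subject pattern and the yawsetup.exe attachment are present."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    return bool(LURE_SUBJECT.match(subject)) and LURE_ATTACHMENT in attachment_names(msg)


def host_indicators(windir_listing: list[str]) -> set[str]:
    """Given the file names found in %windir%, return which dropped files are present."""
    present = {name.lower() for name in windir_listing}
    return DROPPED_FILES & present


# Constructed sample (not a real capture); the From address is a placeholder.
SAMPLE_LURE = """\
From: newsletter@example.invalid
Subject: Trojaner-Info Newsletter 18.02.02
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hallo!
--b1
Content-Type: application/octet-stream; name="yawsetup.exe"
Content-Disposition: attachment; filename="yawsetup.exe"

AAAA
--b1--
"""
```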