The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

We Build the Best & Repair the Rest! ©
Alerts July 2002


Top 10 malware reported to Sophos in July 2002

Position  Last month  Malware           Percentage of reports
1         1           W32/Klez-H        17.7%
2         5           W32/Frethem-Fam   17.0%
3         6           W32/Yaha-E        16.8%
4         3=          W32/Badtrans-B     5.8%
5         2           W32/ElKern-C       3.7%
6         7           W32/Magistr-B      2.5%
7         Re-entry    W32/Hybris-B       1.9%
8         Re-entry    W32/Klez-E         1.7%
9         Re-entry    W32/Nimda-A        1.5%
10        Re-entry    W32/Magistr-A      1.3%
          Others                        30.1%

("3=" marks a tie for third place in the previous month; "Re-entry" marks malware returning to the top ten after dropping out.)

 

How W32/Frethem-Fam behaves

W32/Frethem-Fam is a family of email-aware (mass-mailing) worms.

The worm arrives in an email with one of the following sets of characteristics:

Subject line: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message text:
Hello!
Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with website and samples! Enjoy it!!!
Attached file: www.freedesktopthemes.exe

or

Subject line: Re: Your password!
Attached files: "Your password placed in password.txt password.exe" and password.txt

The message text is blank. "Your password placed in password.txt password.exe" (a single file name containing spaces) is a copy of the worm and password.txt is a text file containing the text "Your password is W8dqwq8q918213".

or

Subject line: Re: Your password!
Message text:
ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
Attached files: decrypt-password.exe, password.txt

Decrypt-password.exe is a copy of the worm and password.txt is a text file containing the text "Your password is W8dqwq8q918213".

The worm exploits the Internet Explorer MIME header vulnerability (the flaw addressed by Microsoft bulletin MS01-020, in which an executable attachment declared with a harmless Content-Type such as audio/x-wav is run instead of being displayed) together with an IFRAME in the HTML body that references the attachment, so that on unpatched Microsoft email clients the attached file runs automatically as soon as the message is previewed or opened. Outlook and Outlook Express render HTML mail with the Internet Explorer engine, so a client whose Internet Explorer has the MS01-020 fix applied does not run the attachment on its own; the user would still have to open it.
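Two things in the description above are usable as detection logic at a mail gateway or in an analyst's triage script: the fixed subject lines and attachment names, and the MIME trick itself, which shows up as an executable file name on a part whose declared Content-Type is not an application type, referenced from the HTML body by an IFRAME whose src is the part's Content-ID. The following Python script is an added example, not Sophos' or The Computer Guys' code, that checks a raw message for both. The two sample messages, the boundary strings, the Content-ID "frethem-payload" and the placeholder attachment bytes are constructed here for illustration; only the subject lines and attachment names come from the description.

```python
"""Detector for W32/Frethem-Fam style mail (added example, not vendor code).

Flags (1) the subject lines and attachment names given in the description and
(2) the MS01-020 MIME trick: an executable attachment declared with a harmless
Content-Type and pulled in by <iframe src="cid:..."> from the HTML body.
"""
import email
import re
import sys
from email import policy

# Indicators taken from the description of the worm's messages.
KNOWN_SUBJECTS = {
    "Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!",
    "Re: Your password!",
}
KNOWN_ATTACHMENTS = {
    "www.freedesktopthemes.exe",
    "Your password placed in password.txt password.exe",
    "decrypt-password.exe",
}
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|vbs)$", re.I)
# <iframe ... src="cid:xyz"> or src=cid:xyz; group 1 is the Content-ID
CID_IFRAME = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)


def analyse(raw: bytes) -> dict:
    """Return {"suspicious": bool, "findings": [...]} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", "")).strip()
    if subject in KNOWN_SUBJECTS:
        findings.append("known Frethem subject: %r" % subject)

    iframe_cids = set()   # Content-IDs the HTML body loads without user action
    attachments = []      # (part, file name, declared content type)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename()
        if ctype == "text/html":
            for cid in CID_IFRAME.findall(part.get_content()):
                iframe_cids.add(cid.strip("<>"))
        if fname:
            attachments.append((part, fname, ctype))

    for part, fname, ctype in attachments:
        if fname in KNOWN_ATTACHMENTS:
            findings.append("known Frethem attachment name: %r" % fname)
        if not EXEC_EXT.search(fname):
            continue
        # MS01-020 pattern: executable wrapped in a type unpatched IE would open
        if not ctype.startswith("application/"):
            findings.append("executable %r declared as %s" % (fname, ctype))
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        if cid and cid in iframe_cids:
            findings.append("executable %r auto-loaded via <iframe src=cid:%s>" % (fname, cid))

    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample in the shape of the third message variant above. Boundary,
# Content-ID and the attachment bytes (a harmless placeholder) are made up.
SAMPLE_FRETHEM = b"""\
From: someone@example.org
To: victim@example.org
Subject: Re: Your password!
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_BOUND1"

------=_BOUND1
Content-Type: text/html; charset="us-ascii"

<html><body>ATTENTION! You can access very important information by this
password. DO NOT SAVE password to disk, use your mind, now press cancel
<iframe src="cid:frethem-payload" width=0 height=0></iframe></body></html>
------=_BOUND1
Content-Type: audio/x-wav; name="decrypt-password.exe"
Content-Transfer-Encoding: base64
Content-ID: <frethem-payload>
Content-Disposition: attachment; filename="decrypt-password.exe"

TVpFWEVfTk9UX0FfUkVBTF9XT1JN
------=_BOUND1--
"""

# Constructed ordinary message with a PDF attachment, for comparison.
SAMPLE_BENIGN = b"""\
From: alice@example.org
To: bob@example.org
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_BOUND2"

------=_BOUND2
Content-Type: application/pdf; name="notes.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="notes.pdf"

JVBERi0xLjQK
------=_BOUND2--
"""

if __name__ == "__main__":
    # Usage: python frethem_check.py message.eml   (defaults to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FRETHEM
    result = analyse(data)
    print("suspicious" if result["suspicious"] else "clean")
    for finding in result["findings"]:
        print(" -", finding)
```

The name and subject lists catch only the variants described here; the Content-Type mismatch and IFRAME checks are the durable part, since they key on the delivery trick rather than on strings the next variant can change.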

Upon execution the worm copies itself to C:\Windows\Start Menu\Programs\Startup as setup.exe and runs in the background as a process of the same name. On a computer with user profiles enabled it may instead copy itself to <user profile path>\Start Menu\Programs\Startup. Either location causes the worm to run again the next time the computer is restarted or the same user logs in.

Some variants of the worm also create a copy of themselves in the Windows folder with the name taskbar.exe. In this case the worm will create the following registry entry to allow the worm to run when Windows is started up:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Task Bar

The mass-mailing behaviour is triggered only on certain dates, evaluated against the local time zone. When triggered, the worm reads the outgoing (SMTP) server settings from the following registry entry, which holds the first mail account configured in Outlook Express:

HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001

The worm then sends itself, using its own SMTP engine rather than the installed mail client, to addresses harvested from DBX, WAB, MBX, EML, MDB and DAT files (some variants harvest only Outlook Express DBX message stores and the Windows Address Book). Because the worm carries its own SMTP engine, the copies it sends do not appear in the victim's Sent Items folder, and blocking outbound port 25 from workstations to anything but the organisation's own mail server stops the spread.

Besides mass-mailing itself, the worm also sends HTTP requests to CGI scripts at several remote locations. At the time of writing those scripts were no longer available, so this behaviour poses no further threat, although such outbound requests from a workstation remain a useful sign of infection.

Copyright © 1998 The Computer Guys