   Mischel Internet Security Forum
   Rise of the Worms (pay attention, Mozar!!!)
Ian
« on: May 30th, 2003, 6:37pm »

It seems that, in the past month, I've seen nothing but warnings on worms - here are the latest three to be brought to my attention:-
 
Quote:
Naco.B (W32/Naco.B), Holar.H (W32/Holar.H) and Auric (W32/Auric).  
 
Naco.B is a dangerous worm, as it includes a Trojan component that allows an attacker to gain remote access to certain resources on the affected computer. The actions a hacker could carry out include: opening and closing the CD-ROM tray or switching the mouse button functions.  
 
Naco.B spreads rapidly via e-mail, P2P (peer-to-peer) file sharing programs and ICQ chat channels. When it spreads via e-mail, the message always contains an attached file called WARS.EXE.  
 
Naco.B also sends an e-mail message containing information on the affected computer to the following address: chatza@phreaker.net. The information it sends includes the operating system installed, the version of Internet Explorer installed, the machine name, number and type of drives installed, etc.  
 
Finally, Naco.B disables the security programs installed on the affected computer. In order to do this, it carries out the following actions:  
 
- It ends active processes belonging to antivirus and firewall programs, among others, in the affected computer.  
 
- It looks for files related to different antivirus and security programs and deletes them.  
 
Holar.H is a worm that spreads rapidly via e-mail and uses 'social engineering' to trick users into opening the infected file.  
 
The subject, text and name of the attached files of the message in which Holar.H reaches computers are variable, as they are selected at random from a long list of possibilities. In addition to this file, the e-mail message also includes another attachment, which is selected at random from the affected computer. The sender of the infected message is always:  
Dispatch@McAfee.com.  
 
Finally, Auric is a worm whose effects are more annoying than damaging, as after it has infected a computer it makes it difficult to move the mouse, so that the user cannot place it on the toolbar; changes the color of the windows; every so often, it opens the CD-ROM tray; it creates files on the Windows desktop. However, the greatest danger lies in the fact that it detects and disables certain antivirus programs.  
 
Auric spreads rapidly via e-mail, IRC channels and P2P (peer-to-peer) file sharing programs.  

 
Maybe it's time to have a regular 'Worms' section in the customrules update... (Vampirefo, Acheton?) May as well stop these things with THGuard as well as anything else we use!

... but crap arrives pretty much straight away.
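
The advisory quoted in the post above names two mail indicators: the WARS.EXE attachment for Naco.B and the Dispatch@McAfee.com sender for Holar.H. The following is an added example, not part of the thread, showing a mail triage check for both; the function names, the sample addresses and the rule that a Holar.H match needs an attachment are assumptions made here.

```python
# Added example (not from the thread): match the two mail indicators the
# quoted advisory names. All sample messages below are constructed.
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

NACO_ATTACHMENT = "wars.exe"          # attachment name the advisory gives for Naco.B
HOLAR_SENDER = "dispatch@mcafee.com"  # sender the advisory gives for Holar.H
NACO_HIT = "Naco.B: attachment named WARS.EXE"
HOLAR_HIT = "Holar.H: sender Dispatch@McAfee.com with attachment"


def attachment_names(msg):
    """Lower-cased filenames of every MIME part that declares one."""
    return [p.get_filename().strip().lower()
            for p in msg.walk() if p.get_filename()]


def triage(raw_message):
    """Return the advisory indicators that a raw message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    names = attachment_names(msg)
    # parseaddr drops any display name, so "McAfee <Dispatch@...>" still matches.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    hits = []
    if NACO_ATTACHMENT in names:
        hits.append(NACO_HIT)
    # Assumption: only flag the Holar.H sender when the mail carries a file,
    # since the advisory describes the worm arriving as attachments.
    if sender == HOLAR_SENDER and names:
        hits.append(HOLAR_HIT)
    return hits


def build_sample(sender, attachment=None):
    """Construct a test message; the payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    for sender, name in [("friend@example.test", "WARS.EXE"),
                         ("McAfee <Dispatch@McAfee.com>", "notes.doc"),
                         ("friend@example.test", "photo.jpg")]:
        print(sender, name, triage(build_sample(sender, name)))
```

A match is only a triage hint: the advisory says Holar.H picks its subject and attachment names at random, so the sender address is the one fixed field to key on for it.
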
mozar
« Reply #1 on: May 30th, 2003, 7:10pm »

No problem here, Ian. Running on-access "WormHunter version Alpha2" and I have to say: no false positives until today.

Take care,
mozar

P.S.: You could also consider using the Russian freeware "System Safety Monitor 1.9.2 Beta 3" from:

http://maxcomputing.narod.ru/ssme.html?lang=en

I tried it for 3 days and it does work. No conflicts with AV, AT or FW, no PC slow-downs and used around 4 Mb of RAM. As you can see, didn't have sandbox symptoms. An interesting app indeed.
    
Ian
« Reply #2 on: May 31st, 2003, 8:54am »

So, there are useful things on narod.ru after all?
 
I have that domain blocked in several places (IE, Restricted Zones etc) because of the number of spam messages that were either from there or directed through there. It's 6th on my IE block list, so is one of the earliest ones I added.
 
Keep an eye on your in-box, Mozar! It will be interesting to see if anyone else is affected...

mozar
« Reply #3 on: May 31st, 2003, 1:33pm »

Ian, I tested SSM more than a week ago, sent and received e-mails from Max, the creator of SSM, and everything went absolutely normal.
No spam, no spyware, "bad" cookies - on the contrary, Max answered my e-mail in the same day, very supportively.

I use IE-SPYAD, SpyStopper, Zero PopUp, SpyBot, AdAware and the I.E.6 well configured, non-default. Together with FW+AV+AT and common sense ... never have a problem of this kind with any URL.
 
Ian
« Reply #4 on: May 31st, 2003, 5:59pm »

One of my addys is on most of the world's spam lists, I guess. It's the oldest (of course) and also the one I declare, in plain text, on sites I build etc. It was also the one that I used (in a munged form) on newsgroups. Therefore, I've no doubt it's been 'harvested' by spam-bots in the past. Things are quiet at the moment, but every couple of months I get a new batch on that one address only. My other three, plus my wife's, have never been hit by third-party spam (just the occasional thing from the email provider). These are younger (the oldest one is now over 10 years in use, the next oldest is half that).
 
I always examine the headers and source of suspected messages (there's a lot of 'socially-engineered' titles and so on to try and make users open email). Anything with obvious spam gets binned without reading it, along with any multi-part messages that would obviously go straight off to the sender's website to collect the rest, therefore telling them that the address is live, and the spiral continues. I use Sam Spade for a lot of my digging, but CentralOps for simpler DNS stuff since it gives the details in a slightly better format.
 
So I guess it's not even what I do or where I go that has much to do with getting this rubbish - it's just what the dumb spam-bots can pick up on their journeys. I do get a lot directed through Russian providers, though Yahoo is currently the favourite!

mozar
« Reply #5 on: May 31st, 2003, 8:59pm »

Ian, my case is really singular. My ISP provider uses SpamAssassin (also with a configured second filter for our language here) but I don't need the app.
Never received 1 (one) spam in all my life - I know you'll not believe me - in my main e-mail address.
Ian
« Reply #6 on: May 31st, 2003, 10:08pm »

It sounds like you've got a good service from your ISP! Mine filters email viruses, but only if I choose its web-based email viewer. If I choose Outlook or similar, then AV and the rest is all up to me...
 
Have you ever had a genuine message fall foul of SpamAssassin? Here's hoping it's better than, say, Hotmail's spam filters!

mozar
« Reply #7 on: May 31st, 2003, 10:27pm »

Never failed with O.Express. And since last month my ISP installed a really well designed AV (everything designed for UNIX) with an excellent heuristic plus defs.
It is like having 2 AVs here. Last week I asked for a beta here to send me a virus-attachment and the e-mail was bounced back to him. But the trojan passed.
Ian, my ISP is a small one with lots of guys at the support capable of talking about AV, AT and FW and security & privacy topics.
As nothing is perfect, I have to use another ISP to be able to connect by cable. The law here determines you have to subscribe to 2 (two) ISPs for cable modem users - one for I.E. and other for O.E. Nothing is perfect, mainly in my continent.
 
Ian
« Reply #8 on: Jun 1st, 2003, 7:56pm »

Cool. Very Cool!
 
Just a shame, as you say, that the law gets involved in the way it does.
 
Although ADSL here in my part of the UK has been rock-steady, (never any downtime), in some parts of the world a second connection would be a life-line for the wired community.