Yes, that is a virus:
A removal tool is available at:
More info:
- Virus name: BadTrans
- Official name: W32/BadTrans.B@mm
- Number of copies seen so far: 12,280
- Time & Date first Captured: 23 Nov 2001 18:40:36 GMT from UK
- Origin of first intercepted copy: UK
- Number of countries seen active: 37
- Top three most active countries: UK, US, Germany

This is a mass mailing virus which uses an unusual and potentially devastating way of spreading by replying to unread messages in the recipient's in-box. Then, the next time Windows is loaded the virus will further spread by replying to unread messages across additional Outlook folders.

The virus makes use of the ms01-020 exploit, which means that it can execute on reading or previewing the email from within Microsoft Outlook - it is not necessary to double click on any attachment. A patch to fix this exploit is available from Microsoft.

Subject line is selected from an email in the infected user's PC and prefixed with 'Re: '

Attachment: Variable - built up from several elements. Examples include:
S3MSONG.DOC.scr
Pics.DOC.scr
HUMOR.MP3.scr
Sorry_about_yesterday.MP3.pif
README.MP3.scr
ME_NUDE.MP3.scr
fun.MP3.pif
NEWS_DOC.DOC.scr
docs.DOC.pif
images.DOC.pif
HAMSTER.DOC.pif
SEARCHURL.MP3.pif

Payload: The virus also drops a password stealing Trojan KDLL.DLL previously identified as Trojan.PSW.Hooker. The trojan component uses key logging to send confidential information (passwords, credit card details etc.) from infected computers to an email address of the virus writer. The trojan component moves itself to the Windows system directory with the filename KERN32.EXE, drops an additional library (key logger) with filename HKSDLL.DLL. The trojan registers itself in the Registry in RunOnce key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
kernel32 = kern32.exe

Windows loads the trojan file on each restart.
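A mail-gateway style check for the attachment naming pattern in the advisory above (a decoy .DOC or .MP3 extension followed by .scr or .pif), as an added example that is not part of the original post. The function names, the extension sets as a policy, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions taken from the attachment names in the advisory; extend per local policy.
EXECUTABLE_EXTS = {"scr", "pif"}
DECOY_EXTS = {"doc", "mp3"}

def is_double_extension(filename):
    """True for names like README.MP3.scr: decoy extension, then an executable one."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().rstrip(". ").lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    _, decoy, final = parts
    return decoy in DECOY_EXTS and final in EXECUTABLE_EXTS

def flagged_attachments(raw_message):
    """Return filenames of all MIME parts in raw_message (bytes) that match the pattern."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_double_extension(n)]

def build_sample():
    """Constructed test message: harmless placeholder bytes, names as in the advisory."""
    msg = EmailMessage()
    msg["Subject"] = "Re: meeting notes"
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg.set_content("constructed body")
    for name in ("README.MP3.scr", "notes.doc"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(flagged_attachments(build_sample()))
```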
