From their site: UWA (Universal Widget API) is the next generation of the Netvibes widget API, the successor of the Netvibes Mini Module API. With this new release, our API becomes a powerful framework for Web widget development, not only for Netvibes widgets, but also for many other environments, among which are Apple's Dashboard and the Google Homepage. With the UWA, you only need one API to build widgets for a host of environments.
Netvibes: Highlights
Summary
Personalized home page with widgets
Category
Widgets
Tags
widgets opensocial
Protocols
JavaScript
Data Formats
XML, JSON, JSONP
API home
http://dev.netvibes.com
Saturday, December 31, 2011
I'm Human API
The I'm Human API is "where humanity wins the fight against machines," according to elxsy.com, the provider of the service. I'm Human is a visual CAPTCHA service which responds with a word, a grid of up to 25 images and the grid numbers which correspond to the correct answers. Humans must select the images that match the words and your application compares the results to the correct answer from the I'm Human API.
I'm Human: Highlights
Summary
Visual CAPTCHA service
Category
Security
Tags
captcha security
Protocols
REST
Data Formats
JSON
API home
http://www.elxsy.com/imhuman/api/
Google OpenID API
The Google OpenID API lets third-party web sites and applications let visitors sign in using their Google user accounts. The OpenID standard saves users from having to set up separate login accounts for different web sites, and conversely frees web site developers from the task of managing login information and security measures. OpenID achieves this goal by providing a framework in which users establish an account with an OpenID provider, such as Google, and use that account to sign into any web site that accepts OpenIDs. This page describes how to enable a web site or application to accept a Google user account for federated login.
Google OpenID: Highlights
Summary
OpenID login for Google account users
Category
Security
Tags
OpenID security identity
Protocols
REST
Data Formats
XML
API home
http://code.google.com/apis/accounts/docs/OpenID.html
OneLogin API
The OneLogin API allows developers to interact with the OneLogin service. OneLogin provides an easy-to-use single sign-on solution for businesses that embrace cloud computing. OneLogin eliminates the need for employees to remember strong passwords and saves them time because they can log into applications with a single click. OneLogin's API supports five basic operations for each entity: read, list, create, update and delete. It uses a RESTful protocol, and responses are formatted in XML.
OneLogin: Highlights
Summary
Single sign-on solution
Category
Security
Tags
security enterprise cloud sbweb
Protocols
REST
Data Formats
XML
API home
http://support.onelogin.com/entries/113327-introduction
Waves
Ebys Multimedia has launched Waves! This is a social network that connects people with friends and others. Why wait?
Keep on moving!
MySpace API
The MySpace Developer Platform (MDP) allows developers to create applications that interact with MySpace members and their social data. With MDP you will be able to create compelling new products that integrate directly into MySpace pages and get exposure to millions of people around the world.
MySpace: Highlights
Summary
Social networking service
Category
Social
Tags
social opensocial
Protocols
REST, OAuth, JavaScript, PubSubHubbub
Data Formats
XML, JSON, ATOM
API home
http://wiki.developer.myspace.com/index.php?title=Category:RESTful_API
Google Plus API
Google Plus is a service to share links, photos and other content. The Google Plus API allows developers to access publicly-available Google Plus content, including user information and publicly shared items.
Google Plus: Highlights
Summary
Content sharing service
Category
Social
Tags
microblogging social
Protocols
REST
Data Formats
JSON
API home
https://developers.google.com/+/api/
Facebook API
The Facebook API is a platform for building applications that are available to the members of the Facebook social network. The API allows applications to use social connections and profile information to make applications more engaging, and to publish activities to the news feed and profile pages of Facebook, subject to individual users' privacy settings. With the API, developers can add social context to their applications by utilizing profile, friend, Page, group, photo, and event data. The API uses a RESTful protocol; responses are localized and in XML format.
Facebook: Highlights
Summary
Social networking service
Category
Social
Tags
social webhooks
Protocols
REST
Data Formats
XML
API home
http://developers.facebook.com/
Facebook Social Plugins API
Facebook Social Plugins make a user's friend's social activity available via API. You can see what your friends have liked, commented on or shared on sites across the web. Social Plugins are a basic method of accessing data on Facebook and are specifically designed so none of your data is shared with the sites on which they appear.
All plugins use the Facebook JavaScript SDK.
Facebook Social Plugins: Highlights
Summary
Facebook extensions
Category
Social
Tags
widgets social
Protocols
JavaScript
Data Formats
API home
http://developers.facebook.com/docs/plugins
Twitter API
The Twitter micro-blogging service includes two RESTful APIs. The Twitter REST API methods allow developers to access core Twitter data. This includes update timelines, status data, and user information. The Search API methods give developers methods to interact with Twitter Search and trends data. The API presently supports the following data formats: XML, JSON, and the RSS and Atom syndication formats, with some methods only accepting a subset of these formats.
Twitter: Highlights
Summary
Microblogging service
Category
Social
Tags
social microblogging
Protocols
REST
Data Formats
XML, JSON, RSS, Atom
API home
https://dev.twitter.com/docs
Flickr API
Flickr is a photo-sharing community that enables users to upload, tag and comment on their photos and other users photos. The Flickr API provides the ability to view, manipulate, and search photo tags, display photos from a specific user or group, retrieve tags to construct URLs to particular photos or photo group. Flickr also provides an Authentication API for applications that need to perform restricted actions.
You can find more information about the Flickr developer community at code.flickr, including detailed API documentation.
Lizamoon SQL Injection Campaign Compared
Malware infections such as SQL injection are a well-known security problem. Over the past two years we have seen several large-scale infections on the web, e.g. Gumblar.cn and Martuz.cn. Recently, a new SQL injection campaign called Lizamoon has gained a lot of attention. I had expected web sites would become more secure over time and less susceptible to simple security problems, so it is surprising that SQL injection is still a prevalent problem. That led me to wonder: Was Lizamoon as successful as previous infections? In a discussion about this problem, my colleague Panayiotis Mavrommatis suggested that comparing the size of campaigns via search engine result estimates might not be a very accurate measurement.
That begs the question of how to assess the impact of infections. While the number of infected URLs is one possible measure, it is skewed by many different factors, e.g. a single vulnerable site contributes a large fraction of the infected URLs and overstates the impact. Instead, counting the number of infected sites might be a better metric. Even so, to judge the relative scale of an infection campaign, it might be helpful to compare it to previous incidents.
Below is a comparison of the Gumblar.cn/, Martuz.cn/ and Lizamoon infections based on Google's Safe Browsing data. The graph shows the number of unique infected sites over a 30 day sliding window.
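The post's point that infected-URL counts overstate a campaign while unique-site counts over a sliding window do not can be made concrete. The following is an added example, not code from the original post or from Google's Safe Browsing infrastructure; the detection records are constructed, and the host-based notion of "site" is a simplification of whatever grouping Safe Browsing actually uses.

```python
# Added example, not part of the original post: count an injection campaign by
# unique infected sites rather than infected URLs, over a 30-day sliding window.
# The detection records are constructed for illustration.
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed detections: (day first seen, infected URL). One site contributes
# four URLs, which is the skew the post describes.
DETECTIONS = [
    (date(2011, 3, 29), "http://shop-a.example/item.asp?id=1"),
    (date(2011, 3, 29), "http://shop-a.example/item.asp?id=2"),
    (date(2011, 3, 30), "http://shop-a.example/item.asp?id=3"),
    (date(2011, 3, 30), "http://www.shop-a.example/cart.asp"),
    (date(2011, 3, 31), "http://blog-b.example/post/1"),
    (date(2011, 4, 2), "http://news-c.example/story?id=9"),
    (date(2011, 5, 15), "http://forum-d.example/t/42"),
]


def site_of(url):
    """Reduce a URL to its host, dropping a leading 'www.' so that
    www.shop-a.example and shop-a.example count as one site."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def count_urls_and_sites(detections):
    """(unique URLs, unique sites): the two metrics the post contrasts."""
    urls = {url for _, url in detections}
    sites = {site_of(url) for _, url in detections}
    return len(urls), len(sites)


def sites_in_window(detections, day, window_days=30):
    """Unique infected sites seen in the window_days ending on day.
    day may be a date or an ISO string such as '2011-04-02'."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    start = day - timedelta(days=window_days - 1)
    return {site_of(url) for seen, url in detections if start <= seen <= day}


def sliding_series(detections, window_days=30):
    """Day-by-day count of unique sites over a sliding window, keyed by ISO
    date: the series the post's graph plots."""
    days = sorted({seen for seen, _ in detections})
    series = {}
    day = days[0]
    while day <= days[-1]:
        series[day.isoformat()] = len(sites_in_window(detections, day, window_days))
        day += timedelta(days=1)
    return series


if __name__ == "__main__":
    print("urls, sites:", count_urls_and_sites(DETECTIONS))
    for day, n in sliding_series(DETECTIONS).items():
        print(day, n)
```

Run on the constructed data, the URL count (7) is almost twice the site count (4), and the sliding series drops as the early detections age out of the window, which is the shape to compare across campaigns.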
Cybercrime 2.0
Cybercrime 2.0: When the Cloud Turns Dark
We recently published an article on web-based malware in ACM's Queue Magazine. It provides a short overview of some of the challenges with detecting malicious web sites such as social engineering and examples of techniques for compromising web sites, e.g. htaccess redirection on Apache, etc. This is the article on which my recent ISSNet talk was based.
Adobe PDF Vulnerability
Adobe PDF Vulnerability: Stack overflow in Font File parsing
Thursday, September 9. 2010
Metasploit has a great write-up on a new vulnerability in PDF readers. The basic problem is a stack-based buffer overflow when parsing OpenType fonts. In particular, SING glyphlet tables contain a unique name of up to 27 bytes that is expected to be NUL-terminated and is stored in a 28-byte buffer. The vulnerable code uses strcat and lacks bounds checking, so a name without a terminator overflows the stack buffer.
The PDF in the wild prepares the heap via JavaScript and contains multiple different font files that are selected by navigating to a specific page in the PDF based on the viewer version. Each font file has slightly different shellcode. It was amusing to see that the attackers, after modifying the head and SING tables, did not fix up their respective checksums. According to Metasploit, this exploit works under Windows 7 with both DEP and ASLR turned on. Fun, fun. As of now, no patched version is available. The SecBrowsing blog contains instructions with temporary remedies.
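The two observations above, an unterminated uniqueName and stale table checksums, are both things a scanner can check for before a font ever reaches the vulnerable reader. The following is an added example, not code from the original post or from Metasploit's module: a validator for the SING uniqueName field and the OpenType table checksum. The offset of uniqueName within the SING table (16, after eight 16-bit header fields) is an assumption about the SING layout and should be checked against the SING specification; the sample tables are constructed.

```python
# Added example, not from the original post or from Metasploit's module: a
# validator for the uniqueName field of an OpenType SING table plus the
# OpenType table checksum. The field offset (16) is an assumption about the
# SING layout; check it against the SING specification before relying on it.
import struct

SING_NAME_OFF = 16    # assumed: eight 16-bit header fields precede uniqueName
SING_NAME_MAX = 27    # up to 27 characters ...
SING_NAME_FIELD = 28  # ... plus the NUL terminator, in a 28-byte field


class MalformedSing(ValueError):
    pass


def sing_unique_name(table):
    """Return uniqueName as a str, or raise MalformedSing.

    The reader described in the post trusted that the terminator was present
    and strcat'ed the field into a 28-byte stack buffer. A field with no NUL
    in its 28 bytes is exactly the input that overflows that buffer, so a
    parser that wants to stay safe must reject it before copying anything.
    """
    if len(table) < SING_NAME_OFF + SING_NAME_FIELD:
        raise MalformedSing("table too short for the uniqueName field")
    field = table[SING_NAME_OFF:SING_NAME_OFF + SING_NAME_FIELD]
    nul = field.find(b"\x00")
    if nul < 0:
        raise MalformedSing("uniqueName is not NUL-terminated within 28 bytes")
    return field[:nul].decode("ascii", errors="replace")


def ot_table_checksum(table):
    """OpenType table checksum: 32-bit sum of big-endian uint32 words over the
    table zero-padded to a multiple of four bytes."""
    padded = table + b"\x00" * (-len(table) % 4)
    total = 0
    for (word,) in struct.iter_unpack(">I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def make_sing_sample(name):
    """Constructed SING table: zeroed header followed by the name field.
    Passing 28 non-NUL bytes produces the unterminated case."""
    field = name[:SING_NAME_FIELD].ljust(SING_NAME_FIELD, b"\x00")
    return b"\x00" * SING_NAME_OFF + field


def check_table(table, directory_checksum):
    """Findings a scanner would report for one SING table. A checksum that does
    not match the table directory is not malicious by itself, but the post
    notes the in-the-wild sample left its checksums stale after editing the
    head and SING tables, so it is worth reporting."""
    findings = []
    try:
        sing_unique_name(table)
    except MalformedSing as exc:
        findings.append("sing: " + str(exc))
    if ot_table_checksum(table) != directory_checksum:
        findings.append("sing: checksum does not match table directory entry")
    return findings


if __name__ == "__main__":
    good = make_sing_sample(b"glyph01")
    bad = make_sing_sample(b"A" * 28)
    print(check_table(good, ot_table_checksum(good)))
    print(check_table(bad, ot_table_checksum(good)))
```

The check is deliberately done on the raw bytes before any copy: the point of the bug is that the copy itself is the dangerous operation, so the length decision has to be made first.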
Google safe browsing API
Reminder: Safe Browsing version 1 API turning down December 1
In May, Google announced that it is ending support for the Safe Browsing protocol version 1 on December 1 in order to focus its resources on the new version 2 API and the lookup service. These new APIs provide simpler and more efficient access to the same data, and they use significantly less bandwidth. If you haven't yet migrated off of the version 1 API, Google encourages you to do so as soon as possible. Google's earlier post contains links to documentation for the new protocol version and other resources to help you make the transition smoothly.
After December 1, Google will remove all data from the version 1 API list to ensure that any remaining clients do not have false positives in their database. After January 1, 2012, Google will turn off the version 1 service completely, and all requests will return a 404 error.
Thanks for your cooperation, and enjoy using the next generation of Safe Browsing.
Friday, December 30, 2011
Most useful Firefox add-ons for web designers and developers
Firebug
Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page...
FireShot
FireShot creates screenshots of web pages entirely.
The captures can be quickly annotated and:
✓ Uploaded to Facebook, Picasa, Flickr, ..
✓ Saved to disk as PNG/GIF/JPEG/BMP
✓ Copied to clipboard
✓ Printed
✓ E-Mailed
✓ Exported to external editor.
CSS-Validator
Validates a page using the W3C CSS Validator.
Screengrab
Screengrab is EOL. Sorry.
Browser-Window-Resizer
Resize your browser to various standard resolution sizes...
*UPDATE - June 9, 2010: The development of this add-on is suspended for lack of time. No new update is planned. Developers wanting to take over, contact us via www.yellowpipe.com
Thursday, December 29, 2011
Jithin Sha M.A
About me
Industry Internet
Occupation developer
Location Changanacherry, Kerala, India
Introduction Studying in 10th Standard St.BERCHMAN'S H.S.S Changanacherry
Sircam-worm
Sircam is a computer worm that propagates by e-mail from Microsoft Windows systems. It begins with one of the following lines of text and has an attachment consisting of the worm's executable with some file from the infected computer appended.
I send you this file in order to have your advice
I hope you like the file that I send you
I hope you can help me with this file that I send
This is the file with the information you ask for
Te mando este archivo para que me des tu punto de vista
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
Este es el archivo con la informacion que me pediste
Due to a bug in the worm, the message was rarely sent in any form other than "I send you this file in order to have your advice." This subsequently became an in-joke among those who were using the Internet at the time, and were spammed with e-mails containing this string sent by the worm.
Sircam was notable during its outbreak for the way it distributed itself. Document files (usually .doc or .xls) on the infected computer were chosen at random, infected with the virus and emailed out to email addresses in the host's address book. Opening the infected file resulted in infection of the target computer. During the outbreak, many personal or private files were emailed to people who otherwise should not have gotten them.
It also spreads via open shares on a network. Sircam scans the network for computers with shared drives and copies itself to any machine with an open (non-password-protected) drive or directory. A simple RPC (Remote Procedure Call) is then executed to start the process on the target machine, usually unknown to the owner of the now-compromised computer.
Over a year after the initial outbreak, Sircam was still in the top 10 on virus charts.
Mydoom-worm
Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on 26 January 2004. It became the fastest-spreading e-mail worm ever (as of January 2004), exceeding previous records set by the Sobig worm and ILOVEYOU.
Mydoom appears to have been commissioned by e-mail spammers so as to send junk e-mail through infected computers. The worm contains the text message "andy; I'm just doing my job, nothing personal, sorry," leading many to believe that the worm's creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown.
Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against SCO Group. 25 percent of Mydoom.A-infected hosts targeted www.sco.com with a flood of traffic. Trade press conjecture, spurred on by SCO Group's own claims, held that this meant the worm was created by a Linux or open source supporter in retaliation for SCO Group's controversial legal actions and public statements against Linux. This theory was rejected immediately by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs.
Initial analysis of Mydoom suggested that it was a variant of the Mimail worm—hence the alternate name Mimail.R—prompting speculation that the same persons were responsible for both worms. Later analyses were less conclusive as to the link between the two worms.
Mydoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate."
Koobface-worm
Koobface is a computer worm that targets users of the social networking websites Facebook (its name is an anagram of "Facebook"), MySpace, hi5, Bebo, Friendster and Twitter. Koobface is designed to infect Microsoft Windows and Mac OS X, but also works on Linux (in a limited fashion). Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, and other social media platforms, but not any sensitive financial data. It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. It was first detected in December 2008 and a more potent version appeared in March 2009. A study by the Information Warfare Monitor, a joint collaboration of the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.
Koobface spreads by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from, sometimes with comments like LOL or YOUTUBE. If the link is opened, the trojan infects the computer and the PC becomes a zombie.
Among the components downloaded by Koobface are a DNS filter program that blocks access to well known security websites and a proxy tool that enables the attackers to abuse the infected PC.
Several variants of the worm have been identified:
Worm:Win32/Koobface.gen!F
Net-Worm.Win32.Koobface.a, which attacks MySpace
Net-Worm.Win32.Koobface.b, which attacks Facebook
WORM_KOOBFACE.DC, which attacks Twitter
W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar
W32.Koobface.D
Hoax Warnings
The Koobface threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Various anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances where alarmist messages designed to fool and panic Facebook users have begun to circulate prolifically using the widely publicized Koobface threat as bait. Popular examples are the "Barack Obama-Clinton Scandal" hoax which was popular in 2010.
Other misconceptions have spread regarding the Koobface threat, including the false assertion that accepting "hackers" as Facebook friends will infect a victim's computer with Koobface, or that Facebook applications are themselves Koobface threats. These claims are untrue. Other rumours assert that Koobface is much more dangerous than other examples of malware and has the ability to delete all of your computer files and "burn your hard disk." However, these rumours are inspired by earlier fake virus warning hoaxes and remain false.
Hybris-Worm
The Hybris Worm is a piece of malicious code that propagates through email messages and newsgroup postings, specifically targeting Windows machines. To become infected a user must execute an attachment received in email or a posting; no special mail or news reader program is required to become infected.
This worm infects the Windows networking library WSOCK32.DLL file, thereby subverting "normal" email behavior. Whenever a user sends an email on an infected machine, the malicious code sends out another email to the same recipient with a copy of itself as an attachment. Based on reports the CERT/CC has received, Hybris only affects Win32 systems and does not contain a destructive payload. However, the malicious code appears to contain code modules that can be upgraded from the web to give it a destructive payload. There are several variants, although all variants have the same behavior with very minor differences.
Versions of Hybris reported to the CERT/CC have these characteristics:
From: Hahaha
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
polite with Snowhite. When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
Dwarfs enter...
Attachment: .SCR or .EXE file (name randomly chosen from a predefined list)
Or...
From: Hahaha
Subject: Enanito si, pero con que pedazo!
Body: Faltaba apenas un dia para su aniversario de de 18 años. Blanca de Nieve fuera
siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*
sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo
incomun en los ojos...
Attachment: .SCR or .EXE file (name randomly chosen from a predefined list)
While these characteristics are the most common in reports we have received, it is possible for any mail message to contain Hybris as a file attachment.
Intruders are using open mail relays to propagate Hybris. An "open" mail relay is a mail transport agent (MTA) that is configured to forward mail between senders and recipients who are not a part of the MTA's operational domain. "Open mail relays" are sometimes called "open mail servers," "mail relays," "third-party mail servers," or similar names. Intruders who wish to obscure their identity often send mail through an open mail relay. Using an open mail relay from another site is attractive to the intruder because accountability is far less enforceable. For more information on open mail relays, please see
http://maps.vix.com/tsi/ar-what.html
For more details about Hybris, please check an antivirus vendor database. A sample collection is listed on the CERT/CC's Computer Virus Resources page:
http://www.cert.org/other_sources/viruses.html#III
Impact
Sites with open mail relays may be used to send mail to arbitrary third parties with possible malicious payloads such as Hybris. The use of the mail server's cycles and bandwidth can degrade the quality of service.
Solution
It may be possible for an organization to be an open mail relay without knowing it. Generally speaking, there are few circumstances under which a network should have an open mail relay. We encourage sites to review their mail server configuration and evaluate their exposure to this type of abuse.
As good security practice, users should always exercise caution when receiving email with attachments. Disable auto-opening or previewing of email attachments in your mail program. Do not open attachments from untrusted origins or those that appear suspicious in any way. Finally, cryptographic checksums can be used to validate the integrity of a file.
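As an added example (not part of the CERT/CC advisory), a mail-gateway check in Python that flags messages carrying the characteristics listed above: a .SCR or .EXE attachment combined with the "Hahaha" sender or one of the two reported subjects. The sender address, recipient and message bodies are constructed sample data.

```python
"""Mail-gateway check for the Hybris characteristics listed in the advisory.

Added example, not part of the CERT/CC advisory. The sender address, recipient
and message bodies used below are constructed sample data.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the advisory text: sender display name, the two
# reported subjects, and the attachment types used.
HYBRIS_FROM = "hahaha"
HYBRIS_SUBJECTS = {
    "snowhite and the seven dwarfs - the real story!",
    "enanito si, pero con que pedazo!",
}
EXECUTABLE_EXT = re.compile(r"\.(scr|exe)$", re.IGNORECASE)


def executable_attachments(msg):
    """Return the file names of attachments with a .SCR or .EXE extension."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        name = part.get_filename()
        if name and EXECUTABLE_EXT.search(name):
            names.append(name)
    return names


def classify(raw):
    """Classify one raw RFC 822 message as 'allow', 'quarantine' or 'block'.

    Returns (verdict, reasons). A message is blocked when it carries an
    executable attachment *and* matches the Hybris sender or subject; any other
    executable attachment is quarantined, because the advisory notes that any
    message may carry Hybris; everything else is allowed.
    """
    msg = message_from_bytes(raw, policy=default)
    attachments = executable_attachments(msg)
    if not attachments:
        return "allow", []
    reasons = ["executable attachment: " + ", ".join(attachments)]
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    if HYBRIS_FROM in sender:
        reasons.append("sender matches the Hybris 'Hahaha' pattern")
    if subject in HYBRIS_SUBJECTS:
        reasons.append("subject matches a reported Hybris subject")
    verdict = "block" if len(reasons) > 1 else "quarantine"
    return verdict, reasons


def build_message(sender, subject, body, attachment_name=None):
    """Build a sample message (constructed test data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes stand in for the attachment; only the name matters.
        msg.add_attachment(b"constructed-placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_message("Hahaha <hahaha@example.invalid>",
                      "Snowhite and the Seven Dwarfs - The REAL story!",
                      "Today, Snowhite was turning 18.", "constructed.scr"),
        build_message("Alice <alice@example.com>", "Quarterly report",
                      "See attached.", "report.pdf"),
        build_message("Bob <bob@example.com>", "Try this game",
                      "Fun!", "game.EXE"),
    ]
    for raw in samples:
        print(classify(raw))
```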
Authors: Ian Finlay, Brian King, Shawn Hernan
Father_Christmas-worm
Worms were first used as a legitimate mechanism for performing tasks in a distributed environment. Network worms were considered promising for the performance of network management tasks in a series of experiments at the Xerox Palo Alto Research Center in 1982. The key problem noted was ``worm management;'' controlling the number of copies executing at a single time. This would be experienced later by authors of malicious worms.
Worms were first noticed as a potential computer security threat when the Christmas Tree Exec [Den90] attacked IBM mainframes in December 1987. It brought down both the world-wide IBM network and BITNET. The Christmas Tree Exec wasn't a true worm. It was a trojan horse with a replicating mechanism. A user would receive an e-mail Christmas card that included executable (REXX) code. If executed, the program claimed to draw a Xmas tree on the display. That much was true, but it also sent a copy to everyone on the user's address lists.
The Internet Worm [Spa89] was a true worm. It was released on November 2, 1988. It attacked Sun and DEC UNIX systems attached to the Internet (it included two sets of binaries, one for each system). It utilized the TCP/IP protocols, common application layer protocols, operating system bugs, and a variety of system administration flaws to propagate. Various problems with worm management resulted in extremely poor system performance and a denial of network service.
The Father Christmas worm was also a true worm. It was first released onto the worldwide DECnet Internet in December of 1988. This worm attacked VAX/VMS systems on SPAN and HEPNET. It utilized the DECnet protocols and a variety of system administration flaws to propagate. The worm exploited TASK0, which allows outsiders to perform tasks on the system. This worm added an additional feature; it reported successful system penetration to a specific site.
This worm made no attempt at secrecy; it was not encrypted and sent mail to every user on the system. About a month later another worm, apparently a variant of Father Christmas, was released on a private network. This variant searched for accounts with ``industry standard'' or ``easily guessed'' passwords.
The history of worms displays the same increasing complexity found in the development of PC viruses. The Christmas Tree Exec wasn't a true worm. It was a trojan horse with a replicating mechanism. The Internet Worm was a true worm; it exploited both operating system flaws and common system management problems. The DECnet worms attacked system management problems, and reported information about successful system penetration to a central site.
Several conclusions can be drawn from this information:
worms exploit flaws (i.e., bugs) in the operating system or inadequate system management to replicate.
release of a worm usually results in brief but spectacular outbreaks, shutting down entire networks.
ExploreZip-worm
ExploreZip, also known as I-Worm.ZippedFiles, is a destructive computer worm which attacks machines running Microsoft Windows. It was first discovered in Israel on June 6, 1999. Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes Microsoft Outlook, Outlook Express, or Exchange to mail itself out by replying to unread messages in your Inbox. The email attachment is Zipped_files.exe. The worm also searches mapped drives and networked computers for Windows installations. If found, it copies itself to the \Windows folder of the remote computer and then modifies the Win.ini file of the infected computer. On January 8, 2003, Security Response discovered a packed variant of this threat which exhibits the same characteristics. Protection will be available for this new variant in virus definitions dated 1/8/2003 with a version number of 50108q (20030108.017) or greater.
Daprosy-worm
Daprosy worm is a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.
Although first observed in early May 2009,[1] the worm was first announced to the public as the Daprosy trojan[2] worm by Symantec in July 2009 and was later identified as Autorun-AMS, Autorun-AMW and Autorun-APL by Sophos.[3] It acquired additional aliases from antivirus companies, and others tag it as an incarnation or variation of Autorun.H.[4][5]
The worm belongs to the “slow” mass mailer category, in which copies of the worm are attached and sent to addresses intercepted from the keyboard. The e-mail consists of a promotion of, and installation instructions for, an imaginary antivirus product purported to remove unknown infections from the computer. While infection cannot occur until the attached worm is renamed and opened, it can spread to system folders in a matter of seconds. It is known to shut down or hang Windows Vista and Windows 7 when attempts to write to the system drive are denied by those operating systems. The worm also hides folders and makes them "super hidden" so that the data they contain is not easily accessed.
Precision key logging is the main threat associated with Daprosy infection. Logged keystrokes containing sensitive data can be sent to its author using the worm’s improvised mailing system. Early strains are known to destabilize, corrupt and even stall the operating system due to programming bugs. These strains appear to be incomplete and were probably created by students or amateur Visual Basic programmers, as analysis with VB decompilers suggests. Final or later releases of the Daprosy worm are prolific online game password stealers. They also pose a serious threat to banking and other e-commerce establishments.
The Daprosy worm is rampant in public Internet cafés with LAN connections and exposed USB mass storage drives. As of October 2009, special scripts are available to remove it from infected computers. Many Windows systems were stalled on November 13, 2009. An initial investigation points to the older versions of the Daprosy worm, viz. Sophos Autorun-AMS and Autorun-AMW, which appear to be "Friday the Thirteenth" malware.
More recent and persistent variants of the Daprosy worm are still in circulation. A notable variant, Win32/Kashu.B as identified by Ahnlab, can be removed only by using a live CD. Such variants of the Daprosy worm are usually infected by Sality viruses and usually have a file size greater than 100 kilobytes. It now appears that the Daprosy worm is a natural host for file-infecting viruses, since the former is well distributed on all drives. Viral Daprosy exists in many variants, which again require special scripts to remove. Manual removal of worms infected with viruses requires knowledge usually found only among individuals associated with AV companies.
Daprosy is "active" even in Safe Mode, which makes it difficult to remove manually. Its key logging mechanism is so precise that it captures almost everything typed on the keyboard. This ranks Daprosy as one of the most dangerous worms of the last decade.
Blaster-worm
The Blaster Worm (also known as Lovsan, Lovesan or MSBlast) was a computer worm that spread during August 2003 on computers running the Microsoft operating systems Windows XP and Windows 2000.
The worm was first noticed and started spreading on August 11, 2003. The rate that it spread increased until the number of infections peaked on August 13, 2003. Filtering by ISPs and widespread publicity about the worm curbed the spread of Blaster.
On August 29, 2003, Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota, was arrested for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month prison term in January 2005.
According to court papers, the original Blaster was created after a Chinese cracking collective called Xfocus reverse engineered the original Microsoft patch that allowed for execution of the attack.
The worm spread by exploiting a buffer overflow, discovered by the Polish cracking group Last Stage of Delirium, in the DCOM RPC service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in MS03-039. This allowed the worm to spread without users opening attachments, simply by spamming itself to large numbers of random IP addresses. Four versions have been detected in the wild.
The worm was programmed to start a SYN flood on August 15, 2003 against port 80 of windowsupdate.com, thereby creating a distributed denial of service (DDoS) attack against the site. The damage to Microsoft was minimal because the site targeted was windowsupdate.com rather than windowsupdate.microsoft.com, to which it was redirected. Microsoft temporarily shut down the targeted site to minimize potential effects from the worm.
The worm contains two messages in its source code. The first:
I just want to say LOVE YOU SAN!!
is why the worm is sometimes called the Lovesan worm. The second:
billy gates why do you make this possible ? Stop making money
and fix your software!!
is a message to Bill Gates, the co-founder of Microsoft and the target of the worm.
The worm also creates the following registry entry so that it is launched every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update=msblast.exe
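An added example, not from the original page: a Python check that parses a registry export (.reg text) and flags the Run entry shown above by image name or by value name. The export in SAMPLE_REG, including the other entry names and paths, is constructed.

```python
"""Flag the Blaster persistence entry in a registry export (.reg text).

Added example, not from the original page. SAMPLE_REG is constructed; the
Run-key path, value name and image name come from the description above.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BLASTER_VALUE_NAME = "windows auto update"
BLASTER_IMAGE = "msblast.exe"

SECTION_RE = re.compile(r"^\[(.+)\]$")
# String (REG_SZ) values only:  "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>.*)"$')

# Constructed export: one ordinary entry plus the Blaster entry, and an
# unrelated RunOnce key that the check must ignore.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\Tray.exe\" /silent"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\temp\\cleanup.exe"
'''


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lower: {value_name: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return keys


def image_basename(command):
    """Extract the lower-cased executable name from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        image = command[1:command.find('"', 1)]  # quoted path may contain spaces
    else:
        image = command.split()[0] if command else ""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_blaster_autorun(reg_text):
    """Return (value_name, data, reason) for Run entries matching Blaster."""
    findings = []
    for name, data in parse_reg(reg_text).get(RUN_KEY.lower(), {}).items():
        if image_basename(data) == BLASTER_IMAGE:
            findings.append((name, data, "image name matches msblast.exe"))
        elif name.lower() == BLASTER_VALUE_NAME:
            findings.append((name, data, "value name matches Blaster's entry"))
    return findings


if __name__ == "__main__":
    for finding in find_blaster_autorun(SAMPLE_REG):
        print(finding)
```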
Although the worm can only spread on systems running Windows 2000 or Windows XP (32-bit), it can cause instability in the RPC service on systems running Windows NT, Windows XP (64-bit), and Windows Server 2003. In particular, the worm does not spread on Windows Server 2003 because it was compiled with the /GS switch, which detected the buffer overflow and shut the RPCSS process down. When infection occurs, the buffer overflow makes the RPC service crash, leading Windows to display the following message and then automatically reboot, usually after 60 seconds (the default RPC service failure behaviour).
System Shutdown:
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM
Time before shutdown: hh:mm:ss
Message:
Windows must now restart because the Remote Procedure Call (RPC) Service terminated unexpectedly.
This was the first indication many users had of an infection; it often occurred a few minutes after every startup on compromised machines. A simple way to stop the countdown is to run the "shutdown -a" command in the Windows command line, which causes some side effects such as an empty (without users) Welcome Screen. The Welchia worm had a similar effect. No more than a year later, the Sasser worm surfaced, which caused a similar message to appear.
Bagle-worm
Bagle (also known as Beagle) is a mass-mailing computer worm affecting all versions of Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, is considerably more virulent.
Bagle uses its own SMTP engine to mass-mail itself as an attachment to recipients gathered from the infected computer. It copies itself to the Windows system directory (Bagle.A as bbeagle.exe, Bagle.B as au.exe) and opens a backdoor on TCP port 6777 (Bagle.A) or 8866 (Bagle.B). It does not mail itself to addresses containing certain strings such as "@hotmail.com", "@msn.com", "@microsoft" or "@avp".
The initial strain, Bagle.A, was first sighted on January 18, 2004. It was not widespread and stopped spreading after January 28, 2004.
The second strain, Bagle.B, was first sighted on February 17, 2004. It was much more widespread and appeared in large numbers; Network Associates rated it a "medium" threat. It is designed to stop spreading after February 25, 2004.
Subsequent variants have later been discovered. Although they have not all been successful, a number remain notable threats.
BadTrans-worm
BadTrans is a malicious Microsoft Windows computer worm distributed by e-mail. Because of a known vulnerability in older versions of Internet Explorer, some e-mail programs, such as Microsoft's Outlook Express and Microsoft Outlook programs, may install and execute the worm as soon as the e-mail message is viewed.
Once executed, the worm replicates by sending copies of itself to other e-mail addresses found on the host's machine, and installs a keystroke logger, which then captures everything typed on the affected computer. Badtrans then transmits the data to one of several e-mail addresses.
Among the e-mail addresses that received the keyloggers were free addresses at Excite, Yahoo, and IJustGotFired.com. IJustGotFired is a free service of MonkeyBrains, a San Francisco-based Internet service provider. The target address at IJustGotFired began receiving e-mails at 3:23pm on November 24, 2001. Once the account exceeded its quotas, it was automatically disabled, but the messages were still saved as they arrived. The address received over 100,000 keylogs in the first day alone.
In mid-December, the FBI contacted Rudy Rucker, Jr., owner of MonkeyBrains, and requested a copy of the keylogged data. All of that data was stolen from the victims of the worm; it includes no information about the creator of Badtrans. Instead of complying with the FBI request, MonkeyBrains published a database website http://badtrans.monkeybrains.net for the public to determine if a given address has been compromised. The database does not reveal the actual passwords or keylogged data.
Abraxas-VIRUS
VARIANT: Abraxas, Alien, ARCV-1, Bamestra, Cinco, Eclypse, Gold
VARIANT: Jo, Kersplat, McWhale, Mimic, Page, Schrunch, Small-ARCV
VARIANT: Swansong, Tim, Walkabout, Warez, Z10
and approximately 200 other variants
VARIANT: Math-Test
The PS-MPC.Math-test virus was found on the CD-ROM "Software Vault, Collection 2" in October 1993. The infection was discovered when a private person from Helsinki, Finland, contacted F-Secure Ltd at the end of October; this person's computer was almost completely infected by the virus.
PS-MPC.Math-test is one of the viruses created with the Phalcon/Skism Mass Produced Code Generator. The virus stays resident in memory and infects practically every COM and EXE program that is executed. It activates every day between 9 and 10 a.m., displays some simple addition problems and demands that the user solve them; if the user does not get the answer right, the virus will not execute the requested program.
The infected file is located in directory 18 of the CD-ROM, inside the archive 64BLAZER.ZIP. The same directory also contains a clean version of the program, under the name 64BLAZE.ZIP.
Wednesday, December 28, 2011
Jerusalem virus
1.2 The 1813 ("Jerusalem") Virus
One of the oldest PC-DOS viruses, and probably the most common, is the 1813 virus, also called (among other things) the Jerusalem, the Jerusalem-B, the Friday the 13th, the Black Friday, the Black Hole, the Morbus Waiblingen, and the sUMsDos. When a file infected with the 1813 virus is executed, the virus is loaded into memory, and any file executed via the DOS "execute program" function thereafter (until the next power-off or reboot) will be infected. This includes EXE and COM programs invoked from the DOS command line, as well as overlays (1) that are called by other programs. This technique of infecting things as they are used is one of the features that most of the currently-common viruses share. When an infected program is executed on Friday the 13th (any month, any year but 1987), it will erase programs that are executed, rather than infecting them.
1.2.1 Spread
The 1813 virus spreads from machine to machine by way of infected files; when an infected program travels (on diskette, over a LAN, by download from a host computer or bulletin board system, or otherwise) from one computer to another, the destination computer will become infected as soon as the infected program is executed. The virus has no power to spread between machines itself; it relies on people intentionally sharing software or machines in order to spread. Some common spread scenarios include:
Shared machines - If a computer is used by many different people, it can serve as a center of infection. If someone has run an infected program on the machine, the infection has probably spread to programs on the machine's hard disk; if other users bring their own programs on diskette and run them on the machine, those programs are likely to become infected, and the infection will be spread on diskette to other machines. Shared machines are therefore one important place to apply virus protection programs.
Shared diskettes - There are many diskettes that are routinely carried from machine to machine; these include diagnostic diskettes, product demos, and so on. If such a diskette becomes infected, the infection can quickly spread to many machines. Shared diskettes should therefore be protected; the most effective protection is a write-protect tab!
Popular programs - There are some programs (games, demos, animations, and so on) that are very popular; anyone who gets a copy of one of these programs is likely to want to pass it on (or at least show it off) to other people. If one of these programs becomes infected, the infection can spread quickly to many machines; users should therefore be educated in the dangers of running such programs without first employing virus detectors or other anti-virus measures.
LAN servers - If a program on a LAN server that is used by many workstations on the LAN becomes infected, a large percentage of workstations on the LAN can become infected very quickly (sometimes within an hour or two). Programs on LAN servers should be carefully checked for viruses, and LAN access controls for shared programs should be set up correctly. One common mistake is to have the LAN "logon" program in a place where anyone on the LAN can write to it; this setup means that if any workstation on the LAN becomes infected, the logon program will quickly become infected, and then every workstation that logs onto the LAN will immediately be infected. Properly maintained, LAN servers can be a good way to make virus-free programs available to many machines; set up incorrectly, they can be just the opposite!
1.2.2 Symptoms
In general, the most reliable symptom of a computer virus is an alert from a good anti-virus program. Machines properly protected by an anti-virus program should never experience the more serious symptoms of the virus! In any large organization or community, though, there will be at least a few machines not properly protected, and support people (Help Desks, Information Centers, repair groups, and so on) should be aware of symptoms that might mean a virus has infected an unprotected system. The 1813 virus is actually one of the more obvious of the common PC-DOS viruses. It has a number of intentional effects, and a number of bugs, which can cause infected systems to behave oddly even before the virus "activates" on Friday the 13th. The likely symptoms include:
Shortage of disk space and/or growth in size of programs (when the virus infects a file, it adds approximately 1813 bytes to the size of the file),
An occasional decrease in the apparent speed of the infected computer (users have described this as, for instance, "the machine suddenly started typing at 1200 baud"),
The scrolling or blanking of a small rectangular area in the upper left quadrant of the screen (the "black hole" effect),
The message "Program too big to fit in memory" when certain often-used EXE programs are run (due to a bug in the virus, it will continually re-infect most EXE programs, eventually causing them to be too large to run),
Malfunctioning of a few infected EXE programs: programs "lock up", or report unexpected error conditions or inability to load functions. (This is due to another bug in the virus that sometimes destroys part of the infected program.)
The first three of these symptoms are reasonably reliable signs of an infection; the last two can be from any of various causes. But in any case, checking a malfunctioning computer for known viruses with an anti-virus tool is generally a quick and easy process, and a useful addition to a support person's toolkit. Machines infected with the 1813 virus are often misdiagnosed as having software or hardware problems, leading to wasted time (as parts are replaced and tests run), and to the risk of spreading the infection via diagnostic diskettes.
1.2.3 Damage
The 1813 is not a particularly destructive virus. At the time it loads itself into memory, it asks DOS for the current date. If the day of the week is a Friday, the day of the month is 13, and the year is not 1987, the virus "activates". Once the virus has activated, any program executed via the DOS "execute program" call, described above, is erased. Users will generally notice this quite quickly (as all the programs they try to use turn out not to exist!), and it is not generally hard to recover from (programs can be re-installed from their original distribution diskettes, or re-created from source files).
The fact that the virus is not intentionally very destructive does not mean that protection against it isn't cost-effective. Systems infected with the virus do not work very well, and are capable of spreading the infection beyond the immediate business or community. Cleanup is therefore necessary; the earlier the virus was detected, the simpler cleanup will be. Erasing a few infected files from one diskette is cheap; scanning and cleaning up hundreds of unprotected systems after the fact can be very expensive.
When cleaning up after a memory-resident virus like the 1813 (and the other viruses discussed in this paper), it is vital to make sure that the virus is not in memory during the cleanup process! Otherwise the virus is likely to re-infect objects as they are cleaned up, and cleanup will not be successful. To ensure that no virus is active in memory, power off the infected system and reboot it from a write-protected diskette that is known to be free of viruses; then during cleanup use only programs that are known not to be infected.
1.2.4 Protection
The 1813 virus is relatively easy to detect and prevent, and virtually every commercial anti-virus product can deal with it. The virus makes no attempt to hide itself, and infected files are easily recognized as such by even the simplest known-virus scanner. Products which load into memory and block unauthorized attempts to alter programs are also generally successful against it. The fact that the virus is still so common is a sign that all too many machines still lack even the simplest protection against computer viruses.
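As an added example, not part of the paper quoted above, the following Python script combines the two detection approaches this section describes: a known-signature scan and a comparison of program files against a known-good baseline, using the growth-by-about-1813-bytes symptom from the Symptoms section as a hint, and counting repeated signature hits to surface the re-infection bug. The signature bytes, file names and file contents are constructed placeholders and are not the real virus's byte pattern.

```python
import hashlib

# Constructed placeholder signature: NOT the real byte pattern of the 1813 virus,
# only a marker planted in the sample "infected" files built further down.
KNOWN_SIGNATURES = {"EXAMPLE-1813": b"EXAMPLE-VIRAL-BODY"}
INFECTION_GROWTH = 1813   # bytes the section says each infection adds to a program file
GROWTH_TOLERANCE = 16     # "approximately 1813": allow a little slack per copy


def baseline(files):
    """Snapshot of every program file: name -> (size, sha256). `files` maps name -> bytes."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def signature_hits(data, signatures=KNOWN_SIGNATURES):
    """Count occurrences of each known signature in a file body.
    A count above 1 matches the re-infection bug listed under Symptoms: the same
    viral body appended again and again until the program no longer fits in memory."""
    return {name: data.count(pattern) for name, pattern in signatures.items() if pattern in data}


def check(files, base, growth=INFECTION_GROWTH, tolerance=GROWTH_TOLERANCE):
    """Compare the current program files against a known-good baseline.
    Returns a list of (name, reasons, signature_hits) for every file worth a look."""
    findings = []
    for name, data in files.items():
        hits = signature_hits(data)
        if name not in base:
            findings.append((name, "new-file" + ("+signature" if hits else ""), hits))
            continue
        old_size, old_digest = base[name]
        digest = hashlib.sha256(data).hexdigest()
        if digest == old_digest and not hits:
            continue   # unchanged and clean
        reasons = ["modified"] if digest != old_digest else []
        delta = len(data) - old_size
        copies = round(delta / growth) if delta > 0 else 0
        if copies >= 1 and abs(delta - copies * growth) <= tolerance * copies:
            reasons.append(f"grew-by-{copies}x{growth}")
        if hits:
            reasons.append("signature")
        findings.append((name, "+".join(reasons), hits))
    return findings


def fake_infect(program, copies=1):
    """Constructed: append a 1813-byte dummy viral body carrying the placeholder signature."""
    body = KNOWN_SIGNATURES["EXAMPLE-1813"].ljust(INFECTION_GROWTH, b"\x90")
    return program + body * copies


# Constructed sample "programs"; the names are illustrative, the contents arbitrary bytes.
SAMPLE_CLEAN = {
    "EDIT.COM": bytes(range(256)) * 8,
    "LOTUS.EXE": b"MZ" + bytes(range(200)) * 3,
    "LOGON.EXE": b"MZ" + b"\x01\x02\x03" * 100,
}


def demo():
    """Take a baseline of clean files, then re-check after two of them are 'infected'."""
    base = baseline(SAMPLE_CLEAN)
    later = dict(SAMPLE_CLEAN)
    later["LOTUS.EXE"] = fake_infect(SAMPLE_CLEAN["LOTUS.EXE"], copies=3)  # re-infection bug
    later["LOGON.EXE"] = fake_infect(SAMPLE_CLEAN["LOGON.EXE"])            # single infection
    return check(later, base)


if __name__ == "__main__":
    for name, reasons, hits in demo():
        print(f"{name:10} {reasons:40} {hits}")
```

The baseline comparison is what catches a virus the scanner has no signature for; the signature count is what tells a support person that the "Program too big to fit in memory" complaint is the re-infection bug rather than a hardware fault. As the Damage section insists, a check like this is only trustworthy when run from a clean boot, since a resident virus can re-infect files as fast as they are inspected.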
Melissa worm
First found on March 26, 1999, Melissa came to be one of the most infamous computer worms the world has ever seen. It shut down Internet mail systems that became clogged with infected e-mails propagating the worm.
Melissa was first distributed in the Usenet discussion group alt.sex. The virus was inside a file called "List.DOC", which contained passwords that allow access into 80 pornographic websites. The worm's original form was sent via e-mail to many people.
Melissa was written by David L. Smith in Eatontown, New Jersey, and named after a lap-dancer he encountered in Florida. The creator of the virus called himself Kwyjibo, but was shown to be identical to macrovirus writers VicodinES and Alt-F11 who had several Word-files with the same characteristic Globally Unique Identifier (GUID), a serial number that was earlier generated with the network card MAC address as a component.
Worm Specifications
Melissa spreads through the Microsoft Word 97 and Word 2000 word processors, and can mass-mail itself from the Microsoft Outlook 97 or Outlook 98 e-mail client (MUA). The worm does not work in any other version of Word, including Word 95, and cannot mass-mail itself through any other mail client, not even Outlook Express.
If a Word document containing the virus (LIST.DOC or any other infected file) is downloaded and opened, the infected macro in the document runs and attempts to mass-mail the worm.
When the virus mass-mails, it takes the first 50 entries from the alias list (address book) and sends itself to those e-mail addresses.
Melissa.A/Original Version
This is what infected e-mails say:
From:
Subject: Important message from
To:
Attachment: LIST.DOC
Body: Here is that document you asked for ... don't show anyone else ;-)
If the worm already has sent itself, or cannot spread that way due to a lack of an internet connection or a lack of Outlook, the worm spreads to other Word Documents on the computer. Other infected documents can also be mailed. If confidential data is inside the document, the recipient of the e-mail containing the document can view it.
The worm's activation routine inserts quotes from "The Simpsons" into other documents if the minutes of the hour on the computer's clock match the day of the month (e.g. 7:09 on the 9th day of the 7th month). Quotes include phrases like "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." The alias of the author, "Kwyjibo", is also a Simpsons reference.
Melissa.I/Empirical
This variant can send using any of these subject line and body combinations, all of which are different from Melissa's original form.
1. Subject: Question for you...
Body: It's fairly complicated so I've attached it.
2. Subject: Check this!!
Body: This is some wicked stuff!
3. Subject: Cool Web Sites
Body: Check out the Attached Document for a list of some of the best Sites on the Web
4. Subject: 80mb Free Web Space!
Body: Check out the Attached Document for details on how to obtain the free space. It's cool, I've now got heaps of room.
5. Subject: Cheap Software
Body: The attached document contains a list of web sites where you can obtain Cheap Software
6. Subject: Cheap Hardware
Body: I've attached a list of web sites where you can obtain Cheap Hardware
7. Subject: Free Music
Body: Here is a list of places where you can obtain Free Music.
8. Subject: * Free Downloads
Body: Here is a list of sites where you can obtain Free Downloads.
NOTE: The asterisk "*" in the 8th subject can be any random character that the worm specifies in the e-mail.
This version uses a different registry key, named "Empirical", to check if the worm had already mass mailed itself.
This version has another payload: if the number of minutes equals the number of hours, the worm inserts the phrase "All empires fall, you just have to know where to push." The virus then clears the registry flag recording that it has already mass-mailed itself, so as soon as Word is restarted, a new document is created, or a document is opened or closed, the worm mass-mails itself again.
Melissa.O
This version sends itself to 100 people in the alias list instead of 50. This is the e-mail message it sends:
Subject: Duhalde Presidente
Body: Programa de gobierno 1999 - 2004.
Melissa.U
This version is like Melissa.A, but with several notable differences. Its module is named "Mmmmmmm", and it sends itself to only 4 recipients instead of 50. This is what the infected e-mail looks like:
Subject: Pictures (Username)
Body: what's up ?
The worm puts the name that the sender's copy of Word is registered to where it says Username in the Subject.
The following strings can be placed in documents: "Loading... No", and ">>>>Please check Outlook Inbox Mail<<<<".
The virus also deletes critical files. Before deleting them, it strips the files of their archive, hidden, and read-only attributes, which makes them fair game for deletion:
C:\Command.com
C:\Io.sys
C:\Ntdetect.com
C:\Suhdlog.dat
D:\Command.com
D:\Io.sys
D:\Suhdlog.dat
Melissa.V
This variant is akin to Melissa.U. However, this variant sends itself to 40 different e-mail addresses in the address book. This is the subject line of the infected e-mail that it sends. There is no body.
Subject: My Pictures (Username)
The worm puts the name that the sender's copy of Word is registered to where it says Username in the Subject.
After this variant has mailed itself, it deletes all files from the root of the following drives: F, H, I, L-Q, S, X, and Z.
After that, the virus shows a message box. It has the text: "Hint: Get Norton 2000 not McAfee 4.02".
Melissa.W
This is the same as Melissa.A, except that it does not lower macro security settings in Word 2000.
Melissa.AO
This is what the e-mails from this version contain:
Subject: Extremely URGENT: To All E-Mail User -
Attachment: Infected Active Document
Body: This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.
Melissa.AO's payload triggers at 10 a.m. on the 10th day of each month: the worm inserts the following string into the document: "Worm! Let's We Enjoy."
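The variant descriptions above boil down to a small set of gateway-observable traits: a fixed subject line, a Word document attached, and one message addressed to dozens of recipients at once. As an added example, not code from the original post or from any product, the following Python mail-gateway rule scores messages on exactly those traits, using the subject lines quoted for Melissa.A, .I, .O, .U, .V and .AO. The messages, addresses (on the reserved example domain) and the 40-recipient threshold are constructed assumptions.

```python
import re

# Subject lines quoted in the variant descriptions above (Melissa.A, .I, .O, .U, .V, .AO).
# Melissa.I's "* Free Downloads" starts with one random character, hence the leading ".".
MELISSA_SUBJECTS = [
    r"^Important message from\b",
    r"^Question for you\.\.\.$",
    r"^Check this!!$",
    r"^Cool Web Sites$",
    r"^80mb Free Web Space!$",
    r"^Cheap Software$",
    r"^Cheap Hardware$",
    r"^Free Music$",
    r"^. Free Downloads$",
    r"^Duhalde Presidente$",
    r"^(?:My )?Pictures \(.+\)$",
    r"^Extremely URGENT: To All E-Mail User",
]
SUBJECT_RE = re.compile("|".join(MELISSA_SUBJECTS))
MASS_MAIL_THRESHOLD = 40   # assumed gateway threshold; .A sends to 50, .V to 40, .O to 100


def classify(msg):
    """Return (verdict, reasons) for one message given as a dict with
    'subject', 'to' (list of addresses) and 'attachments' (list of file names)."""
    reasons = []
    if SUBJECT_RE.search(msg.get("subject", "")):
        reasons.append("known-subject")
    if any(a.lower().endswith(".doc") for a in msg.get("attachments", [])):
        reasons.append("doc-attachment")
    if len(msg.get("to", [])) >= MASS_MAIL_THRESHOLD:
        reasons.append("mass-recipients")
    has_doc = "doc-attachment" in reasons
    suspicious = "known-subject" in reasons or "mass-recipients" in reasons
    if has_doc and suspicious:
        verdict = "block"      # Word document plus a Melissa trait: quarantine
    elif suspicious:
        verdict = "review"     # trait without the carrier document: let a human look
    else:
        verdict = "pass"       # an ordinary .doc attachment on its own is not enough
    return verdict, reasons


def scan_mailbox(messages):
    """Classify every message; returns [(id, verdict, reasons), ...]."""
    return [(m["id"], *classify(m)) for m in messages]


# Constructed sample traffic; addresses use the reserved example domain.
_MANY = [f"user{i}@example.test" for i in range(50)]
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Important message from Alice", "to": _MANY,
     "attachments": ["LIST.DOC"],
     "body": "Here is that document you asked for ... don't show anyone else ;-)"},
    {"id": "m2", "subject": "Q3 budget", "to": ["bob@example.test"],
     "attachments": ["budget.doc"], "body": "Attached as discussed."},
    {"id": "m3", "subject": "Pictures (Carol)", "to": _MANY[:4],
     "attachments": ["holiday.doc"], "body": "what's up ?"},
    {"id": "m4", "subject": "Weekly newsletter", "to": _MANY + _MANY,
     "attachments": [], "body": "This week in brief..."},
]

if __name__ == "__main__":
    for msg_id, verdict, reasons in scan_mailbox(SAMPLE_MESSAGES):
        print(f"{msg_id}: {verdict:6} {', '.join(reasons) or '-'}")
```

Message m3 is the reason the subject list matters: Melissa.U mails itself to only 4 recipients, so a volume threshold alone would never see it, while m4 shows why a threshold alone cannot block (a legitimate newsletter trips it). The list of subjects is obviously only as good as the last variant seen, which is why the page's own remedy, Word's macro security setting that Melissa.W leaves alone, is the control that does not depend on signatures.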
code red worm
Computers that were infected by CodeRed have stopped propagating this worm as of July 28, 2001, due to its logic of going into infinite sleep mode. Although there was much speculation as to whether this worm would wake up again on August 1, 2001, Symantec Security Response's analysis of the CodeRed worm indicates that a re-infection will not re-awaken already infected computers.
If the worm is once again injected into the Internet, it can only affect computers that still have the vulnerability on the Web server. Previously infected computers can be re-infected if they have not been patched. Symantec Security Response advises users of IIS 4.0 and 5.0 to apply the Microsoft patch before August 1. Security Response will continue to monitor CodeRed activities on the Internet and will post updates to this page when available.
The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000, which run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the Idq.dll file. Information about this vulnerability and a Microsoft patch is located at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
A Cumulative Patch for IIS that includes the four patches released to date is available at: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.
System administrators are encouraged to apply the Microsoft patch to prevent infection of this worm and other unauthorized access.
For information on the various ways to check for this threat and the underlying vulnerability, or if you are using Symantec Enterprise Firewall, refer to the Additional Information section below.
autorun-inf-virus
There is a much simpler way to remove the Autorun.inf file. Generally, when you refresh the Windows Explorer view, a bound virus process recreates this file; that process hooks many Windows Explorer events, including OPEN and REFRESH. Simple steps to remove the virus activation:
First close all open Explorer windows.
1. Open a command prompt (cmd.exe): go to Run, type cmd, and press Enter.
2. Remove the virus file's attributes so it can be deleted. Type the following lines one at a time, pressing Enter after each (the pen drive is F: in this example):
F:
attrib -s -r -h *.*
After the attrib command any malicious EXE files become visible; delete those too if they are unnecessary.
del autorun.inf
3. After finishing the above, remove the pen drive as soon as possible (right after the del command has executed).
4. Your pen drive is now without the virus activation config file, and you can safely delete the unnecessary EXE files on it.
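An added example, not from the post: a small Python checker that parses the contents of an autorun.inf and reports the directives that make Explorer launch a program on insertion or double-click (open, shellexecute and shell\...\command), plus a helper that decodes the read-only/hidden/system attribute bits the attrib -s -r -h step clears. Both sample files are constructed, and the RECYCLER\update.exe path is a placeholder target, not a real indicator.

```python
import stat
from typing import Dict, List, Tuple

# Two constructed autorun.inf samples (not taken from a real infection). The
# RECYCLER\update.exe target is a placeholder, not a real indicator.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

SUSPICIOUS_AUTORUN = r"""[AutoRun]
open=RECYCLER\update.exe
shell\open\Command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
UseAutoPlay=1
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section, keys lowercased.

    The file is INI-like; a hand-rolled parser is used because infected
    files often carry junk lines that make a strict INI parser bail out.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Directives that make Explorer run a program on insertion or double-click."""
    hits: List[Tuple[str, str]] = []
    for key, value in entries.items():
        auto_open = key in ("open", "shellexecute")
        verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if auto_open or verb_command:
            hits.append((key, value))
    return hits


def is_suspicious(text: str) -> bool:
    """True when the file carries at least one launch directive."""
    return bool(launch_directives(parse_autorun(text)))


def describe_attributes(attrs: int) -> List[str]:
    """Decode the bits that 'attrib -s -r -h' clears.

    On Windows the input is os.stat(path).st_file_attributes; the constants
    come from the standard stat module.
    """
    flags = (
        (stat.FILE_ATTRIBUTE_READONLY, "readonly"),
        (stat.FILE_ATTRIBUTE_HIDDEN, "hidden"),
        (stat.FILE_ATTRIBUTE_SYSTEM, "system"),
    )
    return [name for bit, name in flags if attrs & bit]


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, "->", launch_directives(parse_autorun(sample)))
    print(describe_attributes(7))
```

A file that only sets icon and label is the normal case for vendor media; anything that names an executable under open, shellexecute or a shell verb command is what the removal steps above are meant to defeat, and a hidden+system attribute combination on autorun.inf is why the attrib command has to come before del.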
similer
home
You must close opened explorer windows.
1. open up a command prompt (i.e. cmd.exe) >> to load it go to Run, type cmd, enter.
2. Now to remove virus's attributes (in order to delete it type following line by line and execute them pressing enter.
e.g.
F:\
F:\attrib -s -r -h *.* If there are any malicious EXE files those are now visible so if unnecessary delete them too.
F:\del autorun.inf
3. After finishing above, quickly remove the pen as soon as posible (just after executing del command).
4. Now your pen is without virus activation config. file. Now you can safely delete unnecessary EXE files on it.
similer
home
Tuesday, December 27, 2011