
New worm: Mydoom spreading as fast as Sobig


Miloš Vukotić
Podgorica


New worm: Mydoom spreading as fast as Sobig (27.01.2004 at 12:05)

In short: it spreads by e-mail; if you don't click on the attachment, nothing will happen to you...
Quote:
From: random e-mail address
To: address of the recipient
Subject: random words
Message body: several different mail error messages, such as: Mail transaction failed. Partial message is available
Attachment (with a textfile icon): random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension
When a user clicks on the attachment, the worm will start Notepad, filled with random characters

More information at:
http://news.bbc.co.uk/2/hi/technology/3432639.stm
http://www.f-secure.com/v-descs/novarg.shtml
http://us.mcafee.com/virusInfo/default.asp?id=mydoom

caiser
Karadzic Miljan
sys-admin wannabe
Frankfurt


Re: New worm: Mydoom spreading as fast as Sobig (27.01.2004 at 12:16)
Hehehehehe... looks like the villain isn't MS anymore. :)

Gojko Vujovic
Juniper Networks
Amsterdam, NL

Administrator

Re: New worm: Mydoom spreading as fast as Sobig (28.01.2004 at 00:05)
Details:
http://www.networkmagazine.com...ticle.jhtml?articleID=17501535

Removal:
http://www.sophos.com/support/disinfection/mydooma.html
http://www.f-secure.com/v-descs/novarg.shtml

vujke
Ivan Vujić
Mladenovac


Re: New worm: Mydoom spreading as fast as Sobig (28.01.2004 at 00:23)
I also just received it from some 'saints' at beotel and sezampro, so I had to join in.
Quote:

When executed, the worm opens up a Notepad program with garbage data in it. The worm installs the library shimgapi.dll to the %system% folder. The library is a trojan horse, making remote control of the computer possible, including installation of any program. It opens TCP ports between 3127 - 3198 for communication. The worm copies itself to the taskmon.exe file in the %system% folder.

The worm adds its own keys to the following registry items:
\HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It adds the keys TaskMon with the value %System%\taskmon.exe - this item launches the worm when Windows starts.
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
It puts the value %SysDir%\shimgapi.dll to the Default item - this item launches the trojan horse in the Explorer.exe's memory space.
It also creates a subkey in
\HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
\HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

The worm will perform the DDoS (distributed denial of service) attack on 1st February 2004 to the site www.sco.com. It will stop all of its activity on 12th February 2004. The trojan horse remains active after this date however.


Cleaning with avast:
http://download4.avast.com/files/eng/aswclnr.exe

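Added example, not part of the original thread or of any vendor's tool: a small offline triage script that checks collected artifacts against the indicators listed in the quoted description (the TaskMon Run value, the InProcServer32 default pointing at shimgapi.dll, and TCP listeners in the 3127-3198 range). It assumes the registry export has already been decoded to text and that the port list comes from `netstat -an`; the function names and sample inputs are constructed for illustration.

```python
import re

# Indicators from the advisory quoted in the post above.
BACKDOOR_PORTS = set(range(3127, 3199))  # TCP 3127-3198 inclusive
RUN_KEY = r"software\microsoft\windows\currentversion\run"
CLSID_KEY = r"clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}\inprocserver32"

def parse_reg_export(text):
    """Parse .reg export text into {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"').lower()
            current[name] = data.strip('"').replace("\\\\", "\\")
    return keys

def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state, from `netstat -an` output."""
    pat = r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING"
    return {int(p) for p in re.findall(pat, netstat_text, re.M)}

def triage(reg_text, netstat_text):
    """Return findings that match the advisory's persistence and port indicators."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        run = values.get("taskmon", "")
        if key.endswith(RUN_KEY) and run.lower().endswith("\\taskmon.exe"):
            findings.append(f"Run value TaskMon -> {run}")
        dll = values.get("(default)", "")
        if key.endswith(CLSID_KEY) and dll.lower().endswith("\\shimgapi.dll"):
            findings.append(f"InProcServer32 default -> {dll}")
    for port in sorted(listening_ports(netstat_text) & BACKDOOR_PORTS):
        findings.append(f"TCP listener on port {port}")
    return findings

# Constructed sample inputs, not captured from a real host.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\system32\\taskmon.exe"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\shimgapi.dll"
'''
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING
"""
print("\n".join(triage(SAMPLE_REG, SAMPLE_NETSTAT)))
```

A listener in that port range alone is weak evidence; the registry findings are what tie a host to the behaviour described in the quote.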

caiser
Karadzic Miljan
sys-admin wannabe
Frankfurt


Re: New worm: Mydoom spreading as fast as Sobig (28.01.2004 at 08:02)
Quote:
caiser:
Hehehehehe... looks like the villain isn't MS anymore. :)


Come on, now let whoever edited my post speak up? :) And how come it doesn't say that the post was edited?

weB_KiLeR
e-marketing industries, dw programming group


Re: New worm: Mydoom spreading as fast as Sobig (28.01.2004 at 08:49)
Quote:
caiser:
Quote:
caiser:
Hehehehehe... looks like the villain isn't MS anymore. :)


Come on, now let whoever edited my post speak up? :) And how come it doesn't say that the post was edited?


That was surely Gojko, he got in through the MySQL client and edited it :)))

Gojko Vujovic
Juniper Networks
Amsterdam, NL

Administrator

Re: New worm: Mydoom spreading as fast as Sobig (28.01.2004 at 10:25)
I didn't; when the last post in a thread is edited, no record of the edit is written.

caiser
Karadzic Miljan
sys-admin wannabe
Frankfurt


Re: New worm: Mydoom spreading as fast as Sobig (28.01.2004 at 18:23)
Hehehehe... see, I knew it. You were suspicious to me from the very beginning. :) Anyway, it would have been better if you had deleted the post entirely, because without that quote it loses its meaning. And then you can delete this one too, because without the first one it loses its meaning as well. And of course the post above too, because it is totally meaningless as well. :)

euripyd
Euripyd Sofocle


Re: New worm: Mydoom spreading as fast as Sobig (30.01.2004 at 23:21)
I've already said that I'm buying champagne when the SCO and Microsoft sites go down.
Cheers!
By the blazing sun!!
