MFIORI
Sun Jul 09 14:00:01 CDT 2006
"David H. Lipman" wrote:
> From: "MFIORI" <MFIORI@discussions.microsoft.com>
>
> | Uhmm, let me think... I'm just mentioning "these NEW infectors" in order to
> | warn internet users, so they can update their security products. I think that
> | information is the "key" of everything. Are you satisfied now?
>
> Not really because it is YOUR text.
>
> You should be quoting an authoritative source of this information and you should include the
> URL of the source you quoted.
>
> For example in the first warning, you mentioned "Oscarbot.IV" and did not use its full name,
> which is "W32/Oscarbot.IV.worm", and the fact that this is Panda's name for this infector. Robear
> Dyer (aka; PA Bear) posted a warning about this on June 30th. He "properly" quoted a news
> article and posted the URL of said article.
>
> BTW: Here is a Virus Total report of a sample I submitted on June 30th.
>
> AntiVir 6.35.0.19 06.30.2006 Worm/IRCBot.7643
> Authentium 4.93.8 06.30.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
> Avast 4.7.844.0 06.29.2006 no virus found
> AVG 386 06.30.2006 no virus found
> BitDefender 7.2 06.30.2006 BehavesLike:Trojan.FWDisable
> CAT-QuickHeal 8.00 06.30.2006 (Suspicious) - DNAScan
> ClamAV devel-20060426 06.30.2006 no virus found
> DrWeb 4.33 06.30.2006 no virus found
> eTrust-InoculateIT 23.72.53 06.30.2006 no virus found
> eTrust-Vet 12.6.2283 06.30.2006 no virus found
> Ewido 3.5 06.30.2006 Backdoor.IRCBot.st
> Fortinet 2.77.0.0 06.30.2006 W32/IRCBot.ST!tr.bdr
> F-Prot 3.16f 06.30.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
> Ikarus 0.2.65.0 06.30.2006 Backdoor.Win32.IRCBot.BV
> Kaspersky 4.0.2.24 06.30.2006 Backdoor.Win32.IRCBot.st
> McAfee 4797 06.30.2006 W32/Opanki.worm.gen
> Microsoft 1.1481 06.30.2006 Backdoor:Win32/IRCbot.R
> NOD32v2 1.1635 06.30.2006 a variant of Win32/IRCBot.OO
> Norman 5.90.21 06.30.2006 W32/Suspicious_M.gen
> Panda 9.0.0.4 06.30.2006 W32/Oscarbot.IV.worm
> Sophos 4.07.0 06.30.2006 W32/Cuebot-K
> Symantec 8.0 06.30.2006 no virus found
> TheHacker 5.9.8.167 06.30.2006 no virus found
> UNA 1.83 06.30.2006 no virus found
> VBA32 3.11.0 06.30.2006 Backdoor.Win32.IRCBot.st
> VirusBuster 4.3.7:9 06.30.2006 no virus found
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
Sorry. I forgot that.
Here's the original message:

- Panda Software's Weekly Report on Viruses and Intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, July 7, 2006 - The Oscarbot.IV, Peerbot.B and Netsad.B worms are the
subject of this week's PandaLabs report.

Oscarbot.IV is a worm that opens several communication ports on infected
computers, allowing attackers to access the system remotely. It also drops
the Protestor.A Trojan on the system, which can capture screenshots and steal
user data. Oscarbot.IV spreads via America On Line Instant Messenger, sending
messages to all active user contacts. When run, it is installed on the system
as a service called "Windows Genuine Advantage Validation Notification",
trying to pass itself off as a Microsoft antipiracy service and ensuring it
is run on every system startup.

Peerbot.B can open a backdoor to receive commands from an attacker via IRC.
It can also steal data from SQL Server or Mysql databases on the computer,
which it then sends out via email. When run, the worm creates several files
on the system, such as Taskdrv.exe (a copy of the worm itself) and
Libmysql.dll, a library belonging to the Mysql database. Peerbot.B can spread
using email or P2P file-sharing programs. It creates numerous files in the
shared folders in P2P programs under names that refer to cracks for
well-known applications and games. When other users of the P2P program run a
search, they could find the infected files of the initial victim among the
results. To avoid detection, Peerbot.B terminates a long list of processes
related mainly to security tools, firewalls or even other malware. It also
modifies the hosts file to block access to web pages related to security
products.

Netsad.B is a worm that spreads as an email attachment, using messages such
as "sharing files is the essence of living". It also uses several P2P
applications, including Kazaa or Emule, creating copies of itself in shared
folders so that it can be downloaded by other users. Netsad.B can only
operate if the computer has Microsoft .NET framework 2.0. When run, it
creates a copy of itself called winservices.cab.bak.exe in the Windows
system folder. It also creates copies of itself with a variety of names,
including some related to antiviruses, in the other system drives. In order
to remain hidden, the worm terminates a series of security-related processes,
leaving the computer vulnerable to further attack.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia.

Find out more about the company at:
http://www.pandasoftware.es/sobre_panda/companyprofile/15aniversario.asp
------------------------------------------------------------------------
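
Added example, not part of the original post or of Panda's report: the report says Peerbot.B modifies the hosts file to block access to security-product web pages, and this Python check audits hosts-file text for entries of that kind. The watch list and the sample hosts content are constructed assumptions; only pandasoftware.com appears in the post.

```python
import ipaddress

# Assumed watch list (not from the report): domains a security product must
# reach. pandasoftware.com is in the post; the .example names are placeholders.
WATCHED_SUFFIXES = ("pandasoftware.com", "av-vendor.example", "update.example")

def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed: address with no name
        for name in fields[1:]:                # one line may carry several names
            yield lineno, fields[0], name.lower().rstrip(".")

def is_sinkhole(ip):
    """True for addresses that make a name unreachable: loopback or unspecified."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def watched(name):
    # Match the domain itself or any subdomain, never a mere string suffix.
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (lineno, name, ip, kind) for every watched domain pinned in hosts."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if watched(name):
            kind = "blocked" if is_sinkhole(ip) else "redirected"
            findings.append((lineno, name, ip, kind))
    return findings

# Constructed sample, not taken from an infected machine.
SAMPLE = """\
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com pandasoftware.com
0.0.0.0         liveupdate.av-vendor.example   # added entry
203.0.113.7     download.update.example
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    print(audit_hosts(SAMPLE))
```

A clean hosts file normally has no entries for these domains at all, so any finding, blocked or redirected, is worth investigating.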