>  Don't want to be infected on a computer virus?
   
 
20--jamesy--07
Post#1 | Jan 24 2005, 19:24

I think Sasser is gone now but I don't know. But anyway:

NEW VIRUS
QUOTE
If you get sent a file from someone through MSN Messenger under the following filenames:

  • drunk_lol.pif,
  • webcam_004.pif,
  • sexy_bedroom.pif,
  • naked_party.pif,
  • love_me.pif.

Please cancel them. This is a virus called Brobia.A. Please send this to all your contacts.

edit by *d13: made it a bit easier to read, because of its importance

This post has been edited by DeRCT13: Jan 24 2005, 19:51


--------------------

Ephonetica
Post#2 | Jan 24 2005, 19:53

And don't accept .exe, .vbs, .scr, .bat, .com and .pif if you don't trust it.

Btw, I'm pinning this.. please post ALL of the virus warnings here, as well as discussing them

Pinned!

This post has been edited by DeRCT13: Jan 24 2005, 19:54


--------------------
bad as ass.

j-dawg
Post#3 | Jan 25 2005, 03:33

wtf is .pif


--------------------

Mister V
Post#4 | Jan 25 2005, 15:14

of course, who would open an exe randomly sent by somebody. I've got that sent to me already 100 times via Hotmail.

I've always thought .pif were pics...?


--------------------
Then God said, "Let there be win",
and there was win, and it was good.

Pvt. Blackhawk
Post#5 | Jan 25 2005, 23:47

pif=some random file extension. i guess the virus programmer made that so people would mistake them for pictures. i know when i first read those, the first thing that came into my mind was pictures.


--------------------
"The only bad "F-word" is FCC." -Tom Morello on censorship
USMC

Gruntarus
Post#6 | Jan 26 2005, 05:17

Reminds me of those bleaches.

Jif & Cif
 
ringwraith
Post#7 | Jan 26 2005, 20:36

This is from the 17th, so it's a little late, but here it is. I got this info from someone else at work, but I verified the source is Trend Micro.

Daffy AFI - WORM_ZAFI.D (Medium Risk)
WORM_ZAFI.D is a memory-resident, mass-mailing worm that is currently spreading in-the-wild. On December 14 Trend Micro declared a Yellow Alert to control the spread of this worm. It uses its own built-in Simple Mail Transfer Protocol (SMTP) engine to send malicious Christmas greetings. It runs on Windows 98, ME, NT, 2000, and XP.

Upon execution, this mass-mailing, memory-resident worm displays a message box. It drops a copy of itself as NORTON UPDATE.EXE, and drops copies of itself as .DLL files with 8-character random file names. Some .DLL files are copies of itself while others are email log files in the Windows system folder. It also drops a log file called S.CM in the root folder. It then adds a registry entry that allows it to automatically execute at every system startup.

This worm drops a copy of itself using either of the following filenames:

WINAMP 5.7 NEW!.EXE
ICQ 2005A NEW!.EXE

It drops the file in folders that contain one of the following strings:

share
upload
music

Most file-sharing applications, such as *****, Shareaza, and Morpheus, use folder names with these strings when sharing files through peer-to-peer (P2P) networks. P2P users who search for Winamp and ICQ installers may inadvertently download this dropped AFI copy instead.

This worm uses its own built-in Simple Mail Transfer Protocol (SMTP) engine, which allows it to send malicious Christmas greetings without having to use other email applications like Outlook Express. The language used in the message body is dependent on the domain of the email recipient. For example, when the Top Level Domain of the user's email address is .COM, the message is sent in English. When the Top Level Domain of the user's email address is .DE, the message is sent in German. Please visit the Technical Details of this virus description to view samples and screen shots of the email it sends.

It searches the following files for target email addresses:

ADB
ASP
DBX
EML
FPT
HTM
INB
MBX
PHP
PMR
SHT
TBB
TXT
WAB

However it skips email addresses that contain the following strings:

admi
cafee
google
help
hotm
info
kasper
micro
msn
panda
secur
sopho
suppor
syman
trend
use
viru
webm
win
yaho

This worm terminates antivirus and firewall programs. It searches for folders and files from all folders found on the system. It then reads the contents of the files and checks whether the string "firewall or virus" exists. If three or more files contain the specific string, the folder name is stored in a registry entry. When all the folders are obtained, it then traverses the specific registry entry. If the folder name contains the following strings, it terminates all executable files running in the folders:

cafee
Kasper
panda
secure
sopho
syman
trend
viru


--------------------
 
Mister V
Post#8 | Jan 26 2005, 21:37

QUOTE(ringwraith @ Jan 26 2005, 20:36 )
Most file-sharing applications, such as *****, Shareaza, and Morpheus
*


Such as what was that? tongue.gif

anyway, thanks for the warning, I'll read this thread surely every day!

______
yeah, you gotta be dumb, Winamp 5.7 doesn't exist. biggrin.gif


--------------------

ringwraith
Post#9 | Jan 27 2005, 05:22

Oh, I hadn't noticed that the forum filtered that out. If I type it again, it will probably block it again, so I'll say it like this K4Z4A.
Sorry guys for trying to evade the filters, I'm not trying to promote it.


--------------------
 
Meldince
Post#10 | Jan 27 2005, 05:28

pif is an OLD windows shortcut/command file used to open exe's, usually MS-DOS ones, and you could add command line suffixes and switches to it...


--------------------
A Force To Be Reckoned With
Mission Guide Now Up!

20--jamesy--07
Post#11 | Jan 29 2005, 00:37

1 month and 1 week i had this new pc and no viruses just spyware
one more thing what does that virus do?

This post has been edited by Ryder: Jan 29 2005, 00:39


--------------------

ringwraith
Post#12 | Jan 29 2005, 05:16

WORM_BAGLE.AZ is another variant in the BAGLE family. This worm arrives as an email attachment, and once executed, it sends copies of itself to all email addresses it gathers from files with certain extensions, and skips those addresses that contain particular strings. The email it sends is spoofed, and may appear to have come from a familiar email address. The worm drops a copy of itself into the Windows system folder, and looks for folders that have the string "shar", then drops copies of itself using file names with .EXE extensions (it assumes that these folders are shared). In addition, this worm displays various icons and terminates several processes, most of which are related to antivirus and security programs. This worm ceases to perform most of its malicious routines on April 25, 2006 or later. It is currently spreading in-the-wild and infecting computers running Windows 95, 98, ME, 2000, and XP.

Upon execution, this worm drops a copy of itself using the following file names into the Windows system folder:

sysformat.exe
sysformat.exeopen
sysformat.exeopenopen

It then creates two registry entries. One registry entry allows it to execute at every Windows startup. By adding this entry, it enters an infinite loop in 100-millisecond intervals. As a result, this worm can never be deleted as long as it is in memory. The second registry entry is used to determine how long it has executed on a system. If this registry entry indicates that it is 25 days from its first execution, this worm uninstalls itself from the system. It also uninstalls itself when the system date is April 25, 2006 or later.

It looks for folders that have the string "shar" and drops copies of itself using the following file names:

1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe

This worm attempts to propagate via email using its own Simple Mail Transfer Protocol (SMTP) engine. It searches for email addresses with certain extensions. View the full list of extensions.

It sends email with the following details:

Subject: (any of the following)

Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active

Message body: (any of the following)

Thanks for use of our software.
Before use read the help

Attachments: (any of the following file names)

guupd02
Jol03
siupd02
upd02
viupd02
wsd01
zupd02

(with any of the following extensions)

COM
CPL
EXE
SCR

The worm skips email addresses that contain certain strings. It terminates specific processes, mostly related to antivirus and security programs. It also attempts to connect to, and download files from, certain Web sites. View the complete list of strings, processes and Web sites.

Several registry entries associated with WORM_NETSKY variants are also deleted, and mutexes are created to prevent NETSKY variants from running on the systems already infected with this BAGLE worm.

This worm opens a port and listens for commands coming from a remote malicious user. It executes these commands on an infected system, providing the remote malicious user virtual control over the system.


--------------------
 
Ephonetica
Post#13 | Jan 30 2005, 22:09

Again, never open attachments you don't trust.


--------------------

Nico
Post#14 | Jan 30 2005, 23:47

never open trojan.exe
i think it's a virus, not sure though


--------------------
TNENIMMI SI LAVIVER UG
Nico's the name, bumping's the game
 
Gruntarus
Post#15 | Jan 30 2005, 23:59

QUOTE(Shadow @ Jan 30 2005, 13:47 )
never open trojan.exe
i think it's a virus, not sure though
*



That's obvious. What hacker would name his virus trojan? laugh.gif

The only ppl that can send me mail is my friends. (and gf)
 
Meldince
Post#16 | Jan 31 2005, 16:01

Trojan condoms might name it trojan. Maybe it's a lil program that you can learn about safe sex with!


--------------------

MachineGunFunk
Post#17 | Feb 2 2005, 21:41

QUOTE(Meldince @ Jan 31 2005, 13:01 )
Trojan condoms might name it trojan. Maybe it's a lil program that you can learn about safe sex with!
*


laugh.gif


--------------------
This is not a signature.
 
Faze 2k-SS
Post#18 | Feb 3 2005, 02:02

I remain one of the people which did not offer to receive a tainted .pif or any other type of virus-laden file.


--------------------
You can tell a man's interests by looking at his signature... this is as close as you can get.

Somewhere in the world every 3 seconds, a woman gives birth to a child. Somebody has got to find this woman and stop her.

Mister V
Post#19 | Feb 3 2005, 14:45

well, i did not receive any .PIF, but i regularly get an email with no subject, inside is the writing "Nekid pix!! Look inside!!!" with a 50KB .ZIP attachment... yawn.gif they ought to invent something new...

@Mel: laugh.gif yeah, it's a 3D simulator laugh.gif you gotta have a special joystick to run it puke.gif

anyway, what I wanted to say about the trojan.exe is that maybe the hacker was thinking this way: people will laugh, because they will say "there's no dumb hackers who name their viruses Trojan" and will open the file! and - tada! - trojan tongue.gif



This post has been edited by Mister V: Feb 3 2005, 14:48


--------------------

Meldince
Post#20 | Feb 3 2005, 16:02

lots actually work on the presumption that the person is a f****** idiot and won't pay attention and open it anyway.

Sadly, he's correct.


--------------------

MachineGunFunk
Post#21 | Feb 3 2005, 16:56

I am getting every day an e-mail with this subject: "Im in love". In it there is no message and there is a 99kb attachment. The sender e-mail address is always from someone of a forum that I am registered.


--------------------

Meldince
Post#22 | Feb 3 2005, 18:07

so report it to the forum administrators and block the guy.


--------------------

Mister V
Post#23 | Feb 3 2005, 19:16

err, yeah, you should do that, but it might be that:
1-either that guy got a worm which sends over the spam emails, so he isn't responsible
2-or...that guy's in love rolleyes.gif


--------------------

ringwraith
Post#24 | Feb 5 2005, 05:49

QUOTE(Meldince @ Feb 3 2005, 08:02 )
lots actually work on the presumption that the person is a f****** idiot and won't pay attention and open it anyway.

Sadly, he's correct.
*



It's so true, where I work, we tell people to stay away from attachments, but they still open them up. Unfortunately sometimes they come disguised as zip files from spoofed internal company addresses. Making it look like the file was sent from a co-worker. We just tell them, when in doubt contact the sender and make sure.

Fortunately we've upgraded the spam filter for the email gateway and have powerful virus protection. They added an internet pass through filter called websense, that keeps us from going to certain websites, so that should keep people from getting spyware from certain places on the internet.

Unfortunately it also means I can't visit g-unleashed when I'm at work any more, because it's a gaming site. wallbash.gif


--------------------
 
Gruntarus
Post#25 | Feb 5 2005, 08:37

QUOTE(Mister V @ Feb 3 2005, 09:16 )

2-or...that guy's in love rolleyes.gif
*




maybe it was me.
 
20--jamesy--07
Post#26 | Feb 10 2005, 12:43

QUOTE(ringwraith @ Feb 5 2005, 02:49 )
Unfortunately it also means I can't visit g-unleashed when I'm at work any more, because it's a gaming site.  wallbash.gif
*


same for me at school this site is categorised as f****** games fury.gif f****** filter

This post has been edited by Ryder: Feb 10 2005, 12:44


--------------------

Lucas
Post#27 | Feb 15 2005, 13:11

QUOTE(Ryder @ Feb 10 2005, 09:43 )
same for me at school this site is catorised as f****** games fury.gif f****** filter
*


Oh man, I really hate those filters..

I'm glad I don't have to live with them happy.gif


--------------------
 
ringwraith
Post#28 | Feb 16 2005, 04:12

At least I'm more productive at work laugh.gif



--------------------
 
20--jamesy--07
Post#29 | Mar 6 2005, 20:23

offtopic.gif get back on topic

WHERE'S THE REPORT BUTTON
MR. V told ppl to use 1stpage 2000 DON'T

http://securityresponse.symantec.com/avcen...windowbomb.html


--------------------

ringwraith
Post#30 | Mar 8 2005, 00:22

Source Trend Micro

Worm Befriends Trojan - WORM_BAGLE.BE (Medium Risk)
On March 1, Trend Micro declared a Medium Risk alert for WORM_BAGLE.BE. This non-destructive worm propagates by email, using addresses gathered from the Windows Address Book. It employs another malware, TROJ_BAGLE.BE, to create a worm-Trojan propagation cycle where the worm mass-mails copies of the Trojan. The Trojan, in turn, downloads copies of the worm from a long list of predefined Web sites. TROJ_BAGLE.BE carries malicious routines different from those exhibited by WORM_BAGLE.BE. In addition to downloading copies of its worm counterpart, this Trojan terminates several antivirus and security-related processes. It also prevents the user from accessing antivirus Web sites. The worm infects computers running Windows 98, ME, NT, 2000, and XP.

This mass-mailing worm arrives in a system as a downloaded file of TROJ_BAGLE.BE. Upon execution, it drops a copy of itself in the Windows system folder as the file WINDLHHL.EXE. It creates several registry entries keys that enable it to automatically execute at every system startup.

The worm propagates by mass-mailing copies of TROJ_BAGLE.BE which, in turn, attempts to download a copy of this worm from several Web sites. It gathers recipients email addresses from the contacts found in the Windows Address Book. It also attempts to download the file EML.EXE into the Windows folder. This file contains a list of recipients to send email to, but the contents of the file may change at any time. It attempts to download this file every 100 milliseconds until it succeeds.

The worm attempts to contact a Simple Mail Transfer Protocol (SMTP) server to send emails. If it is unable to contact this server, it uses its own SMTP engine. It may also obtain the affected system's Mail Exchanger (MX) server for its mass-mailing routine. If the Mail Exchanger server is not available, it uses the server 217.5.97.137.

The email message it sends out contains the following details:

Subject: <Blank>

Message body: (any of the following)

price
new price

Attachment: (any of the following)

08_price.zip
new__price.zip
new_price.zip
newprice.zip
price_08.zip
price_new.zip
price2.zip

Note that the attached file is a .ZIP copy of TROJ_BAGLE.BE. It contains a file named DOC_<decimal number>.EXE. Since the worm gathers email addresses from the Windows Address book (WAB), the sender indicated in the From: field may be familiar.

This worm also has a backdoor component that opens and listens to TCP port 80, and sets the infected system up to act as a Web server. It may allow a malicious user to take control of an infected system by logging on using a pre-set password, and may allow remote users to upload a file onto the Web server. It then attempts to download the file from the Web server (which is actually the infected machine, since it is set up as a Web server), using a specific URL. It saves the downloaded file into the Windows system folder as RE_FILE.EXE. After downloading, it then executes the file.

This worm attempts to remove the following registry entries from the key:

9XHtProtect
Antivirus
EasyAV
FirewallSvr
HtProtect
ICQ Net
ICQNet
Jammer2nd
KasperskyAVEng
MsInfo
My AV
NetDy
Norton Antivirus AV
PandaAVEngine
SkynetsRevenge
Special Firewall Service
SysMonXP
Tiny AV
Zone Labs Client Ex
service

Top 10 Most Prevalent Global Malware
(from February 25 to March 3, 2005)
HTML_NETSKY.P
WORM_NETSKY.P
JAVA_BYTEVER.A
COOKIE_1020
COOKIE_45
COOKIE_1802
COOKIE_281
TROJ_SMALL.SN
TROJ_AGENT.AAB
TROJ_BAGLE.BE




--------------------
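
Added example (not part of any post in this thread): a Python sketch of the "don't open it unless you trust it" advice, checking an attachment's real extension against the list in post #2 plus .CPL from the list quoted in post #12, and reading the member names of a ZIP attachment without extracting anything, as in the DOC_<decimal number>.EXE case in post #30. The function names and the sample files are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the thread warns about (post #2), plus .cpl from the
# attachment extension list quoted in post #12.
RISKY_EXTENSIONS = {".exe", ".vbs", ".scr", ".bat", ".com", ".pif", ".cpl"}


def risky_extension(filename):
    """Return the executable extension of filename, or None if it has none."""
    # Windows ignores trailing dots and spaces, so "a.pif. " still opens as .pif.
    cleaned = filename.replace("\\", "/").rstrip(". ")
    ext = PurePosixPath(cleaned).suffix.lower()
    return ext if ext in RISKY_EXTENSIONS else None


def triage_attachment(filename, data=b""):
    """Return a list of (name, extension) findings for one attachment.

    The attachment is checked by name; if its bytes form a ZIP archive,
    every member name is checked as well. Nothing is extracted or executed.
    """
    findings = []
    ext = risky_extension(filename)
    if ext:
        findings.append((filename, ext))
    if data and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                ext = risky_extension(info.filename)
                if ext:
                    findings.append((f"{filename}!{info.filename}", ext))
    return findings


def build_sample_zip():
    """Constructed sample: a ZIP whose member is named like the
    DOC_<decimal number>.EXE file described in post #30 (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("DOC_1234.EXE", b"placeholder bytes, not a program")
        archive.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("webcam_004.pif", b""),                  # file name from post #1
        ("holiday.jpg", b""),                     # constructed benign name
        ("price_new.zip", build_sample_zip()),    # archive name from post #30
    ]
    for name, data in samples:
        result = triage_attachment(name, data)
        print(name, "->", result or "no executable extension found")
```

A clean result only means no listed extension was found by name; nested archives and renamed files are not inspected here.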
 