Recent viruses in emails - some form of bugbear? (Community: 'Yes')
Thread poster: Rishi Miranhshah
Since yesterday, I'm receiving other translators' mails in my inbox, not intended for me. The attachments are blocked by my anti-virus for being potentially harmful - file extensions are .scr. The mails appear to be genuine mails (quoting translation rates...). My second concern is whether they're reaching their intended recipients. Does anyone have an idea if it's some form of a virus trying to multiply???

smorales30 | Local time: 04:25 | English to Spanish + ... | Yes, it is... | Jun 6, 2003
Check the mcafee.com website. What you explain here fits their description of how Bugbear spreads... Be careful!

Uldis Liepkalns | Latvia | Local time: 05:25 | Member (2003) | English to Latvian + ...
Tanatos, aka Bugbear: I-Worm.Tanatos.b (aka Bugbear.b)

Tanatos.b is a worm virus spreading via the Internet as an email attachment. The worm also infects Windows EXE files, spreads over local networks and has a built-in backdoor routine. The worm itself is a Windows PE EXE file about 72KB in length when compressed by UPX and encrypted over UPX compression. The decompressed size is about 170KB. The worm's code is written in Microsoft Visual C++. Tanatos.b has the following text strings in its body:

w32shamur
W32.Shamur
tanatos

Installing

While installing, the worm copies itself to the Windows start-up directory under a random name. No registry keys are affected. The worm also creates the following files in the Windows system directory:

gpflmvo.dll - keylogger DLL (about 6K in size)
zpknpzk.dll - its internal data file
shtchs.dll - its internal data file

Tanatos also creates the following file in the Windows directory:

%rnd name%.dat - its internal data file

and the next file in the Temp directory:

vba%rnd%.tmp file - worm installed copy

Spreading

To send infected messages the worm uses a built-in SMTP engine. The worm searches for victim emails in the following files on the available disks:

*.ODS, INBOX.*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX

The infected messages have different Subject, Body, and File Attachment names that are selected from many variants:

Subject:

The file attachment name is randomly selected by several methods:

1. The worm looks for *.INI files in ??? and in case a "%filename%.INI" file is found, the worm sends itself with the "%filename%.%ext" name, where %ext% is randomly selected from the list: ".scr", ".pif", ".exe".

2. The worm randomly selects attached file names from the following variants: readme, Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data. The file name extension is also randomly selected from the same variants: ".scr", ".pif", ".exe".

3. The worm looks for *.BMP, *.DOC, *.GIF, *.JPG, *.RTF and other files and uses their full names as the %filename% for the infected attachment. In this case they have double extensions, for example:

doc1.doc.exe
euro.gif.scr
table.xls.pif

4. "setup.exe"

The infected emails randomly have the IFrame security breach that runs upon opening an infected email. In the rest of the messages the worm activates only when a user clicks on the attached file.

Infecting EXE files

While infecting a file the worm writes itself to the end of the file. The worm's copy is "incorporated" into the victim machine's file structure as a "standard" .EXE file in the "Program Files" directory. Copy names include:

winzip\winzip32.exe
kazaa\kazaa.exe
ICQ\Icq.exe
DAP\DAP.exe
Winamp\winamp.exe
AIM95\aim.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
Trillian\Trillian.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
StreamCast\Morpheus\Morpheus.exe
QuickTime\QuickTimePlayer.exe
WS_FTP\WS_FTP95.exe
MSN Messenger\msnmsgr.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
CuteFTP\cutftp32.exe
Far\Far.exe
Outlook Express\msimn.exe
Real\RealPlayer\realplay.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
adobe\acrobat 5.0\reader\acrord32.exe
Internet Explorer\iexplore.exe

in the Windows directory:

winhelp.exe
notepad.exe
hh.exe
mplayer.exe
regedit.exe
scandskw.exe

Infecting - networks

The Tanatos.b worm accounts for all network resources, then copies itself to available resource (drives) startup folders using random .EXE names or the name "setup.exe". The worm also looks for "standard" .EXE files (the same list as above) on shared resource drives, and infects them.

Backdoor

Tanatos.b opens port 1080:
- reports disk and file info
- copies, deletes requested file
- reports active applications
- terminates requested application
- runs local file by master's request
- receives a file from master and runs it
- logs keyboard and sends it to master
- opens HTTP server

Other

Tanatos.b terminates active debuggers, anti-virus and firewall processes:

ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE LOCKDOWN2000.EXE

[Edited at 2003-06-06 22:08]
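An added example, not from the post or from the virus description it quotes: a small Python checker that applies the attachment-naming rules quoted above to a raw mail message, flagging the .scr/.pif/.exe extensions, the fixed name pool, double extensions such as doc1.doc.exe, and an IFrame in the HTML body. The sample message and the set of inner document extensions are constructed assumptions.

```python
from email import message_from_bytes, policy

# Attachment-naming rules taken from the worm description quoted above.
EXEC_EXT = {".scr", ".pif", ".exe"}
NAME_POOL = {"readme", "setup", "card", "docs", "news", "image", "images",
             "pics", "resume", "photo", "video", "music", "song", "data"}
DOC_EXT = {".bmp", ".doc", ".gif", ".jpg", ".rtf", ".xls"}  # "other files": assumed set

# Constructed sample: HTML body carrying an IFrame plus a double-extension attachment.
SAMPLE = b"""From: alice@example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please see the attached rates.</p><iframe src="cid:att"></iframe>
--b1
Content-Type: application/octet-stream; name="rates.xls.scr"
Content-Disposition: attachment; filename="rates.xls.scr"

(constructed attachment body, not an executable)
--b1--
"""

def classify_name(filename):
    """Reasons a filename matches the worm's naming methods ([] if it does not)."""
    stem, dot, ext = filename.lower().rpartition(".")
    ext = "." + ext
    if not dot or ext not in EXEC_EXT:
        return []                                  # only .scr/.pif/.exe are suspect
    reasons = [f"executable extension {ext}"]
    if stem in NAME_POOL:                          # method 2, and "setup.exe"
        reasons.append(f"name '{stem}' from the worm's fixed name list")
    inner = "." + stem.rpartition(".")[2]
    if inner in DOC_EXT:                           # method 3, e.g. doc1.doc.exe
        reasons.append(f"double extension {inner}{ext}")
    return reasons

def scan_message(raw):
    """Walk every MIME part; return {'attachments': {name: reasons}, 'iframe': bool}."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"attachments": {}, "iframe": False}
    for part in msg.walk():
        if part.get_content_type() == "text/html" and "<iframe" in part.get_content().lower():
            findings["iframe"] = True              # the IFrame auto-run path noted above
        name = part.get_filename()
        if name and classify_name(name):
            findings["attachments"][name] = classify_name(name)
    return findings
```

A name such as Readiris.DUS.exe (mentioned later in the thread) is flagged for its extension alone, since .dus is not a document extension the rules know.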
the email text comes from the person's own document file | Jun 6, 2003

yes - happened to me yesterday (FROM a client - better that than the other way around!). The (long) text of the email message referred to a legitimate subject that I am familiar with from the company, so naturally I assumed it was okay. My Norton program stopped me from opening the email's attachment. Only much later did I get another email from the client explaining they had a virus. The bug apparently picks a document the user has stored on their computer in the "My Documents" file at random and uses that document as the text inserted into the email message. (That "at random" part, IMHO, is the scariest thing about it... I mean, don't we all have things in that file NOT meant for general consumption!!) Hope you can clear everything up quickly.

So, how do you get rid of it? | Jun 7, 2003

even with my antivirus, I was infected two days ago. It's the first time that I am infected; therefore, I am a little confused about what I have to do. regards, Dinorah

two2tango | Argentina | Local time: 23:25 | Member | English to Spanish + ... | Before you kill the sender read this | Jun 7, 2003
It is important to know that the apparent virus sender is most probably innocent. I found this information that could help avoid many a misunderstanding:

"The BugBear.b worm looks for e-mail addresses in resident files in the infected computer and then uses them to generate both the "From" and the "To" fields of the mail it uses to propagate itself. In other words, when you get an infected mail, it doesn't mean that the apparent sender's computer is infected. In fact it means that both addresses (To and From) were found in the infected computer."

Source: http://www.alertalab.com.ar/alertalab/default.asp (a good on-line free Spanish-language virus report)

Uldis Liepkalns | Latvia | Local time: 05:25 | Member (2003) | English to Latvian + ... | Re: So, how do you get rid of it? | Jun 7, 2003
Try to visit www.kaspersky.com. They promised to release a free downloadable disinfector tool by yesterday evening, so it should be there and available. Sinc.- Uldis

Dinorah María Tijerino-Acosta wrote: even with my antivirus, I was infected two days ago. It's the first time that I am infected; therefore, I am a little confused about what I have to do. regards, Dinorah
Clarisa Moraña | United States | Local time: 21:25 | Member (2002) | English to Spanish + ... | Try this link | Jun 7, 2003
Dinorah María Tijerino-Acosta wrote: even with my antivirus, I was infected two days ago. It's the first time that I am infected; therefore, I am a little confused about what I have to do. regards, Dinorah

Dinorah, try to fix it by downloading the following link: http://securityresponse.symantec.com/avcenter/FixBugb.exe Regards, Clarisa Moraña
I'll try it! Regards, Dinorah

Thanks a lot, I tried it and it worked perfectly. The virus also infected me with a "Trojan" virus so along with the instructions given by Symantec I also got rid of it. Thanks a lot! Regards, Dinorah
[Edited at 2003-06-08 01:25]

Hold on, though | Jun 8, 2003
Hi. This is an updated version of the bugbear virus and the downloadable product that has been available for months does not seem to detect it. Do we wait for KASPERSKY to have ready a fix-it tool, or what else can be done, I wonder? regards Spencer

Fiona Nóvoa | Portugal | Local time: 03:25 | Member (2003) | Portuguese to English + ...
Hi Dinorah, I've also had trouble with bugbear but I received an email from the Panda Antivirus programme telling me how to get rid of any problems. Take a look at the Panda site because it worked for me: http://www.pandasoftware.com Regards, FiBi
Uldis Liepkalns | Latvia | Local time: 05:25 | Member (2003) | English to Latvian + ... | Kaspersky promised removal tool by Thursday or Friday evening, | Jun 9, 2003
so it should be available. Uldis

Spencer Allman wrote: Hi. This is an updated version of the bugbear virus and the downloadable product that has been available for months does not seem to detect it. Do we wait for KASPERSKY to have ready a fix-it tool, or what else can be done, I wonder? regards Spencer

SimplyMe (X) | English to German | www.symantec.com has that removal tool | Jun 9, 2003
Symantec.com offers a free detection and removal tool. You need to specify an email address - but download and scan starts immediately after entering - so you don't have to specify your real address... (Maybe good to know...)

Readiris.DUS.exe 97k Byte | Jun 17, 2003
This is what I got from an agency under the title of "Tools for your business". Being cautious I did not open it but asked the sender if he had sent it to me - and he told me that he had a virus... I tried SimpleMe's hint of McAfee and it seems that my computer has not been infected (yet). But anyway, it seems that all one can do is to be on one's guard all the time and not to trust anybody (which, in my opinion, is a quite dreadful outlook).