| Pages in topic: [1 2] > | Recent viruses in emails - some form of bugbear? (Community: 'Yes') Thread poster: Rishi Miranhshah
|
|---|
Since yesterday, I'm receiving other translators' mails in my inbox, not intended for me. The attachments are blocked by my anti-virus for being potentially harmful - file extentions are .scr
The mails appear to be genuine mails (quoting translation rates...)
My second concern is whether they're reaching their intended recipients.
Does anyone have an idea, if it's some form of a virus trying to multiply???
| | | | smorales30 
Local time: 04:25
English to Spanish
+ ...
| Yes, it is... | Jun 6, 2003 |
Check the mcafee.com website. What you explain here fits their description of how Bugbear spreads... Be careful!
| | | | Uldis Liepkalns
Latvia
Local time: 05:25
Member (2003)
English to Latvian
+ ...
Tanatos, aka Bugbear:
I-Worm.Tanatos.b (aka Bugbear.b)
Tanatos.b is a worm virus spreading via the Internet as an email attachment. The worm also infects Windows EXE files, spreads over local networks and has a built-in backdoor routine.
The worm itself is a Windows PE EXE file about 72KB in length when compressed by UPX and encrypted over UPX compression. The decompressed size is about 170KB. The worm's code is written in Microsoft Visual C++.
Tanatos.b has the ... See more Tanatos, aka Bugbear:
I-Worm.Tanatos.b (aka Bugbear.b)
Tanatos.b is a worm virus spreading via the Internet as an email attachment. The worm also infects Windows EXE files, spreads over local networks and has a built-in backdoor routine.
The worm itself is a Windows PE EXE file about 72KB in length when compressed by UPX and encrypted over UPX compression. The decompressed size is about 170KB. The worm's code is written in Microsoft Visual C++.
Tanatos.b has the following text strings in its body:
w32shamur
W32.Shamur
tanatos
Installing
While installing the worm copies itself to the Windows start-up directory under a random name. No regstry keys are affected.
The worm also creates following files in the Windows system directory:
gpflmvo.dll - keylogger DLL (about 6K of size)
zpknpzk.dll - its internal data file
shtchs.dll - its internal data file
Tanatos also creates the following file in the Windows directory:
%rnd name%.dat - its internal data file
and the next file in the Temp directory:
vba%rnd%.tmp file - worm installed copy
Spreading
To send infected messages the worm uses a built-in SMTP
engine. The worm searches for victim emails in following files on the available
disks:
*.ODS, INBOX.*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX
The infected messages have different Subject, Body, and File Attachment
names that are selected from many variants:
Subject:
The file attachment name is randomly selected by several methods:
1. The worm looks for *.INI files in ??? and in case a "%filename%.INI" file is found, the worm sends itself with the "%filename%.%ext" name where %ext% is randomly selected from the list: ".scr", ".pif", ".exe".
2. The worm randomly selects attached file names from following variants:
readme, Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data
The file name extension is also randomly selected from the same variants:
".scr", ".pif", ".exe".
3. The worm looks for *.BMP, *.DOC, *.GIF, *.JPG, *.RTF and other files
and uses their full names as the %filename% for the infected attachment. In this
case they have double extensions, for example:
doc1.doc.exe
euro.gif.scr
table.xls.pif
4. "setup.exe"
The infected emails randomly have the IFrame security breach that runs upon
the opening the an infected email. In the rest of the messages the worm
activates only when a user clicks on the attached file.
Infecting EXE files
While infecting a file the worm writes itself
to the end of the file. The worm's copy is "incorporated" into the victim
machine's file structure as a "standard" .EXE file in the "Program Files"
directory. Copy names include:
winzipwinzip32.exe
kazaakazaa.exe
ICQIcq.exe
DAPDAP.exe
Winampwinamp.exe
AIM95aim.exe
LavasoftAd-aware 6Ad-aware.exe
TrillianTrillian.exe
Zone LabsZoneAlarmZoneAlarm.exe
StreamCastMorpheusMorpheus.exe
QuickTimeQuickTimePlayer.exe
WS_FTPWS_FTP95.exe
MSN Messengermsnmsgr.exe
ACDSee32ACDSee32.exe
AdobeAcrobat 4.0ReaderAcroRd32.exe
CuteFTPcutftp32.exe
FarFar.exe
Outlook Expressmsimn.exe
RealRealPlayerrealplay.exe
Windows Media Playermplayer2.exe
WinRARWinRAR.exe
adobeacrobat 5.0readeracrord32.exe
Internet Exploreriexplore.exe
in Windows directory:
winhelp.exe
notepad.exe
hh.exe
mplayer.exe
regedit.exe
scandskw.exe
Infecting - networks
The Tanatos.b worm accounts for all network
resources, then copies itself to available resource (drives) startup folders
using random .EXE names or the name, "setup.exe". The worm also looks for
"standard" .EXE files (the same list as above) on shared resource drives, and
infects them.
Backdoor
Tanatos.b opens port 1080
- reports disk and file info
- copies, deletes requested file
- reports
active applications
- terminates requested application
- runs local file
by master's request
- receives a file from master and runs it
- logs
keyboard and sends it to master
- opens HTTP server
Other
Tanatos.b terminates active debuggers, anti-virus and
firewall processes:
ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE
VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE
TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE
SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE
RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE
PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE
NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE
NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE
JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE
ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE
FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE
F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE
DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE
CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE
AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE
AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE
AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE
_AVPM.EXE _AVPCC.EXE _AVP32.EXE LOCKDOWN2000.EXE
[Edited at 2003-06-06 22:08] ▲ Collapse
| | |
|
|
|
| the email text comes from the person's own document file | Jun 6, 2003 |
yes - happened to me yesterday (FROM a client - better that than the other way around!). The (long) text of the email message referred to a legitimate subject that I am familiar with from the company, so naturally I assumed it was okay. My Norton program stopped me from opening the email's attachment. Only much later did I get another email from the client explaining they had a virus.
The bug apparently picks a document the user has stored on their computer in the "My Documents" file at r... See more yes - happened to me yesterday (FROM a client - better that than the other way around!). The (long) text of the email message referred to a legitimate subject that I am familiar with from the company, so naturally I assumed it was okay. My Norton program stopped me from opening the email's attachment. Only much later did I get another email from the client explaining they had a virus.
The bug apparently picks a document the user has stored on their computer in the "My Documents" file at random and uses that document as the text inserted into the email message. (that "at random" part, IMHO, is the scariest thing about it...I mean, don't we all have things in that file NOT meant for general consumption!!)
Hope you can clear everything up quickly. ▲ Collapse
| | | | | So, how do you get rid of it? | Jun 7, 2003 |
even with my antivirus, I was infected two days ago. It's the first time that I am infected, therefore, I am a little confused about what I have to do.
regards,
Dinorah
| | | | two2tango
Argentina
Local time: 23:25
Member
English to Spanish
+ ...
| Before you kill the sender read this | Jun 7, 2003 |
It is important to know that the apparent virus sender is most probably innocent. I found this information that could help avoid many a misunderstanding:
"The BugBear.b: worm looks for e-mail addresses in resident files in the infected computer and then uses them to generate both the "From" and the "To" fields of the mail it uses to propagate itself.
In other words, when you get an infected mail, it doesn't mean that the apparent sender's computer is infected. In fact ... See more It is important to know that the apparent virus sender is most probably innocent. I found this information that could help avoid many a misunderstanding:
"The BugBear.b: worm looks for e-mail addresses in resident files in the infected computer and then uses them to generate both the "From" and the "To" fields of the mail it uses to propagate itself.
In other words, when you get an infected mail, it doesn't mean that the apparent sender's computer is infected. In fact it means that both addresses (To and From) were found in the infected computer. "
Source:
http://www.alertalab.com.ar/alertalab/default.asp
(a good on-line free Spanish-language virus report) ▲ Collapse
| | | | Uldis Liepkalns
Latvia
Local time: 05:25
Member (2003)
English to Latvian
+ ...
| Re: So, how do you get rid of it? | Jun 7, 2003 |
Try to visit www.kaspersky.com
They promissed to release free downloadable desinfector tool by yeterday evening, so it should be there and available.
Sinc.- Uldis
Dinorah María Tijerino-Acosta wrote:
even with my antivirus, I was infected two days ago. It's the first time that I am infected, therefore, I am a little confused about what I have to do.
regards,
Dinorah
| | |
|
|
|
Clarisa Moraña
United States
Local time: 21:25
Member (2002)
English to Spanish
+ ...
| Try this link | Jun 7, 2003 |
Dinorah María Tijerino-Acosta wrote:
even with my antivirus, I was infected two days ago. It's the first time that I am infected, therefore, I am a little confused about what I have to do.
regards,
Dinorah
Dinorah, try fix it downloading the following link
http://securityresponse.symantec.com/avcenter/FixBugb.exe
Regards,
Clarisa Moraña
| | | |
I'll try it!
Regards,
Dinorah
Thanks a lot, I tried it and it worked perfectly. The virus also infected me with a "Trojan" virus so along with the instructions given by Symantec I also got rid of it. Thanks a lot!
Regards,
Dinorah
[Edited at 2003-06-08 01:25]
| | | | | Hold on, though | Jun 8, 2003 |
Hi
This is an updated version of the bugbear virus and the downloadable product that has been available for months does not seem to detect it. Do we wait for KASPERSKY to have ready a fix-it tool, or what else can be done I wonder?
regards
Spencer
| | | | Fiona N�voa
Portugal
Local time: 03:25
Member (2003)
Portuguese to English
+ ...
Hi Dinorah,
I've also had trouble with bugbear but I received an email from the Panda Antivirus programme telling me how to get rid of any problems.
Take a look at the Panda site because it worked for me:
http://www.pandasoftware.com
Regards,
FiBi
| | |
|
|
|
Uldis Liepkalns
Latvia
Local time: 05:25
Member (2003)
English to Latvian
+ ...
| Kaspersky promissed removal tool by Thuesday or Friday evening, | Jun 9, 2003 |
so it should be available.
Uldis
Spencer Allman wrote:
Hi
This is an updated version of the bugbear virus and the downloadable product that has been available for months does not seem to detect it. Do we wait for KASPERSKY to have ready a fix-it tool, or what else can be done I wonder?
regards
Spencer
| | | | SimplyMe (X)
English to German
| www.symantec.com has that removal tool | Jun 9, 2003 |
Symantec.com offers a free detection and removal tool.
You need to specify an email address - but download and scan starts immediately after entering - so you don't have to specify your real address... (Maybe good to know...)
| | | | | Readiris.DUS.exe 97k Byte | Jun 17, 2003 |
This is what I got from an agency under the title of "Tools for your business". Being cautious I did not open it but asked the sender if he had sent it to me - and he told me that he had a virus... I tried SimpleMe's hint of McAfee and it seems that my computer has not been infected (yet). But anyway, it seems that all one can do is to be on one's guard all the time and not to trust anybody (which, in my opinion, is a quite dreadful outlook).
| | | | | Pages in topic: [1 2] > | To report site rules violations or get help, contact a site moderator: You can also contact site staff by submitting a support request » Recent viruses in emails - some form of bugbear? (Community: 'Yes') | CafeTran Espresso | You've never met a CAT tool this clever!
Translate faster & easier, using a sophisticated CAT tool built by a translator / developer.
Accept jobs from clients who use Trados, MemoQ, Wordfast & major CAT tools.
Download and start using CafeTran Espresso -- for free
Buy now! » |
| | Anycount & Translation Office 3000 | Translation Office 3000
Translation Office 3000 is an advanced accounting tool for freelance translators and small agencies. TO3000 easily and seamlessly integrates with the business life of professional freelance translators.
More info » |
|
| | | | X Sign in to your ProZ.com account... | | | | | |
Login to reply/comment 
