
Virus Warning!!!



Just got news of a nasty new virus doing the rounds, thought you peeps should be aware of it. It affects hotmail users mainly. Do not under any circumstances open any files received with this name: inviztor @ hotmail . com. If I've got the translation right, it reformats your computer and the computers of all your contacts and gains access to all hotmail passwords. All this as soon as you open the file. Hopefully not too late for everyone.


I expect inviztor @ hotmail . com is just another hoax that in itself can be classed as a virus...

Check this one out, very cleverly written and made me pap myself when it arrived in my mailbox as it came from a user in the company I work for...

From: xxxxxxxxxxxxxx

Sent: 02 December 2005 14:57

To: xxxxxxxxxxxxxx

Subject: FW: Important

A new virus has just been discovered that has been classified by Microsoft as the most destructive ever. This virus was discovered yesterday afternoon by McAfee. This virus simply destroys Sector Zero from the hard disk, where vital information for its functioning are stored. This virus acts in the following manner: It sends itself automatically to all contacts on your list with the title: "A Card for You". As soon as the supposed virtual card is opened the computer freezes so that the user has to reboot. When the ctrl+alt+del keys or the reset button are pressed, the virus destroys Sector Zero, thus permanently destroying the hard disk. Yesterday in just a few hours this virus caused panic in New York, according to news broadcast by CNN. This alert was received by an employee of Microsoft itself. So don't open any mails with subject: "A Virtual Card for You." As soon as you get the mail, delete it!! Even if you know the sender !!!

Please pass this mail to all of your friends. Forward this to everyone in your address book. I'm sure most people, like myself, would rather receive this notice 25 times than not at all!

------------------------------------------------------

PLEASE DO NOT PASS THIS MAIL TO ALL OF YOUR FRIENDS. By forwarding these types of warnings on you are actually propagating the virus itself. I have posted the above to make an example of how easy it is for peeps to create panic with an email and fill the internet up with more spam...

But still, it's better to be safe than sorry :)


[quote]
Just got news of a nasty new virus doing the rounds, thought you peeps should be aware of it. It affects hotmail users mainly. Do not under any circumstances open any files received with this name: inviztor @ hotmail . com. If I've got the translation right, it reformats your computer and the computers of all your contacts and gains access to all hotmail passwords. All this as soon as you open the file. Hopefully not too late for everyone.
[/quote]

Lol. It's a hoax. Created by individuals even sadder than real virus writers and forwarded by the panicking public.

I work in IT, we get a lot of this and I am forced to spank every user sending these "helpful" messages round our own network.

Your intentions were good, but a better method is to check the validity of such emails you receive before posting it or forwarding it to "all your friends".

There are many virus and hoax databases you can check against.

PS, there isn't a virus around that can wipe your drive, all your contacts drives and also recover account and password info for hotmail - I found that quite funny. !lol


There's a new high risk email virus doing the rounds (W32.Feebs.D@mm). Whether it's related to inviztor @ hotmail . com I don't know, but this is no hoax and is absolutely current; the global server team in the company I work for are currently, let's say... tense :o

For those who have no idea what all the computer talk is about, it basically says that the virus is gonna repeatedly pump your pc in every orifice without a rubber and then pass on its experiences to some arsehole who will probably then rob you! (check the text I've highlighted in red near the bottom)

There are no virus scanner definitions currently written as it's so new so keep an eye out! %-6

Below is some information from the Internet Storm Center and a description from the Symantec WebSite...

---------------------------------------------------------------------------------------------

Published: 2006-01-11,

Last Updated: 2006-01-11 22:28:25 UTC by Daniel Wesemann (Version: 1)

We are currently analyzing a copy of .. something.  Attachment name "message.zip", detection by AV is still thin to nonexistent. When run, the code tries to pull additional files from web servers in Russia, so if you have a chance, you might consider blocking the following TLDs on your proxy / perimeter:

1gb.ru  /  t35.com  /  hzs.nm.ru /  users.cjb.net /  h16.ru

UPDATE 2200UTC:  message.zip contains a file named "Secure E-mail File.hta", which is according to current Virustotal output only detected by Panda and Kaspersky, the latter calls it Worm.Win32.Feebs.k . Samples we've seen come in an email with subject "Secure Message from HotMail.com user". The HTA file is nicely obfuscated, it has 2 obfuscation functions, one being easy unescape, while the other one is a bit more complex. Once it is executed by a user, it will run in the local zone, so it can use various ActiveXObjects. It will try to download executables from 5 web sites (domains listed above), all of which are up and working at this moment.

Symantec

When W32.Feebs.D@mm is executed, it performs the following actions:

1. Drops and executes the following files using a malicious JavaScript, when the .HTA file is viewed:

C:\Command.exe

%UserProfile%\All Users\Start Menu\Programs\Startup\Command.exe

Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Executes the worm, when the JavaScript shows a logon prompt for user name and password as a diversion tactic.

3. Adds the value:

"Stubpath" = "C:\COMMAND.EXE"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CD5AC91B-AE7B-E83A-0C4C-E616075972F3}

4. Adds the value:

"(default)" = "%System\[PATH TO DLL WORM COMPONENT]"

to the registry subkey:

HKEY_CLASSES_ROOT\CLSID\{[RANDOM CLSID]}\InprocServer32

so that it runs every time Windows starts.

5. Adds the value:

"[FILE NAME OF DLL WORM COMPONENT]" = "{[RANDOM CLSID]}"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

so that it runs every time Windows starts.

6. Sends emails to all addresses found. The email has the following characteristic:

From:

The from address is a combination of one of the following names with one of the following domain names:

Names: protect, secur, security, securmail

Domains: @hotmail.com, @gmail.com, @aol.com, @msn.com, @yahoo.com

Subject:

The subject may be the following string:

happy new year

Or alternatively it can be a combination of the following strings:

[STRING 1]: Secure, Protected, Encrypted, Extended

[STRING 2]: Mail, E-Mail, Message, Html

[STRING 3]: [BLANK], System, Service, Service ([DOMAIN]), from [DOMAIN] user.

[STRING 4]: Thank you, Sincerely, Best Regards

Subject is a combination of the strings in the following pattern:

[STRING 1] [STRING 2] [STRING 3]

Note: The subject could look like one of the following:

Subject: Protected Message from Gmail.com user.

Subject: Secure Mail Service (HotMail.com)

Subject: Encrypted E-mail from Yahoo.com user.

Message:

You have received [STRING 1] [STRING 2] from [DOMAIN] user.

This message is addressed personally for you.

To decrypt your message use the following details:

ID: [RANDOM NUMBERS]

Password: [RANDOM LETTERS]

Keep your password in a safe place and under no circumstances give it

to ANYONE.

[STRING 1] [STRING 2] and instruction is attached.

[STRING 4]

[STRING 1] [STRING 2] [STRING 3],

[DOMAIN]

Note:

The message could look like the following:

You have received Encrypted Message from MSN.com user.

This message is addressed personally for you.

To decrypt your message use the following details:

ID: 44321

Password: mxsjstjgd

Keep your password in a safe place and under no circumstances give it

to ANYONE.

Encrypted Message and instruction is attached.

Best Regards,

Encrypted E-mail Service,

MSN.com

Attachment:

One of the following:

msg.zip

message.zip

data.zip

mail.zip

The attachment contains the worm as an .HTA file with the following name:

[STRING 1] [STRING 2] File.HTA

Note:

The attachment could look like one of the following:

Extended Mail File.HTA

Extended E-Mail File.HTA

Secure Mail File.HTA

Secure E-Mail File.HTA

7. Creates the following files:

%System%\MS[RANDOM].exe

%System%\MS[RANDOM]

%System%\MS[RANDOM]32.DLL

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

8. Loads %System%\MS[RANDOM]32.DLL into all active processes and uses rootkit functionalities to hide its files and registry keys.

9. Adds the value:

"web" = "[http://]popcapfree.t35.com/[REMOVED]"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

10. Stores several registry subkeys containing configuration info, stolen passwords, accounts, and email addresses:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\dat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\cdat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\fdat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\rdat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\sdat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\ldat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\gdat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\pdat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\udat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\idat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\ddat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS[RANDOM 2 LETTERS]\kdat

11. Modifies the value:

"EnableFirewall" = "0"

in the registry subkeys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\DomainProfile

HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\StandardProfile

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

to disable the Windows Firewall.

12. Searches for folders that contain the following strings:

downloads

share

incoming

13. Copies itself to any folders that it finds as the following files:

3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip

ACDSee_9_new!_full+crack.zip

Adobe_Photoshop_10_(CS3)_new!_full+crack.zip

Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip

Ahead_Nero_8_new!_full+crack.zip

DivX_7.0_new!_full+crack.zip

ICQ_2006_new!_full+crack.zip

Internet_Explorer_7_new!_full+crack.zip

Kazaa_4_new!_full+crack.zip

Longhorn_new!_full+crack.zip

Microsoft_Office_2006_new!_full+crack.zip

winamp_5.2_new!_full+crack.zip

The .zip file contains a nonmalicious text file that matches the name of the .zip file. It is reported, however, that the text file's name does not include the following string:

_new!_full+crack

14. Attempts to lower security settings on the compromised computer by ending security-related programs and by stopping services with names starting with one of the following strings:


15. Deletes all the startup registry keys associated with these services under the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]

16. Starts a local Web server on TCP port 80. When a user connects to the Web server, it loads the .HTA file and also gives a link to offline.zip which is a zip file containing the worm.

17. May gather sensitive information from the compromised computer by monitoring open windows. This includes monitoring for WebMoney, ICQ and cryptography key files. This information can then be sent to a remote attacker.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

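A detection-side companion to the Symantec description quoted above, added here as an example and not part of the original thread or of any vendor tool: it scores one raw e-mail against the From, Subject and attachment-name patterns listed in the writeup and looks inside the zip for the "[STRING 1] [STRING 2] File.HTA" member name. The sample message is constructed for the demo and its zip holds a harmless text stub, not the worm.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

FROM_NAMES = {"protect", "secur", "security", "securmail"}  # lists from the Symantec writeup
FROM_DOMAINS = {"hotmail.com", "gmail.com", "aol.com", "msn.com", "yahoo.com"}
ATTACH_NAMES = {"msg.zip", "message.zip", "data.zip", "mail.zip"}
_S1 = "Secure|Protected|Encrypted|Extended"  # [STRING 1]
_S2 = "Mail|E-Mail|Message|Html"  # [STRING 2]
_S3 = r"System|Service|Service \([\w.-]+\)|from [\w.-]+ user\."  # [STRING 3], may be blank
# Subject is either "happy new year" or "[STRING 1] [STRING 2] [STRING 3]".
SUBJECT_RE = re.compile(rf"^(?:happy new year|(?:{_S1}) (?:{_S2})(?: (?:{_S3}))?)$", re.I)
HTA_RE = re.compile(rf"^(?:{_S1}) (?:{_S2}) File\.HTA$", re.I)  # worm file name inside the zip

def feebs_indicators(raw: bytes) -> list:
    """Return the W32.Feebs.D@mm traits found in one raw RFC 822 message."""
    msg = message_from_bytes(raw)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = sender.rpartition("@")
    if local in FROM_NAMES and domain in FROM_DOMAINS:
        hits.append("from:" + sender)
    subject = msg.get("Subject", "").strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower() not in ATTACH_NAMES:
            continue
        hits.append("attachment:" + name)
        try:  # a damaged or non-zip attachment is still reported by name above
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                hits += ["hta:" + n for n in zf.namelist() if HTA_RE.match(n)]
        except zipfile.BadZipFile:
            pass
    return hits

def build_sample() -> bytes:  # constructed look-alike; the zip holds a harmless text stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Secure E-Mail File.HTA", "placeholder text, not malware")
    msg = EmailMessage()
    msg["From"] = "secur@hotmail.com"
    msg["Subject"] = "Secure Mail Service (HotMail.com)"
    msg.set_content("You have received Secure Mail from HotMail.com user.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="message.zip")
    return msg.as_bytes()
```

Run `feebs_indicators(build_sample())` to see all four traits reported; a mail gateway would feed each inbound message's raw bytes to the same function and quarantine anything that scores on more than one trait.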

Viruses are a part of everyday life, and a constant threat in the IT industry.

Ensure that you have an UP TO DATE AV application... if you don't want to pay for one, then use AVG FREE (Google it).

Although, if you're a Linux Pimp, like me, you won't have this sort of problem. However, if you are running Wine applications under Linux, or you're using your box for public services (http, mail), then you could potentially have viri stored on your system. However, due to .exe, .com, .scr not being natively executable under a *nix environment, you are generally safe. But a scan now and then can't hurt :)

DOWN WITH MICROSOFT - UP WITH LINUX
