Wilders Security Forums  

  #1  
Old February 16th, 2002, 03:52 PM
javacool javacool is offline
BrightFort Moderator
 
Join Date: Feb 2002
Posts: 3,879
Default VBS.Numgame & W32.Yaha@mm

Symantec posts details about these two new viruses/worms at the following pages:

http://securityresponse.symantec.com...umgame@mm.html

http://securityresponse.symantec.com...2.yaha@mm.html


Enjoy!
__________________

*Official BrightFort Website*
*SpywareBlaster*

*Please note: I am not responsible if any advice herein causes any trouble whatsoever*
  #2  
Old February 18th, 2002, 06:40 PM
FanJ
 
Posts: n/a
Default VBS/Numgame-A

Name: VBS/Numgame-A
Aliases: GuessGame
Type: Visual Basic Script worm
Date: 18 February 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description:

VBS/Numgame-A is an email worm. It spreads as an email with the following properties:

Subject:
Are you <recipient> my valentine?

Message Body:
Hi my valentine, remember me? I ain't seen you in ages! Anyway, check-out and play the attached guess-the-number-game to guess who I am. See you soon, bye-bye!

Attachment:
GuessGame.html
or
GuessGame.vbe

When the HTML file is run it will display a message box containing the text "Guess Game instructions:" and asking the user to click Yes should an ActiveX dialog box appear.

Depending on the system configuration, an ActiveX warning dialog may then be displayed.

If the user clicks Yes to the ActiveX warning, or no warning appears, the worm will create the file GuessGame.vbe in the Windows directory and execute it.

GuessGame.vbe will first create a copy of itself in the Windows system directory. It will then send an email with the above characteristics to all addresses listed in the user's Outlook Address book.

It will next attempt to set the date to 04-08-1981. Depending on the system settings this will result in the system date changing to 4th August 1981 or 8th April 1981 or remaining unchanged.

It will also set the following registry values in order to disable the Desktop and the system file checking process.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = 0xFFFFFF9D

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = 1

After setting the registry entries the worm will attempt to delete all files from the local and network drives. On each affected drive it will also create a file named autoexec.bat in an attempt to delete files with the following extensions:

*.SYS
*.DLL
*.OCX
*.CPL
*.DAT
*.COM
*.EXE
*.CAB
*.INI
*.INF
*.VXD
*.DRV
*.DOC
*.XLS
*.MDB
*.PPT
*.MP3
*.JPG
*.TXT
*.HTM
*.HTML
*.HTA
*.ASP
*.ASPX

from the following directories:

\
Desktop,
Program Files,
My Documents,
Windows,
System,
Temp,
Windows\SYSTEM32,
Windows\COMMAND,
Windows\INF,
Windows\SYSBCKUP,
\Documents and Settings,
\Inetpub

or their equivalents (e.g. WINNT\system32)

Lastly the worm will allow the user to play a guessing game to guess a number between 1 and 100.


Read the analysis at
http://www.sophos.com/virusinfo/analyses/vbsnumgamea.html

  #3  
Old February 20th, 2002, 01:54 PM
FanJ
 
Posts: n/a
Default W32/Yaha-A

Name: W32/Yaha-A
Type: Win32 worm
Date: 20 February 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description:

W32/Yaha-A is an internet worm which spreads using its own SMTP engine. The worm arrives in an email message with the following characteristics:

Subject:
Melt the Heart of your Valentine with this beautiful Screen saver
or
Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Attachment: valentin.scr

If the attached program is opened it runs as a screen saver, but also copies itself to C:\recycled with the filenames msmdm.exe and msscra.exe.

The worm changes the registry key

HKCR\exefile\shell\open\command

so that the worm file msmdm.exe is run before any file with the extension EXE.

W32/Yaha-A uses the Windows address book to find email addresses to send itself to. Email addresses will also be extracted from files with the extension HT*. Addresses found are stored in the files screendback.dll and screend.dll.

The SMTP server used to send the emails is chosen either from the registry or from the following list inside the worm body:

<long list of links deleted>


Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32yahaa.html
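The registry changes described in posts #2 and #3 above (SFCDisable, NoDesktop and the exefile open command) can be checked from a registry snapshot with the small audit script below. This is an added example, not code from Sophos or from the forum; it assumes the registry has already been exported into a dict keyed by full value path, and the sample snapshots, including the Yaha command string, are constructed.

```python
"""Audit a registry snapshot for the changes the two advisories attribute
to VBS/Numgame-A and W32/Yaha-A.  Added example, not Sophos or forum code.
Assumed snapshot format: {"HIVE\\key\\path\\ValueName": value}, with REG_DWORD
values as ints and REG_SZ values as str."""

# Value paths taken from the advisories; "(Default)" names the unnamed value.
SFC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable"
NODESKTOP_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop"
EXEFILE_KEY = r"HKCR\exefile\shell\open\command\(Default)"

NUMGAME_SFC_VALUE = 0xFFFFFF9D        # value set by VBS/Numgame-A per the advisory
NORMAL_EXEFILE_COMMAND = '"%1" %*'    # stock Windows launch command for .exe files


def audit_registry(snapshot):
    """Return a list of (indicator, detail) tuples; an empty list means clean."""
    findings = []

    sfc = snapshot.get(SFC_KEY)
    if sfc is not None and sfc != 0:
        note = " (value used by VBS/Numgame-A)" if sfc == NUMGAME_SFC_VALUE else ""
        findings.append(("SFCDisable", f"system file checking disabled, value {sfc:#x}{note}"))

    if snapshot.get(NODESKTOP_KEY) == 1:
        findings.append(("NoDesktop", "desktop hidden via Explorer policy"))

    # W32/Yaha-A inserts its own executable into the exefile open command so it
    # runs before every EXE; anything other than the stock value is suspect.
    cmd = snapshot.get(EXEFILE_KEY)
    if cmd is not None and cmd.strip().lower() != NORMAL_EXEFILE_COMMAND.lower():
        findings.append(("exefile hijack",
                         f"open command is {cmd!r}, expected {NORMAL_EXEFILE_COMMAND!r}"))
    return findings


# Constructed sample snapshots for illustration (not captured from real systems).
CLEAN_SNAPSHOT = {SFC_KEY: 0, EXEFILE_KEY: '"%1" %*'}
NUMGAME_SNAPSHOT = {SFC_KEY: NUMGAME_SFC_VALUE, NODESKTOP_KEY: 1, EXEFILE_KEY: '"%1" %*'}
# The advisory names msmdm.exe but not the exact command string; this shape is assumed.
YAHA_SNAPSHOT = {SFC_KEY: 0, EXEFILE_KEY: 'C:\\recycled\\msmdm.exe "%1" %*'}

if __name__ == "__main__":
    for label, snap in [("clean", CLEAN_SNAPSHOT), ("numgame", NUMGAME_SNAPSHOT),
                        ("yaha", YAHA_SNAPSHOT)]:
        print(label, audit_registry(snap) or "no findings")
```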

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums