Wilders Security Forums  
  #1  
Old December 12th, 2002, 12:53 AM
Technodrome Technodrome is offline
Global Moderator
Join Date: Feb 2002
Location: New York
Posts: 2,140
W32/Prestige

Virus category: Worm
Repairable?: Yes
First appeared: 12/10/2002
'In The Wild': No

Basic description: W32/Prestige is a worm that is easy to recognize because it refers to the sinking of the Prestige, an oil tanker that went down off the Spanish coast.

It spreads rapidly using the following means of transmission:

E-mail messages with the subject fotos INEDITAS del PRESTIGE en el fondo del Atlantico, which include an attached file called PRESTIGE.ZIP.
By automatically sending itself via IRC.
The message text entices the user to open the PRESTIGE.ZIP file by claiming that it contains some pictures of the Prestige oil tanker. When the file is opened, however, a window is displayed, which informs the user that a plug-in must be installed to display the pictures. If the user clicks on the Yes button an error message is displayed.

W32/Prestige is not considered dangerous, as its only aim is to spread to other computers. However, mass mailing of this virus could cause infected e-mail accounts and IRC chat channels to collapse.

source: http://www.pandasoftware.com


Technodrome

__________________
Classic Trance Hit: PPK - Resurrection
  #2  
Old December 14th, 2002, 09:54 PM
Primrose Primrose is offline
Security Expert
Join Date: Sep 2002
Posts: 2,743
Re: W32/Prestige

VSantivirus no. 889 - Year 7 - Friday, December 13, 2002

The virus "Prestige", variant of the family "Duksten"
http://www.vsantivirus.com/duksten-fam.htm

By Jose Luis Lopez
videosoft@videosoft.net.uy

The "Prestige" virus (it pretends to contain photographs of the oil spill caused by the Prestige tanker) is a variant of W32/Duksten (VSA #791, http://www.vsantivirus.com/duksten.htm ) and W32/BogusBear.A (VSA #831, http://www.vsantivirus.com/bogusbear-a.htm ).

Because each antivirus laboratory usually gives it a different name, the same worm can exist under different names, which causes confusion when identifying it, depending on the antivirus used.

This particular worm (and its variants) is detected under the following names (in alphabetical order):
Duksten
I-Worm.Duksten.d
I-Worm.Gain
I-Worm.Skudex
Netskudo
Predig
Prestige
W32.Duksten.B@mm
W32.Protex.Worm
W32/BogusBear.A
W32/BogusBear.A
W32/Duksten
W32/Duksten
W32/Duksten.Drp
W32/Duksten.h@MM
W32/Duksten@MM
W32/Prestige
W32/Pretige
W32/Skud
W32/Skudo
Win32.BogusBear.A@mm
Win32.Duksten.H
Win32/BogusBear@MM
Win32/Duksten.H.Worm
Win32/Gex
Worm/Antiax
Worm/BogusBear
Worm/Predig
Worm_Bogusbear.A

All of them send a ZIP file as the attachment, and almost all drop the files "m_base64.xrf" (a MIME-encoded copy of the worm, ready to be sent by e-mail) and "m_prgrm.zip" (a ZIP containing the worm).

Other variants send the attachment directly in EXE format.

Some properties of the different variants, all of them encrypted:


* Variant A

It drops the file "C:\NetSkudo.exe" (10,240 bytes, not encrypted).


* Variant B

The message has these characteristics:

From: "Anti-SirCam" [ Panda@PandaSoft.com ]
Subject: Free Anti-Vir to protect you SirCam Trojan
Attachment: SKUDO.EXE (7,680 bytes, encrypted)


* Variants C and E

One of the following senders:

From: "Anti29A" [ darknode@dejalo.com ]
From: "ReEnviaMe" [ Skudo@Seguro.com ]
From: [ Grupo@Anti29A.net ]

One of the following subjects:

Subject: creative group of virus 29A
Subject: AyudaME, AyudatE... AYudEMonoS! Anti29A - SKUDO

In all cases:

Attachment: ANTI_29A.EXE (7,680 bytes, encrypted)

This variant is usually sent through the newsgroup "es.comp.virus" in a message with the text "you give pain JUA JUA JUA".


* Variant D

The message has these characteristics:

From: "Anti-SirCam" [ Panda@PandaSoft.com ]
Subject: Run ThiS Free Anti-Vir to protect you SirCam Trojan
Attachment: SKUDO.EXE (7,680 bytes, not encrypted)


* Variants F and G

One of the following senders:

From: [ boletin@viralert.net ]
From: "Alerta_RaPida" [ boletin@viralert.net ]

In all cases:

Subject: TOTAL protection against W32/Bugbear (30dias)
Attachment: PROTECT.ZIP (it contains an encrypted EXE of 9,728 bytes)

This variant contains the following text in its code:

WKaPCOM bY XRF, 19SePtiembre2002 PandaSoftware, please, rename Duksten to WKaPExE about::Me 198ÄppleIIe.1986Univac1100.1987MV4000. 1988MV20000.1990EpsonPcJ2

* Variant H

See the description of W32/Prestige (VSA #888, http://www.vsantivirus.com/prestige.htm )


References:

W32/Duksten. Attachment: SKUDO.ZIP
http://www.vsantivirus.com/duksten.htm

W32/BogusBear.A. A false protection against Bugbear
http://www.vsantivirus.com/bogusbear-a.htm

W32/Prestige (Predig). False photos of the "Prestige"
http://www.vsantivirus.com/prestige.htm
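Both posts above boil down to a handful of mail indicators: fixed subject lines, a few spoofed sender addresses, and attachment names (PRESTIGE.ZIP, SKUDO.EXE, ANTI_29A.EXE, PROTECT.ZIP) that either are executables or are ZIP files wrapping one. The following is an added example, not part of either post or of the VSantivirus bulletin, showing how a mail-gateway triage step could use exactly those indicators: it parses a raw message, compares subject, sender and attachment names against the lists taken from the posts, and opens ZIP attachments to see whether they carry an executable. The sample messages are constructed for the example; the sender of the Prestige mail, the names of the files inside the ZIPs, and the list of executable suffixes beyond .exe are assumptions, since the posts do not state them.

```python
"""Triage of inbound mail against the W32/Prestige and Duksten-family lures described in the thread."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators copied from the two posts above (compared case-insensitively).
SUBJECT_INDICATORS = {
    "fotos ineditas del prestige en el fondo del atlantico",
    "free anti-vir to protect you sircam trojan",
    "run this free anti-vir to protect you sircam trojan",
    "creative group of virus 29a",
    "ayudame, ayudate... ayudemonos! anti29a - skudo",
    "total protection against w32/bugbear (30dias)",
}
SENDER_INDICATORS = {
    "panda@pandasoft.com", "darknode@dejalo.com", "skudo@seguro.com",
    "grupo@anti29a.net", "boletin@viralert.net",
}
ATTACHMENT_INDICATORS = {
    "prestige.zip", "skudo.exe", "anti_29a.exe", "protect.zip", "m_prgrm.zip", "m_base64.xrf",
}
# Only .exe appears in the posts; the other suffixes are an assumption added for the example.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def zip_member_names(data: bytes) -> list[str]:
    """Return the member names of a ZIP archive, or [] if the bytes are not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return a verdict with the reasons behind it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    sender_addr = parseaddr(str(msg["from"] or ""))[1].lower()
    reasons, attachments = [], []

    if subject in SUBJECT_INDICATORS:
        reasons.append(f"subject matches known lure: {subject!r}")
    if sender_addr in SENDER_INDICATORS:
        reasons.append(f"sender matches known lure address: {sender_addr}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        attachments.append(name)
        lowered = name.lower()
        if lowered in ATTACHMENT_INDICATORS:
            reasons.append(f"attachment name on the indicator list: {name}")
        if lowered.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"executable attachment: {name}")
        if lowered.endswith(".zip"):
            # The Prestige/BogusBear lures hide the executable inside a ZIP, so look inside.
            members = zip_member_names(part.get_payload(decode=True) or b"")
            bad = [m for m in members if m.lower().endswith(EXECUTABLE_SUFFIXES)]
            if bad:
                reasons.append(f"ZIP attachment {name} carries executable member(s): {', '.join(bad)}")

    return {"verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons, "attachments": attachments}


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_message(sender: str, subject: str, body: str, att_name: str, att_bytes: bytes) -> bytes:
    """Construct a raw message with one attachment (sample input for the example)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    subtype = "zip" if att_name.lower().endswith(".zip") else "octet-stream"
    msg.add_attachment(att_bytes, maintype="application", subtype=subtype, filename=att_name)
    return msg.as_bytes()


# Constructed samples: subjects/sender/attachment names are from the posts; everything else is made up.
PRESTIGE_LURE = build_message('"Amigo" <amigo@example.invalid>',  # sender not given in the posts
                              "fotos INEDITAS del PRESTIGE en el fondo del Atlantico",
                              "Mira las fotos del Prestige.", "PRESTIGE.ZIP",
                              build_zip({"fotos.exe": b"MZ-constructed-placeholder"}))
BOGUSBEAR_LURE = build_message('"Alerta_RaPida" <boletin@viralert.net>',
                               "TOTAL protection against W32/Bugbear (30dias)",
                               "Install the protection.", "PROTECT.ZIP",
                               build_zip({"protect.exe": b"MZ-constructed-placeholder"}))
BENIGN_MAIL = build_message('"Colleague" <colleague@example.invalid>', "Q4 report",
                            "Attached as discussed.", "report.zip",
                            build_zip({"report.txt": b"plain numbers"}))

if __name__ == "__main__":
    for label, raw in (("prestige", PRESTIGE_LURE), ("bogusbear", BOGUSBEAR_LURE), ("benign", BENIGN_MAIL)):
        print(label, triage_message(raw))
```

The two lure messages are quarantined for several independent reasons (a known subject, a known sender, an indicator-listed attachment name, and a ZIP wrapping an executable), while the benign ZIP of a text file is delivered. The ZIP-contents check is the part that survives renaming of the lure: even a new variant with a fresh subject and attachment name would still be caught as "ZIP carrying an executable", which is the generic behaviour the whole family shares.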