
02-06-04 - Worm/Rbot.94208

Risk: Low
  Alias: Win32.Rbot
  Type: Internet Worm
  Size: 94.208KB
  Platform: Microsoft Windows 9x/ME/NT/2000/XP

  Description: Worm/Rbot.94208 is an Internet worm that spreads through the use of the mIRC network.

If executed, the worm copies itself to the \windows\%system% directory under the filename "wserv32.exe". The file "wserv32.exet" is deleted from the directory (location) it is run in. Additionally, the following files are created:

- C:\winerror.html (1,043 bytes)

- C:\Documents and Settings\Makrorechner\Local Settings\Temporary Internet Files\Content.IE5\2NO7YJID\danjef[1].html (3,465 bytes)

- C:\Documents and Settings\Makrorechner\Local Settings\Temporary Internet Files\Content.IE5\QDGV23AF\mtrslib2[1].js (9,361 bytes)

- C:\Documents and Settings\Makrorechner\Local Settings\Temporary Internet Files\Content.IE5\2NO7YJID\init[1].js (835 bytes)

- C:\Documents and Settings\Makrorechner\Local Settings\Temporary Internet Files\Content.IE5\AHQTSRUX\memberembedded[1].js (9,404 bytes)

- C:\Documents and Settings\Makrorechner\Local Settings\Temporary Internet Files\Content.IE5\QDGV23AF\catman[1].js (16,058 bytes)

- C:\Documents and Settings\Makrorechner\Local Settings\Temporary Internet Files\Content.IE5\QDGV23AF\show_ads[2].js (5,676 bytes)

- C:\Documents and Settings\Makrorechner\Application Data\inos.exe (memory resident, 56,840 bytes)

- C:\WINDOWS\System32\mt-uninstaller.exe (52,161 bytes)

- C:\DOCUME~1\MAKROR~1\LOCALS~1\Temp\ps_install-mt.exe (48,128 bytes)

- C:\WINDOWS\System32\wnsapicc.exe (56,576 bytes)

So that it runs each time the user restarts the computer, the following registry entries are added:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Update"="wserv32.exe"

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft Update"="wserv32.exe"
"Ccum"="C:\\Documents and Settings\\Makrorechner\\Application Data\\inos.exe"
"WNST"="C:\\WINDOWS\\System32\\wnsapicc.exe"

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Microsoft Update"="wserv32.exe"

Worm/Rbot will attempt to connect to the remote IRC server 139-4.84.64.master-link.com:6667 and join a predefined channel. Internet Explorer will be opened to: h_ttp://www.angelfire.com/ut2//kk/danjef.html
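
The autorun entries listed above can be checked for in a registry export. The following Python sketch is an added example, not part of the original bulletin: it scans .reg-format text (assumed already decoded to a string) for the file names and value name given in the description. The sample export, the "SoundMan" entry and the user name "user" are constructed.

```python
import ntpath
import re

# File names and the autorun value name are the ones listed in the description.
WORM_FILES = {"wserv32.exe", "inos.exe", "wnsapicc.exe"}
WORM_VALUE_NAME = "microsoft update"
AUTORUN_KEYS = (r"\microsoft\windows\currentversion\run",
                r"\microsoft\windows\currentversion\runservices")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; "SoundMan" is a made-up benign entry, "user" a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="wserv32.exe"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WNST"="C:\\WINDOWS\\System32\\wnsapicc.exe"
"Ccum"="C:\\Documents and Settings\\user\\Application Data\\inos.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="wserv32.exe"
'''

def unescape(s):
    # String data in a .reg file escapes backslash and quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, value name, data, reason) for each suspicious autorun entry."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(AUTORUN_KEYS):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        path = data[1:].split('"', 1)[0] if data.startswith('"') else data
        if ntpath.basename(path).lower() in WORM_FILES:
            hits.append((key, name, data, "worm file name"))
        elif name.lower() == WORM_VALUE_NAME:
            # Assumption: a renamed copy may keep the value name; review manually.
            hits.append((key, name, data, "worm value name, other target"))
    return hits
```
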
  Advice:
     
  Useful links: http://punto-informatico.it/salvapc/index.asp
    http://www.centralcommand.com/virus_descriptions.html





INFOWEB 2000, Via XXIV Maggio 10, 20030 Bovisio Masciago (MI)
Tel. 0362.593888, Fax 0362.571270, info@infoweb2000.com