Infoweb 2000 di Ribaudo Grazia - Virus bulletin

09-08-04 - Worm/Bagle.AQ

LOW
  Alias: W32.Bagle.AC@mm
  Type: Internet Worm
  Size: 19,460 bytes
  Platform: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

  Description: Worm/Bagle.AQ is an Internet worm that spreads through e-mail by using addresses it collects from files with the following file extensions:

- .adb
- .asp
- .cfg
- .cgi
- .dbx
- .dhtm
- .eml
- .htm
- .jsp
- .mbx
- .mdx
- .mht
- .mmf
- .msg
- .nch
- .ods
- .oft
- .php
- .pl
- .sht
- .shtm
- .stm
- .tbb
- .txt
- .uin
- .wab
- .wsh
- .xls
- .xml

It avoids sending emails to addresses containing one of the following strings:

- @avp.
- @foo
- @iana
- @messagelab
- @microsoft
- abuse
- admin
- anyone@
- bsd
- bugs@
- cafee
- certific
- contract@
- feste
- free-av
- f-secur
- gold-certs@
- google
- help@
- icrosoft
- info@
- kasp
- linux
- listserv
- local
- news
- nobody@
- noone@
- noreply
- ntivi
- panda
- pgp
- postmaster@
- rating@
- root@
- samples
- sopho
- spam
- support
- unix
- update
- winrar
- winzip

E-mails sent by the worm have the following characteristics:

Subject:
Body:
new price

Attachment:
- 08_price.zip
- new__price.zip
- new_price.zip
- newprice.zip
- price.zip
- price2.zip
- price_08.zip
- price_new.zip
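
As an added illustration (not part of the original bulletin and not any vendor's code), the following Python sketch scores a raw message against the body text and attachment names listed above. The scoring weights, function names and sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names and body text exactly as listed in the bulletin above.
BAGLE_AQ_ATTACHMENTS = {
    "08_price.zip", "new__price.zip", "new_price.zip", "newprice.zip",
    "price.zip", "price2.zip", "price_08.zip", "price_new.zip",
}
BAGLE_AQ_BODY = "new price"


def score_message(raw_bytes):
    """Score one raw message: +2 listed attachment name, +1 matching body."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    score, reasons = 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        name = part.get_filename()
        if name:
            # Case-insensitive match on the declared attachment file name.
            base = name.strip().lower()
            if base in BAGLE_AQ_ATTACHMENTS:
                score += 2
                reasons.append("attachment:" + base)
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip().lower() == BAGLE_AQ_BODY:
                score += 1
                reasons.append("body:" + BAGLE_AQ_BODY)
    return score, reasons


def build_sample(body, attachment_name=None):
    """Build a constructed test message (addresses and payload are made up)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="zip", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for body, att in [("new price", "New_Price.ZIP"),
                      ("Minutes attached.", "minutes.zip"),
                      ("new price", None)]:
        print(att, score_message(build_sample(body, att)))
```

A message that matches on both body and attachment name scores 3; a name match alone is the stronger signal, since the two-word body can occur in legitimate mail.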

If executed, the worm copies itself into the \windows\%system% directory under the filenames "windirect.exe" and "_dll.exe".

Worm/Bagle.AQ can spread over file-sharing applications and over networks by copying itself under the following filenames into any directory it locates that has the letter string "SHAR" in it:

- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, orally, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0
- Kaspersky anti-virus 5.0
- Porno pics arhive, xxx.exe
- Windows SOURCE code update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn beta Leak.exe
- Opera 8 New!.exe
- XXX hard core images.exe
- WinAmp 6 New!.exe
- WinAmp 5 pro key gene Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 revolution English Subtitles.exe
- ACDSee 9.exe

So that it runs each time the user restarts the computer, the following registry key is added:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"erthgdr" = "%SystemDIR%\windll.exe"

The worm checks the following Windows registry keys and, if any of the entries listed below them are present, deletes those entries:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

- "My AV"
- "zone lab Client ex"
- "9XHtProtect"
- "anti-virus"
- "Special Firewall service"
- "service"
- "Tiny AV"
- "ICQNet"
- "HtProtect"
- "NetDy"
- "Jammer2nd"
- "FirewallSvr"
- "MsInfo"
- "SysMonXP"
- "EasyAV"
- "PandaAVEngine"
- "Norton anti-virus AV"
- "KasperskyAVEng"
- "SkynetsRevenge"
- "ICQ Net"
  Useful links: http://punto-informatico.it/salvapc/index.asp
    http://www.centralcommand.com/virus_descriptions.html




