
Virus Alert! W32.Velkbot.A@mm
Author: Dane
Congratulations to Ddunk, who discovered this virus; it has been processed by Segosa and myself.

W32.Velkbot.A is a worm with back door capabilities that spreads through MSN Messenger, Yahoo Messenger and AOL Instant Messenger.

quote:
Originally posted by Symantec Security Response

When W32.Velkbot.A is executed, it performs the following actions:

1. Sends the following message to all the MSN Messenger, Yahoo Messenger and AOL Instant Messenger contacts on the compromised computer:

   Title: rofl
   Body: [domain removed]com/pictures.php /r [email address]

   Notes:
   - If the recipient clicks on the above link, a copy of the worm is downloaded. This file is called [email address].
   - [email address] is an email address specified by the worm.

2. Copies itself as %System%\winmsg.exe.

   Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

3. Adds the value:

   "Windows Messenger Messenger" = "winmsg.exe"

   to the registry subkeys:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

   so that W32.Velkbot.A runs every time Windows starts.

4. Creates a mutex "hedlp32a" to ensure that only one instance of the worm is executed on the computer.

5. Disables the functionality of the following programs:

   - Taskmanager
   - Registry editor

6. Connects to an IRC server on the afil.canadiangov.info domain and waits for commands from a remote attacker. The remote attacker can perform any of the following actions:

   - Steals system information
   - Steals network information
   - Logs keystrokes
   - Sends IM message
   - Downloads a file from internet and executes it


Download: W32.Velkbot.A Removal Tool Developed by Messenger Plus! Zone

Download: Symantec RapidRelease Beta Definitions (Covers this threat)
04-24-2005 06:50 AM
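Added example, not part of Dane's post or the Symantec write-up: one way to check a registry export for the autorun value described above. It assumes the input is the text of a regedit-style .reg export that has already been decoded to a string (regedit writes UTF-16); the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the Symantec write-up quoted in the post.
VALUE_NAME = "windows messenger messenger"
VALUE_DATA = "winmsg.exe"
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
)}
# .reg string value: "name"="data", with \\ and \" escaped inside the quotes.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, name, data) for each autorun entry matching the write-up."""
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header = current key path
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None or key.lower() not in AUTORUN_KEYS:
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        # Names are case-insensitive; compare only the file name of the data.
        exe = data.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() == VALUE_NAME and exe == VALUE_DATA:
            hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from an infected machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Windows Messenger Messenger"="winmsg.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"windows messenger messenger"="C:\\WINDOWS\\system32\\winmsg.exe"
'''
```

Calling scan_reg_export(SAMPLE) returns the two matching entries. A hit only shows that the autorun value is present; the file %System%\winmsg.exe and the "hedlp32a" mutex named in the write-up need separate checks.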
