Virus Alert! W32.Velkbot.A@mm - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+----- Thread: Virus Alert! W32.Velkbot.A@mm (/showthread.php?tid=43532)

Virus Alert! W32.Velkbot.A@mm by Dane on 04-24-2005 at 06:50 AM

Congratulations to Ddunk, who discovered this virus; it has been processed by Segosa and myself.

W32.Velkbot.A is a worm with back door capabilities that spreads through MSN Messenger, Yahoo Messenger and AOL Instant Messenger.

quote:
Originally posted by Symantec Security Response

When W32.Velkbot.A is executed, it performs the following actions:

Sends the following message to all the MSN Messenger, Yahoo Messenger and AOL Instant Messenger contacts on the compromised computer:

Title: rofl
Body: [domain removed]com/pictures.php /r [email address]

Notes:
If the recipient clicks on the above link, a copy of the worm is downloaded. This file is called [email address].
[email address] is an email address specified by the worm.

Copies itself as %System%\winmsg.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:

"Windows Messenger Messenger" = "winmsg.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

so that W32.Velkbot.A runs every time Windows starts.

Creates a mutex "hedlp32a" to ensure that only one instance of the worm is executed on the computer.

Disables the functionality of the following programs:

Task Manager
Registry Editor

Connects to an IRC server on the afil.canadiangov.info domain and waits for commands from a remote attacker. The remote attacker can perform any of the following actions:

Steals system information
Steals network information
Logs keystrokes
Sends IM messages
Downloads a file from the internet and executes it


Download: W32.Velkbot.A Removal Tool Developed by Messenger Plus! Zone

Download: Symantec RapidRelease Beta Definitions (Covers this threat)
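
Added example, not part of the thread and not Dane's removal tool or Symantec's writeup: a read-only PowerShell audit that checks a host for the indicators the quoted writeup lists (the %System%\winmsg.exe copy, the "Windows Messenger Messenger" = "winmsg.exe" autostart value in the six listed subkeys, and the "hedlp32a" mutex). Two things are assumptions rather than page content: the writeup does not say which namespace the mutex lives in, so both the plain and Global\ names are tried, and it does not say how Task Manager and Registry Editor are disabled, so the standard Policies\System values DisableTaskMgr and DisableRegistryTools are checked as the likely mechanism. The script reports and changes nothing.

```powershell
# Added example, not from the thread or Symantec's writeup: read-only audit for the
# W32.Velkbot.A indicators quoted above. It reports findings and changes nothing.

$valueName = 'Windows Messenger Messenger'   # registry value name from the writeup
$valueData = 'winmsg.exe'                    # value data from the writeup
$mutexName = 'hedlp32a'                      # mutex name from the writeup

# The subkeys the writeup says the value is added to (PowerShell HKLM:/HKCU: notation)
$subkeys = @(
    'HKLM:\Software\Microsoft\Ole'
    'HKLM:\SYSTEM\ControlSet001\Control\Lsa'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Find-VelkbotIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped copy: %System%\winmsg.exe
    $dropPath = Join-Path ([Environment]::GetFolderPath('System')) 'winmsg.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $findings.Add("File present: $dropPath")
    }

    # 2. Autostart value in each listed subkey. With -ErrorAction SilentlyContinue,
    #    Get-ItemProperty -Name returns $null when the value is absent.
    foreach ($key in $subkeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $entry = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $entry -and ([string]$entry.$valueName) -like "*$valueData*") {
            $findings.Add("Registry: $key\$valueName = $($entry.$valueName)")
        }
    }

    # 3. Mutex held by a running instance. TryOpenExisting succeeds only if the
    #    mutex exists. The writeup gives no namespace, so the session-local name
    #    and the Global\ form are both tried (assumption).
    foreach ($name in @($mutexName, "Global\$mutexName")) {
        $m = $null
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $findings.Add("Mutex '$name' exists: a worm instance is probably running")
            $m.Dispose()
        }
    }

    # 4. Task Manager / Registry Editor disabled. The writeup does not say how the
    #    worm does this; the standard Policies\System values are checked here as an
    #    assumption about the likely mechanism.
    $polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($pol in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = (Get-ItemProperty -LiteralPath $polKey -Name $pol -ErrorAction SilentlyContinue).$pol
        if ($v -eq 1) { $findings.Add("Policy: $polKey\$pol = 1") }
    }

    # Comma keeps the list intact instead of unrolling it on return
    return ,$findings
}

$result = Find-VelkbotIndicators
if ($result.Count -eq 0) { 'No W32.Velkbot.A indicators found.' } else { $result }
```

Run it from an elevated prompt so the HKLM subkeys and the System folder are readable; a hit on the registry or file checks is a strong indicator, while the policy check alone only says that the tools are disabled, not who disabled them.
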

RE: Virus Alert! W32.Velkbot.A@mm by -rafy- on 04-24-2005 at 07:02 AM

as long as dumb people continue to open any old link somebody sends them -_-


RE: Virus Alert! W32.Velkbot.A@mm by TheGeek on 04-24-2005 at 07:06 AM

Messages that contain ".pif" are blocked, the contact doesn't receive the message...


RE: Virus Alert! W32.Velkbot.A@mm by Dane on 04-24-2005 at 07:12 AM

quote:
Originally posted by Damo.W
I'm safe :P
I accidentally clicked on a link, but I didn't accept the file inside :P

Is it just me, or are the .pif things disappearing and these URLs appearing?
These are the "new breed". New users think that they need to download their email addy and are WAY more likely to execute it.

I penetrated the IRC server earlier and pissed off the controller a bit, he started DoSing me :P.

RE: Virus Alert! W32.Velkbot.A@mm by ddunk on 04-24-2005 at 07:19 AM

It (the author) changes every time; most of these are just minuscule changes of the previous version (like the IRC server to connect to).


RE: Virus Alert! W32.Velkbot.A@mm by Fergy on 04-24-2005 at 07:20 AM

who knows? it could be one person making a batch, or a whole lot of copycat coders


RE: Virus Alert! W32.Velkbot.A@mm by Dane on 04-24-2005 at 11:01 AM

quote:
Originally posted by Fergy
who knows? it could be one person making a batch, or a whole lot of copycat coders
There are cases (lots of them) where virus writers will share their code and then other virus writers will modify it (thus making different "variants"). It's probably just that, based on what I've seen.

RE: Virus Alert! W32.Velkbot.A@mm by M73A on 04-24-2005 at 11:41 AM

MORE VIRUSES:@ thanks for the information...disables regedit:| urgh these are really starting to piss me off


RE: Virus Alert! W32.Velkbot.A@mm by Dane on 04-24-2005 at 10:13 PM

quote:
Originally posted by categan
May I check with you guys? After the last update, my computer hung and restarted. From that time onwards, I couldn't use MSN. It prompted me to redownload my MSN. So I removed it from my Control Panel. Now I tried to redownload it; it downloaded halfway before it prompted me "cannot create directory". So what should I do to redownload my MSN?
Erm, you need to create a new thread for that problem. It's not even on the same subject as this thread.

quote:
Originally posted by may73alliance
MORE VIRUSES:@ thanks for the information...disables regedit:| urgh these are really starting to piss me off
According to Symantec, deleting the files will re-enable "Regedit". I've added an extra measure in my removal tool to make sure that Task Manager is at least available; I haven't confirmed nor denied any reports of Regedit remaining broken.