Virus Alert! W32.Velkbot.A@mm
Dane
Non-Elite Member
Dont ask to ask, just ASK!
Posts: 1621 Reputation: 52
Joined: Dec 2002
Status: Away
O.P. Virus Alert! W32.Velkbot.A@mm
Congratulations to Ddunk, who discovered this virus; it has been processed by Segosa and myself.
W32.Velkbot.A is a worm with back door capabilities that spreads through MSN Messenger, Yahoo Messenger and AOL Instant Messenger.
quote: Originally posted by Symantec Security Response
When W32.Velkbot.A is executed, it performs the following actions:
Sends the following message to all the MSN Messenger, Yahoo Messenger and AOL Instant Messenger contacts on the compromised computer:
Title: rofl
Body: [domain removed]com/pictures.php /r [email address]
Notes:
If the recipient clicks on the above link, a copy of the worm is downloaded. This file is called [email address].
[email address] is an email address specified by the worm.
Copies itself as %System%\winmsg.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"Windows Messenger Messenger" = "winmsg.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
so that W32.Velkbot.A runs every time Windows starts.
Creates a mutex "hedlp32a" to ensure that only one instance of the worm is executed on the computer.
Disables the functionality of the following programs:
Taskmanager
Registry editor
Connects to an IRC server on the afil.canadiangov.info domain and waits for commands from a remote attacker. The remote attacker can perform any of the following actions:
Steals system information
Steals network information
Logs keystrokes
Sends IM message
Downloads a file from internet and executes it
Download: W32.Velkbot.A Removal Tool Developed by Messenger Plus! Zone
Download: Symantec RapidRelease Beta Definitions (Covers this threat)
04-24-2005 06:50 AM
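As an added example (not part of the thread, not Dane's removal tool, and not anything from Symantec), here is a read-only PowerShell triage script that checks a Windows host for the indicators in the quoted write-up: the dropped file %System%\winmsg.exe, the "Windows Messenger Messenger" = "winmsg.exe" value under the six listed subkeys, and the hedlp32a mutex. It reports and removes nothing. The write-up says Task Manager and Regedit are disabled but not how; the DisableTaskMgr / DisableRegistryTools policy check at the end is an assumption about the usual mechanism, not something the write-up states.

```powershell
# Added triage example; the indicator names below are taken from the Symantec
# write-up quoted in the thread. Read-only: nothing is deleted or changed.
# Run from an elevated prompt so HKLM and the system folder are readable.

$ValueName = 'Windows Messenger Messenger'   # registry value name from the write-up
$ValueData = 'winmsg.exe'                    # registry value data / dropped file name
$MutexName = 'hedlp32a'                      # single-instance mutex from the write-up

# Subkeys the write-up says the worm adds the value to.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Ole',
    'HKLM:\SYSTEM\ControlSet001\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

$Findings = @()

# 1. Dropped file. [Environment]::SystemDirectory resolves %System% for the
#    running Windows version (System32 on NT-based systems).
$DroppedFile = Join-Path ([Environment]::SystemDirectory) $ValueData
if (Test-Path -LiteralPath $DroppedFile) {
    $Findings += "File present: $DroppedFile"
}

# 2. Persistence values. With -ErrorAction SilentlyContinue, Get-ItemProperty
#    returns $null when the key or the value is absent instead of throwing.
foreach ($Key in $RunKeys) {
    $Item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $Item) {
        $Data = $Item.$ValueName
        $Findings += "Registry value '$ValueName' = '$Data' under $Key"
    }
}

# 3. Running instance. OpenExisting throws WaitHandleCannotBeOpenedException
#    when no process in this session holds a mutex with that name (a name
#    without a Global\ prefix is per-session, so run this in the user's session).
try {
    $Mutex = [System.Threading.Mutex]::OpenExisting($MutexName)
    $Mutex.Dispose()
    $Findings += "Mutex '$MutexName' exists (a worm instance is probably running)"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: nothing to report.
} catch [System.UnauthorizedAccessException] {
    $Findings += "Mutex '$MutexName' exists but is not accessible (a worm instance is probably running)"
}

# 4. Disabled tools. ASSUMPTION: the write-up does not say how Task Manager and
#    Regedit are disabled; the usual mechanism is these two policy values.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($Policy in 'DisableTaskMgr', 'DisableRegistryTools') {
    $Item = Get-ItemProperty -Path $PolicyKey -Name $Policy -ErrorAction SilentlyContinue
    if ($null -ne $Item -and $Item.$Policy -eq 1) {
        $Findings += "Policy value $Policy = 1 under $PolicyKey (assumed mechanism for the disabled tool)"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No W32.Velkbot.A artifacts found.'
} else {
    Write-Output 'Possible W32.Velkbot.A artifacts:'
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on the mutex or the file means the worm is still resident, so the registry values will simply be re-created if they are deleted first; kill the process before cleaning up, and confirm afterwards that the policy values above are gone before assuming Task Manager and Regedit work again.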
-rafy-
Full Member
...
Posts: 355 Reputation: 10
Joined: Apr 2005
RE: Virus Alert! W32.Velkbot.A@mm
As long as dumb people continue to open any old link somebody sends them -_-
04-24-2005 07:02 AM
TheGeek
Full Member
Excuse my geekyness.
Posts: 179 Reputation: 15
Joined: Feb 2005
RE: Virus Alert! W32.Velkbot.A@mm
Messages that contain ".pif" are blocked, the contact doesn't receive the message...
04-24-2005 07:06 AM
Dane
Non-Elite Member
Dont ask to ask, just ASK!
Posts: 1621 Reputation: 52
Joined: Dec 2002
Status: Away
O.P. RE: Virus Alert! W32.Velkbot.A@mm
quote: Originally posted by Damo.W
I'm safe.
I accidentally clicked on a link, but I didn't accept the file inside.
Is it just me, or are the .pif things disappearing and these URLs appearing?
These are the "new breed". New users think that they need to download their email addy and are WAY more likely to execute it.
I penetrated the IRC server earlier and pissed off the controller a bit; he started DoSing me.
04-24-2005 07:12 AM
ddunk
Veteran Member
Posts: 1228 Reputation: 51
Joined: Mar 2004
RE: Virus Alert! W32.Velkbot.A@mm
It (the author) changes every time; most of these are just minuscule changes of the previous version (like the IRC server to connect to).
This post was edited on 04-24-2005 at 07:21 AM by ddunk.
04-24-2005 07:19 AM
Fergy
Full Member
Posts: 164 Reputation: 7
Joined: Nov 2004
RE: Virus Alert! W32.Velkbot.A@mm
Who knows? It could be one person making a batch, or a whole lot of copycat coders.
I should change my sig ay?
04-24-2005 07:20 AM
Dane
Non-Elite Member
Dont ask to ask, just ASK!
Posts: 1621 Reputation: 52
Joined: Dec 2002
Status: Away
O.P. RE: Virus Alert! W32.Velkbot.A@mm
quote: Originally posted by Fergy
Who knows? It could be one person making a batch, or a whole lot of copycat coders.
There are cases (lots of them) where virus writers will share their code and then other virus writers will modify it (thus making different "variants"). It's probably just that, based on what I've seen.
04-24-2005 11:01 AM
M73A
Veteran Member
Posts: 3213 Reputation: 37
Joined: Jul 2004
RE: Virus Alert! W32.Velkbot.A@mm
MORE VIRUSES. Thanks for the information... disables regedit, urgh, these are really starting to piss me off.
04-24-2005 11:41 AM
Dane
Non-Elite Member
Dont ask to ask, just ASK!
Posts: 1621 Reputation: 52
Joined: Dec 2002
Status: Away
O.P. RE: Virus Alert! W32.Velkbot.A@mm
quote: Originally posted by categan
May I check with you guys? After the last update, my computer hung and restarted. From that time onwards, I couldn't use MSN. It prompted me to redownload my MSN. So I removed it from my Control Panel. Now I tried to redownload it; it downloaded halfway before it prompted me "cannot create directory". So what should I do to redownload my MSN?
Erm, you need to create a new thread for that problem. It's not even on the same subject as this thread.
quote: Originally posted by may73alliance
MORE VIRUSES. Thanks for the information... disables regedit, urgh, these are really starting to piss me off.
According to Symantec, deleting the files will re-enable "Regedit". I've added an extra measure in my removal tool to make sure that Task Manager is at least available; I haven't confirmed nor denied any reports of Regedit remaining broken.
04-24-2005 10:13 PM