What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Skype & Technology » Skype & Live Messenger » Virus Alert! W32.Velkbot.A@mm

Virus Alert! W32.Velkbot.A@mm
Author: Message:
Dane
Non-Elite Member
*****

Avatar
Dont ask to ask, just ASK!

Posts: 1621
Reputation: 52
35 / Male / Flag
Joined: Dec 2002
Status: Away
O.P. Wink  Virus Alert! W32.Velkbot.A@mm
Congratulations to Ddunk who discovered this Virus; It has been processed by Segosa and myself.

W32.Velkbot.A is a worm with back door capabilities that spreads through MSN Messenger, Yahoo Messenger and AOL Instant Messenger.

quote:
Originally posted by Symantec Security Response

When W32.Velkbot.A is executed, it performs the following actions:


Sends the following message to all the MSN Messenger, Yahoo Messenger and AOL Instant Messenger contacts on the compromised computer:

Title: rofl
Body: [domain removed]com/pictures.php /r [email address]

Notes:
If the recipient clicks on the above link, a copy of the worm is downloaded. This file is called [email address].
[email address] is an email address specified by the worm.


Copies itself as %System%\winmsg.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Windows Messenger Messenger" = "winmsg.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

so that W32.Velkbot.A runs every time Windows starts.


Creates a mutex "hedlp32a" to ensure that only one instance of the worm is executed on the computer.


Disables the functionality of the following programs:


Taskmanager
Registry editor


Connects to an IRC server on the afil.canadiangov.info domain and waits for commands from a remote attacker. The remote attacker can perform any of the following actions:


Steals system information
Steals network information
Logs keystrokes
Sends IM message
Downloads a file from internet and executes it


Download: W32.Velkbot.A Removal Tool Developed by Messenger Plus! Zone

Download: Symantec RapidRelease Beta Definitions (Covers this threat)
04-24-2005 06:50 AM
Profile PM Web Find Quote Report
-rafy-
Full Member
***

Avatar
...

Posts: 355
Reputation: 10
37 / Male / –
Joined: Apr 2005
RE: Virus Alert! W32.Velkbot.A@mm
as long as dumb people continue to open any old link somebody sends them -_-
Rafy.

04-24-2005 07:02 AM
Profile E-Mail PM Find Quote Report
TheGeek
Full Member
***

Avatar
Excuse my geekyness.

Posts: 179
Reputation: 15
34 / Male / –
Joined: Feb 2005
RE: Virus Alert! W32.Velkbot.A@mm
Messages that contain ".pif" are blocked, the contact doesn't receive the message...
[Image: 468x60banner.png]
04-24-2005 07:06 AM
Profile E-Mail PM Web Find Quote Report
Dane
Non-Elite Member
*****

Avatar
Dont ask to ask, just ASK!

Posts: 1621
Reputation: 52
35 / Male / Flag
Joined: Dec 2002
Status: Away
O.P. RE: Virus Alert! W32.Velkbot.A@mm
quote:
Originally posted by Damo.W
im safe:P
i accidentally clicked on a link, but i didnt accept the file inside:P

is it just me or are the .pif things dissapearing these URL's appearing
These are the "New breed", New users think that they need to download there email addy and are WAY more likely to execute it.

I penetrated the IRC server earlier and pissed off the controller a bit, he started DoSing me :P.
04-24-2005 07:12 AM
Profile PM Web Find Quote Report
ddunk
Veteran Member
*****

Avatar

Posts: 1228
Reputation: 51
35 / Male / Flag
Joined: Mar 2004
RE: Virus Alert! W32.Velkbot.A@mm
It (the author) changes everytime, most of these are just miniscule changes of the previous version (like the irc server to connect to).

This post was edited on 04-24-2005 at 07:21 AM by ddunk.
04-24-2005 07:19 AM
Profile E-Mail PM Web Find Quote Report
Fergy
Full Member
***

Avatar

Posts: 164
Reputation: 7
36 / Male / Flag
Joined: Nov 2004
RE: Virus Alert! W32.Velkbot.A@mm
who knows? it could be one person making a batch, or a whole lot of copycat coders
I should change my sig ay?
04-24-2005 07:20 AM
Profile E-Mail PM Find Quote Report
Dane
Non-Elite Member
*****

Avatar
Dont ask to ask, just ASK!

Posts: 1621
Reputation: 52
35 / Male / Flag
Joined: Dec 2002
Status: Away
O.P. RE: Virus Alert! W32.Velkbot.A@mm
quote:
Originally posted by Fergy
who knows? it could be one person making a batch, or a whole lot of copycat coders
There are cases (lots of them) where virus writers will share there code and then other virus writers will modify it (thus, making different "Variants").  Its probably just that, based on what i've seen.
04-24-2005 11:01 AM
Profile PM Web Find Quote Report
M73A
Veteran Member
*****

Avatar


Posts: 3213
Reputation: 37
34 / Male / Flag
Joined: Jul 2004
RE: Virus Alert! W32.Velkbot.A@mm
MORE VIRUSES:@ thanks for the information...disables regedit:| urgh these are really starting to piss me off

[Image: lost7ru.gif]
04-24-2005 11:41 AM
Profile E-Mail PM Find Quote Report
Dane
Non-Elite Member
*****

Avatar
Dont ask to ask, just ASK!

Posts: 1621
Reputation: 52
35 / Male / Flag
Joined: Dec 2002
Status: Away
O.P. RE: Virus Alert! W32.Velkbot.A@mm
quote:
Originally posted by categan
May i check with u guys? after the last update,my computer hang and restart. From that time onwards,i couldn't use msn. It prompt me to redownload my msn. So i remove from my control panel. Now i tried to redownload it,it download halfway before it prompt me "cannot create directory". So what should i do to redownload my msn?
Erm, You need to create a new thread for that problem.  Its not even on the same subject as this thread.

quote:
Originally posted by may73alliance
MORE VIRUSES:@ thanks for the information...disables regedit:| urgh these are really starting to piss me off
According to Symantec, deleting the files will re-enable "Regedit".  I've added an extra measure in my removal tool to make sure that task manager is atleast available, havent confirmed nor denied any reports of Regedit remaining broken.
04-24-2005 10:13 PM
Profile PM Web Find Quote Report
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts
HTML is Off
myCode is On
Smilies are On
[img] Code is On