Thursday, July 31, 2008

A letter viruses list and explanation

A letter viruses: Scroll down the page and choose the desired name:

A-204 (Jerusalem)

Jerusalem virus

Name: Jerusalem

Also known as: A-204, 1808(EXE), 1813(COM), ArabStar, BlackBox, BlackWindow, Friday13th, HebrewUniversity, Israeli, PLO, Russian

Type: File infector

Affects: PCs

Discovered: October 1, 1987
Note: the Jerusalem virus was originally thought to have originated in Israel as it was first discovered in a Hebrew university there. However, antivirus researchers received new evidence in 1991 that points to Italy as being the originating country.

Description: The Jerusalem virus is one of the older and certainly one of the more commonly known viruses. Several variants of Jerusalem exist, infecting both .EXE and .COM files found on the system. The first of the Jerusalem viruses contained a bug that caused it to re-infect already infected EXE files again and again, so the files grew with each infection until their sizes overwhelmed the computer's resources.

Jerusalem has a malicious payload that activates each Friday the 13th, deleting any programs run on that day. The virus causes a general slowdown of the computer thirty minutes after an infected program is run and also causes the screen to roll up two lines. Some minor variants of Jerusalem do not cause the screen anomaly, making their presence harder to detect by the naked eye.

A4F-Spoof and HOAX

AOL4Free Hoax

Description: The AOL4Free saga is part hoax, part reality. First, there is a Macintosh program named aol4free (note that it does not use the filename aol4free.com). Second, there is a hoax which claimed that aol4free.com deleted files on users' hard drives. Finally, there is a Trojan by the same name, which has been dubbed A4F-Spoof by the antivirus vendors to avoid confusion. (The assumption is that the hoax was a spin-off of the Mac program, and the Trojan a spin-off of the hoax.)

Example of hoax email:

Anyone who receives this must send it to as many people as you can. It is essential that this problem be reconciled as soon as possible.

A few hours ago, I opened an E-mail that had the subject heading of aol4free.com

Within seconds of opening it, a window appeared and began to display my files that were being deleted. I immediately shut down my computer, but it was too late. This virus wiped me out.

It ate the Anti-Virus Software that comes with the Windows '95 Program along with F-Prot AVS. Neither was able to detect it. Please be careful and send this to as many people as possible, so maybe this new virus can be eliminated.

Remember:
Hoaxes are a waste of both time and money. Please don't forward them on to others. And if you are tempted to forward something just in case, read the article Toxic Excuses instead.

A.I.D.S. HOAX

A.I.D.S Virus Hoax

Description: With its bad grammar and ALL CAPS, this alleged virus warning is a classic example of a hoax. The hoax urgently warns of a malicious virus that will "EAT AWAY AT YOUR MEMORY".

Example of hoax email:

THERE IS A VIRUS GOING AROUND CALLED THE A.I.D.S VIRUS. IT WILL ATTACH ITSELF INSIDE YOUR COMPUTER AND EAT AWAY AT YOUR MEMORY THIS MEMORY IS IRREPLACEABLE. THEN WHEN IT'S FINISHED WITH MEMORY IT INFECTS YOUR MOUSE OR POINTING DEVICE. THEN IT GOES TO YOUR KEY BOARD AND THE LETTERS YOU TYPE WILLNOT REGISTER ON SCREEN.

BEFORE IT SELF TERMINATES IT EATS 5MB OF HARD DRIVE SPACE AND WILL DELETE ALL PROGRAMS ON IT AND IT CAN SHUT DOWN ANY 8 BIT TO 16 BIT SOUND CARDS RENDERING YOUR SPEAKERS USELESS. IT WILL COME IN E-MAIL CALLED "OPEN:VERY COOL! :) DELETE IT RIGHT AWAY. THIS VIRUS WILL BASICLY RENDER YOUR COMPUTER USELESS. YOU MUST PASS THIS ON QUICKLY AND TO AS MANY PEOPLE AS POSSLE!!!!!

Anniv911 worm

11September.exe

Chet worm misleads in bid to infect

The day before the first anniversary of the September 11 tragedy, a new email worm exploiting the date made its debut. Dubbed W32/Anniv911 by its discoverers and W32/Chet by antivirus vendors, the Chet worm arrives in email with an attachment named '11september.exe ' (note the trailing space after the extension). Such a trailing space can slip past content filters and antivirus software that check the literal filename and are vulnerable to this trick.
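
A minimal attachment filter, added here as an illustration and not code from the original article or from any vendor named on it, shows why a trailing space defeats a check on the literal extension and how normalising the name the way Windows does (which silently drops trailing spaces and dots) closes the gap; the sample attachment names are the ones mentioned on this page, and the extension list is an assumption.

```python
import re

# Extensions the worms on this page arrive with, plus a few common executable
# types (assumed list for the example).
EXECUTABLE_EXTENSIONS = {"exe", "com", "vbs", "scr", "pif", "bat", "cmd", "js"}


def naive_is_executable(filename: str) -> bool:
    """Filter that trusts the literal filename: the extension of
    '11september.exe ' is 'exe ' (with a space), so it is not matched."""
    return filename.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTENSIONS


def normalize_attachment_name(filename: str) -> str:
    """Canonicalise the name the way it will be stored and launched.

    Windows drops trailing spaces and dots when a file is created, so
    '11september.exe ' ends up on disk as '11september.exe'. Internal
    whitespace runs are collapsed and the result is lower-cased so the
    extension comparison is case-insensitive."""
    name = filename.strip().rstrip(". ")      # trailing space / dot trick
    name = re.sub(r"\s+", " ", name)
    return name.lower()


def hardened_is_executable(filename: str) -> bool:
    """Same check as naive_is_executable, but on the normalised name."""
    name = normalize_attachment_name(filename)
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


# Constructed sample: attachment names taken from this page plus one benign name.
SAMPLE_ATTACHMENTS = [
    "11september.exe ",   # Chet worm: trailing space after the extension
    "readme.exe",         # APost worm
    "antraxinfo.vbs",     # VBS.VBSWG.AF (Antrax)
    "report.txt",         # benign attachment
]


def flagged(names, check):
    """Return the attachment names that the given check would block."""
    return [n for n in names if check(n)]


if __name__ == "__main__":
    print("naive   :", flagged(SAMPLE_ATTACHMENTS, naive_is_executable))
    print("hardened:", flagged(SAMPLE_ATTACHMENTS, hardened_is_executable))
```

The naive filter lets '11september.exe ' through while the hardened one blocks it; the same normalisation also catches trailing-dot variants and double extensions such as photo.jpg.exe.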

The worm message has the subject line 'All people!!' and contains the following text:

Dear ladies and gentlemen!
The given letter does not contain viruses, and is not Spam. We ask you to be in earnest to this letter. As you know America and England have begun bombardment of Iraq, cause of its threat for all the world. It isn't the truth. The real reason is in money laundering and also to cover up traces after acts of terrorism September, 11, 2001. Are real proofs of connection between Bush and Al-Qaeda necessary for you? Please! There is a friendly dialogue between Bin Laden and the secretary of a state security of USA in the given photos. In the following photo you'll see, how FBI discusses how to strike over New York to lose people as much as possible. And the document representing the super confidential agreement between CIA and Al-Qaeda is submitted to your attention. All this circus was specially played to powder brains!! You'll find out the truth. Naked truth, instead of TV showed.

For your convenience, and to make letter less, all documentary materials (photos and MS Word documents) are located in one EXE file. Open it, and all materials will be installed on your computer. You will receive the freshest and classified documents automatically from our site. It isn't a virus! You can trust us absolutely. We hope, that it will open your eyes on many things occurring in this world.

Of course, if you believe the claims in the text and open the supposedly 'virus-free' attachment, you will become infected with the W32/Anniv911 a.k.a. Chet worm and it will in turn send itself out from your machine in a bid to mislead and infect even more users.

The worm was first detected by MessageLabs, a managed service provider that specializes in email security, and reported to AVIEN and AVI-EWS, rapid information exchange groups designed to stem the flow of viruses.

Removing the Worm
Search for and delete the following files:

C:\BOOT.TXT
C:\WINDOWS\SYSTEM\SYNCHOST1.EXE

Locate the following Registry Key:

HKEY_CURRENT_USER

and delete the Value: DefaultLcid3="2"

Locate the following Registry Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run

and delete the Value: ICQ1="C:\WINDOWS\SYSTEM\synchost1.exe"

Risk Factor
Antivirus vendors began issuing updates to detect the Chet worm hours after it was discovered. Fortunately, due to a bug in the worm's code, it is unlikely to run properly and thus poses little risk of spread. However, attention should be paid to the social engineering aspect of the Chet worm message, as other virus writers might attempt to use similar messages to tempt users into opening their viral files. Email attachments received unexpectedly should be viewed with suspicion. MailDefense effectively and automatically removes potentially harmful attachments and content from email and is a good solution for those who are seeking an additional layer of protection between updates or simply wish to have enhanced protection for their email.

Anti

Anti virus

Name: Anti

Also known as:

Type: Macintosh application infector

Affects: System 6 Macintoshes running Finder

Discovered: In France

Description: According to reports from Bigelow's Virus Troubleshooting guide, authored by Ken Dunham, ANTI infects only applications and not the System file. Due to a bug in the virus, all the Code 1 resource attributes are cleared. This can result in an affected application using memory less effectively. This damage cannot be corrected by disinfection; ideally, affected files should be restored from a clean backup. There are two variants of the ANTI virus. ANTI.A renders ANTI.B inoperable.

AntiCMOS

AntiCMOS

Name: AntiCMOS

Also known as: Gaxelle, Lenart, LiXi

Type: Resident boot sector/MBR virus

Affects: PCs

Discovered: June 1994; Hong Kong

Description: Common boot sector virus affecting both hard drives and floppy disks. Spread by booting from infected floppy diskette. Diskettes used in the infected machine will likely become infected as well. Two variants: AntiCMOS.a and AntiCMOS.b.

AntiEXE

AntiEXE virus

Name: AntiEXE

Also known as: D3, NewBug, Anti-Exe, BootDr79, NC-Boot

Type: Stealth boot sector/MBR virus

Affects: PCs

Discovered: 1995

Description: Common boot sector virus affecting both hard drives and floppy disks. Spread by booting from an infected floppy diskette. Diskettes used in the infected machine will likely become infected as well. Uses stealth techniques to hide its presence in the boot sector. Tries to thwart standard behavior-blockers by redirecting the BIOS disk interrupt 13h to interrupt D3h instead.

Anthrax

Anthrax virus

PR needs vaccine against virus hype

As if there are not enough legitimate acts of terrorism in the world, public relations folks went into overdrive regarding a broken email-borne virus that should have been dubbed "the little virus that couldn't". Even worse, the crippled virus was originally dubbed VBS.Antrax by Panda Software. (Antrax is the Spanish word for Anthrax).

Though virus analyzers noted that VBS.VBSWG.AF, a.k.a. Antrax virus, intends "to send itself via MAPI email but fails due to bugs in the script", that wasn't enough to stop hyperactive public relations teams, who quickly issued a media release on the non-event. CNN then acted on the release and reported the information during their broadcast. Even Reuters picked up the story, claiming that once "the attachment is opened the worm spreads itself to everyone listed in the email address book." In reality, the file fails to attach itself to the outgoing email, and thus the worm self-destructs on its very first try.

"It is disappointing to see some of our competitors hyping up a virus like this, particularly in the current political climate," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Anti-virus companies should act responsibly when it comes to virus alerts. Sadly, on this occasion, it's possible that the only thing which will spread is greater confusion and panic amongst the public."

Just another worm
VBS.VBSWG.AF is just another VBS script virus. Like others, its intent is to spread via email. Unlike others, lame coding makes this impossible. The email, should you ever receive it (doubtful), carries the subject line "Antrax Info" and a body which reads:

si no sabes que es el antrax o cuales son sus efectos aquite mando una foto para que veas los efectos que tiene.

Nota:la foto esta un poco fuerte.

In English, this translates to:

If you don't know what antrax is or what the results of it are, please see the attached picture so that you can see the results that it has.

Note: the picture might be too strong.

The attached file is named "antraxinfo.vbs".

The virus also modifies the SCRIPT.INI file used with mIRC to facilitate spread via Internet Relay Chat.

AOL4FREE HOAX

AOL4Free Hoax: see the A4F-Spoof and HOAX entry above.

APost worm

Don't Read this Readme

The APost virus disguises itself as readme.exe

On September 3, 2001, Labor Day holiday in the U.S. and Canada, a new email virus began spreading. The virus, dubbed APost, sends itself as an attachment named Readme.exe. Legitimate Readme files are generally text only (carrying the .TXT extension and not the .EXE extension used by the virus). Readme files accompany nearly every software program distributed and serve to provide valuable installation, configuration, and compatibility information about that software. The new, viral readme.exe could cause confusion among those persons who do not have file extension viewing enabled. By default, Microsoft® has this feature turned off in Windows, likely causing many to be left unaware of the true nature of the file. The Attachments Center provides tips on turning this feature on.

Alex Shipp, Senior Anti-Virus Technologist for MessageLabs initially reported the virus and antivirus vendor Sophos quickly followed with an alert of their own. Analysis performed by Alexey Podrezov, virus researcher for F-Secure Corp indicates the APost virus arrives via an email with the following characteristics:

Subject: As per your request!

Body: Please find attached file for your review.
I look forward to hear from you again very soon. Thank you

Attachment: readme.exe

If the readme.exe file is opened, the worm displays the following message box:


Image provided courtesy of F-Secure

If the user clicks the Open button, a second message box is displayed:


Image provided courtesy of F-Secure

The worm copies itself to the root of all local and mapped drives and sends itself to all recipients listed in the Microsoft® Outlook address book. The Sent items folder, however, will not reflect the worm's emails as they are deleted automatically after sending.

Manual removal instructions
Edit the Registry to remove the 'macrosoft' subkey from the following key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Search the root of all local and network drives, as well as floppies, for the file README.EXE and delete it.

Locate and delete the file README.EXE from the Windows directory. If the file cannot be deleted, make the registry modification noted above, reboot the system, and then delete the file.

ArabStar

Jerusalem virus (alias ArabStar): see the A-204 (Jerusalem) entry above.

Ashar

Name: Brain Virus

Also known as: Ashar, (C)Brain, Clone, Nipper, Pakistani, PakistaniBrain

Type: Memory resident stealth boot sector infector

Affects: PCs

Discovered: January 1986

Description: The Brain virus is a memory resident stealth boot sector infector that changes the infected disk's volume label to "(c) brain" or "(c) ashar" depending on variant.

While no longer in the wild, Brain achieved notoriety for being the first known PC virus. It infected boot sectors and hooked INT 13h; while the virus was resident in memory, the infected boot sector appeared normal when read.

AutoStart Worm

AutoStart Worm

Name: AutoStart worm

Also known as:

Type: Macintosh application infector

Affects: PowerPC Macintoshes and compatibles, typically running QuickTime v2.0 with the "Enable CD-ROM AutoPlay" option enabled

Discovered: Hong Kong

Description: As with any worm, the AutoStart worm makes copies of itself, rather than infecting other files. According to reports from Bigelow's Virus Troubleshooting guide, authored by Ken Dunham, Autostart begins by copying itself to the root directory as an invisible QuickTime AutoStart application. It then copies itself to the Extensions folder. Data destruction occurs with A, B, E, and F variants. Variants C and D have no malicious payload, and in fact attempt to remove the other variants. Filenames are typically DB, BD, DELDB, Desktop Print Spooler, Desktop Printr Spooler, or DELDesktop Print Spooler. There exist similarly named files which are legitimate, so caution should be exercised if removing these files.

Avril

Avril, Lirva, Naith

A worm by any other name is still a worm

Language helps us to easily communicate with one another. By assigning names to people, places, and things, we are able to identify them to ourselves and others. Now imagine if common items were all assigned random names at the whim of whoever interacted with them. The name would then become meaningless inasmuch as it would provide no ready means of identification and little help to communication. That's exactly the current situation with viruses: each vendor assigns whatever name it sees fit. This free-for-all poses no benefit to users, who are then left to fend for themselves in determining what the virus is and whether they are protected from it. Such is again the case with the Avril, Lirva, Naith virus, a single email worm with a half-dozen names assigned to it. Both McAfee and Symantec have dubbed this threat W32/Lirva.a@MM. MessageLabs refers to it as W2/Naith.A-mm, Central Command as Worm/Avril.A, and Sophos as W32/Avril-A. F-Secure simply calls it Lirva. Believing simple is good, this article will also refer to the email worm as Lirva.

According to Gergely Erdelyi of F-Secure, Lirva is a password-stealing mass-mailing email worm that uses several different methods to spread. In addition to email, Lirva spreads via mIRC, ICQ, KaZaA, and open shares on Windows networked drives. As with previous threats, such as the equally schizophrenically named Yaha variants, Lirva disables antivirus and security applications installed on the infected system. Because newly spreading viruses are not detectable by signature-based scanners without a special update, this leaves users vulnerable not only to the infection, but also unable to obtain the updates needed for detection and disinfection. It also leaves the system vulnerable to further threats, because the software designed to protect the system no longer functions properly. This situation is worsened by the fact that Lirva (like the Yaha variants, Klez.H and others) takes advantage of an old vulnerability in Microsoft products that allows the worm to infect automatically when the email carrying the virus is read or even just previewed. The vulnerability affects unpatched versions of Microsoft's Internet Explorer 5.01 or 5.5 (and in many cases, IE 6.x), which can allow attachments to be executed automatically simply by reading, or in some cases previewing, the email message. Outlook and Outlook Express, and any other mail client that relies upon Internet Explorer to render HTML email messages, are vulnerable to this exploit. To ensure you are protected from this vulnerability and others, visit the Windows Update site and allow it to scan your system for necessary security patches.

Lirva harvests email addresses from files on the system ending with any of the following extensions: .DBX, .MBX, .WAB, .HTML, .EML, .HTM, .TBB, .SHTML, .NCH, and .IDX and sends itself to those addresses with email subject lines, message body, and attachment names which have been randomly selected from pre-defined lists in the worm's code.

The worm pays dubious homage to Canadian singer Avril Lavigne, causing the Internet Explorer browser to open to her website on the 7th, 11th, and 24th of each month. Lirva also displays a series of colorful ellipses on the desktop.

Detecting the Worm
Because Lirva copies itself as hidden system files with randomly generated names, identifying the files can be difficult. However, a registry key created by the worm provides an easy means to determine whether an infection has taken place. The key, HKEY_LOCAL_MACHINE\Software\HKLM\Software\OvG\Avril Lavigne, can be easily searched for by following the steps below.

Searching the Registry

Click Start
Click Run
Type REGEDIT and click OK
Click Edit | Find
Type Avril Lavigne
Click Find Next

or you can manually browse the registry to see if the key exists:
HKEY_LOCAL_MACHINE\Software\HKLM\Software\OvG\Avril Lavigne

Removing the Worm
Because antivirus software on the system is frequently disabled by this worm, the safest bet for proper detection and removal of Lirva is the use of an online scanner. Trend Micro's free online virus scanner Housecall is ideally suited for this purpose.
