tacitus
08-28-2003, 12:42 PM
I don't think this has been posted before.
I received an email from 'security@microsoft.com' regarding this program.
[ QUOTE ]
From: "Microsoft" <security@microsoft.com>
To: <tacitus@iGlide.net>
Date: Thu, 28 Aug 2003 11:20:29 -0600
Subject: Use this patch immediately !
--------------------------------------------------------------------------------
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
patch.exe (Binary attachment)
[/ QUOTE ]
Naturally I did not open this file, and did a Google search and found this information.
*********************************************************
NEW THREAT-patch.exe posted Mon, August 18, 2003 (http://www.bbnp.com/shownewsarticle.php?ver=&newsID=35&location=BBnPAnnouncements)
A new virus, posing as an email from Microsoft, offers an attachment named patch.exe---DO NOT OPEN THE ATTACHMENT.
Do not open this message appearing to be from Microsoft offering a patch.
It is a new virus.
W32.Dumaru@mm is a mass-mailing worm that drops an IRC Trojan onto the infected machine. The worm gathers email addresses from certain file types and uses its own SMTP engine to email itself.
**************************************
The email has the following characteristics:
From: "Microsoft"
Subject: Use this patch immediately !
Message:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment: patch.exe
****************************************
If you open the attachment, YOU WILL BE INFECTED with this new virus. Installing the patch for the blaster worm will not protect you from this virus!
Update any antivirus software and do not open attachments ending with .exe. These are executable files designed to execute a program or command on your computer. Some are harmless, but don't take the chance.
*******************************************************
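The characteristics above (a spoofed Microsoft sender, an urgent "patch" subject and an executable attachment) are exactly what a mail gateway can key on. The following triage rule is an added example, not code from the forum post, BBnP or Microsoft; it uses only Python's standard email package, and the sample message is constructed to match the post (the recipient address and the attachment bytes are placeholders). The executable-extension list and the "vendors that never mail patches" set are assumptions a real deployment would extend.

```python
"""Mail-gateway triage for the 'patch.exe' lure described above.

Added example; not code from the forum post, BBnP or Microsoft. It uses only
Python's standard email package. The sample message is constructed to match
the characteristics listed in the post (recipient address is a placeholder).
"""
import os
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions Windows runs as code on double-click (assumption: a
# minimal list; a real gateway would use a longer one).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

# Vendors that do not distribute patches as email attachments (assumption,
# based on the post's own advice about the fake Microsoft message).
NO_PATCH_BY_MAIL = {"microsoft.com"}


def triage(raw_message):
    """Return the reasons to quarantine a raw RFC 2822 message (empty list = pass)."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS:
            executables.append(name)
            reasons.append(f"executable attachment: {name}")
    subject = str(msg.get("Subject", "")).strip()
    if "patch" in subject.lower() and "immediately" in subject.lower():
        reasons.append(f"urgent-patch lure in subject: {subject!r}")
    _, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    if executables and domain in NO_PATCH_BY_MAIL:
        reasons.append(f"{domain} does not mail patches; treat sender as spoofed")
    return reasons


def build_sample_lure():
    """Constructed copy of the message the post quotes, with a dummy attachment body."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft" <security@microsoft.com>'
    msg["To"] = "recipient@example.net"  # placeholder, not the poster's address
    msg["Subject"] = "Use this patch immediately !"
    msg.set_content(
        "Dear friend , use this Internet Explorer patch now!\n"
        "There are dangerous virus in the Internet now!\n"
        "More than 500.000 already infected!\n"
    )
    # Four bytes of a fake DOS header stand in for the real attachment.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="patch.exe")
    return msg.as_string()


def build_benign_message():
    """Constructed control message: no attachment, no lure, should pass."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.net"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Lunch?"
    msg.set_content("Usual place at noon?\n")
    return msg.as_string()


if __name__ == "__main__":
    for reason in triage(build_sample_lure()):
        print("QUARANTINE:", reason)
    print("benign:", triage(build_benign_message()))
```

The rule deliberately checks the attachment before the sender: an executable attachment is reason enough on its own, and the spoofed-vendor check only adds weight, so a lure that drops the Microsoft branding is still caught.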
Also, this from Uruguay:
[ QUOTE ]
VSantivirus No. 1138, Year 7, Tuesday 19 August 2003
W32/Dumaru.A. Fake Microsoft message (patch.exe)
http://www.vsantivirus.com/dumaru-a.htm
Name: W32/Dumaru.A
Type: Internet worm
Alias: W32.Dumaru@mm, Win32/Dumaru.A, W32/Dumaru@MM, W32.Dumaru@mm, WORM_DUMARU.A
Date: 19/Aug/03
Platform: Windows 32-bit
Size: 9,216 bytes
Tools to remove the worm automatically
This worm, written in Microsoft C++ and packed with the UPX tool, is mass-mailed to all the addresses it finds in certain files on the infected machine, in a message that pretends to contain an Internet Explorer patch sent by Microsoft:
From: "Microsoft" <security@microsoft.com>
Subject: Use this patch immediately!
Attachment: patch.exe
Text:
Dear friend, use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500,000 already infected!
When executed, it drops a Trojan that allows the machine to be controlled via IRC and is also able to steal passwords from the infected machine and then forward them to a remote user.
The email addresses to which the message is sent are extracted from all files on the hard disk with the following extensions:
abd
dbx
htm
html
tbb
wab
The addresses are stored in the following file:
c:\windows\winload.log
The worm copies itself to the following locations:
c:\windows\dllreg.exe
c:\windows\system\load32.exe
c:\windows\system\vxdmgr32.exe
It also copies the Trojan to the following location:
c:\windows\windrv.exe
NOTE: In all cases, "C:\Windows" and "C:\Windows\System" can vary depending on the installed operating system (those are the default names in Windows 9x/ME; they are "C:\WinNT" and "C:\WinNT\System32" in Windows NT/2000, and "C:\Windows\System32" in Windows XP and Windows Server 2003).
The Trojan can connect to a predefined IRC (Internet Relay Chat) server and receive commands from a remote user. It can also steal the infected user's passwords.
The worm modifies the following registry keys so that it runs automatically every time Windows restarts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
load32 = C:\windows\system\load32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe c:\winnt\system32\vxdmgr32.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run = c:\windows\dllreg.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
load32 = (a very long entry, 260 bytes)
It also modifies the WIN.INI and SYSTEM.INI files in the C:\Windows folder:
In WIN.INI:
[ Windows ]
run = c:\windows\dllreg.exe
In SYSTEM.INI:
[ boot ]
shell = explorer.exe c:\windows\system\vxdmgr32.exe
Manual repair
Antivirus
1. Update your antivirus with the latest definitions
2. Run it in scan mode, checking all your drives
3. Delete the files detected as infected
Manual deletion of the files created by the worm
From Windows Explorer, locate and delete the following files:
c:\windows\dllreg.exe
c:\windows\system\load32.exe
c:\windows\system\vxdmgr32.exe
c:\windows\windrv.exe
Right-click the "Recycle Bin" icon on the desktop and select "Empty Recycle Bin".
Also delete any email messages similar to the one described above.
Editing the registry
Note: some of the registry branches mentioned here may not be present, depending on which version of Windows is installed.
1. Open the Registry Editor: Start, Run, type REGEDIT and press ENTER
2. In the left pane of the editor, click the "+" sign until you open the following branch:
HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Run
3. Click the "Run" folder and, in the right pane, under the "Name" column, find and delete the following entry:
load32
4. In the left pane of the editor, click the "+" sign until you open the following branch:
HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows NT
\CurrentVersion
\Winlogon
5. Click the "Winlogon" folder and, in the right pane, under the "Name" column, find and delete the following entry:
Shell
6. In the left pane of the editor, click the "+" sign until you open the following branch:
HKEY_CURRENT_USER
\Software
\Microsoft
\Windows NT
\CurrentVersion
\Windows
7. Click the "Windows" folder and, in the right pane, under the "Name" column, find and delete the following entry:
Run
8. Use "Registry", "Exit" to leave the editor and confirm the changes.
Editing the WIN.INI and SYSTEM.INI files
1. From Start, Run, type WIN.INI and press Enter.
2. Look for the following:
[ Windows ]
run = c:\windows\dllreg.exe
It must be left as:
[ Windows ]
run =
3. Save the changes and exit Notepad.
4. From Start, Run, type SYSTEM.INI and press Enter.
5. Look for the following:
[ boot ]
shell = explorer.exe c:\windows\system\vxdmgr32.exe
and leave it like this:
[ boot ]
shell = explorer.exe
6. Save the changes and exit Notepad
7. Restart your computer (Start, Shut Down, Restart).
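The advisory's persistence list (Run keys, the Winlogon Shell value, and the run= and shell= lines in WIN.INI and SYSTEM.INI) and the manual repair steps that undo them can both be checked mechanically. The script below is an added example, not code from the forum post or from VSantivirus: it audits text copies of WIN.INI, SYSTEM.INI and a REGEDIT export (.reg) for the hooks named above and rewrites the two INI values to the forms the repair steps require. The sample inputs are constructed to mirror the advisory's values, and treating explorer.exe as the only legitimate shell is an assumption that holds for the Windows versions the advisory covers.

```python
"""Audit and undo the autostart hooks the advisory lists for Dumaru.

Added example, not code from the forum post or from VSantivirus. It works on
text copies of WIN.INI, SYSTEM.INI and a REGEDIT export (.reg), so it can run
offline against files copied off a suspect machine. Sample inputs are
constructed to mirror the advisory's values.
"""

# File names the advisory attributes to the worm and its Trojan.
DUMARU_FILES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "windrv.exe"}

# Assumption: explorer.exe is the only legitimate shell on the Windows
# versions the advisory covers, so anything appended to it is suspect.
LEGIT_SHELL = "explorer.exe"

# Autostart keys named in the advisory (a list, so findings come out in a fixed order).
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
]
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_sections(text, registry=False):
    """Parse INI text or a .reg export into {section: {name: value}}, keys lowercased.

    .reg exports quote names and values and write each backslash doubled;
    registry=True undoes both so paths compare like the INI values.
    """
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            name, _, value = line.partition("=")
            name, value = name.strip(), value.strip()
            if registry:
                name, value = name.strip('"'), value.strip('"').replace("\\\\", "\\")
            data[section][name.lower()] = value
    return data


def mentions_dumaru(command):
    """True if any token of a command line is one of the worm's file names."""
    return any(tok.rsplit("\\", 1)[-1] in DUMARU_FILES for tok in command.lower().split())


def audit(win_ini, system_ini, reg_export):
    """Return persistence findings, in a fixed order: WIN.INI, SYSTEM.INI, Run keys, Winlogon."""
    findings = []
    run = parse_sections(win_ini).get("windows", {}).get("run", "")
    if run:  # WIN.INI run= is almost never used legitimately, so any value is reported
        findings.append(f"WIN.INI [windows] run={run}")
    shell = parse_sections(system_ini).get("boot", {}).get("shell", "")
    if shell and shell.lower() != LEGIT_SHELL:
        findings.append(f"SYSTEM.INI [boot] shell={shell}")
    reg = parse_sections(reg_export, registry=True)
    for key in RUN_KEYS:
        for name, value in reg.get(key.lower(), {}).items():
            if mentions_dumaru(value):
                findings.append(f"{key}\\{name}={value}")
    winlogon_shell = reg.get(WINLOGON_KEY.lower(), {}).get("shell", "")
    if winlogon_shell and winlogon_shell.lower() != LEGIT_SHELL:
        findings.append(f"{WINLOGON_KEY}\\Shell={winlogon_shell}")
    return findings


def reset_value(text, section, name, value):
    """Rewrite one name= line inside one INI section, leaving every other line untouched."""
    out, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].strip().lower()
        elif current == section and stripped.partition("=")[0].strip().lower() == name:
            line = f"{name}={value}"
        out.append(line)
    return "\n".join(out) + "\n"


def clean_win_ini(text):
    return reset_value(text, "windows", "run", "")          # advisory step: "run ="


def clean_system_ini(text):
    return reset_value(text, "boot", "shell", LEGIT_SHELL)  # advisory step: "shell = explorer.exe"


# Constructed samples mirroring the advisory (not captured from a real machine).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\dllreg.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe c:\\windows\\system\\vxdmgr32.exe\n[386Enh]\ndevice=*vmouse\n"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"load32"="C:\\windows\\system\\load32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe c:\\winnt\\system32\\vxdmgr32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="c:\\windows\\dllreg.exe"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_REG):
        print("FOUND:", finding)
    print(clean_system_ini(SAMPLE_SYSTEM_INI), end="")
```

The shell checks report anything other than a bare explorer.exe rather than only the worm's file names, because appending a second program to the shell line is a generic technique; the Run-key check is narrowed to the advisory's file names so that legitimate Run entries on the same export are not flagged.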
Tools to remove the worm automatically
Symantec tool
Download the "FxDumaru.exe" utility (167 KB) and run it on your system:
http://www.symantec.com/avcenter/FxDumaru.exe
Copyright (c) Symantec 2003.
Additional information
Showing the true file extensions
To be able to see the true extensions of files, and also to display those with the "Hidden" attribute, proceed as follows:
1. Open Windows Explorer
2. Select the 'View' menu (Windows 95/98/NT) or the 'Tools' menu (Windows Me/2000/XP), and click 'Options' or 'Folder Options'.
3. Select the 'View' tab.
4. UNCHECK the option "Hide file extensions for known file types" or similar.
5. In Windows 95/NT, CHECK the option "Show all files and hidden folders" or similar.
In Windows 98, under 'Hidden files', CHECK 'Show all files'.
In Windows Me/2000/XP, under 'Hidden files and folders', CHECK 'Show hidden files and folders' and UNCHECK 'Hide protected operating system files'.
6. Click 'Apply' and 'OK'.
Virus cleaning in Windows Me and XP
If the installed operating system is Windows Me or Windows XP, in order to remove this virus from your computer correctly, you must first disable the "System Restore" tool before taking any action, as described in these articles:
Virus cleaning in Windows Me
http://www.vsantivirus.com/faq-winme.htm
Virus cleaning in Windows XP
http://www.vsantivirus.com/faq-winxp.htm
(c) Video Soft - http://www.videosoft.net.uy
(c) VSAntivirus - http://www.vsantivirus.com
[/ QUOTE ]
These people are pissing me off.