[hackmeeting] Watch out for the virus
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As some of you will already have suffered (hey, Hubble), someone at infoshop has downloaded a virus called W95/MTX@M.
Here is what the McAfee people say
(http://vil.nai.com/vil/dispVirus.asp?virus_k=98797):
Profile
Virus Name: W95/MTX.gen@M
Risk Assessment: Medium
Virus Characteristics
Update - November 30, 2000:
AVERT recommends all users add .PIF extension to enable scanning some forms of this threat as well as other threats which use .PIF techniques.

Update - September 19, 2000:
McAfee AVERT has raised the ARA for this virus from Low to Medium based on customer samples received to date.

Removal of this virus requires 4095 DAT files. This virus was discovered by McAfee AVERT Aug 23, 2000.

This is a 32bit PE file infector for Windows 9x/NT systems. This virus modifies WSOCK32.DLL in an effort to hook SMTP traffic as an attachment. This virus searches for available shares through Network Neighborhood in an effort to transfer to host systems.

W32/MTX@MM is a combination of a Virus, Worm and Backdoor.

-Worm/Backdoor part: As it has mailing capabilities users may receive an e-mail with a file attachment, the name of the attachment is variable, but it may be like: I_am_sorry_doc.pif, or zipped_files.exe etc. Regardless of the deceiving filename and extension, the attached file as such is in fact a 32 bit "pe" file (Portable Executable file, common on win9x/winNT).

-Virus part: the virus also modified 32 bit pe files, like .EXE and .DLL, in the windows folder. It m

When the user double-clicks on the attached file, several files are being dropped. Dropped files (some are marked Hidden) may be:
IE_PACK.EXE,
MTX_.EXE,
WIN32.DLL
WSOCK32.MTX

The file WININIT.INI is modified to replace calling of the regular wsock32.dll with the dropped file wsock32.mtx after next reboot. MTX_.EXE runs from the system registry at Windows startup and is memory resident when the virus is first executed on the system.

MTX_.EXE runs as a process and makes Internet calls every 2 minutes on the system in communication on TCP port 1137.
And here are the instructions for removing it:
Use specified engine and DAT files for detection and removal.

Windows 95/98 systems require rebooting to MS-DOS mode and scanning with the command line scanner SCANPM in order to clean such files as EXPLORER.EXE and TASKMON.EXE.

The WSOCK32.DLL file can be restored from backup. This can be done by:

Windows 98/2000/ME
- Click the START MENU|RUN, type SFC and click OK.
- Choose Extract one file from the installation disk
- Type C:\WINDOWS\SYSTEM\WSOCK32.DLL in the box and click Start.
- In the Restore from box type C:\WINDOWS\OPTIONS\CABS or browse to the Win98 directory on your Windows98 CD-ROM
- Click OK and follow remaining prompts
Wsock32.dll file exists within the Precopy1.cab cabinet file on the Windows 98 CD-ROM.

Windows95
WSOCK32.DLL can be found in the following CAB files:
Win95_11.cab on the Windows 95 CD-ROM
Win95_18.cab on the Windows 95 OSR2 CD-ROM
Win95_12.cab on the Windows 95 DMF disks
Win95_19.cab on the Windows 95 non-DMF disks
Below is an example for standard Windows 95
- Click the START MENU|SHUT DOWN choose RESTART IN MS-DOS MODE
- Type: EXTRACT /A C:\WINDOWS\OPTIONS\CABS\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM
or
- Insert your Windows95 CD-ROM and type: EXTRACT /A D:\WIN95\WIN95_11.CAB WSOCK32.DLL /L C:\WINDOWS\SYSTEM where D: is your CD-ROM drive

WindowsNT 4.0
- Rename the Wsock32.dll file in the Windows\System32 folder to Wsock32.old. For information about how to rename a file, click Start, click Help, click the Index tab, type renaming, and then double-click the "Renaming files" topic.
- Click Start, point to Programs, and then click Command Prompt.
- Type cd\, and then press ENTER.
- Insert the Windows NT CD-ROM into the CD-ROM drive, and then close the Windows NT screen if it appears.
- Type the following line at the command prompt, and then press ENTER:
expand <drive>:\i386\wsock32.dl_ c:\<windows>\system32\wsock32.dll
where <drive> is the drive letter assigned to your CD-ROM drive, and where <windows> is the name of the folder in which Windows NT is installed.
- Type exit, and then press ENTER to return to Windows.
If anyone wants to dissect it, I have kept a copy.
Good luck.
- --
Regards. Arturo Quirantes
(PGP key 0x4E2031EC)
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
iQA/AwUBOoJHttPjg85OIDHsEQLZigCfVaxSTjc9yHVQobdP6JpO2flK9mgAnAgf
UxDM3WBWGR2Wv5+ONEZhe2bM
=m3xe
-----END PGP SIGNATURE-----
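The two behaviours the quoted McAfee write-up describes, a WININIT.INI entry that swaps the dropped WSOCK32.MTX in over WSOCK32.DLL at the next boot and a resident MTX_.EXE that calls out on TCP port 1137 every 2 minutes, both leave artifacts that can be checked for. The following is an added example, not code from the post, from McAfee or from the virus itself. It relies on the documented Windows 9x behaviour that lines of the form `destination=source` under `[rename]` in WININIT.INI are carried out at boot before system files are locked (with `NUL=` meaning delete). The WININIT.INI contents and the connection-log lines are constructed for the example, the log format (epoch seconds, source, destination, destination port) is an assumption, and the 120-second period with a 5-second tolerance is taken from the write-up's "every 2 minutes".

```python
from collections import defaultdict

# Constructed WININIT.INI resembling what the write-up describes: a [rename]
# entry that overwrites the real WSOCK32.DLL with the dropped WSOCK32.MTX.
# (Example data, not a real sample.)
SAMPLE_WININIT_INI = r"""[rename]
NUL=C:\WINDOWS\TEMP\~SETUP.TMP
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\WSOCK32.MTX
"""

# System files the write-up says the virus modifies or replaces.
PAGE_TARGETS = {"wsock32.dll", "explorer.exe", "taskmon.exe"}


def wininit_rename_entries(text):
    """Parse the [rename] section of a WININIT.INI into (destination, source) pairs.

    Windows 9x processes these lines at boot, which is how the dropped
    wsock32.mtx gets installed over wsock32.dll after the next reboot.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "rename" and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def suspicious_renames(text):
    """Return [rename] entries whose destination is one of the system files named on the page."""
    flagged = []
    for dest, src in wininit_rename_entries(text):
        if dest.split("\\")[-1].lower() in PAGE_TARGETS:
            flagged.append((dest, src))
    return flagged


# Constructed connection log (hypothetical format): "epoch src dst dport".
# 10.0.0.5 connects to port 1137 at ~120 s intervals, 10.0.0.11 hits 1137
# irregularly, 10.0.0.7 is ordinary web traffic, 10.0.0.9 connects once.
SAMPLE_LOG = """
960000000 10.0.0.5 203.0.113.9 1137
960000120 10.0.0.5 203.0.113.9 1137
960000241 10.0.0.5 203.0.113.9 1137
960000360 10.0.0.5 203.0.113.9 1137
960000000 10.0.0.11 203.0.113.9 1137
960000050 10.0.0.11 203.0.113.9 1137
960000500 10.0.0.11 203.0.113.9 1137
960000010 10.0.0.7 203.0.113.9 80
960000030 10.0.0.7 203.0.113.9 80
960000100 10.0.0.9 198.51.100.4 1137
"""


def beaconing_hosts(log, port=1137, period=120, tolerance=5, min_hits=3):
    """Return source hosts with at least `min_hits` connections to `port`
    whose inter-arrival gaps all lie within `tolerance` seconds of `period`.

    A single connection to 1137 is not enough on its own; the regular
    2-minute cadence the write-up describes is what makes it a beacon.
    """
    by_src = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, _dst, dport = line.split()
        if int(dport) == port:
            by_src[src].append(int(ts))
    hits = []
    for src, times in by_src.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE_WININIT_INI):
        print(f"WININIT.INI would replace {dest} with {src} at next boot")
    for host in beaconing_hosts(SAMPLE_LOG):
        print(f"{host} beacons to TCP/1137 about every 2 minutes")
```

The rename check only flags what the page names; extend PAGE_TARGETS for other system binaries you care about. The beacon check deliberately requires a regular cadence, so a host that merely touched port 1137 once is not reported.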