email viruses and how viruses work?

Discussion in 'OT Technology' started by speedlife, Jan 6, 2003.

  1. speedlife

    speedlife Guest

    can you get viruses just from emails or must an attachment be included? also, if there is an attachment like a word document, can you get it from that?

    i also get this weird email from people with only a subject line and no body. what is this?
     
  2. Dommi

    Dommi Guest

    a virus is simply a compiled script that is executed using flaws in the way that your computer handles scripting. in the case of oe email virii, you will notice that most of the time, the script is embedded in the email, but the ability to view it as an attachment isn't there. More so, if you viewed it, it would look like compiled gibberish.
    you can embed virii in word docs, those are generally referred to as macro virii.
     
  3. speedlife

    speedlife Guest

    so you can get a virus email without even really opening or reading an email?
    i use outlook so whenever i open my email it downloads automatically.

    also, what is that strange email that goes around with only a subject line?
     
  4. Dommi

    Dommi Guest

    Damage

    * Payload: This worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.
    o Large scale e-mailing: This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment.
    o Releases confidential info: Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment.

    Distribution

    * Subject of email: Random
    * Name of attachment: Random

    technical details

    When this worm is executed, it does the following:

    It copies itself to %System%\Wink<random characters>.exe.

    NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

    It adds the value

    Wink<random characters> %System%\Wink<random characters>.exe

    to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    or it creates the registry key

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

    and inserts a value in that subkey so that the worm is executed when you start Windows.

    The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

    * Anti-Vir.dat
    * Chklist.dat
    * Chklist.ms
    * Chklist.cps
    * Chklist.tav
    * Ivb.ntz
    * Smartchk.ms
    * Smartchk.cps
    * Avgqt.dat
    * Aguard.dat

    Local and Network Drive copying:
    The worm copies itself to local, mapped, and network drives as:

    * A random file name that has a double extension. For example, Filename.txt.exe.
    * A .rar archive that has a double extension. For example, Filename.txt.rar.


    Email:
    This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. For example, if the worm encounters the address [email protected] it will attempt to send email via the server smtp.abc123.com.

    The subject line, message bodies, and attachment file names are random. The From address is randomly-chosen from email addresses that the worm finds on the infected computer.

    The worm will search files that have the following extensions for email addresses:

    * .mp8
    * .exe
    * .scr
    * .pif
    * .bat
    * .txt
    * .htm
    * .html
    * .wab
    * .asp
    * .doc
    * .rtf
    * .xls
    * .jpg
    * .cpp
    * .pas
    * .mpg
    * .mpeg
    * .bak
    * .mp3
    * .pdf


    In addition to the worm attachment, the worm also may attach a random file from the computer. The file will have one of the following extensions:

    * .mp8
    * .txt
    * .htm
    * .html
    * .wab
    * .asp
    * .doc
    * .rtf
    * .xls
    * .jpg
    * .cpp
    * .pas
    * .mpg
    * .mpeg
    * .bak
    * .mp3
    * .pdf


    As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly-selected file.

    The email message that this worms sends is composed of "random" strings. The subject can be one of the following:

    * Worm Klez.E immunity
    * Undeliverable mail--"[Random word]"
    * Returned mail--"[Random word]"
    * a [Random word] [Random word] game
    * a [Random word] [Random word] tool
    * a [Random word] [Random word] website
    * a [Random word] [Random word] patch
    * [Random word] removal tools
    * how are you
    * let's be friends
    * darling
    * so cool a flash,enjoy it
    * your password
    * honey
    * some questions
    * please try again
    * welcome to my hometown
    * the Garden of Eden
    * introduction on ADSL
    * meeting notice
    * questionnaire
    * congratulations
    * sos!
    * japanese girl VS playboy
    * look,my beautiful girl friend
    * eager to see you
    * spice girls' vocal concert
    * japanese lass' sexy pictures


    The random word will be one of the following:

    * new
    * funny
    * nice
    * humour
    * excite
    * good
    * powful
    * WinXP
    * IE 6.0
    * W32.Elkern
    * W32.Klez.E
    * Symantec
    * Mcafee
    * F-Secure
    * Sophos
    * Trendmicro
    * Kaspersky


    The body of the email message is random.

    Email spoofing

    * This worm often uses a technique known as "spoofing." When it performs its email routine, it can use a randomly chosen address that it finds on an infected computer as the "From:" address; numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else.

    For example, Linda Anderson is using a computer that is infected with [email protected] Linda is not using an antivirus program or does not have current virus definitions. When [email protected] performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.

    If you are using a current version of Norton AntiVirus and have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
    * There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your email address is [email protected], you could receive a message that appears to be from [email protected], indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.
    * The message may be disguised as an immunity tool. One version of this false message is as follows:

    Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

    NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.
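    The write-up above gives the persistence artefacts a defender can look for: a Run value named Wink<random characters> pointing at %System%\Wink<random characters>.exe, or a Services subkey of the same form, plus the dropped executable in the system folder. The following is an added example, not part of the thread or of the virus sheet it quotes, that applies those patterns to a constructed snapshot of Run values, Services subkey names and a system-folder listing (all the entries are made up; the `Wink` regexes, function names and sample paths are assumptions for illustration). A hit is a lead to confirm with the full scan the sheet recommends, not a verdict on its own, since the pattern is only a name heuristic.

```python
import re

# Constructed snapshot of (value name, value data) under
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Made-up entries, not a real system.
SAMPLE_RUN_VALUES = [
    ("SynTPEnh", r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"),
    ("WinkXqz7", r"C:\WINNT\System32\WinkXqz7.exe"),
    ("ccApp", r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"),
]

# Constructed list of subkey names under HKLM\System\CurrentControlSet\Services.
SAMPLE_SERVICE_KEYS = ["Eventlog", "WinkPq2m", "Netlogon", "Winmgmt"]

# Constructed directory listing of %System% (C:\WINNT\System32 in this sample).
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "WinkXqz7.exe", "winlogon.exe", "WinkPq2m.exe"]

# The write-up names the artefacts as Wink<random characters>: a Run value of that
# name whose data points at %System%\Wink<random>.exe, a Services subkey of that
# name, and the dropped executable itself. Windows names are case-insensitive.
WINK_NAME_RE = re.compile(r"^Wink[A-Za-z0-9]+$", re.IGNORECASE)
WINK_EXE_RE = re.compile(r"(?:^|\\)Wink[A-Za-z0-9]+\.exe$", re.IGNORECASE)


def suspicious_run_values(run_values):
    """Run values whose name and data both fit the Wink<random> pattern."""
    return [(name, data) for name, data in run_values
            if WINK_NAME_RE.match(name) and WINK_EXE_RE.search(data)]


def suspicious_service_keys(service_keys):
    """Services subkeys named Wink<random>."""
    return [key for key in service_keys if WINK_NAME_RE.match(key)]


def suspicious_system_files(system_files):
    """Files in the system folder named Wink<random>.exe."""
    return [f for f in system_files if WINK_EXE_RE.search(f)]


def assess_host(run_values, service_keys, system_files):
    """Collect every hit. Any hit means 'confirm with a full scan', not 'infected':
    legitimate software may also have names beginning with Wink."""
    report = {
        "run_values": suspicious_run_values(run_values),
        "service_keys": suspicious_service_keys(service_keys),
        "system_files": suspicious_system_files(system_files),
    }
    report["needs_followup"] = any(
        report[k] for k in ("run_values", "service_keys", "system_files"))
    return report


if __name__ == "__main__":
    result = assess_host(SAMPLE_RUN_VALUES, SAMPLE_SERVICE_KEYS, SAMPLE_SYSTEM_FILES)
    for key, hits in result.items():
        print(f"{key}: {hits}")
```

    On a live machine the three inputs would come from exporting the two registry keys and listing the system folder; the checks deliberately pair the value name with its data so that a Run entry merely named Wink-something, but pointing elsewhere, is not flagged.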
     
  5. Dommi

    Dommi Guest

    that is a snippet of the virus sheet for klez e
    all virii are different and there are tens of thousands
     
  6. speedlife

    speedlife Guest

    extremely helpful. so basically one does not even have to dl an attachment. this can be passed merely through emailing another person?

    how does one get this virus? and how can one get rid of it?
    is there a way to tell who it is exactly from even though it places a random "from:" address?
     
  7. Dommi

    Dommi Guest

    you are trying to put too many specifics on what is really a broad subject
    viruses are too varied to say that there is one commonality amongst all
     
  8. speedlife

    speedlife Guest

    you are correct and i apologize for that, but generally, how would one go about handling this situation?

    with all the viruses, there has to be a way to tell what it is and how to diagnose it. is there a general method as to how this type of virus infects and how it is eliminated?
     
  9. Dommi

    Dommi Guest

    I'll tell you this, and I know that 5Gen_prelude will disagree vehemently... Use an antivirus and keep the definitions up to date...
     
  10. speedlife

    speedlife Guest

    5th gen, if you read this any reason why you would disagree?

    also, a question on antivirus software in a company,
    is it installed on each machine or on the server or both
     
  11. Dommi

    Dommi Guest

    the easiest to talk about would be the enterprise edition of norton av.
    that is installed locally, but is server based. The norton av server controls the overall function of the slave nodes as well as the update feature


    **** gotta go, fire alarm going off****
     
  12. Dommi

    Dommi Guest

    ok someone let milton loose in the building

    oh well
     
  13. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    I have nothing against virus scanners, I just don't like the idea of relying on them - they're not perfect. It's like spell checkers - great utility, but you shouldn't ever become dependent on them. If you don't have the skillset to stop them and ensure that they don't attack your systems then yes, use a piece of software. No self respecting doctor would hand you a cure-all without knowing how it works and that's what I support. A single-user computer, operated by someone who knows the ins-and-outs of how viruses can be spread doesn't need it. Just don't blame me if your system dies ;)
     
  14. Dommi

    Dommi Guest

    quick question, what do you do proactively to prevent infection.
    what do you look for when you think you are infected?
     
  15. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    There are two basic ways viruses infect your computer. One, someone accesses your computer from outside and maliciously goes about having some fun. That's something that does need addressing, firewalls are a good start, updating your OS etc... all that good stuff.

    The only other way is to infect the computer yourself (by accident or on purpose). People either a) open up attachments they shouldn't, b) assume a file is clean that they have downloaded and run it, or c) on very rare instances, get infected via a web page (not likely if you keep things up to date but again, the potential is there).

    If I thought I was infected, and on a few occasions I thought I was (turned out to be just too much crap running on the computer), I will scan the computer with a virus checker. But since my computer is constantly getting freshly installed (I just don't like bloated installs), even if I was infected it would be cleaned. If someone else gets infected, I reghost their machine - no chance of it lingering and no fighting with 20 step removal processes (assuming you can identify it). With clients that have only a handful of programs installed and no data files on a c drive, makes it real handy.

    Data files on the server are backed up daily so on the off chance a virus goes apeshit on the network drives, no long term damage can occur (and of course ensuring they only have access to what they need).

    Most viruses can be prevented by using common sense - that jpg your buddy sent you can't damage your computer unless its association has been changed. VBS can be disassociated altogether since you rarely run a vbs script on its own - if you do simply use a different extension and associate it.
     
  16. Dommi

    Dommi Guest

    the only thing I see wrong with that is this
    most of the new breed of viruses are set up to infect once the email is opened (read email not attachment) which almost guarantees infection once the mail is downloaded. since you have to click it to delete, and clicking it opens it.
     
  17. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    I don't open it to delete it. But your point is taken - that's a failure of the Email program at any rate - there is no reason why it should run an HTML and accompanying script. I myself use RTF when sending messages - can't stand fancy graphics (thus my distaste for XP ;))
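    The two concerns raised in this exchange, an HTML message body that carries script and a lure attachment (the Klez write-up quoted earlier in the thread lists the subjects it uses, the executable extensions .exe/.scr/.pif/.bat, the .rar archives and the Filename.txt.exe double-extension trick), can both be checked before a mail client ever renders the message. Below is an added example that is not from the thread or from any product it mentions: a small Python triage routine run over two constructed MIME messages (the addresses, subjects, boundaries and attachment names are made up; the extension sets and lure subjects are copied from the write-up's lists). It deliberately ignores the From header, because the write-up explains that Klez forges it from addresses found on the infected machine.

```python
import email
from email import policy

# Constructed message modelled on the lure the write-up describes: a listed subject,
# an HTML body with script, and a double-extension executable attachment.
RAW_LURE = b"""From: harold.logan@example.com
To: janet.bishop@example.com
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Run the attached immunity tool once.</p><script>alert('tool');</script></body></html>
--b1
Content-Type: application/octet-stream; name="immunity.txt.exe"
Content-Disposition: attachment; filename="immunity.txt.exe"
Content-Transfer-Encoding: base64

ZmFrZQ==
--b1--
"""

# Constructed ordinary message: plain text plus a picture, the case 5Gen_Prelude
# describes as harmless when file associations are intact.
RAW_CLEAN = b"""From: linda.anderson@example.com
To: janet.bishop@example.com
Subject: Q1 budget figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Figures attached as discussed.
--b2
Content-Type: image/jpeg; name="chart.jpg"
Content-Disposition: attachment; filename="chart.jpg"
Content-Transfer-Encoding: base64

ZmFrZQ==
--b2--
"""

# Extension sets and subjects taken from the write-up's lists.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".bat"}
ARCHIVE_EXT = {".rar"}
DOCUMENT_EXT = {".txt", ".htm", ".html", ".doc", ".rtf", ".xls", ".jpg",
                ".mpg", ".mpeg", ".pdf", ".mp3"}
LURE_SUBJECTS = {"worm klez.e immunity", "your password", "please try again",
                 "congratulations", "meeting notice"}


def attachment_findings(filename):
    """Flag executable outer extensions and document.executable double extensions."""
    parts = filename.lower().rsplit(".", 2)
    findings = []
    outer = "." + parts[-1] if len(parts) >= 2 else ""
    if outer in EXECUTABLE_EXT:
        findings.append("executable extension")
    if len(parts) == 3 and "." + parts[1] in DOCUMENT_EXT and outer in EXECUTABLE_EXT | ARCHIVE_EXT:
        findings.append("double extension")
    return findings


def triage_message(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged.
    The From header is not consulted: the write-up says the worm forges it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        findings.append(f"subject matches known lure: {subject!r}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None and "<script" in html.get_content().lower():
        findings.append("html body contains script")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        for finding in attachment_findings(name):
            findings.append(f"attachment {name}: {finding}")
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", RAW_LURE), ("clean", RAW_CLEAN)):
        print(label, triage_message(raw) or "no findings")
```

    The routine works on the raw message bytes, so it can sit in a mail gateway or a fetch script ahead of the client that auto-opens messages; nothing in the message is executed or rendered to produce the findings.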
     
  18. Dommi

    Dommi Guest

    shell > *
     