Fw: [stamboom_drenthe] Information about viruses.

  • Pieke en Frouwkje v/d Schaaf-Beckeringh.
    Dec 1, 2001
      ----- Original message -----
      From: "Piet Molema" <p.molema@...>
      To: "Lange kinderen mailinglist" <langekinderen@yahoogroups.com>; "HW
      Mailinglist" <NLD-HOEKSCHE-WAARD-L@...>; "Drenthe mailinglist"
      <stamboom_drenthe@yahoogroups.com>; "Groningen mailinglist"
      <groningen-genealogy@egroups.com>; <westerwolde@egroups.com>;
      <Bellingwolde@egroups.com>; "mailinglist zeeland"
      <Zeeland-genealogy@yahoogroups.com>
      Sent: Thursday, 29 November 2001 22:15
      Subject: [stamboom_drenthe] Information about viruses.


      > All,
      >
      > Below is eSafe's write-up of Badtrans (a virus that is currently going
      > around and causing a lot of needless mail traffic) and a tip on how to
      > configure Windows properly.
      >
      > Like many others, I am fed up with everyone who goes onto the internet
      > without a condom, er, sorry ... an up-to-date virus scanner.
      > A scanner that has not been updated for a week is a scanner from
      > PREHISTORIC times!!!!
      >
      > Every day viruses arrive here from idiots who use a PC without a virus
      > scanner, or with one that has not been updated.
      >
      > I have said this before (elsewhere), but it does no harm to repeat it.
      > Start with the following: configure Windows properly! For that, see the
      > page of the DOSgg/Windos gg:
      > http://www.windos.nl/veiligh.html
      >
      > Study it and follow the instructions. That prevents a whooole lot of
      > problems ..... also for the people you correspond with.
      >
      > P.S.: this is an off-topic message, so please do not reply on the
      > group/list.
      >
      > Kind regards,
      > Piet Molema
      > Webmaster: Genealogie Groningen, Drenthe, Zeeland, Hoeksche Waard,
      > Wegwijzer Genealogie en Archieven in Nederland:
      > http://home.hccnet.nl/p.molema
      > List owner, mailing list NLD-Hoeksche-Waard:
      > NL - http://home.hccnet.nl/p.molema/hwmail.htm
      > Eng - http://lists.rootsweb.com/index/intl/NLD/NLD-HOEKSCHE-WAARD.html
      > Host of the query boards Groningen, Drenthe, Zeeland, Hoeksche Waard
      > Co-moderator, mailing list Genealogy Zeeland:
      > http://home.hccnet.nl/p.molema/zemail.htm
      > Webmaster: Lange kinderen http://home.hccnet.nl/p.molema/langkind
      >
      > ----------------------------------------------------------------------------------------
      >
      > CSRT Alert - Medium Risk
      > =======================
      >
      > Win32.BadtransII
      > and Win32.Badtrans.dll
      >
      > Alias: W32/Badtrans-B, BADTRANS.B, WORM_BADTRANS.B, W32/Badtrans@MM,
      > W32.Badtrans.B@mm, W32/BadTrans.B-mm
      > Threat Level: Medium
      > Platforms: 95, 98, ME, NT, 2000
      > Updated on: 27 November, 2001
      > Arrival Form: Email
      > Type: Win32, Trojan, Worm
      > Damage: Steal information, Other
      >
      > -----------------------------------------------------------------------
      >
      > Analysis
      > ========
      > Win32.BadtransII is an email-spreading vandal which attempts to install a
      > spying keystroke logger on infected machines and tries to steal access
      > passwords for connections. When arriving by email, this vandal runs
      > automatically by using an Outlook Express exploit known as the X-WAV
      > exploit.
      > More information about this exploit and a patch is available from
      > Microsoft:
      >
      > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
      >
      > ** eSafe products proactively protect against this exploit even without a
      > vandal/virus update **
      >
      > Infection
      > ---------
      > The arriving email will have the following format:
      >
      > From: a list of random email addresses
      > Subject: random words out of the following list: Humor, fun, docs, info
      > Body: No body text
      > Attached file: random attached file name with a double extension.
      > The list of possible names:
      > Pics
      > images
      > New_Napster_Site
      > README
      > stuff
      > SETUP
      > Card
      > Me_nude
      > Sorry_about_yesterday
      > news_doc
      > HAMSTER
      > YOU_are_FAT!
      >
      > The first file extension will be one of the following: .DOC, .ZIP, .MP3
      > The second extension will be one of the following: .PIF, .SCR
      >
      > This vandal can also arrive as a reply to an email. In that case the
      > subject line will begin with Re: and following would be the original
      > subject line.
      > It also searches files with the extensions .HT* and .ASP (HTML files) and
      > sends infected emails to addresses found there. Usually there are many
      > such HTML files in the browser cache directories.
      >
      > Operation
      > ---------
      > When an infected email is viewed on a system without the Microsoft patch,
      > the file is automatically executed and will perform the following:
      >
      > 1. Create a copy of itself under the name KERNEL32.EXE in the Windows
      > System directory (usually C:\Windows\System).
      >
      > 2. Create a file named KDLL.DLL (detected by eSafe as Win32.Badtrans.dll)
      > in the Windows System directory. This file is a spying Trojan. It collects
      > information about the PC including dial-up passwords. It is also a
      > keystroke logger, collecting all the keyboard entries and the respective
      > applications. All this information is saved encrypted to a file named
      > CP_25389.NLS and sent to a predefined email address.
      >
      > 3. To execute itself each time the computer starts, the following registry
      > entry is added:
      > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
      > kernel32 = "kernel32.exe"
      >
      > 4. Use MAPI to send copies of itself to address book entries as well as
      > addresses in HTML pages stored locally and as a reply to unread messages.
      >
      > Removal Instructions
      > ====================
      >
      > Manual Removal
      > --------------
      >
      > 1. Find and delete the files: KERNEL32.EXE and CP_25389.NLS
      >
      > 2. Using Regedit.exe, find the key HKEY_LOCAL_MACHINE\Software\Microsoft\
      > Windows\CurrentVersion\RunOnce\kernel32 = "kernel32.exe". Delete the
      > registry value kernel32.
      >
      > 3. Disable email previewing in Outlook Express. Delete all email messages
      > that correspond to the descriptions above.
      >
      > Cleaning Utility
      > ----------------
      > A cleaning utility is available from
      > ftp://ftp.ealaddin.com/pub/utils/eclean.exe
      >
      > eSafe Users
      > ----------------
      > eSafe Desktop and Enterprise are protected by the Sandbox II and System
      > Protector. All eSafe products detect and block the X-WAV exploit.
      > It is also recommended to block attached files with the extensions .PIF
      > and .SCR. For more information about blocking dangerous file types see
      > the link http://www.ealaddin.com/home/csrt/protgate_mail.asp.
      >
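The indicators the advisory lists (subject words, empty body, the name.DOC/ZIP/MP3.PIF/SCR double extension, the "Re:" reply variant) together with its recommendation to block .PIF and .SCR attachments can be turned into a mail-gateway check. The Python script below is an added example, not code from the eSafe advisory or from the original post. Its sample messages are constructed, and all function and constant names are this example's own. It goes one step beyond the advisory text: it also flags the MIME mismatch that MS01-020 describes, an executable attachment declared as audio/x-wav, which an unpatched Outlook Express preview pane "plays", i.e. runs.

```python
"""Gateway-side detector for Badtrans.B-shaped mail.

Added example based on the indicators in the eSafe CSRT alert; the
messages built at the bottom are constructed test data, not captures.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment base names from the advisory (matched case-insensitively).
BASENAMES = {
    "pics", "images", "new_napster_site", "readme", "stuff", "setup",
    "card", "me_nude", "sorry_about_yesterday", "news_doc", "hamster",
    "you_are_fat!",
}
# <base>.<DOC|ZIP|MP3>.<PIF|SCR>: the double extension the worm uses.
DOUBLE_EXT = re.compile(r"^(?P<base>[^.]+)\.(doc|zip|mp3)\.(pif|scr)$", re.I)
# Extensions the advisory recommends blocking outright at the gateway.
BLOCKED_EXT = re.compile(r"\.(pif|scr)$", re.I)
# Broader executable set used only for the MIME-mismatch check.
EXEC_EXT = re.compile(r"\.(pif|scr|exe|com|bat|vbs)$", re.I)
SUBJECT_WORDS = {"humor", "fun", "docs", "info"}


def classify_attachment(part):
    """Return the reasons this MIME part looks like Badtrans.B (empty = clean)."""
    reasons = []
    name = part.get_filename() or ""
    m = DOUBLE_EXT.match(name)
    if m:
        reasons.append(f"double extension: {name}")
        if m.group("base").lower() in BASENAMES:
            reasons.append(f"known Badtrans base name: {m.group('base')}")
    if BLOCKED_EXT.search(name):
        reasons.append(f"blocked extension (advisory policy): {name}")
    # MS01-020: an executable delivered as audio/x-wav (or x-midi) is
    # auto-run by an unpatched Outlook Express when the mail is previewed.
    ctype = part.get_content_type()
    if ctype in ("audio/x-wav", "audio/x-midi") and EXEC_EXT.search(name):
        reasons.append(f"MIME type {ctype} on executable attachment {name}")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return a verdict with its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain", "html"))
    empty_body = body is None or not body.get_content().strip()
    reasons = []
    for part in msg.iter_attachments():
        reasons.extend(classify_attachment(part))
    if reasons:
        # Subject and empty body are supporting signals only; a mail is
        # never flagged on them alone, they just strengthen the verdict.
        if subject.lower() in SUBJECT_WORDS or subject.lower().startswith("re:"):
            reasons.append(f"subject pattern: {subject!r}")
        if empty_body:
            reasons.append("empty body")
    return {"subject": subject, "suspicious": bool(reasons), "reasons": reasons}


def _build(subject: str, body: str, attachments) -> bytes:
    """Construct a test message; attachments are (filename, content-type) pairs."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    for fname, ctype in attachments:
        main, sub = ctype.split("/")
        m.add_attachment(b"MZ\x90\x00 constructed stub, not a real binary",
                         maintype=main, subtype=sub, filename=fname)
    return m.as_bytes()


# Constructed samples: worm-style, reply-style, and a clean genealogy mail.
SAMPLE_WORM = _build("fun", "", [("Me_nude.MP3.scr", "audio/x-wav")])
SAMPLE_REPLY = _build("Re: stamboom Drenthe", "",
                      [("news_doc.DOC.pif", "application/octet-stream")])
SAMPLE_CLEAN = _build("Genealogy question", "Hello, see attached.",
                      [("family.pdf", "application/pdf")])

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("reply", SAMPLE_REPLY),
                       ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(raw))
```

The blocking decision rests on the attachment checks; the subject words and empty body only corroborate, since "fun" or "Re:" subjects are common in legitimate mail. The host-side indicators in the removal section (KERNEL32.EXE and CP_25389.NLS in the System directory, KDLL.DLL, the RunOnce value named kernel32) are checked on the machine, not at the gateway; note that the dropper name deliberately resembles the legitimate KERNEL32.DLL, so match on the .EXE extension and the RunOnce value rather than on "kernel32" alone.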