Here's a bit of help,
So, those for whom this virus, W32.Swen@mm, was detected as Worm.Automat.AHB are protected.
So, a patch has been available since 18.09., because a lot of people reported having the problem!
W32.Swen.A@mm is a little worm that spreads en masse using its own SMTP engine. It of course also tries to spread over file-sharing networks such as KaZaA and IRC, and it likewise tries to eliminate the antivirus and firewall on your computer.
It arrives as an e-mail with an attachment.
The SUBJECT, TEXT, AND sender ADDRESS can VARY!!!
W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and it is written in C++.
Microsoft Outlook and Outlook Express are susceptible to infection; the virus tries to run itself even when the mail is only previewed!
Here is what it does (I didn't feel like writing it all out):
"
The worm copies itself to the Windows directory with a random executable file name.
It then creates the following registry key to automatically launch itself at Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"<random_characters>" = "<random_characters>.exe /autorun"
The following registry key is modified in order to enable the sharing of the worm using KaZaa:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"Dir99" = 012345:C:\WINDOWS\TEMP\(random directory name)
The following registry keys are also modified to launch itself any time a BAT, COM, EXE, PIF, REG, or SCR file is executed:
HKEY_CLASSES_ROOT\batfile\shell\open\command
"(Default)" = %filename% "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command
"(Default)" = %filename% "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command
"(Default)" = %filename% "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command
"(Default)" = %filename% "%1" %*
HKEY_CLASSES_ROOT\regfile\shell\open\command
"(Default)" = %filename% showerror
HKEY_CLASSES_ROOT\scrfile\shell\config\command
"(Default)" = %filename% "%1"
HKEY_CLASSES_ROOT\scrfile\shell\open\command
"(Default)" = %filename% "%1" /S
The following registry key is modified which may prevent the user from running Regedit.exe:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools" = 01 00 00 00
The worm will copy itself to the startup folder on mapped network drives using the following paths:
windows\all users\start menu\programs\startup
windows\start menu\programs\startup
winme\all users\start menu\programs\startup
winme\start menu\programs\startup
win95\all users\start menu\programs\startup
win95\start menu\programs\startup
win98\all users\start menu\programs\startup
win98\start menu\programs\startup
document and settings\all users\start menu\programs\startup
document and settings\default user\start menu\programs\startup
document and settings\administrator\start menu\programs\startup
winnt\profiles\all users\start menu\programs\startup
winnt\profiles\default user\start menu\programs\startup
winnt\profiles\administrator\start menu\programs\startup
The worm will drop a file named SCRIPT.INI (123 bytes) in the mIRC program folder in an attempt to propagate via IRC (using dcc send).
"
Information and patch:
http://www.microsoft.com/technet/sec...in/MS01-20.asp
Removal tool:
http://securityresponse.symantec.com...oval.tool.html
Microsoft's patch:
http://www.microsoft.com/windows/ie/...08/default.asp
Systems it can infect:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
P.S. Today, in the morning alone, I received about 120 of them!!!
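
A defender-side check for the registry changes quoted in the post, as an added example (not part of the original post and not vendor code): it scans `reg export`-style text for the Run `/autorun` entry, the Kazaa `Dir99` share, `DisableRegistryTools`, and redirected file-type handlers. The sample export and the name `qzxv` are constructed, and the stock-handler baseline (defaults beginning with `"%1"`) is an assumption not stated in the post.

```python
import re

# File types whose open/config command the post lists as redirected to the worm.
# Assumption (not from the post): on a stock system each default starts with "%1".
HANDLERS = ("batfile", "comfile", "exefile", "piffile", "scrfile")

def parse_reg(text):
    """Parse .reg export text into {(key_lowercased, value_name): raw_data}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if key and m:
            values[(key, m.group(1) or "")] = m.group(2)  # "" is the (Default) value
    return values

def unquote(raw):
    """Decode a quoted .reg string; dword:/hex: data is returned unchanged."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw

def swen_findings(text):
    """Return sorted (indicator, key) pairs matching the changes quoted in the post."""
    found = []
    for (key, name), raw in parse_reg(text).items():
        data, parts = unquote(raw), key.split("\\")
        ftype = parts[-4] if len(parts) >= 4 and parts[-1] == "command" else None
        if key.endswith(r"\currentversion\run") and data.lower().endswith("/autorun"):
            found.append(("run-autorun", key))
        elif key.endswith(r"\kazaa\localcontent") and name.lower() == "dir99":
            found.append(("kazaa-share", key))
        elif key.endswith(r"\policies\system") and name.lower() == "disableregistrytools":
            if re.search(r"[1-9a-f]", raw.split(":", 1)[-1].lower()):  # any non-zero byte
                found.append(("regedit-disabled", key))
        elif name == "" and ((ftype in HANDLERS and not data.startswith('"%1"')) or
                             (ftype == "regfile" and data.lower().endswith("showerror"))):
            found.append(("handler-hijack", key))
    return sorted(found)

# Constructed sample export (not from a real machine); "qzxv" is a made-up name.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"qzxv"="qzxv.exe /autorun"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\qzxv.exe \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001'''
```

A Run value ending in `/autorun` is a heuristic and can match legitimate software, so treat that finding as a lead to confirm against the other indicators.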