
[Antbear-general] DANGEROUS VIRUS ALERT , DISINFECTION Tool FOR W32.ZeRx


From: E-CRIMINALS FBI
Subject: [Antbear-general] DANGEROUS VIRUS ALERT , DISINFECTION Tool FOR W32.ZeRx.Virus.001 - The Worst VIRUS EVER
Date: Sat, 3 Dec 2005 19:05:25 -0800

DANGEROUS VIRUS DISCOVERED

We Have Received a Warning from US-ISS (USA INTERNET SECURITY SYSTEM) To Notify all Internet Users of The Newly Discovered Dangerous Virus, With The Disinfection Tool.

PLEASE CLICK TO DOWNLOAD THE REMOVAL TOOL BEFORE YOU GET INFECTED

CLICK HERE

A new high-risk computer virus dubbed "W32/zeRx.Virus.x001" was confirmed to have been attacking the Internet since yesterday night.

The highly infectious virus was reported to have hit almost 170,000 workstations and 300,000 Microsoft Outlook users globally.

The rapid spread of the Goner bug is said to rival the outbreak of the Love Bug virus which caused millions of dollars in damage in April last year.

Trend Micro country sales manager Wong Joon Hoong said yesterday the pattern of the virus was detected in this region at 10.30 last night and could be categorised as a high risk due to its fast spreading nature.

McAfee, Norton, Norman, NOD32 and Kaspersky ANTIVIRUS vendors Have sent us today a warning to quickly help internet users and companies with this virus.

NOTICE:

Forward this Page to all your contacts and Friends in order to help us Face the infection with less loss.

Virus Profile: W32/zeRx.Virus.x001

Risk Assessment

  - Home Users: High-Profiled
  - Corporate Users: High-Profiled

Date Discovered: 26/11/2005
Date Added: 271/2005
Origin: Unknown
Length: 96,716 bytes (packed with exe32pack)
Type: Virus
SubType: Worm
DAT Required: 4354

Virus Family Statistics (over the past 24 hours)

Virus Name         Infected Files   Scanned Files   % Infected Computers
zeRx.Virus.x000    911,174          17,851,431      87.01
zeRx.Virus.x001    325,025          5,202,380       76.00

Virus Characteristics

This threat has been deemed high-risk-profiled due to media attention at:

McAfee Proactive Detection
McAfee products running (release date November 24th 2005) detected this threat as W32/zeRx.Virus.x001 (with scanning of compressed files enabled - default setting).

This threat bears the following characteristics:

  • serves as a trojan backdoor on the victim machine, getting remote commands via its connection to a remote IRC server. Backdoor functionality includes:
    • participate in distributed denial of service (DDoS) attacks
    • file download/upload/execution
    • manipulate processes (list, kill)
    • relay SMTP traffic
    • provide HTTP server
    • provide TFTP file server
    • log keystrokes on the victim machine
    • shut down machine
  • propagates to machines over the network through several mechanisms:
    • copying itself to poorly secured shares (weak usernames/passwords)
    • copying itself to poorly secured MSSQL servers (again weak username/password combinations)
    • exploiting several Microsoft vulnerabilities
    • exploiting the backdoors of other malware
      • W32/Bagle
      • W32/Mydoom
      • BackDoor-RS
      • W32/Kuang
  • attempts to steal data (e.g. registration keys) associated with various computer games.
  • After 24 hours on an infected system it may damage the MOTHER BOARD (MB BIOS) and overclock the processor to its maximum clock.

Indications of Infection

General symptoms will vary as with any other malware that provides remote access to the victim machine. Typically the following factors may indicate infection with an IRC bot:

  • unexpected outgoing IRC traffic (TCP, typically destination port 6667, 6767, or 8080)
  • unexpected existence of FTP server or HTTP server on the machine (not necessarily using 'standard' ports)
  • unusually high network traffic (this may indicate the machine is participating in a DDoS attack)
  • unexpected services installed and running on the victim machine

When executed, this variant installs itself as SYSTEMC32.EXE on the victim machine, within the Windows system folder, for example:

  • C:\WINDOWS\SYSTEM32\SYSTEMC32.EXE

The following Registry keys are added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Updates" = SYSTEMC32.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Updates" = SYSTEMC32.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Updates" = SYSTEMC32.EXE
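As an added defender-side example, not part of the message above, the following Python checks for the indicators the message lists: outbound TCP connections to ports 6667, 6767 or 8080 in netstat-style output, and Run/RunServices entries named "Microsoft Updates" or pointing at SYSTEMC32.EXE in a .reg-style export. Both sample inputs, including the IP addresses, are constructed and do not come from any real system.

```python
import re

# Constructed sample input: netstat-style lines (proto, local, remote, state).
SAMPLE_NETSTAT = """\
TCP    192.168.1.20:1045    203.0.113.9:6667     ESTABLISHED
TCP    192.168.1.20:1046    198.51.100.4:443     ESTABLISHED
TCP    192.168.1.20:1047    203.0.113.10:8080    SYN_SENT
TCP    192.168.1.20:1048    198.51.100.5:80      ESTABLISHED
"""

# Constructed sample input: a .reg-style export of two of the startup keys named above.
SAMPLE_REG = """\
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Microsoft Updates"="SYSTEMC32.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"Microsoft Updates"="SYSTEMC32.EXE"
"""

IRC_PORTS = {6667, 6767, 8080}       # ports listed under "Indications of Infection"
SUSPECT_IMAGE = "systemc32.exe"      # file name the message says the worm installs
SUSPECT_VALUE = "microsoft updates"  # registry value name the message lists


def suspicious_connections(netstat_text):
    """Return (remote_host, port) for TCP connections to the IRC-style ports."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")   # remote address is the third column
        if port.isdigit() and int(port) in IRC_PORTS:
            hits.append((host, int(port)))
    return hits


def suspicious_run_entries(reg_text):
    """Return (key_path, value_name, data) for Run/RunServices/RunOnce entries matching the indicators."""
    hits = []
    key = None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # new key section
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"', line)
        if not m or key is None:
            continue
        if not re.search(r"\\Run(Services|Once)?$", key, re.IGNORECASE):
            continue                               # only startup keys are of interest
        name, data = m.groups()
        if name.lower() == SUSPECT_VALUE or data.lower().endswith(SUSPECT_IMAGE):
            hits.append((key, name, data))
    return hits
```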

Method of Infection

This worm spreads by exploiting various vulnerabilities of Microsoft Windows and backdoors opened by some worms. There are many members of this family, not all yet known; we are working hard to discover the whole family.

Removal Instructions

All Users:
The removal tool can complete the repair without a reboot, but operating systems other than Windows ME/XP require a reboot for the repair to complete.

Additional Windows ME/XP removal considerations

PLEASE CLICK TO DOWNLOAD THE REMOVAL TOOL BEFORE YOU GET INFECTED

CLICK HERE

HELP:

1-      Disable your antivirus program (in order to have no conflict with the removal tool engine).

2-      Click the link to download the removal tool.

3-      Click open after download complete.

4-      Wait about 5 minutes; if your system is infected, a message box will appear saying your PC is safe now, else if your system is not infected the patch will install an anti-bug for no future infection.

REGARDS,

Contact us:

FBI SECURITY E-CRIMINALS.

http://www.ic3.gov

http://www.fbi.gov

Copyright © 2003-2005 FBI US,CA

