JS.Fortnight.B@mm


Type: Script/Mass Mailer
Size: ~6 kbytes
Risk: Very low

Symptoms:
- the file "s.htm" in the Windows directory, containing "www.prostol.com";
- the file "hosts" in the Windows directory, containing "66.159.16.110" and "66.159.17.25";
- the registry key: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\"="http:/www.pixpox.com/cgi-bin/click.pl?url="

Technical description:
The virus arrives in infected e-mail messages that carry the file "s.htm" as their signature. When the infected e-mail is opened, the virus uses an IFRAME to remotely execute the file containing the viral code (another HTML file) and infects the current user.

After running, the virus modifies the following registry keys:
"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab"="1"
"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab"="1"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\"="http:/www.pixpox.com/cgi-bin/click.pl?url="

As a result, any address entered in Internet Explorer is redirected to the URL mentioned above.

It creates the file "s.htm" in the Windows directory and sets all Outlook signatures to "s.htm".

It creates the file "hosts" in the Windows directory and routes a number of URLs to the IP addresses 66.159.17.25 and 66.159.16.110.

Disinfection:
- manual disinfection: delete all infected files

Note: The viruses in this section were analysed by Softwin and can be removed with the BitDefender antivirus.
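The three symptoms listed above can be checked together during triage. The following is an added example, not part of the original description or of any BitDefender tool: it assumes the caller has already read the "hosts" file, the "s.htm" file and the DefaultPrefix registry value into strings, and the function names and sample data are constructed for illustration.

```python
# Indicators taken from the description above.
REDIRECT_IPS = {"66.159.16.110", "66.159.17.25"}
SIGNATURE_MARKER = "www.prostol.com"
PREFIX_MARKER = "pixpox.com"


def redirected_hosts(hosts_text):
    """Return {hostname: ip} for hosts-file entries that point at a listed IP."""
    hits = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]     # one IP, then one or more names
        if ip in REDIRECT_IPS:
            for name in names:
                hits[name.lower()] = ip
    return hits


def triage(hosts_text, signature_html, default_prefix):
    """Collect the three symptoms the description lists for one machine."""
    return {
        "hosts_redirects": redirected_hosts(hosts_text),
        "signature_file": SIGNATURE_MARKER in signature_html.lower(),
        "default_prefix": PREFIX_MARKER in default_prefix.lower(),
    }


# Constructed sample input (hostnames and the .htm path are placeholders).
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
66.159.17.25    billing.example.test   # redirected
66.159.16.110   Counter.Example.test tracker.example.test
192.0.2.10      intranet.example.test
"""
SAMPLE_SIGNATURE = '<iframe src="http://www.prostol.com/placeholder.htm"></iframe>'
SAMPLE_PREFIX = "http:/www.pixpox.com/cgi-bin/click.pl?url="

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOSTS, SAMPLE_SIGNATURE, SAMPLE_PREFIX).items():
        print(key, "->", value)
```

Any non-empty "hosts_redirects" result, or either flag set to True, matches a symptom from the list above and warrants the manual disinfection step.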
