Re: lug-bg: repliezzzz...
- Subject: Re: lug-bg: repliezzzz...
- From: zimage@xxxxxxxxx (Theodor Milkov)
- Date: Tue, 24 Apr 2001 10:29:34 +0300
On Mon, Apr 23, 2001 at 07:31:53PM +0300, Stanislav Lechev wrote:
>
> Well, it's very simple: if you missed the previous msg you won't know what it's about.
>
> And how do the replies bother you???
They bother me because for a 2-word answer (sometimes 1 conjunction and 1 pronoun) 10-15k
of messages get sent. There's no way you haven't seen something like this (read to
the end):
---> cut <---
> Look what a scary virus!
>
> ME:
> Hybris
> ALIAS:
> IWorm_Hybris, I-Worm.Hybris
>
>
> Hybris is an Internet worm that spreads itself as an attachment to email messages. The worm works under
> Win32 systems only. The worm contains components (plugins) in its code that are executed depending on
> what worm needs, and these components can be upgraded from an Internet Web site. The major worm
> versions are encrypted with semi-polymorphic encryption loop.
>
> The worm contains the following encrypted text strings:
>
> HYBRIS
> (c) Vecna
>
> The worm's main target on computers it tries to infect is the WSOCK32.DLL library. While infecting this DLL
> the worm:
>
> - writes itself to the end of the last file section
> - hooks the "connect", "recv", "send" functions
> - modifies the DLL entry routine address (a routine that is activated
>   when the DLL file is being loaded) and encrypts the original entry
>   routine
>
> If the worm is not able to infect WSOCK32.DLL at its startup (in case it is in use and is locked for writing) the
> worm creates a copy of this library (a copy of WSOCK32.DLL with random name), infects it and writes
> "rename" instruction to WININIT.INI file. As a result WSOCK32.DLL will be replaced with an infected one on
> next Windows startup.
>
> The worm also creates its copy with random name in Windows system directory and registers it in RunOnce
> registry key:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> {Default} = %WinSystem%\WormName
>
> or
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> {Default} = %WinSystem%\WormName
>
> where %WinSystem% is Windows system directory, and "WormName" is random name, for example:
>
> CCMBOIFM.EXE
> LPHBNGAE.EXE
> LFPCMOIF.EXE
>
> There is only one possible reason to register an additional worm copy in the "RunOnce" registry key: in case
> WSOCK32.DLL was not infected on the first worm run, and its infected copy was not created for some
> reason, the "RunOnce" worm copy will complete the task on the next Windows restart.
>
> While active, the worm intercepts the Windows functions that establish a network connection, including Internet.
> The worm intercepts data that is sent and received, and scans it for email addresses. When address(es) are
> detected, the worm waits for some time and then sends an infected message to that address(es).
>
> The worm functionality depends on the plugins that are stored in the worm body, encrypted with an RSA-like
> strong crypto algorithm with a 128-bit key. Up to 32 plugins can be found in different worm versions.
> These plugins perform different actions; they can be updated from a Web page located at the VietMedia.com
> website.
>
> The complete worm functionality depends only on its host that is able to upgrade plugins from the Web page.
> The plugins are encrypted with a RSA-like crypto too.
>
> The worm also updates its plugins by using the alt.comp.virus newsgroup. The worm, being active on a machine,
> connects to a news server (using one of randomly selected servers - there are more than 70 addresses in
> the list), converts its plugins to newsgroup messages and posts them there. The worm's messages have a random
> Subject, for example:
>
> encr HVGT GTeLKzurGbGvqnuDqbivKfCHWbizyXiPOvKD
> encr CMBK bKfOjafCjyfWnqLqzSTWTuDmfefyvurSLeXGHqR
> text LNLM LmnajmnKDyfebuLuPaPmzaLyXGXKPSLSXWjKvWnyDWbGH
> text RFRE rebibmTCDOzGbCjSZ
>
> where the first four characters represent the plugin "name" and the following four characters represent the encoded
> plugin "version". As well as sending, the worm reads such messages from alt.comp.virus, gets the plugin "name"
> and "version" and compares them with the plugins that are currently used by the worm. In case the newsgroup has a
> message with a higher plugin version, the worm extracts it and replaces the existing one.
>
> The worm drops its plugins to disk as files in the Windows system directory. They also have random names, but the
> worm is able to access them. The names may look as follows:
>
> BIBGAHNH.IBG
> DACMAPKO.ACM
> GAFIBPFM.AFI
> IMALADOL.MAL
> MALADOLI.ALA
>
> There are several different plugins known:
>
> 1. Infect all ZIP and RAR archives on all available drives from C: to Z:. While infecting, the worm renames EXE
> files in the archive with the .EX$ extension and adds its copy with the .EXE extension to the archive (companion method
> of infection).
>
> 2. Send messages with encoded plugins to the "alt.comp.virus" newsgroup, and get new plugins from there.
>
> 3. Spread the virus to remote machines that have the SubSeven backdoor trojan installed. The plugin detects such
> machines on the net, and by using SubSeven commands uploads a worm copy to the machine and spawns it
> there.
>
> 4. Encrypt worm copies with polymorphic encryption loop before sending the copy attached to email.
>
> 5. Affects DOS EXE and Windows PE EXE files. The worm affects them so that they become worm droppers.
> When run, they drop worm's EXE file to TEMP directory and execute it.
>
> While affecting a DOS EXE file the plugin adds dropper code and the worm body to the end of the file. These files
> can be cured.
>
> While affecting a Windows PE EXE file the plugin overwrites the file code section (if it has enough size). The plugin
> doesn't touch the file header (including the entry point address), and does not increase the file size. Moreover, it has an
> anti-CRC (checksum) routine that fills special data into the plugin code so that the file CRC stays the same for a few
> commonly used CRC algorithms. That means that some integrity checkers will not detect changes in affected
> files: the file length and file body CRC stay the same as for the clean file.
>
> 6. Randomly select Subject, Message text and Attach name while sending worm copies with email messages:
>
> From:
>
> Hahaha <hahaha@xxxxxxxxxxx>
>
> Subjects:
>
> Snowhite and the Seven Dwarfs - The REAL story!
> Branca de Neve pornô!
> Enanito si, pero con que pedazo!
> Les 7 coquir nains
>
> Message texts:
>
> C'etait un jour avant son dix huitieme anniversaire. Les 7
> nains, qui avaient aidé 'blanche neige' toutes ces années après
> qu'elle se soit enfuit de chez sa belle mère, lui avaient promis
> une *grosse* surprise. A 5 heures comme toujours, ils sont
> rentrés du travail. Mais cette fois ils avaient un air coquin...
>
> Today, Snowhite was turning 18. The 7 Dwarfs always where very
> educated and polite with Snowhite. When they go out work at
> mornign, they promissed a *huge* surprise. Snowhite was anxious.
> Suddlently, the door open, and the Seven Dwarfs enter...
>
> Faltaba apenas un dia para su aniversario de de 18 años. Blanca
> de Nieve fuera siempre muy bien cuidada por los enanitos. Ellos
> le prometieron una *grande* sorpresa para su fiesta de
> compleaños. Al entardecer, llegaron. Tenian un brillo incomun en
> los ojos...
>
> Faltava apenas um dia para o seu aniversario de 18 anos. Branca
> de Neve estava muito feliz e ansiosa, porque os 7 anões
> prometeram uma *grande* surpresa. As cinco horas, os anõezinhos
> voltaram do trabalho. Mas algo nao estava bem... Os sete
> anõezinhos tinham um estranho brilho no olhar...
>
> Attachment names:
>
> enano.exe
> enano porno.exe
> blanca de nieve.scr
> enanito fisgon.exe
> sexy virgin.scr
> joke.exe
> midgets.scr
> dwarf4you.exe
> blancheneige.exe
> sexynain.scr
> blanche.scr
> nains.exe
> branca de neve.scr
> atchim.exe
> dunga.scr
> anão pornô.scr
>
> As well as (depending on its plugin version) the message Subject is a random combination of:
>
> Anna + sex
> Raquel Darian sexy
> Xena hot
> Xuxa hottest
> Suzete cum
> famous cumshot
> celebrity rape horny
> leather ... e.t.c.
>
> Attachment names:
>
> Anna.exe
> Raquel Darian.exe
> Xena.exe
> Xuxa.exe
> Suzete.exe
> famous.exe
> celebrity rape.exe
> leather.exe
> sex.exe
> sexy.exe
> hot.exe
> hottest.exe
> cum.exe
> cumshot.exe
> horny.exe
> anal.exe
> gay.exe
> oral.exe
> pleasure.exe
> asian.exe
> lesbians.exe
> teens.exe
> virgins.exe
> boys.exe
> girls.exe
> SM.exe
> sado.exe
> cheerleader.exe
> orgy.exe
> black.exe
> blonde.exe
> sodomized.exe
> hardcore.exe
> slut.exe
> doggy.exe
> suck.exe
> messy.exe
> kinky.exe
> fist-f*cking.exe
> amateurs.exe
>
> It is advised to exercise extreme caution when executable attachments arrive in your inbox, no matter where
> they come from and how 'trustworthy' a message looks.
I know that one! ;P
---> cut <---
Well, now tell me what this looks like? There is a thing called netiquette.
You can find it with any search engine. Because a person gets fed up with receiving
200k of mail with 5k of useful information, or with nobody thinking to change the Subject
over the course of 3-4 topics... This wouldn't be so bad if we were, say, the
"User Group of Amateur Florists" or something similar, but in my opinion it is
_unacceptable_ for a LUG.
That's all from me. Nothing personal ;-)
--
=- --rw------- =--=--=--=--=--=--=--=--=--=--=--=--=--=
Theodor Milkov Administrator IP Networks
Davidov Electric Ltd. Phone: +359 (2) 730158
PGP: http://www.zimage.delbg.com/zimage.asc
=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
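A defensive counterpart to the advice at the end of the quoted description, added here as an example and not part of the original message or of the quoted advisory: a small mail-gateway check that parses a message, flags the Hybris indicators listed above (the "Hahaha" sender, the known subjects, .exe/.scr attachments) and holds any message carrying an executable attachment regardless of who it appears to come from. The sample message is constructed; the sender domain example.invalid is a placeholder, since the original address is redacted above.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the Hybris description quoted in the thread.
HYBRIS_SENDER_LOCALPART = "hahaha@"
HYBRIS_SUBJECTS = {
    "Snowhite and the Seven Dwarfs - The REAL story!",
    "Enanito si, pero con que pedazo!",
    "Les 7 coquir nains",
}
# Attachment types the quoted advisory warns about (.exe and .scr).
EXECUTABLE_SUFFIXES = (".exe", ".scr")


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report why it should be held."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = str(msg.get("From", "")).lower()
    if HYBRIS_SENDER_LOCALPART in sender:
        findings.append("sender matches the Hybris 'Hahaha' pattern")
    subject = str(msg.get("Subject", ""))
    if subject in HYBRIS_SUBJECTS:
        findings.append("subject matches a known Hybris subject")
    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Suffix match also catches double-extension names like report.txt.exe.
        if name.endswith(EXECUTABLE_SUFFIXES):
            executables.append(name)
    if executables:
        findings.append("executable attachment(s): " + ", ".join(executables))
    # An executable attachment alone is enough to hold the message,
    # whatever the sender or subject look like.
    return {"subject": subject, "findings": findings,
            "quarantine": bool(executables)}


def build_sample(attachment_name: str, payload: bytes = b"MZ\x90\x00") -> bytes:
    """Constructed test message mimicking the worm's mail (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Hahaha <hahaha@example.invalid>"  # placeholder domain
    m["To"] = "user@example.invalid"
    m["Subject"] = "Snowhite and the Seven Dwarfs - The REAL story!"
    m.set_content("Today, Snowhite was turning 18. The 7 Dwarfs ...")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

Calling `scan_message(build_sample("joke.exe"))` returns a result with `quarantine` set, while the same message with a non-executable attachment is only flagged for its sender and subject.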
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora