NEW WALLON VIRUS THAT GETS IN THROUGH THE MISSING MS04-013 PATCH


Post by msc hotline sat » 18 May 2004, 14:10

We have already received incident reports of the new Wallon virus, which arrives by e-mail without any attached file, infecting through EXPLOIT-MHTRedir.gen. It is controlled with the current McAfee DATs, 4360.



McAfee's description:

__________________________________________



Virus Name: W32/Wallon.worm.a

Risk Assessment: Corporate User: Low-Profiled; Home User: Low-Profiled

Virus Information

Discovery Date: 05/07/2004

Origin: Unknown

Length: 150,528 bytes

Type: Virus

SubType: Internet Worm

Minimum DAT: 4360 (05/12/2004)

Updated DAT: 4360 (05/12/2004)

Minimum Engine: 4.2.40

Description Added: 05/11/2004

Description Modified: 05/14/2004 2:55 PM (PT)

Virus Characteristics:

-- Update May 13, 2004 --





The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://zdnet.com.com/2100-1105_2-5211168.html



This worm mass-mails a hyperlink to recipients found on the local system. It also attempts to harvest email addresses and send them to a specified address (likely for the purpose of sending SPAM at a later date).



Email propagation

Messages sent by the worm appear as follows:



Subject: RE:

Body: http://drs.yahoo.com/%recipient's domain% / NEWS

Attachment: there is no attachment



The message body simply contains a hyperlink, which is designed to trick users into thinking that they are going to a Yahoo News site, when in fact they are redirected to a page on the http://www.security-warning.biz domain.



Clicking the hyperlink in the email message directs users to a site, which redirects the user to another site. This redirection can occur multiple times, ultimately landing the user on a site that contains exploit code to install a downloader trojan, which downloads and installs the virus.



Addresses harvested from the local machine are sent to the address 1@600pics.cjb.net



The worm also navigates to a pornographic website pixpox.com.



Symptoms

The worm creates the following registry key:



HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Wh" = Yes

The worm does not create any other registry keys.



Method Of Infection

This worm spreads by sending a hyperlink via email to addresses harvested from the Windows Address Book (WAB). The worm contains its own SMTP engine and uses the default SMTP server specified in the Internet Account Manager.



Sent messages attempt to trick users into following the hyperlink, which ultimately results in an infection. Through a series of redirected pages, the user is taken to a site that contains Internet Explorer exploit code (this page exploits MS04-013 and is detected as Exploit-MhtRedir.gen). This exploit downloads a CHM file, which contains another Internet Explorer exploit (targeting MS04-004 and detected as VBS/Psyme), which downloads a file and overwrites the existing wmplayer.exe file:



%ProgramFiles%\Windows Media Player\wmplayer.exe

This file downloads and installs the Wallon worm.



Removal Instructions

All Users :

Use current engine and DAT files for detection and removal.



Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).



Variants: none listed.

Aliases:

I-Worm.Wallon (AVP)

W32/Wallon.worm

WORM_WALLON.A (Trend)



__________________________________________



Obviously, this is a reminder of the need to have the Microsoft patches applied. In this case the relevant one is MS04-013.



Regards



ms, 18-05-2004
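As an added example (not from this post or from McAfee's description), the following Python check flags at a mail gateway a message matching the Wallon lure described above: subject "RE:", no attachment, and a body consisting of nothing but one link on the drs.yahoo.com redirector whose path carries a NEWS segment. The exact URL shape is assumed from the template in the description, and the two sample messages are constructed.

```python
import re
from email import message_from_bytes
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
REDIRECTOR_HOST = "drs.yahoo.com"  # Yahoo redirector abused by the lure (from the description)

# Constructed sample messages, not real captures.
LURE = (b"From: alice@example.com\r\nTo: bob@example.org\r\nSubject: RE:\r\n"
        b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
        b"http://drs.yahoo.com/example.org/NEWS\r\n")
BENIGN = (b"From: alice@example.com\r\nTo: bob@example.org\r\nSubject: RE: lunch\r\n"
          b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
          b"See http://news.example.com/today for the plan.\r\n")


def _text_body(msg):
    """Decode every inline text part of the message into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)


def _is_redirector_lure(url):
    """Host is the redirector and the path has a NEWS segment (assumed URL shape)."""
    parsed = urlparse(url)
    return ((parsed.hostname or "").lower() == REDIRECTOR_HOST
            and "NEWS" in parsed.path.upper().split("/"))


def is_wallon_lure(raw_message):
    """True when a raw RFC 822 message matches the Wallon lure pattern."""
    msg = message_from_bytes(raw_message)
    if (msg.get("Subject") or "").strip().upper() != "RE:":
        return False
    if any(part.get_filename() for part in msg.walk()):  # the lure carries no attachment
        return False
    body = _text_body(msg)
    urls = URL_RE.findall(body)
    # The body is nothing but the hyperlink: remove the URLs and expect only whitespace.
    if not urls or URL_RE.sub("", body).strip():
        return False
    return any(_is_redirector_lure(u) for u in urls)
```

A gateway would quarantine such a message instead of delivering it; the registry value "Wh" under HKCU\Software\Microsoft\Internet Explorer\Main from the Symptoms section is the host-side indicator to pair with this check.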


Post by msc hotline sat » 20 May 2004, 18:09

Utility we have created for this virus W32/WALLA.A: ELIWALLA.EXE





https://foros.zonavirus.com/viewtopic.php?p=3335#3335



Regards



ms, 20-05-2004
