I tell ya, it's just plain pitiful when them highly-trained, well-dressed FBI agents can't even compose a coherent email. Can't they afford secretaries? "Forward this Page to all your contacts and Friends in order to help with us Faceing the infection for less lose." [Note for the uncertain: yes, I know it is a virus-infested spam. Let me have my fun, OK? Especially the part where I get to feel smug at using a computing platform that is not ridiculously easy to compromise.]
From: FBI
To: carla@xxxxx
Date: Sat Dec 3 18:38:05 2005
DANGEROUS VIRUS DISCOVERD
We Have Recivied Warning from US-ISS (USA INTERNET SECURITY SYSTEM) To Notify all Internet Users To The Dangerous Discovered Virus, With The Disinfection tool.
A new high-risk computer virus dubbed "W32/zeRx.Virus.x001"was confirmed to have been attacking the Internet since Yesterday night.
The highly infectious virus was reported to have hit almost 170,000 workstations and 300,000 Microsoft Outlook users globally.
The rapid spread of the Goner bug is said to rival the outbreak of the Love Bug virus which caused millions of dollars in damage in April last year.
Trend Micro country sales manager Wong Joon Hoong said yesterday the pattern of the virus was detected in this region at 10.30 last night and could be categorised as a high risk due to its fast spreading nature.
McAffe,Norton,Norman,NOD32 and Kaspersky ANTIVIRUS'S Has sent us today a warning to fast help internet users ,companies about this virus.
NOTICE:
Forward this Page to all your contacts and Friends in order to help with us Faceing the infection for less lose.
Virus Profile: W32/zeRx.Virus.x001
Risk Assessment
- Home Users: High-Profiled
- Corporate Users: High-Profiled
Date Discovered: 26/11/2005
Date Added: 271/2005
Origin: Unknown
Length: 96,716 bytes (packed with exe32pack)
Type: Virus
SubType: Worm
DAT Required: 4354
Virus Family Statistics (over the past 24 hours)
Virus Name        Infected Files   Scanned Files   % Infected Computers
zeRx.Virus.x000   911,174          17,851,431      87.01
zeRx.Virus.x001   325,025          5,202,380       76.00
Virus Characteristics
This threat has been deemed high-risk-profiled due to media attention at:
McAfee Proactive Detection
McAfee products running (release date November 24th 2005) detected this threat as W32/zeRx.Virus.x001 (with scanning of compressed files enabled - default setting).
This threat bears the following characteristics:
serves as a trojan backdoor on the victim machine, getting remote commands via its connection to a remote IRC server. Backdoor functionality includes:
participate in distributed denial of service attack (DDoS).
file download/upload/execution
manipulate processes (list, kill)
relay SMTP traffic
provide HTTP server
provide TFTP file server
log keystrokes on the victim machine
shut down machine
propagates to machines over the network through several mechanisms:
copying itself to poorly secured shares (weak usernames/passwords)
copying itself to poorly secured MSSQL servers (again weak username/password combinations)
exploiting several Microsoft vulnerabilities
WebDAV (MS03-007)
DComRPC (MS03-026)
UPNP (MS03-049)
PNP_(MS04-032)
LSASS (MS03-009)
NTSHARES
exploiting the backdoors of other malware
W32/Bagle
W32/Mydoom
BackDoor-RS
W32/Kuang
attempts to steal data (eg. registration keys) associated with various computer games.
After 24 hour of infected system may damage MOTHER BOARD(MB BIOS) + over clocking processor to maximum clocking.
Indications of Infection
General symptoms will vary as with any other malware that provides remote access to the victim machine. Typically the following factors may indicate infection with an IRC bot:
unexpected outgoing IRC traffic (TCP, typically destination port 6667, 6767, or 8080)
unexpected existence of FTP server or HTTP server on the machine (not necessarily using 'standard' ports)
unusually high network traffic (this may indicate machine is participating in DDoS attack)
unexpected services installed and running on the victim machine
When executed, this variant installs itself as SYSTEMC32.EXE on the victim machine, within the Windows system folder, for example:
C:\WINDOWS\SYSTEM32\SYSTEMC32.EXE
The following Registry keys are added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Updates" = SYSTEMC32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Updates" = SYSTEMC32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Updates" = SYSTEMC32.EXE
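A defender-side check for the persistence indicators the message lists (a Run/RunServices value named "Microsoft Updates" that launches SYSTEMC32.EXE), added here as an example; it is not part of the original post or of the message. It reads the live registry only on Windows and returns nothing elsewhere; the sample entries used to exercise it are constructed.

```python
# Indicators quoted in the alert: an autorun value "Microsoft Updates" launching SYSTEMC32.EXE.
IOC_VALUE_NAME = "microsoft updates"
IOC_BINARY = "systemc32.exe"
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

def _basename(command):
    """Lower-cased file name of the executable in an autorun command string."""
    cmd = command.strip()
    if not cmd:
        return ""
    # Quoted paths may contain spaces; unquoted ones end at the first space.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_autorun_entries(entries):
    """entries: iterable of (key_path, value_name, command); returns
    (key_path, value_name, reason) per hit. Value name and binary name are
    checked independently so a renamed value that still runs the binary is caught."""
    hits = []
    for key_path, value_name, command in entries:
        reasons = []
        if value_name.strip().lower() == IOC_VALUE_NAME:
            reasons.append("value name matches alert")
        if _basename(command) == IOC_BINARY:
            reasons.append("binary name matches alert")
        if reasons:
            hits.append((key_path, value_name, "; ".join(reasons)))
    return hits

def read_autorun_entries():
    """Collect the live Run/RunServices values; returns [] on non-Windows hosts."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return []
    entries = []
    for key_path in AUTORUN_KEYS:
        hive, subkey = key_path.split("\\", 1)
        try:
            with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    entries.append((key_path, name, str(data)))
        except OSError:
            continue  # key absent, e.g. RunServices on NT-based Windows
    return entries
```

On a Windows host, `flag_autorun_entries(read_autorun_entries())` lists the matching entries; elsewhere feed it entries exported from a registry dump.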
Method of Infection
This worm spreads by exploiting various vulnerability of Microsoft windows and backdoors opened by some worms. There are many members of this family but not yet known we working hard to discover all family.
Removal Instructions
All Users:
Use The removal tool can complete repair without reboot, but other operating system else Windows ME/XP require a reboot for repair to complete.
Additional Windows ME/XP removal considerations
PLEASE CLICK TO DOWNLOAD THE REMOVAL TOOL BEFORE GET INFECTED
CLICK HERE
HELP:
1- Disable your antivirus program (in order to have no conflict with the removal tool engine).
2- Click the link to download the removal tool.
3- Click open after download complete.
4- Wait about 5 minutes if your system is infected will appear a message box saying your pc is safe now, else if your system is not infected so the patch will install anti bug for no future infection.
REGARDS,
Contact us:
FBI SECURITY E-CRIMINALS.
www.ic3.gov
www.fbi.gov
Copyright © 2003-2005 FBI US,CA