#1
Historian
Join Date: Aug 2003
Location: MALAYSIA
Posts: 283
W32.Squirm@mm is an Internet worm that is written in C++ and is packed with PEBundle. It attempts to spread using the following methods:
By email, it sends itself to the contacts in the Microsoft Outlook Address Book, with the following message:

From: support@microsoft.com
Subject: Microsoft Security Bulletin
Message: Unchecked Buffer in Windows Explorer Could Enable System Compromise (329390)
Summary
Who should read this bulletin: Customers using Microsoft Windows 95,98,2K,ME,XP
Impact of vulnerability: Run code of an attacker's choice
Maximum Severity Rating: Critical
Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should apply the patch immediately.
Attachment: patch.zip or patch_329390.exe

Through file sharing applications, including KaZaA, Morpheus, eDonkey, Grokster, LimeWire, GNucleus, BearShare, Direct Connect, and ICQ, by placing itself in their default shared folders, if the programs are installed.

By using DCC, the worm sends itself in IRC.

The worm sends a notification to its author when a host is infected and listens on port 61282 for a connection.

As for the remedies... do this, friends:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as W32.Squirm@mm.
4. Delete the value that was added to the registry.
Bet ya all know how... right?
Additional information: The worm may drop the following files:

#2
|
Historian
Join Date: Aug 2003
Location: MALAYSIA
Posts: 283
teach ya all something too
to delete the registry is like this... P.S.: always back up your windows registry b4 doing this
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit, then click OK. (The Registry Editor opens.)
3. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value: "CPUManager"="%Windir%\cpumgr.exe"
5. Exit the Registry Editor.
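Added here as an example, not code from the thread, Symantec, or any of the posters: a PowerShell triage script that checks a Windows host for the three indicators the first two posts give (the CPUManager Run value pointing at %Windir%\cpumgr.exe, that file on disk, and a listener on TCP 61282). It is read-only unless -Remove is passed, in which case it exports the Run key first, as post #2 advises, and deletes only that value. The -Remove switch name, the backup path, and the use of Get-NetTCPConnection (Windows 8 / Server 2012 and later) are my choices.

```powershell
# Added triage script (not from the thread): checks a Windows host for the
# W32.Squirm@mm indicators the posts above name. Read-only unless -Remove is
# given; removal needs an elevated prompt because it writes under HKLM.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'CPUManager'                       # value named in post #2
$dropped  = Join-Path $env:windir 'cpumgr.exe' # %Windir%\cpumgr.exe from that value
$port     = 61282                              # listener port from post #1
$findings = @()

# 1. Persistence: the Run value the removal steps say to delete.
$val = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
if ($val) {
    $findings += "Run value '$valName' = '$($val.$valName)'"
    if ($Remove) {
        # Back up the whole key first, then delete only the one value.
        $backup = Join-Path $env:TEMP 'Run-backup.reg'   # assumed backup location
        reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
        Remove-ItemProperty -Path $runKey -Name $valName
        $findings += "  value removed; key backed up to $backup"
    }
}

# 2. The executable that value launches.
if (Test-Path -LiteralPath $dropped) {
    $f = Get-Item -LiteralPath $dropped
    $findings += "File present: $dropped ($($f.Length) bytes, modified $($f.LastWriteTime))"
}

# 3. Backdoor listener on TCP 61282. Get-NetTCPConnection exists on Windows 8 /
#    Server 2012 and later; on older hosts use 'netstat -ano' and look for :61282.
$l = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
foreach ($c in $l) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Listener on TCP $port owned by PID $($c.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No W32.Squirm@mm indicators found on this host.' }
```

Run it without -Remove first and confirm the flagged value and file are really the worm's before running it again with -Remove; the exported .reg file lets you restore the key if needed.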

#3
|
Relic Hunter
Join Date: May 2003
Posts: 7,098
Thank you Lara_tx.
Your vigilance is much appreciated.

#4
|
Professor
Join Date: Jul 2003
Location: France
Posts: 3,145
I'm glad people like Lara TX are on the lookout for bugs.
But I really didn't understand the message, I was only intimidated by it. Now I'm sitting here even more paranoid than normal.

#5
|
Relic Hunter
Join Date: May 2003
Posts: 7,098
Hi John Falstaff
I really don't understand any of the virus warnings either, I am just glad to be aware of them. They make me quite paranoid as well, I remember when I didn't worry about them at all...I believe that was long ago last week.

#6
|
Professor
Join Date: Jul 2003
Location: France
Posts: 3,145
Hi Isabella,
The paranoia curve is definitely rising, sharply. But I'm in a situation where I cannot afford to have my PC crash or whatever. But instructions on a lot of help sites read to me like 'go to blah, enable the whosis, get to your firewall - turn it inside out and shake it all about' etc. I would REALLY be grateful if anyone knew a website, book or thingamajig that really explained all this for complete idiots.

#7
|
Explorer
Join Date: Jun 2003
Location: Orlando,Florida
Posts: 611
Thank goodness I don't use any Gnutella-based p2p apps. It's easy to get viruses through them since they all depend on a server.

#8
|
Professor
Join Date: Jul 2003
Posts: 2,684
I agree with you, John, it needs to be done in layman's terms with lots of screenshots of what we have to do.

#9
|
World News Editor
Join Date: Jun 2003
Location: Michigan, US
Posts: 6,070
I'm just glad we finally got a firewall today.

#10
|
Professor
Join Date: Jul 2003
Location: France
Posts: 3,145
Hi y'all,
Andrew II, no criticism of you is intended at all, but while I could understand the second sentence of your post, the first might as well have been written in cuneiform or Sanskrit as far as I'm concerned. Not your fault I know! Neil's idea of screenshots is spot on. Celli, I'm glad you're glad that you've got a firewall (whatever that is). I just hope you remember to turn it inside out and shake it all about!