Security Alert: New Bagle Opens Broad Attack

What started as a dribble early this morning became a fusillade of e-mail messages from countless senders, all bearing zip files containing the potentially malicious Bagle.AQ@mm (a.k.a. Bagle.AC) virus. While still only a medium alert on most virus watch sites, the speed with which the virus has spread and the amount of spam mail it has created frightened users and prompted IT departments to send out e-mails warning users not to open zip files. Here are the details on how to recognize and combat this new threat.

Executive Summary

Name: W32/Bagle.AQ-mm

Affects: Windows XP/2000/NT/9x/Me/2003 Server

What it does: Bagle.AQ is a mass-mailing worm that spreads primarily by e-mail using a JavaScript exploit, JS/IllWill, first seen in October 2001. When the HTML file is opened, it executes a companion .EXE file, which infects the victim's PC by downloading the actual worm code. Once it infects, Bagle.AQ harvests e-mail addresses from the victim's PC and sends copies of itself using its own SMTP engine. The worm also installs a remote access component, opens a backdoor on port 2480, and notifies the attacker. Bagle.AQ attempts to remove registry keys and stop processes associated with security and antivirus software.

How to prevent it: Do not open attachments. Get the latest updates from your antivirus company. Use a firewall with port 2480 blocked. A mitigating factor may be that the JavaScript exploit has been detectable for several years, so it may be caught before the worm can execute.

How to remove it: At this writing, it is unconfirmed that all antivirus companies can detect and clean it. McAfee VirusScan detected and cleaned it on our test machine once it was infected, as did Trend Micro's HouseCall. Removal tools: Trend Micro's online HouseCall, or McAfee's Stinger.

Fact file

Aliases: w32/beagle.AO@mm, worm.bagle.aq
Type of virus: Windows 32 executable
Main executable file: Windll.exe
Executable size: varies, 19460 bytes in our tests
Date discovered: August 9, 2004
Systems affected: Windows XP/2000/9x/Me/NT/2003 Server
Systems not affected: DOS, Windows 3.x, Linux, Mac, OS/2, Unix
Propagation: spreads via e-mail, peer to peer

Details

Bagle.AQ was first discovered on August 9th, and the attack slipped in under the radar of our own corporate antivirus. The virus arrives in an e-mail with no subject and a spoofed "from" address. The attachment is a Zip file which, according to McAfee's analysis, may be password protected, with the password contained in the body text. The samples we received were not password protected. The body has the text "New Price", and the attachment can be named:

price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip

The zip file contains two files, Price.exe and Price.html. When a user clicks on the HTML file, it executes the Price.exe file. The HTML file contains JavaScript that is detected as JS/IllWill. If price.exe is executed by itself (not through the HTML file), it creates a folder containing Price.exe and price.html, in a sort of recursive manner. When executed, the virus attempts to contact one of a list of web sites to download the worm code. Antivirus vendors' analyses differ on how it infects. We found that with a firewall blocking the outgoing traffic, the executable still created the files and registry entries noted below. The virus drops a copy of itself as windll.exe into the Windows System32 folder, along with:

windll.exeopen
windll.exeopenopen
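The lure described above (empty subject, "New Price" body, one of the listed attachment names, and a zip holding the price.exe/price.html pair) is easy to express as a mail-gateway rule. The following Python is an added example, not code from the original alert or from any vendor: it builds constructed sample messages with harmless placeholder bytes and applies the alert's indicators to them. The rule that a lure file name needs corroboration from the subject or body is an assumption chosen here to limit false positives on a generic name like price.zip.

```python
import io
import zipfile

# Indicators from the alert: attachment names used by the lure, the body text,
# and the two-file payload (the HTML's JS/IllWill script launches the EXE).
LURE_ATTACHMENT_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
LURE_BODY_TEXT = "new price"
PAYLOAD_PAIR = {"price.exe", "price.html"}


def zip_member_names(data):
    """Member names of an in-memory zip, lower-cased. Zip encryption only
    protects member contents, so a password-protected archive still lists
    its names; anything that is not a zip yields an empty set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return {info.filename.lower() for info in archive.infolist()}
    except zipfile.BadZipFile:
        return set()


def lure_traits(subject, body, attachments):
    """Return the Bagle.AQ lure traits present in one message.
    attachments maps attachment file name -> raw bytes."""
    traits = []
    if not subject.strip():
        traits.append("empty subject")
    if LURE_BODY_TEXT in body.lower():
        traits.append("body text 'New Price'")
    for name, data in attachments.items():
        if name.lower() in LURE_ATTACHMENT_NAMES:
            traits.append("lure attachment name " + name)
        if PAYLOAD_PAIR <= zip_member_names(data):
            traits.append(name + " holds the price.exe + price.html pair")
    return traits


def is_bagle_aq_lure(subject, body, attachments):
    """Quarantine rule (assumption): the payload pair alone is decisive; a
    known lure file name needs one message-level trait as corroboration."""
    traits = lure_traits(subject, body, attachments)
    if any("price.exe + price.html" in t for t in traits):
        return True
    has_name = any(t.startswith("lure attachment name") for t in traits)
    return has_name and ("empty subject" in traits or "body text 'New Price'" in traits)


def build_zip(members):
    """Constructed sample archive: members maps name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample messages (harmless placeholder bytes, not the worm).
SAMPLE_LURE = (
    "",
    "New Price",
    {"price_08.zip": build_zip({"Price.exe": b"placeholder", "Price.html": b"placeholder"})},
)
SAMPLE_BENIGN = (
    "Q3 invoice",
    "Please find the invoice attached.",
    {"invoice.zip": build_zip({"invoice.pdf": b"placeholder"})},
)

if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, is_bagle_aq_lure(*msg), lure_traits(*msg))
```

Because zip encryption covers only member contents and not the central directory, the member-name check still works on the password-protected variant McAfee describes, which is why it is treated as decisive on its own.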

The Windows system folder can be Windows\system32 (Windows XP/Me) or Winnt\system32 (Windows NT/2000).

It creates the following registry key and value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"

It also creates the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n

We noted that the second registry key (Ru1n) is created with the same value as the Run key when the machine is first infected.

The worm creates a mutex to ensure it only runs one copy at a time on a victim's machine. Like earlier versions of Bagle, the mutex mimics Netsky infections and prevents Netsky from running on the victim machine.

Bagle.AQ opens a backdoor and listens on port 2480 for remote connections. According to McAfee, "it attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites."

The virus can propagate in two ways: by e-mail or through file sharing programs. Bagle.AQ scans the victim's hard drive, looking for e-mail addresses within files with certain extensions. Like earlier versions, Bagle avoids sending e-mail to addresses containing certain strings.

Bagle.AQ also attempts to propagate through Peer to Peer file sharing systems such as Kazaa, Bearshare, and Limewire. It drops a list of "bait" files into folders containing the word "Shar".

The virus attempts to disable antivirus and security software by stopping processes associated with the software, as well as removing registry values from the autostart keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Removing Bagle.AQ manually

Bagle.AQ is not a hard worm to remove. However, if it has disabled your antivirus and security products, it may be more difficult. You remove the main infection by deleting the files in the Windows system folder and removing the registry entries. If you're not familiar with the Registry editor, you should probably use one of the removal tools mentioned earlier. While we highly recommend you back up your registry before editing, be aware that the backup you make will contain entries associated with Bagle.AQ. Since the files are deleted, you may get errors if you restore from that backup at a future date. Once your system has been cleaned and is operating properly, you may want to delete the backup.

1. Disable System Restore if you're using Windows XP or Me. When you make changes to your system, Windows creates a restoration checkpoint. If the OS does this while the system is infected, the worm may come back later should you perform a restore. Also, most antivirus products cannot remove infected files from the restore cache.

2. Restart the computer in Safe mode. Since the Bagle.AQ worm creates running processes and Windows doesn't allow you to delete files connected with running processes, restarting is necessary. Safe mode prevents Windows from loading drivers and AutoRun entries, so when your system boots it's relatively clean.

3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned previously). If your scanner does not remove everything, follow the next few steps.

4. Make a backup of the registry before you edit.

5. Delete the Run entries associated with Bagle.AQ from the registry. These will be flagged by the antivirus program, or you can go directly to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"

Also remove the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n

6. Exit the registry editor.

7. Delete the bait files in folders with 'shar' in their name. If your antivirus has not flagged them, use the list noted below.

8. Re-enable System Restore.

9. Reboot the machine.

10. Rescan with your antivirus to be sure all files are clean.

Lists of strings used by Bagle.AQ

A mutex is created to ensure only one copy of the virus is running. The names used are:

'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
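The host-side indicators spread across this alert (the "erthgdr" Run value pointing at windll.exe, the extra Ru1n key, the dropped windll.exe* files, the TCP listener on port 2480, and the mutex names just listed) can be checked in one triage pass. The Python below is an added example, not part of the original article: it assumes the Run keys were saved with "reg export" to a .reg file, that mutex names come from a handle-listing tool, and that "netstat -an" output was captured; all three inputs here are constructed samples so the script runs offline.

```python
import re

# Indicators from the alert: autostart value name, dropped file names,
# backdoor port and the Netsky-style mutex names.
RUN_VALUE_NAME = "erthgdr"
DROPPED_FILES = {"windll.exe", "windll.exeopen", "windll.exeopenopen"}
BACKDOOR_PORT = 2480
MUTEX_NAMES = {
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "[SkyNet.cz]SystemsMutex",
    "AdmSkynetJklS003",
    "____--->>>>U",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}
ROGUE_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\ru1n"


def parse_reg_export(text):
    """Parse the subset of .reg syntax 'reg export' writes for string values:
    [KEY] headers followed by "name"="value" lines. Returns {key: {name: value}}.
    .reg files double every backslash, so they are collapsed here."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            match = re.match(r'"([^"]+)"="(.*)"$', line)
            if match:
                keys[current][match.group(1)] = match.group(2).replace("\\\\", "\\")
    return keys


def registry_findings(reg_text):
    """Flag the Ru1n key and any autostart value that matches the alert."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower().endswith(ROGUE_KEY_SUFFIX):
            findings.append("rogue key " + key)
        for name, value in values.items():
            basename = value.lower().split("\\")[-1]
            if name.lower() == RUN_VALUE_NAME or basename in DROPPED_FILES:
                findings.append(f"autostart {key}\\{name} = {value}")
    return findings


def mutex_findings(mutex_names):
    """Exact matches against the mutex names the worm uses."""
    return ["mutex " + m for m in mutex_names if m in MUTEX_NAMES]


def listener_findings(netstat_lines):
    """Look for a TCP listener on the backdoor port in 'netstat -an' output."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if (len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].endswith(f":{BACKDOOR_PORT}")):
            hits.append("TCP listener on " + parts[1])
    return hits


def triage(reg_text, mutex_names, netstat_lines):
    return registry_findings(reg_text) + mutex_findings(mutex_names) + listener_findings(netstat_lines)


# Constructed sample inputs mirroring the alert's indicators (not a real export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"erthgdr"="C:\\WINNT\\SYSTEM32\\windll.exe"
"ctfmon"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n]
"erthgdr"="C:\\WINNT\\SYSTEM32\\windll.exe"
'''
SAMPLE_MUTEXES = ["_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_", "Global\\SomeBenignMutex"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135        0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:2480       0.0.0.0:0    LISTENING",
    "  TCP    192.168.1.5:1062   10.0.0.2:80  ESTABLISHED",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_MUTEXES, SAMPLE_NETSTAT):
        print(finding)
```

The Ru1n key is reported on its own even when empty, since the alert notes it exists only on an infected machine; the autostart check matches on either the value name or the dropped file name so a renamed value still surfaces.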

E-mail addresses are extracted from files with the following extensions:

.wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp

Bagle.AQ avoids sending e-mail to addresses with the following strings:

@eerswqe @derewrdgrs @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

Bait files dropped in folders containing the word 'shar'.

©2005 All Rights Reserved   ASP Programe