LymeNet Flash Discussion
Author Topic: EMAIL TROJAN HORSE VIRUS ALERT!
lymie tony z
Frequent Contributor (1K+ posts)
Member # 5130

HEY LYMIES,

DON'T OPEN ANY EMAILS FROM UNUSUAL OR UNKNOWNS.

THERE MAY BE PROVACATIVE,INVITING,WEIRD SUBJECT MATTER.

SPECULATION IS THAT A TROLL IS TRYING TO ENTER YOUR PC WITH A TROJAN HORSE TYPE VIRUS TO GUM UP THE WORKS.

CAREFUL........ZMAN

--------------------
I am not a doctor...opinions expressed are from personal experiences only and should never be viewed as coming from a healthcare provider. zman

Posts: 2527 | From Safety Harbor, Florida (origin Cleveland, Ohio) | Registered: Jan 2004
lymie tony z
Frequent Contributor (1K+ posts)
Member # 5130

bump me up

--------------------
I am not a doctor...opinions expressed are from personal experiences only and should never be viewed as coming from a healthcare provider. zman

Posts: 2527 | From Safety Harbor, Florida (origin Cleveland, Ohio) | Registered: Jan 2004
bettyg
Unregistered


Tony, please leave more info than what you did!

Are you talking about this one supposedly from WALMART? It all went together, and I'm not taking the time to break it up.

BackDoor-BAC!55436

Type: Trojan
SubType: Remote Access
Discovery Date: 10/10/2006
Length: 55,436 bytes
Minimum DAT: 4870 (10/10/2006)
Updated DAT: 4872 (10/12/2006)
Minimum Engine: 4.4.00
Description Added: 10/10/2006
Description Modified: 10/10/2006 10:22 PM (PT)

Field definitions:

Type: Type of threat.
SubType: Additional type information.
Discovery Date: Date that AVERT discovered this threat.
Length: File size, in bytes, of the threat.
Minimum DAT: McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and the release date. The highest/newest DAT version should always be used for the most complete protection and is available on the Anti-Virus Updates page.

Each description displays the minimum, fully tested, DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.

For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.

Updated DAT: McAfee DAT files are constantly being updated to enhance detection capabilities. The Updated DAT field specifies the released DAT version that contains the most up to date detection.

Minimum Engine: The scan engine uses the DAT files to detect threats. The Minimum Engine field specifies the lowest/oldest engine version that is capable of detecting this threat. The highest/newest engine version should always be used for the most complete protection and is available on the Anti-Virus Updates page.
Description Added: Date/time this description was published using Pacific Time.
Description Modified: Date/time this description was last modified using Pacific Time.

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Overview
-- Update October 10, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to the prevalence of the trojan being mass spammed.
--
Backdoor-BAC!55436 is a trojan that is delivered via a spammed fake email from Walmart. It opens a backdoor port on the compromised computer which allows a remote attacker unauthorized access, and also posts logged keystrokes and stolen passwords back to the attacker.

Aliases
Backdoor.Haxdoor.R (Symantec)
BKDR_HAXDOR.AU (Trend Micro)

Characteristics
-- Update October 10, 2006 --

A recent spamming has been reported intended to download a variant of Backdoor-BAC. The spammed email message supposedly from Walmart is sent as follows:

From: [email protected]
Subject: Order Confirmation number: 37679041
Body:

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!


Symptoms
Upon execution, it drops the following files:

%Windir%\%SysDir%\qo.dll --> Detected as BackDoor-BAC.dll
%Windir%\%SysDir%\qo.sys --> Detected as BackDoor-BAC.sys
%Windir%\%SysDir%\ycsvgd.sys --> Detected as BackDoor-BAC.sys
%Windir%\%SysDir%\ydsvgd.sys --> Detected as BackDoor-BAC.sys
%Windir%\%SysDir%\ydsvgd.dll --> Detected as BackDoor-BAC.dll

Creates the following registry entries to auto start the trojan at windows logon.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd

"DllName" = "ydsvgd.dll"
"Startup" = "XWD33Sifix"

Registers its rootkit component to start as a service.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service\Ycsvgd
"PTA Adapter" = "%Windir%\%SysDir%\ydsvgd.sys"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service\Ydsvgd
"PTA Adapter32" = "%Windir%\%SysDir%\ycsvgd.sys"

Creates the following registry entries to enable the trojan to start even in windows safe mode.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys

Opens a backdoor on TCP port 16661 which allows a remote attacker unauthorized access.
Additionally it opens two random TCP ports on an infected computer.

Rootkit component:

"ydsvgd.sys" is the rootkit component of this trojan and is responsible for hiding the presence of the trojan on an infected system.

It hooks into the System Service Descriptor Table (SSDT) and alters the addresses corresponding to the NtXXX functions implemented in Ntoskrnl.exe.

The following NtXXX functions are replaced with pointers to the rootkit code:

NtOpenThread
NtOpenProcess
NtCreateProcess
NtQueryDirectoryFile
NtQuerySystemInformation

When the rootkit is loaded, it hides files that contain any of the following strings:

gsvga.bin
lps.dat
mnsvgas.bin
qo.dll
qo.sys
shsvga.bin
shsvga.bin
t001f.exd
ttsvga.dat
wagfola4w.dat
ycsvgd.sys
ydsvgd.dll
ydsvgd.sys

"ydsvgd.dll" is the password stealing and notification component of this trojan.
Passwords for the following applications are captured:

AutoComplete passwords in Internet Explorer
Password-protected sites in Internet Explorer
IM and Dialup connection passwords

It injects itself into explorer and logs all key strokes and active window titles into the following file:

%Windir%\%SysDir%\kps001.sys

Method of Infection
This trojan was mass spammed on October 10th, 2006.

Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants
N/A

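For anyone who wants to check a Windows machine for the persistence artifacts the McAfee description above lists (dropped files, the Winlogon Notify package, the driver services, the SafeBoot entries and the fixed TCP 16661 listener), here is a read-only PowerShell check. It is an added example, not McAfee's code and not part of the original post; it assumes a modern Windows with the Get-NetTCPConnection cmdlet, and it uses the real hive path "Services" where the description writes "Service".

```powershell
# Added example: report-only check for BackDoor-BAC!55436 artifacts named in the
# McAfee description. Nothing is deleted. Run from an elevated PowerShell prompt.
$sys = [Environment]::GetFolderPath('System')      # usually C:\Windows\System32
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. The rootkit hides names containing these strings on a live
#    system, so "not found" here does not prove the host is clean.
foreach ($f in 'qo.dll','qo.sys','ycsvgd.sys','ydsvgd.sys','ydsvgd.dll','kps001.sys') {
    $p = Join-Path $sys $f
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}

# 2. Winlogon Notify package that loads ydsvgd.dll at logon.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd'
if (Test-Path -LiteralPath $notify) {
    $v = Get-ItemProperty -LiteralPath $notify
    $findings.Add("Winlogon Notify key: $notify DllName=$($v.DllName) Startup=$($v.Startup)")
}

# 3. Driver services and the SafeBoot entries that let the driver load in Safe Mode.
#    Assumption: the description's "CurrentControlSet\Service" means the real
#    "CurrentControlSet\Services" hive path.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Ycsvgd',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Ydsvgd',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# 4. The fixed backdoor listener on TCP 16661. The two random ports cannot be
#    matched by number; review any unexpected LISTENING sockets separately.
$l = Get-NetTCPConnection -State Listen -LocalPort 16661 -ErrorAction SilentlyContinue
if ($l) {
    $findings.Add("TCP 16661 listening, owning PID(s): $(($l.OwningProcess) -join ',')")
}

if ($findings.Count -eq 0) {
    'No BackDoor-BAC!55436 artifacts found (an active rootkit can hide files and keys).'
} else {
    'Possible BackDoor-BAC!55436 artifacts:'
    $findings | ForEach-Object { "  $_" }
}
```

Because the rootkit hooks NtQueryDirectoryFile and NtQuerySystemInformation on a running system, the only reliable check is from clean media (an offline scan or a boot disk), which is why the description's removal advice relies on the scanner's own engine rather than on looking for the files by name.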
Ann-OH
Frequent Contributor (5K+ posts)
Member # 2020

I think Tony was just giving a heads-up! You should be very careful about opening any e-mail from an unfamiliar address.

If he gets very specific, the troll will just change tactics.

Don't know where you got the info you posted, but it was intriguing.

Ann - OH

--------------------
www.ldbullseye.com

Posts: 5705 | From Ohio | Registered: Jan 2002
bettyg
Unregistered


Ann,
I went to both McAfee and Norton sites checking their VIRUS THREATS; found it in 1 of them.
Bettyg

© 1993-2020 The Lyme Disease Network of New Jersey, Inc.