Does anyone know why the following code triggers alerts in Kaspersky and others, including ClamAV, for the presence of the Worm.Allaple malware?
Code:
<OBJECT type="application/x-oleobject"CLASSID="CLSID:EE24D238-E0D2-5435-8433-E44B39F0D48F"></OBJECT>
There was a URL with an alert; I removed the code above and it no longer alerted. Google has nothing to say about it, which makes me think that this phenomenon does not exist.
---
THEY KILLED KENNEDY, RIGHT? WATCH HIS
SPEECH ABOUT SECRET SOCIETIES
- - http://youtu.be/RfeFSzB8mqw --
---
BEST SPEECH I HAVE EVER SEEN, CHARLIE CHAPLIN
http://www.youtube.com/watch?v=sGpCds0e-kg
(HQ) http://www.redhat.com/v/magazine/ogg/truthhappens.ogg
I found it here. It is the method of a variant of Allaple. It is a unique method:
Network Worm Allaple.b (aka Rahack.W and Rahack.BB)
This method used by the worm is pretty unique and was never used by previous worms. During the scan of the drive that follows the infection, the worm creates multiple files in directories that contain HTML files. When it finds an htm or html file, the worm creates an executable file with a random name, and modifies the HTML file to run the executable file every time it is opened. In the case of temporary IT folders, that essentially guarantees reinfection even if the registry was cleaned, if the folders are not cleaned (a special setting in Tools/Internet options/Advanced called "Empty Temporary Internet Files folder when the browser is closed" should be checked in IE). In a corporate environment such a change can be performed via uniform modification of the registry for all desktops.
Please note that after each reboot the scan is repeated, and if there are additional drives (for example backup USB drives or flash drives) connected, all HTML files on those drives will be modified as well and multiple (sometimes hundreds) of EXE files with an eight-character random name and length 57856 dropped in particular folders.
It is important to stress that for this particular strain of the worm (version B) each dropped executable has a name exactly 8 characters in length and a fixed size of 57856. So they are pretty easily detectable even without antivirus.
HTML files in this directory are modified to point to this file in <object> tag that the worm inserts in them just after <html> tag.
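The two indicators from the quoted write-up (eight-character .exe names with size 57856, and an <object> tag placed right after <html>) can be checked with a short read-only scan. This is an added example, not part of the original thread; the function names and the choice to match any CLSID rather than only the one posted are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

EXE_SIZE = 57856      # fixed size of dropped executables, per the quoted write-up
EXE_STEM_LEN = 8      # dropped file names are exactly eight characters long
# <object> with a CLSID directly after <html>. Assumption: any CLSID is matched,
# not only the one shown in the first post.
OBJECT_AFTER_HTML = re.compile(
    rb'<html[^>]*>\s*<object\b[^>]*\bclassid\s*=\s*"clsid:([0-9a-f-]{36})"',
    re.IGNORECASE)


def scan(root):
    """Return (suspect_exes, {html_path: (clsid, exe_in_same_dir)}) under root."""
    suspect_exes, tagged_html = [], {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext == ".exe":
            if len(path.stem) == EXE_STEM_LEN and path.stat().st_size == EXE_SIZE:
                suspect_exes.append(path)
        elif ext in (".htm", ".html"):
            m = OBJECT_AFTER_HTML.search(path.read_bytes())
            if m:
                tagged_html[path] = m.group(1).decode().upper()
    exe_dirs = {p.parent for p in suspect_exes}
    return suspect_exes, {p: (clsid, p.parent in exe_dirs)
                          for p, clsid in tagged_html.items()}


def build_sample_tree(root):
    """Constructed sample data: one tagged page, one clean page, two EXEs."""
    root = Path(root)
    tag = (b'<OBJECT type="application/x-oleobject"'
           b'CLASSID="CLSID:EE24D238-E0D2-5435-8433-E44B39F0D48F"></OBJECT>')
    (root / "index.html").write_bytes(b"<html>" + tag + b"<body>hi</body></html>")
    (root / "clean.htm").write_bytes(b"<html><body>hi</body></html>")
    (root / "abcdefgh.exe").write_bytes(b"\0" * EXE_SIZE)   # matches both heuristics
    (root / "setup.exe").write_bytes(b"\0" * EXE_SIZE)      # right size, wrong name length


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        exes, pages = scan(tmp)
        print("suspect executables:", [p.name for p in exes])
        for page, (clsid, has_exe) in pages.items():
            print(page.name, clsid, "exe in same dir:", has_exe)
```

A tagged HTML file with no matching executable beside it, as in the first post's case of a page that still alerted, is reported with the last field set to False.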