It looks like LOVGATE.J is the worse one
Virus Name -- Risk -- Date
PE_LOVGATE.J -- Medium -- May 13
PE_LOVGATE.K -- Low -- May 13
PE_LOVGATE.I -- Low -- May 13
WORM_FIZZER.A -- Medium -- May 11
WORM_CYDOG.C -- Low -- May 8
WORM_XMS.A -- Low -- May 1
WORM_LOVELORN.A -- Low -- Apr 28
WORM_PUROL.A -- Low -- Apr 25
WORM_AGOBOT.F -- Low -- Apr 25
WORM_CORONEX.A -- Low -- Apr 24
WORM_HORSMAN.A -- Low -- Apr 15
WORM_CULT.C -- Low -- Apr 9
WORM_AGOBOT.E -- Low -- Apr 7
VBS_LISA.A -- Low -- Apr 1
WORM_OROR.AI -- Low -- Mar 28
WORM_LOVGATE.G -- Low -- Mar 25
WORM_BIBROG.E -- Low -- Mar 24
WORM_LOVGATE.F -- Low -- Mar 23
WORM_CULT.A -- Low -- Mar 23
WORM_HOLAR.E -- Low -- Mar 21
____________________________________
WORM_LOVGATE.J
This malware is currently spreading rapidly in Korea, from where TrendLabs has received a significant number of infection reports. As of Tuesday, May 13, 12:46 AM (US Pacific Time), Trend Micro has declared a Medium Risk Alert to control the spread of this malware.
This file-infecting virus propagates via shared network drives and via email.
To spread through network shares, it searches for shared folders with read/write access in the same network and drops copies of itself into these folders using the following file names:
100 free essays school.pif
Age of empires 2 crack.exe
AN-YOU-SUCK-IT.txt.pif
Are you looking for Love.doc.exe
autoexec.bat
CloneCD + crack.exe
How To Hack Websites.exe
Mafia Trainer!!!.exe
MoviezChannelsInstaler.exe
MSN Password Hacker and Stealer.exe
Panda Titanium Crack.zip.exe
Sex_For_You_Life.JPG.pif
SIMS FullDownloader.zip.exe
Star Wars II Movie Full Downloader.exe
The world of lovers.txt.exe
Winrar + crack.exe
This malware propagates via email by replying to all new messages received in Microsoft Outlook and Outlook Express. It sends out email with the following format:
From: <Infected User’s Name>
To: <Original Sender>
Subject: RE: <Original Subject>
Message Body:
'''<Infected User’s Name>' wrote:
====
><Original Body> >
====
YAHOO.COM Mail auto-reply:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE <Original Sender’s SMTP account> account now! <
Attachment: (Randomly selected from any of the following:)
I am For u.doc.exe
Britney spears nude.exe.txt.exe
joke.pif
DSL Modem Uncapper.rar.exe
Industry Giant II.exe
StarWars2 - CloneAttack.rm.scr
dreamweaver MX (crack).exe
Shakira.zip.exe
SETUP.EXE
Macromedia Flash.scr
How to Crack all gamez.exe
Me_nude.AVI.pif
s3msong.MP3.pif
Deutsch BloodPatch!.exe
Sex in Office.rm.scr
the hardcore game-.pif
This malware also gathers target email addresses from HTML files that it finds in the current and Windows folders and a specific registry key, and sends an email message with itself as attachment to all the said email addresses. The email message it sends selects randomly from any of the following subjects, message bodies and attachments:
Subject:
Reply to this!
Let's Laugh
Last Update
for you
Great
Help
Attached one Gift for u..
Hi
Hi Dear
See the attachement
Message Body:
For further assistance, please contact!
Copy of your message, including all the headers is attached.
This is the last cumulative update.
Tiger Woods had two eagles Friday during his victory over
Stephen Leaney. (AP Photo/Denis Poroy)
Send reply if you want to be official beta tester.
This message was created automatically by mail delivery
software (Exim).
It's the long-awaited film version of the Broadway hit.
Set in the roaring 20's, this is the story of Chicago
chorus girl Roxie Hart(Zellweger), who shoots her unfaithful
lover (West).
Adult content!!! Use with parental advisory.
Patrick Ewing will give Knick fans something to cheer
about Friday night.
Send me your comments...
Attachment:
About_Me.txt.pif
driver.exe
Doom3 Preview!!!.exe
enjoy.exe
YOU_are_FAT!.TXT.pif
Source.exe
Interesting.exe
README.TXT.pif
images.pif
Pics.ZIP.scr
This malware runs on Windows NT, 2000, and XP systems.
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use the Trend Micro System Cleaner.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.
Scan your system with Trend Micro antivirus and NOTE all files detected as PE_LOVGATE.J. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager. Press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
NOTE: Terminating an instance of this malware also launches an instance of IEXPLORE.EXE. Terminate all other malware instances first before terminating IEXPLORE.EXE.
Addressing Registry Shell Spawning
Registry shell spawning executes the malware when a user tries to open a .TXT file. The following procedures should restore the registry to its original settings.
Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>txtfile>shell>open>command
In the right panel, locate the registry entry:
Default
Check whether its value is the path and file name of the malware file:
"winrpc.exe %1"
If the value is the malware file, right-click Default and select Modify to change its value.
In the Value data input box, delete the existing value and type the default value:
%System%\NOTEPAD.EXE %1
(NOTE: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 9x and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)
Close Registry Editor.
Press Enter.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entries:
WinHelp = "C:\WINNT\System32\WinHelp.exe"
WinGate initialize = "C:\WINNT\System32\WinGate.exe -remoteshell"
Remote Procedure Call Locator = "RUNDLL32.EXE reg678.dll ondll_reg"
Program In Windows = "C:\WINNT\System32\IEXPLORE.EXE"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows NT>CurrentVersion>Windows
In the right panel, locate and delete the entry:
Run = "RAVMOND.EXE"
Close Registry Editor.
Disabling Malware Service
Restart your machine to terminate the malware service.
Open Registry Editor.
To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Microsoft NetWork FireWall Services
Still in the left panel, delete the subkey:
Microsoft NetWork FireWall Services
Close Registry Editor.
_____________________________
This turned out a bit long
sorry for the bore
Regards
Patdav
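The manual removal steps quoted above name four registry locations to inspect. As an added example (not part of the post or of Trend Micro's advisory), this Python sketch scans the text of a `.reg` export for those entries; the function names and the sample export are constructed for illustration, and it assumes the export has already been decoded to a string.

```python
import re

# Indicators taken from the removal steps above (compared case-insensitively).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WIN_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"
SVC_KEY = (r"hkey_local_machine\system\currentcontrolset\services"
           r"\microsoft network firewall services")
RUN_NAMES = {"winhelp", "wingate initialize",
             "remote procedure call locator", "program in windows"}

def parse_reg(text):
    """Yield (key, name, data); name is None for a key header, '@' for Default."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            data = m.group(2).strip('"').replace("\\\\", "\\")
            yield key, m.group(1).strip('"'), data

def find_indicators(text):
    """Return (kind, detail) pairs for every listed indicator found in the export."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if k == SVC_KEY:
                hits.append(("service", key.rsplit("\\", 1)[-1]))
        elif k == RUN_KEY and name.lower() in RUN_NAMES:
            hits.append(("autostart", name))
        elif k == WIN_KEY and name.lower() == "run" and "ravmond.exe" in data.lower():
            hits.append(("autostart", data))
        elif k == TXT_KEY and name == "@" and "winrpc.exe" in data.lower():
            hits.append(("txt-handler", data))
    return hits

# Constructed sample export (not from a real machine): two indicators, one clean value.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"WinHelp"="C:\\WINNT\\System32\\WinHelp.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''
```

A value name such as WinHelp can also belong to legitimate software, so a hit is a prompt to inspect the entry rather than proof of infection.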
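Most of the dropped file names and attachments listed above hide an executable extension behind a harmless-looking one (`.txt.pif`, `.zip.exe`, `.rm.scr`). As an added example (not part of the post or of Trend Micro's advisory), this Python sketch shows how a mail gateway or share audit could classify names on that pattern; the extension sets and function names are assumptions chosen to cover the names on this page.

```python
# Extensions Windows runs directly; every name listed on this page ends in
# one of the first four.
EXECUTABLE_EXT = {"exe", "pif", "scr", "bat", "com", "cmd"}
# Harmless-looking extensions used as the decoy in the names listed on this page.
DECOY_EXT = {"txt", "doc", "jpg", "zip", "rar", "avi", "mp3", "rm"}

def classify_name(name):
    """Return 'double-extension', 'executable' or 'ok' for a file name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = name.strip().strip('"').rstrip(" .").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXT:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "double-extension"
    return "executable"

def triage(names):
    """Group names by verdict so each group can be blocked, held or passed."""
    groups = {"double-extension": [], "executable": [], "ok": []}
    for n in names:
        groups[classify_name(n)].append(n)
    return groups

# Sample input: five names from the lists above plus two constructed benign names.
SAMPLE_NAMES = [
    "README.TXT.pif",
    "Pics.ZIP.scr",
    "Panda Titanium Crack.zip.exe",
    "joke.pif",
    "SETUP.EXE",
    "minutes.2003.05.doc",   # constructed
    "report.txt",            # constructed
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_NAMES).items():
        print(verdict, names)
```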