Sorry your browser is not supported!

You are using an outdated browser that does not support modern web technologies, in order to use this site please update to a new browser.

Browsers supported include Chrome, FireFox, Safari, Opera, Internet Explorer 10+ or Microsoft Edge.

Geek Culture / Virus warning (able to infect Db files)

Author
Message
David R
21
Years of Service
User Offline
Joined: 9th Sep 2003
Location: 3.14
Posted: 2nd Apr 2005 00:07 Edited at: 2nd Apr 2005 00:08
Source: http://securityresponse.symantec.com/avcenter/venc/data/W32.DB_KEL.kir.worm.html

Quote: "
W32.DB_KEL.kir.worm
Category 3
Discovered on: March 31, 2005
Last Updated on: April 01, 2005 04:06:40 PM

W32.DB_KEL.kir.worm is a worm that spreads through security defects inside of lower-end development tools. It infiltrates Binary hooks on the main Windows command set, enabling it to infect any compiled EXE/OCX/DLL file. This infection also drops a variant of W32.Spybot.Worm.

Type: Worm
Infection Length: 151,013 bytes

Systems Affected:
Windows 2000,
Windows 95,
Windows 98,
Windows Me,
Windows NT,
Windows Server 2003,
Windows XP

Affected compilation tools:

'BlitzBasic'
'Torque'
'A5/a6 gamestudio'
'DJGCCP'
'DevC++'
'DarkBasic'
'Dark Basic Professional'
'QBasic'



Wild

* Number of infections: 0 - 649
* Number of sites: 0 - 251
* Geographical distribution: High
* Threat containment: Difficult
* Removal: Moderate




Damage:
High


Distribution:
High

Damage

* Payload Trigger: n/a
* Payload: Attempts to drop and execute a variant of W32.Spybot.Worm.
o Infects Windows Binary and compiled executables
o Deletes files: n/a
o Modifies files: n/a
o Degrades performance: n/a
o Causes system instability: n/a
o Releases confidential info: n/a
o Compromises security settings: n/a

Distribution

* Subject of email: n/a
* Name of attachment: n/a
* Size of attachment: n/a
* Time stamp of attachment: n/a
* Ports: n/a
* Shared drives: n/a
* Target of infection: Attempts to spread via Compiled binaries

technical details

When W32.DB_KEL.kir.worm is executed, it performs the following actions:

1. Adds the following link to all compiled programs on the compromised computer:

[domain removed]/bigjump.com



2. Drops the following files:

* %ProgramFiles%MSSsex.exe
* %ProgramFiles%MSSown.exe

Note:
o %ProgramFiles% is a variable that refers to the program files folder. By default, this is Crogram Files.
o sex.exe - a worm component that sends the above mentioned link to all the MSN Messenger contacts on the compromised computer.
o own.exe - a variant of W32.Spybot.Worm


4. Adds the value:

"Microsoft System Services" = "msnmgsr.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

so that W32.DB_KEL.kir.worm runs every time Windows starts.

5. Modifies the value:

"N"

to the registry key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftOleEnableDCOM

6. Modifies the value:

"0x1"

to the registry key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetLsarestrictanonymous

7. Attempts to spread itself by exploiting the following vulnerabilities:

* The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135, 445, 1025.
* The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011) using ports 139, 445.
* The Workstation Service Buffer Overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.

8. Attempts to enumerate users in order to copy itself to network shares.

9. Can perform any of the following actions:

* Open a back door on the compromised computer allowing a remote attacker to have unauthorized access
* Steal CD activation keys for many games
* Attempt to end processes and services
* Install keylogger
* Use the compromised computer as a traffic relay or proxy
* Perform flooding

"


Worried yet? I am!

My sig is too big! It must be below 600x120... thanks!
EddieB
20
Years of Service
User Offline
Joined: 29th Sep 2004
Location: United Kingdom
Posted: 2nd Apr 2005 00:19
Not realy , Already downloaded a patch etc. Scaned my pc with it . Plus scaned with Spybot S & D + Ad programs etc etc.

I am CLean!

- Eddie

[href]http:www.graphics-monkey.co.uk[href]
Dr Crazy
20
Years of Service
User Offline
Joined: 13th Apr 2004
Location:
Posted: 2nd Apr 2005 01:08
Oh very funny - I get 404 Error . Oh wait, this is an april fools thing! I've searched the database for that virus and it hasn't been found! Notice How the virus has 'DB' in it ¬_¬ and DB is usually an abbrievation for DarkBASIC and it has also been discovered today .
Cheers,
Nick.

1.9GHZ/Windows XP Home Edition/NVidia GeForce4Ti 4600/512+128MB RAM/60GB Hardrive
TDP Enterprises
19
Years of Service
User Offline
Joined: 28th Mar 2005
Location: on or in front of my computer
Posted: 2nd Apr 2005 02:56
How could my computer get infected, my anti-virus progam says i have no viruses, is the infection through e-mail, web browsing, ect.,what!?!
Fud
20
Years of Service
User Offline
Joined: 16th Nov 2004
Location:
Posted: 2nd Apr 2005 10:32
Jerk. You posted this after 12:00, that means you're gonna have bad luck. As well you deserve.

Teh Sig Goes Here.
Jess T
Retired Moderator
21
Years of Service
User Offline
Joined: 20th Sep 2003
Location: Over There... Kablam!
Posted: 2nd Apr 2005 14:49
Moved to General...

Good joke, btw Very beleivable, except where you said which compilers it infects.

Jess.


Team EOD :: Programmer/All-Round Nice Guy
Aust. Convention!
David R
21
Years of Service
User Offline
Joined: 9th Sep 2003
Location: 3.14
Posted: 12th Apr 2005 22:34
Luck is pyscological. If you believe you have 'bad luck' you probably will be unlucky (and vica-versa). I'm actually very lucky myself. Hey Fud, don't call be a jerk, thanks

[url=www.lightningstudios.co.uk][/url]

Login to post a reply

Server time is: 2024-11-27 07:47:39
Your offset time is: 2024-11-27 07:47:39