Posted to sci.electronics.design,sci.electronics.repair,sci.electronics.basics,sci.electronics.misc,sci.electronics.components
mike.j.harvey@gmail.com
Electrostatics mistakes, Capacitance independence from dielectric


Lostgallifreyan wrote:

The person leasing that domain is deliberately trying to get people on
usenet (and maybe other systems) to visit his site, on which he hosts a
VisualBasic script with a large block of executable binary code designed to
infect people with a virus that several people have independently
identified as VBS/Redlof. I ignored the first time this idiot did this a
couple of weeks ago, but it shouldn't be left unchecked.


VIRUS NAME : VBS/Redlof@M

Virus Characteristics

This is a file-infecting VBScript that sets a default, infected,
stationery file for the Microsoft Outlook and Outlook Express email
client programs. It exploits the Microsoft VM ActiveX Component
Vulnerability.

The script arrives in an email message, hidden from the user, or can be
present on websites that contain infected .HTM files. The virus uses
the BODY ONLOAD event to trigger the infection. .HTM and .HTT files on
the local system are infected by appending the encrypted viral code to
them. .HTT files are prepended with the BODY ONLOAD trigger, while this
action is placed at the beginning of the virus body in .HTM files. The
default mail account is retrieved from the registry and a stationery
file, "BLANK.HTM", is created and set as the default stationery file.

* HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Identities\{%id-value%}\Software\Microsoft\Outlook Express\5.0\Mail "Wide Stationery Name=C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360=blank
* HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery=blank

The VBScript virus body is saved to the file KERNEL.DLL in the WINDOWS
SYSTEM directory and a registry run key is created to load the script
at startup:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32=C:\WINDOWS\SYSTEM\Kernel.dll

This is effective due to the fact that several other registry keys are
created to re-associate .DLL files with the WSCRIPT.EXE handler.

* HKEY_CLASSES_ROOT\dllfile\ScriptEngine\(Default)=VBScript
* HKEY_CLASSES_ROOT\dllfile\ScriptHostEncode\(Default)={85131631-480C-11D2-B1F9-00C04F86C324}
* HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command\(Default)=C:\WINDOWS\WScript.exe "%1" %*
* HKEY_CLASSES_ROOT\dllfile\ShellEx\PropertySheetHandlers\WSHProps\(Default)={60254CA5-953B-11CF-8C96-00AA00B8708C}


Symptoms

- Presence of KERNEL.DLL (11,160 bytes) in the SYSTEM directory
- Increase in file size of .HTM and .HTT documents



Method Of Infection

This worm exploits a Microsoft Internet Explorer vulnerability to
infect .HTM documents and configure email clients to include an
infected document along with each message that is sent out.
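An added detection example, not part of the original post or of any vendor write-up: it parses a Windows .reg export (a constructed sample is embedded) and flags the persistence and file-association changes the description above attributes to VBS/Redlof, namely the Run\Kernel32 entry pointing at Kernel.dll, the .DLL extension handed to WScript.exe, and the stationery defaults set to "blank". The sample export and the function names are assumptions made for this example.

```python
import re

# Constructed sample of a .reg export (not a real capture) showing the changes
# described for VBS/Redlof. .reg files double the backslashes in string data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\Kernel.dll"

[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"

[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINDOWS\\WScript.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings]
"NewStationery"="blank"
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DLLFILE_CMD = r"hkey_classes_root\dllfile\shell\open\command"
DLLFILE_ENGINE = r"hkey_classes_root\dllfile\scriptengine"
STATIONERY_NAMES = {"newstationery", "stationery name", "wide stationery name"}


def parse_reg_export(text):
    """Return {(key, value_name): data}; the key path and name are lower-cased,
    the default value (@) is stored under the empty name."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"').lower()
            entries[(current, name)] = data.strip().strip('"').replace("\\\\", "\\")
    return entries


def find_redlof_indicators(entries):
    """List the Redlof-style registry changes present in a parsed export."""
    findings = []
    run_data = entries.get((RUN_KEY, "kernel32"), "")
    if run_data.lower().endswith("kernel.dll"):
        findings.append("run-key persistence: Kernel32 -> " + run_data)
    if "wscript.exe" in entries.get((DLLFILE_CMD, ""), "").lower():
        findings.append(".dll files re-associated with WScript.exe")
    if entries.get((DLLFILE_ENGINE, ""), "").lower() == "vbscript":
        findings.append(".dll ScriptEngine set to VBScript")
    for (key, name), value in entries.items():
        if name in STATIONERY_NAMES and "blank" in value.lower():
            findings.append(f"stationery defaulted to blank: {key}\\{name}")
    return findings
```

Run it against `reg export` output of the keys listed above; an empty result means none of the listed changes is present, and each reported line names the key that should be inspected and restored.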