|
We have a report that a new virus may be making the rounds being distributed via AOL chat.
Details are sketchy so far but we have the following thanks to Alan and Chris. McAfee deletes the viruses but every time the user logs of and back onto the system it regenerates the batch file. User gets a chat via AOL "Checkout this JPEG" with a link After clicking the link it sends to everyone on their buddy list and creates the file C:\xz.bat Contents of the file: it is set to disable MS security, firewall Creates 3 registry entries one of which is a service Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run Name :Strtax Data: lock.exe (Delete) Hkey_local_machine\Software\Microsoft\Windows\Current Version\Run Services Name :Strtax Data: lock.exe (Delete) Hkey_User\Software\Microsoft\Windows\Current Version\Run Services Name :Strtax Data: lock.exe (Delete) After deleting those three keys and a reboot the xz.bat file stopped trying to reload itself. If you have a copy of xz.bat or lock.exe please submit it by using the contact form at http://isc.sans.org/contact.php |
Chris 140 Posts Sep 28th 2005 |
| Thread locked Subscribe |
Sep 28th 2005 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
