Virus impersonates domestic Web sites ... to spread

Yesterday, the Bach Khoa Network Security Center (BKIS) discovered a number of e-mails that borrow the names of BKAV, Microsoft, VnExpress, Vietnamnet, Nhacso.net, Gmail and others to spread a new attack program.


The worm is named W32.Noob.Worm and hides behind an attachment named file.zip. The virus copies itself to %System%\reader_sl.exe and creates the value 'Adobe Reader Speed Launch' with the data 'reader_sl.exe' under HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices, so that the virus is started each time the computer boots.

More dangerously, if it connects successfully to the IRC server, the virus sends information about the infected computer and receives backdoor commands that allow the attacker to control the machine remotely. W32.Noob.Worm also harvests e-mail addresses from files ending in .xls, .mdb, .doc and .txt and saves them in e-mail.log.

BKIS has quickly updated BKAV to version 795 and states: "For safety reasons, we never send e-mail attachments to customers. You should be careful and not run the file attached to a message directly, whether the e-mail seems to be sent from a friend or from a reputable organization."

The virus is distributed from TinNhanh@vnexpess.net and Thongbao@bkav.com.vn. It also borrows the names of other popular newspapers and websites such as Vnn.vn, Nhacso.net, Tinhyeu.com, Microsoft and Gmail, with a subject line tailored to each address.

Detection of a virus impersonating Bkav to spread

As of November 15, 2005, through the e-mail monitoring system of the Bkis Security Center at Hanoi University of Technology, we detected several e-mails impersonating Bkav to spread a new virus. We immediately collected samples of the virus and analyzed them. The initial analysis showed that, in addition to impersonating Bkav, the virus also impersonates VnExpress, VietNamNet and Microsoft to deceive users. After 2 hours and 15 minutes the analysis was complete and the detection was added to Bkav version 795.

If you receive an e-mail from one of the following addresses:

    1. Thongbao@bkav.com.vn
    2. TinNhanh@vnexpess.net
    3. HoiThoai@vnn.vn
    4. SecurityUpdate@microsoft.com
    5. Laode@gmail.com
    6. TinhYeu@nhacso.net
    7. LamQuen@tinhyeu.com

with the corresponding subject line:

    1. BKAV update - BKAV update
    2. View the news quickly through our website - vnexpress.net
    3. Open source website via web - vnn.vn
    4. Windows Update Patch
    5. File receive from LaoDe
    6. Stage of love!
    7. Love you love! - Tinhyeu.com

and it asks you to execute the file named file.zip, delete the e-mail immediately, because the attachment is W32.Noob.Worm. If you have already executed this file, please download Bkav version 795 to remove the virus.
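The sender and attachment indicators above translate directly into a mail-gateway triage rule. The following is an added example, not BKIS code: it parses a raw message with Python's standard `email` module, checks the From address against the advisory's list and the attachment name against `file.zip`, and returns a verdict. The scoring policy (two indicators quarantine, one flags for review) and the sample messages are this example's own construction.

```python
"""Mail-gateway triage for the W32.Noob.Worm lures listed in the advisory.

Added example, not BKIS code. Sender list and lure attachment name come from
the advisory; the scoring policy and sample messages are constructed here.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Spoofed sender addresses listed in the advisory, normalised to lower case
# (the captured e-mails show them in varying case).
SPOOFED_SENDERS = {
    "thongbao@bkav.com.vn",
    "tinnhanh@vnexpess.net",
    "hoithoai@vnn.vn",
    "securityupdate@microsoft.com",
    "laode@gmail.com",
    "tinhyeu@nhacso.net",
    "lamquen@tinhyeu.com",
}
LURE_ATTACHMENT = "file.zip"  # the worm travels as file.zip / File.zip
# The advisory states that Bkis never sends attachments to customers at all.
NO_ATTACHMENT_DOMAINS = {"bkav.com.vn"}


def triage(raw_message: bytes) -> dict:
    """Return a verdict dict for one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    attachments = [(part.get_filename() or "").lower()
                   for part in msg.iter_attachments()]

    reasons = []
    if from_addr in SPOOFED_SENDERS:
        reasons.append(f"sender {from_addr} is on the spoofed-sender list")
    if LURE_ATTACHMENT in attachments:
        reasons.append(f"attachment {LURE_ATTACHMENT} matches the W32.Noob.Worm lure")
    if attachments and from_domain in NO_ATTACHMENT_DOMAINS:
        reasons.append(f"{from_domain} never sends attachments")

    # Policy (this example's choice): two or more indicators quarantine the
    # message outright; a single indicator only flags it for analyst review.
    return {"from": from_addr, "attachments": attachments,
            "reasons": reasons, "quarantine": len(reasons) >= 2}


def build_sample(from_addr, subject, attach_name=None) -> bytes:
    """Construct a sample message (test data, not a captured worm e-mail)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed body text")
    if attach_name:
        m.add_attachment(b"PK\x03\x04 constructed placeholder, not the worm",
                         maintype="application", subtype="zip",
                         filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("Thongbao@bkav.com.vn", "BKAV update", "File.zip"),
                 ("SecurityUpdate@microsoft.com", "Windows Update Patch", "file.zip"),
                 ("friend@example.com", "photos", "holiday.zip"),
                 ("friend@example.com", "hello", None)]:
        print(args[0], triage(build_sample(*args)))
```

The rule keys on the header From address, which is exactly what the worm forges; in production it belongs next to SPF or DKIM checks on the envelope sender, and the "never sends attachments" rule is the more durable of the three because it does not depend on the attacker reusing the same file name.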

Please note: for the safety of our customers, the Bkis Network Security Center, Hanoi University of Technology, never sends attachments in e-mails to customers. We also recommend that you be very careful and never run files attached to any e-mail directly, even if the e-mail appears to come from a relative or a reputable organization.

Details of the virus-carrying e-mails are as follows:

1. Impersonating Bkav:

Subject: Enclose the virus - BKAV update

From: thongbao@bkav.com.vn

Attachment: File.zip

Body:

Chao the board

He has the virus to carry me - BKAV NET works with the worm32.netcodo virus.

The virus is now fully equipped with a keylogger, the list of the most popular information in your computer and out of the box.

The zip file is a file of diet dehydration virus
today, ban or stage
how to install the worm32.netcodo virus?
sewing.

For more information on this virus, please visit the website
Reference: http://www.bkav.com.vn/frmView.aspx?Noidung=netcodob.htm

Network Security Center - Hanoi University of Science and Technology
Address: 5th floor - Hitech building - 1A Dai Co Viet - Hanoi
Phone: 04-8683853 Email: bkav@bkav.com.vn

2. Impersonating VnExpress:

Subject: How to view the news quickly via email - vnexpress.net

From: tinnhanh@vnexpess.net

Attachment: File.zip

Body:

File of ice cream in the kitchen is open for the procedure to give quick information on VNExpress.

The content is intended to be the same, the best time and the new information.

Please click on and check out the boards

VnExpress - Governing agency: Ministry of Science

License: No. 511/GP-BVHTT issued on November 25, 2002
Editor-in-chief: Thang Duc Thang
Editorial office: 2B - Ngoai Giao Doan - Van Phuc - Ba Dinh, Hanoi

3. Impersonating VietNamNet:

Subject: The online version via web - vnn.vn

From: hoithoai@vnn.vn

Attachment: File.zip

Body:

Business

The ice cream file is a zip file that allows you to send your favorite songs to VietnamNet.
The content is used to run programs, departments or stages, and participate in the program to provide the elephant with the language.

Please click on and check out the boards.

VietNamNet - VASC Information and Communication Company - Editorial office

Governing agency: Vietnam General Information Company - Ministry of Posts and Telematics
License: No. 27/GP-BVHTT, issued on January 23, 2003
Editor-in-chief: Nguyen Anh Tuan - Editorial office: No. 4 Lang Ha, Hanoi

4. Impersonating Microsoft:

Subject: Windows Update Patch

From: securityupdate@microsoft.com

Attachment: File.zip

Body:

Dear Sir / Madam

The attached file is an update notification for your system.
This update starts checking for and removing Mydoom.A, Mydoom.B,
or Doomjuice (A or B) from your PC. Please help with the removal and share it.

Microsoft Security Team
http://update.microsoft.com/windowsupdate

5. Impersonating NhacSo.net:

Subject: Stage of love

From: tinhyeu@nhacso.net

Attachment: File.zip

Body:

Chao the committee,

Download the file in the help file for the news, news, videos, news sites and web sites http://nhacso.net

Please contact the staff for advice.

Please

6. Impersonating Tinhyeu.com:

Subject: Love you love! - Tinhyeu.com

From: lamquen@tinhyeu.com

Attachment: File.zip

Body:

Chao the brother, the limbs

The cream file in the collection is perfect for those who believe that they will love it.The board or the file model will be fast
Learn more details.

http://www.tinhyeu.com
All of you have the same expectation.

7. Sent from the Laode@gmail.com address:

Subject: File receive from LaoDe

From: Laode@gmail.com

Attachment: File.zip

Body:

Chao DaiCa,

File I love cream in the mail, I want to see it,

Em, LaoDe.

Some key features of the W32.Noob.Worm virus:

1. On first execution it copies itself to %System%\reader_sl.exe, runs that file and exits.

2. It creates the value 'Adobe Reader Speed Launch' with the data 'reader_sl.exe' under

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

so that the virus is started every time the computer boots.

3. It checks whether the computer can reach the Internet and then connects to the IRC server phoenixclan.hmspirit.info on port 80. Once connected, the worm sends information about the infected machine and waits for remote-control commands; on receiving the appropriate command it opens a backdoor that lets the attacker control the infected machine remotely.

4. It looks for e-mail addresses in the file named by the HKCU\Software\Microsoft\WAB\WAB4\Wab File Name value and in files ending in *.xls, *.mdb, *.doc, *.txt and *.log on all drives. The addresses found are stored in the email.log file.
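Points 1 and 2 give a host-side indicator that is easy to check: an autorun value that launches reader_sl.exe from the System directory. The following is an added example, not BKIS code. It parses a `reg export`-style text dump so that it runs offline on any platform; on a live Windows host the same rule would read the two keys with `winreg`. The key paths, the value name and the file name come from the advisory; the sample export, including the benign-looking entry pointing into a program directory, is constructed for the example.

```python
"""Offline check for the W32.Noob.Worm autorun entries described in the advisory.

Added example, not BKIS code. Key paths, value name and binary name come from
the advisory; the .reg sample below is constructed test data.
"""
import ntpath
import re

# Autorun keys named in the advisory, lower-cased for comparison.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SUSPECT_BINARY = "reader_sl.exe"
SUSPECT_VALUE_NAME = "adobe reader speed launch"
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: a backslash quotes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries[current][name] = data
    return entries


def find_noob_persistence(reg_text, system_dir=r"C:\WINDOWS\system32"):
    """List (key, value_name, data) for autorun values that launch reader_sl.exe
    from the System directory, by bare name (resolved there) or by full path."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            cmd = data.strip()
            # First token of the command line, honouring a quoted path.
            path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            directory, base = ntpath.split(path)
            in_system_dir = (directory == "" or
                             directory.lower().rstrip("\\") == system_dir.lower().rstrip("\\"))
            if base.lower() == SUSPECT_BINARY and in_system_dir:
                hits.append((key, name, data))
            elif name.lower() == SUSPECT_VALUE_NAME:
                # Weaker indicator: the advisory's exact value name with altered data.
                hits.append((key, name, data))
    return hits


# Constructed sample export: two worm-style entries plus one benign-looking
# entry that points outside the System directory and must not be flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launch"="reader_sl.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader\\Reader_sl.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Adobe Reader Speed Launch"="reader_sl.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_noob_persistence(SAMPLE_EXPORT):
        print(f"{key}\n  {name!r} = {data!r}")
```

The discriminating signal is the location the binary resolves to, not the friendly value name: a bare `reader_sl.exe` is found in the System directory at boot, whereas a reader launched from its own program directory carries a full path. Keying only on the name would miss a renamed value and could flag a legitimate one.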
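Point 3 describes the worm talking IRC on port 80, the port most perimeter filters leave open for web traffic. The following is an added example, not BKIS code: it classifies the first lines of a client-to-server payload as HTTP or IRC and raises an alert when IRC appears on port 80 or when the destination is the C2 host named in the advisory. The IRC command set, the HTTP method set and the sample payloads are this example's own construction.

```python
"""Flow inspection for IRC-over-port-80 command and control, as in W32.Noob.Worm.

Added example, not BKIS code. The C2 host name comes from the advisory; the
protocol keyword sets and the sample payloads are constructed here.
"""

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT", "TRACE"}
# Commands an IRC client sends when registering and joining; a server reply
# would instead start with a ':' prefix, so this checks the client direction.
IRC_COMMANDS = {"NICK", "USER", "PASS", "JOIN", "PRIVMSG", "PONG", "MODE", "QUIT"}
# C2 host named in the advisory, matched against the resolved destination name.
KNOWN_C2_HOSTS = {"phoenixclan.hmspirit.info"}


def classify_port80_payload(payload: bytes, max_lines: int = 5) -> str:
    """Return 'http', 'irc' or 'unknown' for the start of a client payload."""
    text = payload.decode("ascii", errors="replace")
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n")[:max_lines] if ln.strip()]
    if not lines:
        return "unknown"
    first = lines[0].split()
    # An HTTP request line is exactly: METHOD SP request-target SP HTTP/version
    if len(first) == 3 and first[0].upper() in HTTP_METHODS and first[2].startswith("HTTP/"):
        return "http"
    # IRC: every non-empty leading line begins with a client command word.
    if all(ln.split()[0].upper() in IRC_COMMANDS for ln in lines):
        return "irc"
    return "unknown"


def inspect_flow(dst_host: str, dst_port: int, payload: bytes) -> list:
    """Return alert strings for one client-to-server flow (empty list if clean)."""
    alerts = []
    if dst_host.lower() in KNOWN_C2_HOSTS:
        alerts.append(f"destination {dst_host} is the W32.Noob.Worm IRC C2 host")
    if dst_port == 80 and classify_port80_payload(payload) == "irc":
        alerts.append(f"IRC client traffic on port 80 to {dst_host}")
    return alerts


# Constructed sample payloads (not captured worm traffic).
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
SAMPLE_IRC = b"NICK host-1234\r\nUSER host 0 * :host\r\nJOIN #example\r\n"

if __name__ == "__main__":
    for host, port, data in [("www.example.com", 80, SAMPLE_HTTP),
                             ("phoenixclan.hmspirit.info", 80, SAMPLE_IRC),
                             ("irc.example.net", 6667, SAMPLE_IRC)]:
        print(host, port, classify_port80_payload(data), inspect_flow(host, port, data))
```

Two independent signals are deliberately kept: the host-name match catches this specific worm but dies with its domain, while the protocol mismatch on port 80 survives a change of server and also catches other bots that hide IRC behind the web port. The classifier only sees the start of the first client message, so it belongs on the initial packets of a new flow rather than on every segment.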

Analyst: Vu Ngoc Son, Dao Van Huy, Le Minh Hung

Update 26 May 2019