送交者: lyz 于 September 19, 2001 10:00:54:
F-Secure Virus Descriptions
NAME: Nimda
ALIAS: W32/Nimda.A@mm
On September 18th, 2001 a new worm, Nimda, has been spreading globally.
It is a mass mailing worm that spreads itself in attachments named "readme.exe".
Further the worm contains abilitity to scan and spread via Internet Information Server (IIS). To do that, the worm uses either a backdoor created by Sadmind and CodeRed worms, or IIS unicode vulnerability.
F-Secure is currently analyzing the worm, and more information will be available later.
F-Secure Anti-Virus detects the worm with updates released at September 18th, 2001 19:20 EET.
He didn't mention this one but it was listed on the site as well
F-Secure Virus Descriptions
NAME: Ptsnoop
ALIAS: Backdoor.Ptsnoop
Ptsnoop is a simple backdoor program written in Visual Basic. Being activated it first looks for active RAS connections and exits immediately if none is found.
If a connection is present, the backdoor installs itself to system by copying itself as PTSNOOP.EXE file to \Windows\System\ directory and modifying WIN.INI file. The backdoor adds its execution string after LOAD=variable in [Windows] section of WIN.INI file. Diring this operation WIN.INI file gets copied to WIN.ANA file, the backdoor's execution st ring is then added and WIN.INI file is deleted. Then WIN.ANA file is renamed to
WIN.INI file. This way the backdoor will become active every time Windows starts.
Being active the backdoor tries to connect to the following websites:
http://setway.cjb.net
http://setway1.cjb.net
http://setone.cjb.net
When the connection succeeds, the backdoor clips cursor to a certain area and allows a hacker or script on these websites to control mouse movement and window positions. It is not clear why this is done and it is impossible to check any more because the contents of the above mentioned websites were changed or removed.
The idea might have been to make a user click on certain areas of a website to download or run a script or binary from there. In any case, this backdoor should be deleted from a system and WIN.INI file should be cleaned from backdoor's execution string after LOAD= variable.
[Analysis: Alexey Podrezov; F-Secure Corp.; September 2001] >