McAfee for Small Businesses

--2003年12月10日更新情報--

・W32/Yaha.af@MMは、以下のメディアの注目を集めたため、危険度を"低〔要注意〕"にしました。http://www.pcpro.co.uk/news/news_story.php?id=51260

・W32/Yaha.af@MMは、定義ファイル4295を使用して圧縮実行ファイルをスキャンすると、総称で検出されます。

・W32/Yaha.af@MMは電子メール、Windowsファイル共有およびKaZaaを介して繁殖します。W32/Yaha.af@MMには、キーロガーとサービス拒否（DoS）発病ルーチンが含まれています。

・W32/Yaha.af@MMは、多数のさまざまな件名、本文、添付ファイル名を使用する電子メールを介して繁殖します。

送信者： Microsoft Support support@microsoft.com 件名： Critical Updates rs 添付ファイル： MS-Q3526.com 本文： Dear Customer, Thanks for using Microsoft products. Recent viruses have prompted micrsoft to issue patches to all its customers worldwide. We are including a comprehensive patch for all windows platforms. This patch gives you comprehensive protection against all recent viruses. Yours sincerely, JimThompson Team Support Microsoft Inc

送信者： Symantec Support support@symantec.com 件名： Fix for W32.Blaster/Welcha 添付ファイル： FixBlast.com or FixBlast.zip 本文： Dear customer, We are enclosing Fix for both Welcha and Blaster worms as per your request. Step by Step Instructions for Cleaning W32.Blaster/W32.Welcha Worms: 1. Save the file to a convenient location, such as your downloads folder or the Windows Desktop      (or removable media that is known to be uninfected, if possible). 2. To check the authenticity of the digital signature, refer to the section, "Digital signature." 3. Close all the running programs before running the tool. 4. If you are running Windows XP, then disable System Restore.     Refer to the section, "System Restore option in Windows Me/XP," for additional details. In case of any clarifications please do not hesitate to contact us. Best Regards, Neil Thomas Symantec Support

送信者： Mcafee Support support@nai.com 件名： Fix for the latest W32/Blaster.Z 添付ファイル： Fixblastz.com or FixBlastz.zip 本文： Dear customer, We are enclosing Fix for W32.Blaster.Z as per your request. Step by Step Instructions for Cleaning W32.Blaster.Z 1. Save the file to a convenient location, such as your downloads folder or the Windows Desktop      (or removable media that is known to be uninfected, if possible). 2. To check the authenticity of the digital signature, refer to the section, "Digital signature." 3. Close all the running programs before running the tool. 4. If you are running Windows XP, then disable System Restore.     Refer to the section, "System Restore option in Windows Me/XP," for additional details. In case of any clarifications please do not hesitate to contact us. Best Regards, Jerry Nelson McAfee Support

件名： Fw: Critical Patches 添付ファイル： MS-Q3946.EXE 本文： Hi, I got this mail from Microsot support.  Atlast Microsoft has got a comprehensive patch for all the vulnerabilities. Once this patch is applied, it takes care of all the recent virus problems in Microsoft products. Later.... Microsoft support wrote: >Thanks for using Microsoft products. Recent viruses have prompted micrsoft to issue patches >to all its customers worldwide. > >We are including a comprehensive patch for all windows platforms. This patch gives you >comprehensive protection against all recent viruses. > >Yours sincerely, >Kelly >Team Support >Microsoft Inc

件名： Hi check your computer with this!!! 添付ファイル： FixBlast.com 本文： Hi, I am cutting and pasting the message i got from symantec antivirus I think the last mail you sent me was infected with W32.Blaster. please use this tool and disinfect your machine. Bye, Dear customer, We are enclosing Fix for both Welcha and Blaster worms as per your request. Step by Step Instructions for Cleaning W32.Blaster/W32.Welcha Worms: 1. Save the file to a convenient location, such as your downloads folder or the Windows Desktop 2. To check the authenticity of the digital signature, refer to the section, "Digital signature." 3. Close all the running programs before running the tool. 4. If you are running Windows XP, then disable System Restore. In case of any clarifications please do not hesitate to contact us. Best Regards, Neil Thomas Symantec Support

件名： Your previous message is infected 添付ファイル： FixBlast.com 本文： Hi, Your previous mail to me is infected with Blaster. I am attaching the tool i got from symantec site please clean your machine with the same. Best Rgds,

件名： Fix for New Worm Threat 添付ファイル： FixBlastz.com                                    本文： Hi, I got this mail from Mcafee Antivirus Support. There is a new variant of W32.Blaster worm. I got a special fix today in the early hours, please check your machine with the attached tool. I have also cut and pasted the steps for cleaning. Rgds Dear customer, We are enclosing Fix for W32.Blaster.Z as per your request. Step by Step Instructions for Cleaning W32.Blaster.Z 1. Save the file to a convenient location, such as your downloads folder or the Windows Desktop 2. To check the authenticity of the digital signature, refer to the section, "Digital signature." 3. Close all the running programs before running the tool. 4. If you are running Windows XP, then disable System Restore. In case of any clarifications please do not hesitate to contact us. Best Regards, Jerry Nelson McAfee Support

送信者： Microsoft Support support@microsoft.com 件名： Critical Patches 添付ファイル： MS-Q31338.ZIP 本文： Dear Customer, Thanks for using Microsoft products. Recent viruses have prompted micrsoft to issue patches to all its customers worldwide. We are including a comprehensive patch for all windows platforms. This patch gives you comprehensive protection against all recent viruses. Yours sincerely, JimThompson Team Support Microsoft Inc

件名： Your details 添付ファイル： Requirement.zip 本文： Hi, We have your email id in our database. We have enclosed our requirements. Expecting your reply at the earliest. Kind  Rgds, James Martin

送信者： Support eEye support@eeye.com 件名： Microsoft RPC still vulnerable - Latest worm 添付ファイル： RPCDCOM.ZIP or PATCHRPC.COM 本文： Microsoft RPC Heap Corruption Vulnerability - Part II Severity: High (Remote Code Execution). Description: eEye Digital Security has discovered a critical remote vulnerability in the way Microsoft Windows handles certain RPC requests.The RPC (Remote Procedure Call) protocol provides an inter-process communication mechanism allowing a program running on one computer to execute code on a remote system. The vulnerability exists within the DCOM (Distributed Component Object Model) RPC interface. This interface handles DCOM object activation requests sent by client machines to the server. By sending a malformed request packet it is possible to overwrite various heap structures and allow the execution of arbitrary code. please install the attached patch immediately.

件名： Details 添付ファイル： details.zip or details.pif 本文： Hi, See the attached file for details.

件名： Thank you 添付ファイル： thankyou.zip or thankyou.pif 本文： Please see the attached file for details

件名： Your document 添付ファイル： your_documents.zip or your_documents.pif 本文： See the attached file for your documents

件名： Your application 添付ファイル： application.zip 本文： Please see the attached file for applicaion details.

件名： Wicked Screen Saver 添付ファイル： wicked.zip or wickedsaver.scr 本文： Hi, This is the most wicked screen saver i have ever seen.Enjoy!!!

件名： Naughty Movie Clip 添付ファイル： movie3498.zip or naughty.pif 本文： Hi, This is an interesting movie clip. You will enjoy it.

件名： Hi check your computer with this!!! 添付ファイル： FixBlast.zip or FixBlast.com 本文： Hi, I am cutting and pasting the message i got from symantec antivirus I think the last mail you sent me was infected with W32.Blaster. please use this tool and disinfect your machine. Bye, Dear customer, We are enclosing Fix for both Welcha and Blaster worms as per your request. Step by Step Instructions for Cleaning W32.Blaster/W32.Welcha Worms: 1. Save the file to a convenient location, such as your downloads folder or the Windows Desktop 2. To check the authenticity of the digital signature, refer to the section, "Digital signature." 3. Close all the running programs before running the tool. 4. If you are running Windows XP, then disable System Restore. In case of any clarifications please do not hesitate to contact us. Best Regards, Neil Thomas Symantec Support

・添付ファイルが実行されると、ウイルスは自身をMSMGR32.EXEとEXE32.EXEというファイル名で、WINDOWS SYSTEMディレクトリにコピーします。以下のレジストリ実行キーが作成され、起動時に自身を読み込みます。

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MsManager" = C:\WINNT\System32\MSMGR32.EXE

・他の実行ファイルが実行されるたびに以下のキーがフックされ、自身を読み込みます。

• HKEY_CLASSES_ROOT\batfile\shell\open\command "(Default)" = "C:\WINNT\System32\EXE32.EXE""%1"%*
• HKEY_CLASSES_ROOT\comfile\shell\open\command "(Default)" = "C:\WINNT\System32\EXE32.EXE""%1"*
• HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = "C:\WINNT\System32\EXE32.EXE""%1"%*
• HKEY_CLASSES_ROOT\scrfile\shell\open\command "(Default)" = "C:\WINNT\System32\EXE32.EXE""%1"%*