
vbmania Zero-day exploit

Category: Journal

W32/VBMania: The most Terrifying zero-day exploit in 2010 and McAfee’s frakin awesome free tool to clean your system.

And it’s F**ing Rad and Free!

Available from McAfee lab’s at: http://vil.nai.com/vil/stinger/

But, what is it?

McAfee Labs has a free utility called Stinger, and it’s pretty amazing for being free since it uses some enterprise-level features. It comes with a limited DAT (which is like a small database of known viruses), but it will also access our enterprise-level Artemis Technology scan engine over an internet connection.

The Artemis scan engine runs separately from the general DAT that cheap and free anti-virus companies use.

It does a network check of the file’s MD5 hash and compares it to our huge database of known good and bad files! Hence, it will detect variants before they have even been detected and added to the DAT.

I guess we are slowly moving away from a DAT environment to a real-time network file verification system.

Besides that! Go get it!

Download the free scanner tool from McAfee Labs at: http://vil.nai.com/vil/stinger/

Below are my recommended settings if you have a malware outbreak and want MAXIMUM detection and removal.

BE SAFE, USE THE DEFAULT SETTINGS!!

More on W32/VBMania@mm:

https://kc.mcafee.com/corporate/index?page=content&id=KB69857

http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275435

This virus has been seen in large spam runs with the subject line: “Here you have”.

When executed, the following files are dropped:
%WINDIR%\system\Administrator CV 2010.exe
%WINDIR%\system\updates.exe
%WINDIR%\Administrator CV 2010.exe
%WINDIR%\autorun.inf
%WINDIR%\autorun2.inf
%WINDIR%\csrss.exe
%WINDIR%\vb.vbs
%DIR%\Administrator CV 2010.exe
%WINDIR%\tryme1.exe
%WINDIR%\im.exe
%WINDIR%\csrss.exe
%WINDIR%\vb.vbs
%TEMP%\~DF1DC7.tmp
%WINDIR%\ie.exe
%WINDIR%\rd.exe
%WINDIR%\re.exe
%WINDIR%\system\updates.exe
%WINDIR%\SYSTEM32\SendEmail.dll
%WINDIR%\gc.exe
%WINDIR%\hst.iq
%WINDIR%\ff.exe
%WINDIR%\op.exe
%WINDIR%\pspv.exe
%WINDIR%\re.iq
%WINDIR%\ff.dlm
%APPDATA%\addons.dat
Where %WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)

The following files were temporarily written to disk then later removed:

%WINDIR%\ff.iq
%WINDIR%\ie.iq
%WINDIR%\SendEmail.iq
%WINDIR%\w.iq
%WINDIR%\m.iq
%WINDIR%\gc.iq
%WINDIR%\SYSTEM32\drivers\etc\hosts
%WINDIR%\pspv.iq
%WINDIR%\w.exe
%WINDIR%\tryme.iq
%WINDIR%\im.iq
%WINDIR%\rd.iq
%TEMP%\~DFAFA.tmp
%WINDIR%\m.exe
%WINDIR%\SendEmail.dll
%WINDIR%\b.bat
%WINDIR%\op.iq
The following file was modified:

%WINDIR%\SYSTEM32\wbem\logs\wbemprox.log

The malware has been known to randomly delete certain existing executables and to replace the current hosts file.

Registry changes like the ones below are made to prevent certain system tools from running. This is a subset of the complete changes:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0w.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6x8be16.cmd
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adobe Gamma Loader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\angry.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtIaRP.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtS.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apu-0607g.xml
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS SCRIPT HOST\
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS SCRIPT HOST\SETTINGS\

The following registry element was modified:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1

The following registry key was added to get past the Outlook security message prompt:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security\ObjectModelGuard = 0x00000002

Connections to the following resources are attempted:
hxxp://members.multimania.co.uk/yahoophoto/*****
213.131.252.***:80
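A defender-side triage script for the indicators quoted above, added here as an example; it is neither McAfee’s nor this post’s code. It assumes the usual IFEO Debugger value as the tool-blocking mechanism (the KB excerpt lists only the subkeys), and every value in demo() is a constructed snapshot, not data from a real host.

```python
# Evaluates an offline host snapshot (existing paths plus a dict of registry
# values) against the VBMania indicators above; on a live host you would fill
# the snapshot from disk and the registry instead of from demo().
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
OUTLOOK_GUARD = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0"
                 r"\Outlook\Security\ObjectModelGuard")
# Subset of the dropped-file paths from the KB excerpt above.
DROPPED = [r"%WINDIR%\csrss.exe", r"%WINDIR%\vb.vbs", r"%WINDIR%\tryme1.exe",
           r"%WINDIR%\system\updates.exe", r"%WINDIR%\SYSTEM32\SendEmail.dll",
           r"%APPDATA%\addons.dat"]

def expand(path, env):
    """Expand %VAR% tokens using the supplied environment mapping."""
    for var, value in env.items():
        path = path.replace(f"%{var}%", value)
    return path.lower()

def triage(files, registry, env):
    """Return (category, detail) findings for one host snapshot."""
    findings = []
    present = {f.lower() for f in files}
    for ioc in DROPPED:
        if expand(ioc, env) in present:
            findings.append(("dropped_file", ioc))
    # An IFEO subkey with a Debugger value redirects the named program; the
    # worm uses this to keep the listed tools from launching. (The KB excerpt
    # lists the subkeys only; the Debugger value is the assumed mechanism.)
    prefix = IFEO.lower() + "\\"
    for key, value in registry.items():
        k = key.lower()
        if k.startswith(prefix) and k.endswith("\\debugger"):
            tool = key[len(prefix):].rsplit("\\", 1)[0]
            findings.append(("ifeo_hijack", f"{tool} -> {value}"))
    # ObjectModelGuard = 2 silences Outlook's object-model warning, which the
    # mass-mailing routine needs out of the way.
    if registry.get(OUTLOOK_GUARD) == 2:
        findings.append(("outlook_prompt_disabled", OUTLOOK_GUARD))
    return findings

def demo():
    """Constructed snapshot of an infected XP host; all values illustrative."""
    env = {"WINDIR": r"C:\WINDOWS", "APPDATA": r"C:\Documents and Settings\u\Application Data"}
    files = [r"C:\WINDOWS\system32\csrss.exe",  # legitimate location, not an IoC
             r"C:\WINDOWS\csrss.exe", r"C:\WINDOWS\vb.vbs",
             r"C:\Documents and Settings\u\Application Data\addons.dat"]
    registry = {IFEO + r"\360safe.ExE\Debugger": "placeholder.exe",  # constructed
                IFEO + r"\a2free.ExE\Debugger": "placeholder.exe",
                OUTLOOK_GUARD: 2}
    return triage(files, registry, env)
```

A clean host yields an empty list; the legitimate system32\csrss.exe is deliberately not matched, since only the %WINDIR% root copy is an indicator.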