Warning, Nasty New Virus: JDBJMJR


#1

It's an Asian virus, also known as the "little bear" virus, because if you view it in My Computer its icon is shaped like a bear.
It's a 15,120-byte executable; it arrives who knows how, via cookies, and plants itself in the Windows/System directory.
Nobody knows how it can start on its own; in any case, if you find it DELETE IT IMMEDIATELY, and don't even dream of running it, because it instantly destroys your system hard disk!
I found it right after a friend of mine reported it; I don't know how long it had been there, the creation date is 18/02/2002.
Anyone who knows more, please add further info below, thanks!!


#2

no bears on my XP, thanks... :slight_smile: are you sure that's the only place it sits?


#3

Do a search with "Find Files"... maybe it's a migratory bear... :cool:


#4

Hi Mina Virus :-))))))))))))))))) that file is not a virus, read the following:

Jdbgmgr.exe file hoax
Reported on: April 12, 2002
Last Updated on: April 12, 2002 at 10:09:28 AM PDT


Symantec Security Response encourages you to ignore any messages regarding this hoax. It is harmless and is intended only to cause unwarranted concern.

Type: Hoax

Description:

This is a hoax that, like the SULFNBK.EXE Warning hoax, tries to persuade you to delete a legitimate Windows file from your computer. The file that the hoax refers to, Jdbgmgr.exe, is a Java Debugger Manager. It is a Microsoft file that is installed when you install Windows.

It has a teddy bear icon as described in the hoax.

CAUTION: Jdbgmgr.exe, like any file, can become infected by a virus. One virus in particular, W32.Efortune.31384@mm, targets this file. Norton AntiVirus has provided protection against W32.Efortune.31384@mm since May 11, 2001.

Hoax message
One version of the hoax reads like this:

I found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple:

The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book too. The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system.

The virus can be cleaned before it deletes the files from your system. In order to eliminate it, it is just necessary to do the following steps:

  1. Go to Start, click "Search"
  2. In the "Files or Folders" option write the name jdbgmgr.exe
  3. Be sure that you are searching in the drive "C"
  4. Click "find now"
  5. If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe) DO NOT OPEN IT FOR ANY REASON
  6. Right click and delete it (it will go to the Recycle bin)
  7. Go to the recycle bin and delete it or empty the recycle bin.

IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.

Write-up by: George Koris


The question, 15 April

15-04-02 Virus alert: I'm told that there might be a file "jdbgmgr.exe" on my PC and that I should delete it immediately; it should be in C:/window/system32. Others tell me it's a hoax! Could you tell me, with courteous urgency, something about this? Preferably by e-mail. Many thanks


The consultant's answer


Dear Madam,
the file "jdbgmgr.exe" is essential for Windows to work. If you deleted it you would compromise your PC's operating system. Whoever passed that news on to you is probably unaware of the importance of that file.

Vincenzo Musumeci

Basetta


#5

and there you go... as if viruses weren't enough, now they're even trying to make us commit suicide (computer-wise) :slight_smile:

in any case thanks to mina for the thought
and to basetta for the info

:smiley:


#6

I deleted it and everything works fine!!
And besides, excuse me, a friend of mine checked no fewer than 5 computers, all with Windows 98, and that file is present only on the computers connected to the Internet.
How come that file isn't there on a brand-new installation of Windows 98??
If it isn't there, that means it's not so essential after all!
Can someone try running that file, maybe from a test HD, and see what happens??


#7

Found it, ran it, and I'm still alive :wink: :wink: :wink:

Princefall


#8

...any other kind kamikaze volunteers...? :cool: :cool:


#9

ok... no bears!!! thanks
:slight_smile:


#10

Leave the little bear where it is, it's fine there.
And maybe let's delete this thread too, so we avoid false alarms and urban legends.

PS: before talking about viruses by hearsay... always check whether the antivirus vendors' home pages carry a description of them... see the urban legend of SULFNBK.EXE... everyone removed it, when in reality it was simply a file for handling file names longer than 8 characters under DOS... and its only fault was having a lousy icon... ugly as few others :slight_smile:


#11

And what about this one:

w32.klez.h@mm

another virus that lots of sites have been talking about since yesterday...


#12

YESTERDAY??? I've received it at least 10 times by e-mail!!!
You get an EMPTY e-mail, or one with VERY strange subjects, and if IE isn't protected...


#13

True... I get empty e-mails, with no attachment, yet the message length is long, too long... but where the heck is the attachment??


#14

How the heck should I know... I still haven't figured it out! Anyway they're around 100-110 KB


#15

Here, this is exactly the virus that infected the company where I work (I couldn't remember the name in another post). It's extremely dangerous: first of all it knocks out your antivirus and firewall, and if you try to reinstall the antivirus, during installation it deletes the antivirus files, making it unusable. If you run the antivirus from CD, all the infected files get deleted (no chance of recovery), everything looks fine, you reboot and there it is again, still going around (you notice it from a window at startup telling you the OS can't run a certain file, which changes at every boot). In practice it manages to lodge itself in a memory location that, strangely, the antivirus struggles to find; it causes oddities typical of external attacks on your ports when you're connected to the Internet, and it spreads quickly across a network, riding on any data exchange.
That's what this virus is, a thoroughly nasty piece of work; at my company there are 4 or 5 technicians who have been chasing it across all the company's PCs for 2 weeks. Just yesterday I was talking with one of them; he told me they'd finally found that by loading an antivirus on a clean PC and running it over the network they managed to clean 2 of them...
let's hope for the best.
Byez Elektro


#16

W32.Klez.E@mm
Discovered on: January 17, 2002
Last Updated on: April 17, 2002 at 09:09:06 PM PDT

Due to an increased rate of submissions, Symantec Security Response is upgrading the threat level for W32.Klez.E@mm from level 2 to level 3 as of March 6, 2002.

W32.Klez.E@mm is similar to W32.Klez.A@mm. It is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines, message bodies, and attachment file names.

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained. Information and a patch for the vulnerability are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

The worm overwrites files and creates hidden copies of the originals. In addition, the worm drops the virus W32.Elkern.3587, which is similar to W32.ElKern.3326.

The worm attempts to disable some common antivirus products and has a payload which fills files with all zeroes.

Type: Virus, Worm

Virus Definitions (Intelligent Updater)*
January 17, 2002

Virus Definitions (LiveUpdate™)**
January 23, 2002

* Intelligent Updater virus definitions are released daily, but require manual download and installation.

** LiveUpdate virus definitions are usually released every Wednesday.

Wild:

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Threat Metrics

Wild: Medium
Damage: Medium
Distribution: High

Damage:

Payload: Disables common antivirus products
Large scale e-mailing: Mails email addresses found in local files, and Outlook and ICQ address books
Modifies files: Overwrites files with zeros on the 6th of every odd numbered month (January, March, May, July, September, November)
Distribution:

Subject of email: Random subject
Name of attachment: Randomly named file with .bat, .exe, .pif or .scr extension

When the worm is executed, it copies itself to %System%\Wink[random characters].exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

Wink[random characters] %System%\Wink[random characters].exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

ANTI-VIR.DAT
CHKLIST.DAT
CHKLIST.MS
CHKLIST.CPS
CHKLIST.TAV
IVB.NTZ
SMARTCHK.MS
SMARTCHK.CPS
AVGQT.DAT
AGUARD.DAT

The worm copies itself to local, mapped, and network drives as:

A random file name with a double extension. For example, filename.txt.exe.
A .rar archive with a double extension. For example, filename.txt.rar.

In addition, the worm searches the Windows address book, the ICQ database, and local files (such as .html and text files) for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.

The subject line, message bodies, and attachment file names are random. The from address is randomly chosen from email addresses that the worm finds on the infected computer.

NOTES:
Because this worm does use a randomly chosen address that it finds on an infected computer as the “From:” address, numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using a antivirus program or does not have current virus definitions. When W32.Klez.E@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold’s email address into the “From:” line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything–as would be expected–because his computer is not infected.

If you are using a current version of Norton AntiVirus, have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.

There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a “postmaster bounce message” from your own domain. For example, if your email address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, indicating that you attempted to send email and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

The worm also infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

The worm also drops the virus W32.Elkern.3587 as the file %System%\wqk.exe and executes it.

Finally, the worm has a payload. On the 6th of every odd numbered month (except January or July), the worm attempts to overwrite with zeroes files that have the extensions .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, this payload attempts to overwrite all files with zeroes, not just those with the aforementioned extensions.

Symantec Security Response encourages all users and administrators to adhere to the following basic security “best practices”:

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP client, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Norton AntiVirus has been able to detect W32.Klez.E@mm since January 17, 2002. If you have current definitions and have a current version of Norton AntiVirus set as recommended (to scan all files), W32.Klez.E@mm will be detected if it attempts to activate. If you simply suspect that the (inactivated) file resides on the computer, run LiveUpdate to make sure that you have current definitions, and then run a full system scan.

If W32.Klez.E@mm has activated, in most cases you will not be able to start Norton AntiVirus. Once this worm has executed, it can be difficult and time consuming to remove. The procedure that you must use to do this varies with the operating system. Please read and follow all instructions for your operating system.

The preferred way to remove this worm is to use the W32.Klez.E@mm Removal Tool. If for any reason you cannot obtain the tool, you must remove the worm manually.

Manual removal procedure for Windows 95/98/Me

Follow the instructions in the order shown. Do not skip any steps. This procedure has been tested and will work in most cases.

NOTE: Due to the damage that can be done by this worm, and depending on how many times the worm has executed, the process may not work in all cases. If it does not, you may need to obtain the services of a computer consultant.

1. Download virus definitions
   Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

   http://securityresponse.symantec.com/avcenter/defs.download.html

   For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode
   You must do this as the first step. For instructions, read the document How to restart Windows 9x or Windows Me in Safe mode.

3. Edit the registry
   You must edit the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and remove the wink???.exe value after you write down the exact name of the wink file.

   CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

   a. Click Start, and click Run. The Run dialog box appears.
   b. Type regedit and then click OK. The Registry Editor opens.
   c. Navigate to the following key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

   d. In the right pane, look for the following values:

      Wink[random characters] %System%\Wink[random characters].exe
      WQK %System%\Wqk.exe

   e. Write down the exact file name of the Wink[random characters].exe file.
   f. Delete the Wink[random characters] value and the WQK value (if it exists).
   g. Navigate to and expand the following key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

   h. In the left pane, under the \Services key, look for the following subkey, and delete it, if it exists:

      \Wink[random characters]

      NOTE: This probably will not exist on Windows 95/98/Me-based computers, but you should check for it anyway.

   i. Click Registry, and click Exit.

4. Delete the actual Wink[random characters] file
   Using Windows Explorer, open the C:\Windows\System folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)

   NOTE: If you have Windows installed to a location other than C:\Windows, make the appropriate substitution.

5. Empty the recycle bin
   Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

6. Run the Intelligent Updater
   Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.

7. Restart the computer
   Shut down the computer, and turn off the power. Wait 30 seconds, and then restart it. Allow it to start normally. If any files are detected as infected, Quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

8. Scan with Norton AntiVirus (NAV) from a command line
   Because some NAV files were damaged by the worm, you must scan from a command line.

   a. Click Start, and click Run.
   b. Type (or copy and paste) the following, and then click OK:

      NAVW32.EXE /L /VISIBLE

   c. Allow the scan to run. Quarantine any additional files that are detected.

9. Restart the computer
   Allow it to start normally.

10. Reinstall NAV
    a. Reinstall NAV from the installation CD.
    b. Start NAV, and make sure that it is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
    c. Run a full system scan. Quarantine any files that are detected as infected.

Manual removal procedure for Windows 2000/XP

1. Download virus definitions
   Download the definitions using the Intelligent Updater. Save the file to the Windows desktop. This is a necessary first step to make sure that you have current definitions available later in the removal process. Intelligent Updater virus definitions are available at

   http://securityresponse.symantec.com/avcenter/defs.download.html

   For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, read the document How to update virus definition files using the Intelligent Updater.

2. Restart the computer in Safe mode
   You must do this as the first step. All Windows 32-bit operating systems except Windows NT can be restarted in Safe mode. Read the document for your operating system.
   How to start Windows XP in Safe mode
   How to start Windows 2000 in Safe mode

3. Edit the registry
   You must edit the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services and remove the wink[random characters].exe subkey after you write down the exact name of the wink file.

   CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

   a. Click Start, and click Run. The Run dialog box appears.
   b. Type regedit and then click OK. The Registry Editor opens.
   c. Navigate to the following key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

   d. In the left pane, under the \Services key, look for the following subkey:

      \Wink[random characters]

   e. Write down the exact file name of the Wink[random characters].exe file.
   f. Delete the Wink[random characters] subkey.
   g. Navigate to the following key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

   h. In the right pane, look for the following values, and delete them if they exist:

      Wink[random characters] %System%\Wink[random characters].exe
      WQK %System%\Wqk.exe

      NOTE: They probably will not exist on Windows 2000/XP-based computers, but you should check for them anyway.

   i. Click Registry, and click Exit.

4. Configure Windows to show all files
   Do not skip this step.

   a. Start Windows Explorer.
   b. Click the Tools menu, and click "Folder options."
   c. Click the View tab.
   d. Uncheck "Hide file extensions for known file types."
   e. Uncheck "Hide protected operating system files," and under the "Hidden files" folder, click "Show hidden files and folders."
   f. Click Apply, and then click OK.

5. Delete the actual Wink[random characters] file
   Using Windows Explorer, open the C:\Winnt\System32 folder and locate the Wink[random characters].exe file. (Depending on your system settings, the .exe extension may not be displayed.)

   NOTE: If you have Windows installed to a location other than C:\Winnt, make the appropriate substitution.

6. Empty the recycle bin
   Right-click the Recycle bin on the Windows desktop, and click Empty Recycle Bin.

7. Run the Intelligent Updater
   Double-click the file that you downloaded in Step 1. Click Yes or OK if you are prompted.

8. Reinstall NAV
   a. Reinstall NAV from the installation CD.
   b. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
   c. Run a full system scan. Quarantine any files that are detected as infected.

9. Restart the computer and scan again
   Shut down the computer, and turn off the power. Wait 30 seconds and then restart it.

   CAUTION: This step is very important. Reinfection will occur if this is not followed.

   Allow it to start normally. If any files are detected as infected, quarantine them. Some of the files that you may find are Luall.exe, Rescue32.exe, and Nmain.exe.

Additional information:

It has been reported that W32.Klez.E@mm may arrive in the following email promoting a Symantec removal tool. Symantec will never send unsolicited email and the attachment should be deleted.

Subject: W32.Elkern removal tools

Message:
Symantec give you the W32.Elkern removal tools. W32.Elkern is a dangerous virus that can infect on Win98/Me/2000/XP.

For more information,please visit http://www.Symantec.com

Attachment: Install.exe

Revision History:

January 17, 2002: Revised Technical Description to include analysis of the worm.
January 18, 2002:
Added payload information regarding overwriting files with zeros on the 6th of each month. On Jan 6 and Jul 6 this payload affects all files.
Provided list of antivirus product database files which may be deleted
Added specific name for W32.Elkern.3587, the virus dropped by the worm
Added filename extension for email Attachment
March 6, 2002: Upgrade to Level 3 based on number of submissions
April 4, 2002: Additional information section updated

Write-up by: Atli Gudmundsson and Eric Chien

Basetta
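The write-up above lists where the worm persists (a Run value and, on NT-based systems, a Services subkey pointing at %System%\Wink[random].exe, plus the WQK value for the dropped W32.Elkern), the double-extension names of its copies on local and network drives, and the date rule of the zero-fill payload. The following Python script is an added example, not part of Symantec's write-up or its removal tool: it turns those indicators into checks that run offline over a .reg export and a file listing copied off a suspect machine, which is safer than poking at a live registry from a box whose antivirus has just been disabled. The sample export, the file paths and the name "Winkqfz" are constructed; jdbgmgr.exe from the top of the thread is included to show that the hoax file is not flagged.

```python
"""Offline triage for the W32.Klez.E@mm indicators in the write-up above.

Added example, not Symantec's removal tool. Inputs are a .reg export (what
regedit's Export produces for the Run key and the Services key) and a list of
file paths, so the checks run against data copied off a suspect machine. The
sample export, the file list and the name "Winkqfz" are constructed; the
worm's real file name is random.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

# %System%\Wink[random].exe is the worm itself, %System%\Wqk.exe the dropped W32.Elkern.
WORM_FILE = re.compile(r"^(wink[^\\/]*|wqk)\.exe$", re.IGNORECASE)
# Copies on local, mapped and network drives carry a double extension
# (filename.txt.exe, filename.txt.rar); generalised here to any short inner
# extension followed by an executable or .rar outer one.
DOUBLE_EXT = re.compile(r"\.[a-z]{2,4}\.(exe|bat|pif|scr|rar)$", re.IGNORECASE)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files write each backslash as \\
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def basename(path):
    return re.split(r"[\\/]", path)[-1]


def registry_indicators(keys):
    """Run values and Services subkeys matching the worm's persistence."""
    hits = []
    run_values = next((v for k, v in keys.items() if k.lower() == RUN_KEY.lower()), {})
    for name, data in run_values.items():
        m = re.search(r"([^\\/\s]+\.exe)", data, re.IGNORECASE)  # first .exe in the command line
        exe = m.group(1) if m else ""
        if WORM_FILE.match(exe) or name.lower().startswith("wink") or name.upper() == "WQK":
            hits.append(f"Run value {name!r} -> {data}")
    for key in keys:
        parent, _, sub = key.rpartition("\\")
        if parent.lower() == SERVICES_KEY.lower() and sub.lower().startswith("wink"):
            hits.append(f"Services subkey {sub!r}")
    return hits


def file_indicators(paths):
    """Paths whose names match the worm's own files or its double-extension copies."""
    return [p for p in paths
            if WORM_FILE.match(basename(p)) or DOUBLE_EXT.search(basename(p))]


def payload_scope(year, month, day):
    """What the zero-fill payload targets on a date: None, the listed extensions, or everything."""
    if day != 6 or month % 2 == 0:
        return None
    return "all files" if month in (1, 7) else "listed extensions only"


def triage(reg_text, paths, year, month, day):
    keys = parse_reg_export(reg_text)
    return {
        "registry": registry_indicators(keys),
        "files": file_indicators(paths),
        "payload_today": payload_scope(year, month, day),
    }


# Constructed sample data, not from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Winkqfz"="C:\\WINDOWS\\SYSTEM\\Winkqfz.exe"
"WQK"="C:\\WINDOWS\\SYSTEM\\Wqk.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkqfz]
"ImagePath"="C:\\WINNT\\System32\\Winkqfz.exe"
"""

SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\Winkqfz.exe",
    r"C:\WINDOWS\SYSTEM\Wqk.exe",
    r"C:\WINDOWS\SYSTEM\jdbgmgr.exe",  # the hoax file: legitimate, must not be flagged
    r"C:\WINDOWS\SYSTEM\setup.exe",
    r"\\FILESRV\share\report.txt.exe",
    r"\\FILESRV\share\photos.jpg.rar",
    r"C:\My Documents\report.txt",
]

if __name__ == "__main__":
    for section, result in triage(SAMPLE_REG, SAMPLE_FILES, 2002, 4, 17).items():
        print(f"{section}: {result}")
```

On a real case, export the two keys with regedit, list %System% and the shares with dir /s /b, and feed both files in; a Run value whose name is "wink" followed by random characters is the thing the manual procedure tells you to write down before deleting.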


#17

Originally posted by Minamoto Kobayashi
True... I get empty e-mails, with no attachment, yet the message length is long, too long... but where the heck is the attachment??

Try opening the message (with due precautions) and do View > Edit Source > Source, and you'll see that the malicious code is all there; and since Outlook opens it as HTML, it interprets what it finds (the virus) and runs it!!


#18

Hmm, but I don't use Outlook, I view the message from a public webmail... Maybe with one of those mail services the virus can't attack me?


#19

Exactly! The way you do it, you only see the text content, i.e. nothing!

Alternatively you can download messages with Eudora, which can receive text only,
or configure Outlook 2002, which should have this option!