begood

The International Space Station has been infected with computer viruses


From time to time, the geniuses who work at NASA still surprise us with the occasional blunder. Sometimes it is the disintegration of a spacecraft on its return from a mission, other times it is simple computer viruses that end up, by accident or not, in space. More precisely, on the computers aboard the International Space Station.

The daring virus (more precisely, a worm) that reached space and is trying to steal the accounts of the astronauts aboard the Space Station is called Gammima.AG and was discovered, down here on Earth, just this month.

NASA reassured the public, maintaining that the virus has no way of compromising the Space Station's missions. The infected computers were used only to run nutrition applications and for e-mail communication. Gossip has it that the lonely astronomers visited a few racy sites and that is how they picked up the little virus. But that is only speculation.

Source: BBC News via forum.torrents.ro


TECHNICAL DETAILS

Discovered: August 27, 2007

Updated: August 27, 2007 11:08:32 AM

Also Known As: Worm.Win32.AutoRun.bhx [Kaspersky], Trojan-PSW.Win32.OnLineGames.rlh [Kaspersky], Trojan-PSW.Win32.OnLineGames.sxa [Kaspersky]

Type: Worm

Infection Length: 75,520 bytes

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

When the worm executes, it creates the following files:

* %System%\kavo.exe

* %System%\kavo0.dll

The file kavo0.dll is then injected into all running processes.

It also creates the following file, which is a copy of Hacktool.Rootkit:

%Temp%\[RANDOM FILE NAME].dll

The worm then copies itself to all drives from C through Z as the following file:

[DRIVE LETTER]:\ntdelect.com

It also creates the following file so that it executes whenever the drive is accessed:

[DRIVE LETTER]:\autorun.inf

Next, the worm creates the following registry entry so that it executes whenever Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"kava" = "%System%\kavo.exe"

It then modifies the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"

* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"

* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer\"NoDriveTypeAutoRun" = "0x91"

The worm checks if it has been injected into any of the following processes:

* zhengtu.dat

* elementclient.exe

* dekaron.exe

* hyo.exe

* wsm.exe and ybclient.exe

* fairlyclient.exe

* so3d.exe

* maplestory.exe

* r2client.exe

* InphaseNXD.EXE

It then attempts to steal sensitive information for the following online games:

* ZhengTu

* Wanmi Shijie or Perfect World

* Dekaron Siwan Mojie

* HuangYi Online

* Rexue Jianghu

* ROHAN

* Seal Online

* Maple Story

* R2 (Reign of Revolution)

* Talesweaver

The worm ends the Matrix Password process if it finds a dialog box with the following characteristics:

Title: MatrixPasswordDlg

Message: Warning! (In Chinese characters)

The harvested information is then sent to the remote attacker via HTTP.
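The indicators listed above (the `kava` Run value, the Explorer hidden-file settings, and the `ntdelect.com` / `autorun.inf` pair in every drive root) can be checked offline against a host snapshot. The following is an added example written for this thread, not code from the original post or from Symantec; the snapshot format (registry values keyed as `key\valuename`, drive roots as filename-to-content dicts) and the sample data are constructed assumptions.

```python
import configparser
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADV = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

def check_registry(reg):
    # reg: {"key\\valuename": data} as exported from the host; returns findings
    out = []
    if reg.get(RUN + r"\kava", "").lower().endswith(r"\kavo.exe"):
        out.append("Run\\kava points at kavo.exe (persistence)")
    if reg.get(SHOWALL + r"\CheckedValue") == "0" and reg.get(ADV + r"\Hidden") == "2":
        out.append("Explorer forced to hide hidden files")
    if reg.get(ADV + r"\ShowSuperHidden") == "0":
        out.append("protected operating-system files hidden")
    return out

def autorun_launches(inf_text, target="ntdelect.com"):
    # True if an [autorun] directive references target; worm-written INF files are often sloppy, so fall back to a raw search on parse error
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return target in inf_text.lower()
    for section in cp.sections():
        if section.lower() == "autorun":
            return any(target in v.lower() for v in cp[section].values())
    return False

def check_drive_root(files):
    # files: {filename: content} listing of one drive root
    lower = {n.lower(): c for n, c in files.items()}
    out = ["ntdelect.com in drive root"] if "ntdelect.com" in lower else []
    if "autorun.inf" in lower and autorun_launches(lower["autorun.inf"]):
        out.append("autorun.inf launches ntdelect.com")
    return out

def scan(reg, drives):
    # drives: {"C": {...}, ...}; a drive appears in the report only when it has findings
    report = {"registry": check_registry(reg)}
    for letter, files in drives.items():
        hits = check_drive_root(files)
        if hits:
            report[letter + ":"] = hits
    return report
# Constructed sample snapshot: infected registry, hits on C:, clean removable D:
SAMPLE_REG = {RUN + r"\kava": r"C:\WINDOWS\system32\kavo.exe", SHOWALL + r"\CheckedValue": "0",
              ADV + r"\Hidden": "2", ADV + r"\ShowSuperHidden": "0"}
SAMPLE_DRIVES = {"C": {"ntdelect.com": "<binary>",
                       "autorun.inf": "[AutoRun]\nopen=ntdelect.com\nshell\\open\\Command=ntdelect.com\n"},
                 "D": {"autorun.inf": "[autorun]\nicon=setup.exe,0\n"}}
```

Running `scan(SAMPLE_REG, SAMPLE_DRIVES)` reports all three registry findings and both indicators on C:, while D: (a legitimate autorun.inf that only sets an icon) does not appear at all.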

[Removal]


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).

2. Update the virus definitions.

3. Run a full system scan.

4. Delete any values added to the registry.
