Fix2001.exe from Microsoft = virus?

Hi,

my virus scanner found the virus W32/Fix in a mail (sender [email protected]???).

Is this mail, supposedly sent by Microsoft, really a virus, and above all, does the thing actually come from Microsoft?

Yes - it is a virus! There is a report about it in the current issue of Chip or at http://www.chip.de. Among other things it says there that Microsoft never sends files by e-mail as a matter of principle... so it is not from Microsoft either.

As Tino already said - it is a virus (a worm / trojan) - a particularly clever fellow. Here is some more to read up on...

Regards
Dirk

http://www.symantec.com/avcenter/venc/data/w95.fix20…

W95.Fix2001
Aliases: W32/Fix2001
Likelihood: Common
Detected On: September 14, 1999
Characteristics: Wild

Technical Notes

W95.Fix2001 is an internet worm. It arrives in an e-mail as a MIME-encoded attachment called Fix2001.exe. The subject of the received e-mail is "Internet problem year 2000". It is sent by a person called "Administrator". The message of the Fix2001 worm is the following:
"Estimado Cliente: ..." / "Dear Customer..."

When initially executed, the worm installs itself into the local machine's Windows system directory under the same name. It modifies the registry \Windows\CurrentVersion\Run key so that it is executed at every boot from then on. When executed for the first time, it displays the following message:
Y2K Ready!!
Your Internet Connection is already Y2K, you don’t need to upgrade it.

The worm checks whether a window procedure with the name "AMORE_TE_AMO" exists. This window procedure is created by the worm in order to send itself to other locations in the background. Instead of modifying system DLL files, the worm hooks APIs to itself in memory by patching the process address space. This way it gains execution each time internet activity happens on the local machine.
When RNAAPP.EXE (Dial-up Network Application) is not running, the worm executes it with the -l parameter. This loads RNAAPP.EXE, which has an import from RASAPI32.DLL. Once RNAAPP.EXE is loaded, the worm patches a hook routine into RASAPI32.DLL's DialEngineRequest API: it puts a jump to its hook routine at the entry point of this API and places its short code right after the import address table of RASAPI32.DLL. Similarly, Fix2001 also hooks the "send" and "connect" APIs of WSOCK32.DLL, which is loaded by internet applications such as Internet Explorer or Outlook Express. Once RNAAPP.EXE is patched, the worm hides it from the task list by registering it as a service process. The worm itself is also registered as a service process and therefore does not appear on the task list.
The hook routine on the "send" API looks for the "RCPT" field of the mail header while mail is being sent. The worm sends its own message with the Fix2001.exe attachment to the very same recipient right after the original message.
Fix2001 is the first Windows 95 worm that hooks DLLs of other processes "on the fly" in memory.

Payload
The payload of the worm triggers after the worm has already posted itself to another location and an active connection exists. The routine then computes a checksum over the last detected e-mail address. If a particular e-mail address produces a checksum match, the worm deletes the C:\COMMAND.COM file and creates another 16-bit COM program, also named COMMAND.COM, that is 137 bytes long. NAV detects this trojan as Trojan.Fixed.

The trojan is executed the next time the computer is booted. If the trojanized COMMAND.COM is executed, it destroys the hard disk data (overwriting it using I/O port commands) whenever the hard disk is an IDE drive.

I would not run the file.
Take a look in the e-mail header at the IP or the host of the SMTP server and of the sender.
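As an added example (not from any poster above or from Symantec), the following Python script does the two checks this thread recommends in one pass: it tests a mail against the indicators quoted from the Symantec write-up (subject "Internet problem year 2000", sender display name "Administrator", attachment Fix2001.exe) and walks the Received headers to list which host and IP each relay saw, so the claimed sender can be compared with the actual SMTP path. The sample message, its hosts, IPs and timestamps are constructed for this example; the attachment body is a few harmless bytes, not the worm.

```python
"""Triage a suspected Fix2001 mail: indicator match plus SMTP relay chain."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators taken from the Symantec description quoted in this thread
FIX2001_SUBJECT = "internet problem year 2000"
FIX2001_SENDER_NAME = "administrator"
FIX2001_ATTACHMENT = "fix2001.exe"

# Constructed sample mail (hypothetical hosts/IPs/timestamps, dummy attachment bytes)
SAMPLE_MAIL = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Tue, 14 Sep 1999 10:00:00 +0000
Received: from dialup-77.example.net ([198.51.100.77])
\tby mail.example.net with SMTP; Tue, 14 Sep 1999 09:59:00 +0000
From: Administrator <administrator@example.net>
To: victim@example.org
Subject: Internet problem year 2000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

Estimado Cliente: ...
--XYZ
Content-Type: application/octet-stream; name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Fix2001.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# "from <host> (<comment>)" as written by the receiving MTA into a Received header
RECEIVED_RE = re.compile(r"from\s+(?P<host>\S+)(?:\s*\((?P<comment>[^)]*)\))?", re.I)
# the literal IPv4 address the receiver saw, in square brackets
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_mail(raw):
    """Parse raw RFC 822 bytes into an EmailMessage."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_hops(msg):
    """Relay chain, oldest hop first, as (claimed_sender_host, ip_seen_by_receiver)."""
    hops = []
    for header in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", str(header))  # unfold continuation lines
        match = RECEIVED_RE.search(value)
        if not match:
            continue
        # the IP usually sits in the receiver's comment; fall back to the whole header
        ip_match = IP_RE.search(match.group("comment") or "") or IP_RE.search(value)
        hops.append((match.group("host").strip("[]"), ip_match.group(1) if ip_match else None))
    hops.reverse()  # each MTA prepends its header, so the bottom one is the first hop
    return hops


def fix2001_indicators(msg):
    """Check the three indicators from the write-up; attachment names are returned too."""
    display_name, _address = parseaddr(str(msg.get("From", "")))
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    return {
        "subject": str(msg.get("Subject", "")).strip().lower() == FIX2001_SUBJECT,
        "sender_name": display_name.strip().lower() == FIX2001_SENDER_NAME,
        "attachment": any(name.lower() == FIX2001_ATTACHMENT for name in attachments),
        "attachments": attachments,
    }


def triage(raw):
    """Combine indicator match and relay chain into one result dict."""
    msg = parse_mail(raw)
    indicators = fix2001_indicators(msg)
    hops = received_hops(msg)
    # subject plus attachment name is the pair the write-up describes; the
    # display name alone is weak, so it is reported but does not drive the verdict
    verdict = ("matches Fix2001 indicators"
               if indicators["subject"] and indicators["attachment"]
               else "no Fix2001 indicator match")
    return {"indicators": indicators, "hops": hops, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_MAIL)
    print(result["verdict"])
    for host, ip in result["hops"]:
        print(f"  relay claimed {host!r}, receiver saw {ip}")
```

The first hop in the chain is the one worth comparing against the From address: here a dial-up host hands the mail to a relay, which is exactly the kind of path the thread tells you to look for instead of trusting a sender that claims to be Microsoft. Any Received header can itself be forged by the sender, so only the hops added by your own or trusted MTAs are reliable.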
