
finaldo virus can infect without running exe?

DJFuji

Diamond Member
Symantec just sent me the new SARC update and they're talking about this virus that supposedly allows the exe to run when the email message "is viewed." They talk about a "preview feature." What the hell kind of program "previews" executables? Or are they saying that this nasty critter can infect users by just opening the email and leaving the exe alone? This is what it says..


>>
W32.Finaldo.B@mm is a simple Win32 polymorphic virus that infects Portable Executable (PE) files. It searches for files that have the extensions .scr, .ocx, or .exe, and it inserts itself at the end of the file.

It drops a file into the Windows temporary files folder named Finaldoom.exe or Finaldoom.dll. This file is compressed using the UPX compression utility.

This virus is written in C++. Because the virus is polymorphic, each file that it infects creates a different file, which it attempts to send using MAPI. The virus waits 30 minutes before it sends itself. The file is encoded within a MIME email message that will have an attachment named ".exe". This email message makes use of the preview feature to allow it to run the executable when the email message is viewed.<<
 
And here is a different take from NAI (McAfee):

>>>This is a network aware, file-infector, and mass-mailing worm virus. At this time it is not known to be in the wild. AVERT has not received a single sample from the field. The virus also contains bugs and is not fully functional.

>>>W32/Finaldo.b@MM arrives in an email message with varying subject lines, and no visible message body. The attachment name is ".exe" and uses the China flag for an icon.

>>>This message makes use of the Incorrect MIME Header vulnerability (MS01-020) which results in this attachment being executed by simply viewing the email message on an unpatched system.

>>>Once this virus is in memory, the file FINALDOOM.DLL is created in the TEMP directory which attempts to infect .EXE, .OCX, and .SCR files on local drives and network shares by appending itself to these files. Once these files have been infected, they may no longer function. NTOSKRNL.EXE and WinZip self-extracting archives are specifically ignored by this process.

>>>FINALDOOM.EML is created in the TEMP directory which contains the MIME encoded email message that is sent out by the worm. MAPI API calls are used to obtain email recipients from existing email messages. The worm then tries to send itself to those recipients via SMTP.
The virus also tries to modify .HTM, .HTML, and .ASP documents by inserting a JavaScript call to open a window containing the FINALDOOM.EML file contents.
 
>>>This message makes use of the Incorrect MIME Header vulnerability (MS01-020) which results in this attachment being executed by simply viewing the email message on an unpatched system

so what happens if this virus is sent to a text-based email account? How the heck is someone on yahoo going to infect themselves? It would have to span through the database then to the webpage, then through to the user's computer WITHOUT any alarms going off....and then infect their files. Or is this just like an exchange server hole?
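As an added example, not code from the thread or from either vendor's advisory: the two write-ups above describe a message with no body and an attachment named just ".exe" that runs "on view" via MS01-020. The trick behind that advisory is a mismatch: the part's declared Content-Type is a media type the unpatched client hands straight to a player or viewer without prompting, while the bytes inside are a Win32 executable. The Python below builds a constructed message of that shape (the audio/x-wav type and the list of auto-opened types are my assumptions; the thread only names the advisory), then scans any raw MIME message for parts whose declared type does not match an executable name or payload.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: content types an unpatched IE/Outlook of that era opened without
# prompting. The thread names MS01-020 but not the types; this list is mine.
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg"}
# Extensions named in the advisories plus a few other directly executable ones.
EXEC_EXTS = {".exe", ".scr", ".ocx", ".dll", ".com", ".pif", ".bat", ".vbs"}


def _extension(filename: str) -> str:
    # os.path.splitext(".exe") returns ('.exe', ''), because a leading dot marks a
    # dotfile, so the worm's bare ".exe" name would slip past it. Take everything
    # from the last dot ourselves instead.
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def find_executable_parts(raw: bytes) -> list[dict]:
    """Return one finding per non-multipart MIME part that carries an executable
    by name or by content, recording whether its declared type is one the client
    would auto-open (the MS01-020 combination)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # base64/QP already undone
        reasons = []
        if payload[:2] == b"MZ":
            reasons.append("payload begins with the PE/DOS 'MZ' header")
        ext = _extension(filename)
        if ext in EXEC_EXTS:
            reasons.append(f"attachment name ends in executable extension {ext}")
            if filename == ext:
                reasons.append("attachment name is nothing but an extension")
        if not reasons:
            continue
        findings.append({
            "content_type": ctype,
            "filename": filename,
            "reasons": reasons,
            # Executable data declared as a media type the client opens on its own:
            # this is what let the attachment run when the message was previewed.
            "auto_open_risk": ctype in AUTO_OPEN_TYPES,
        })
    return findings


def build_worm_sample() -> bytes:
    """Constructed message shaped like the one the advisories describe: no text
    part at all, one attachment named '.exe', declared audio/x-wav, PE bytes inside."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "hi"
    msg.make_mixed()  # multipart container with no body part: "no visible message body"
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # DOS header magic only, not a real program
    msg.add_attachment(pe_stub, maintype="audio", subtype="x-wav", filename=".exe")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed benign message: a text body plus a JPEG that really is a JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "photo"
    msg.set_content("see attached")
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # JPEG SOI marker, not a real image
    msg.add_attachment(jpeg_stub, maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_executable_parts(build_worm_sample()):
        print(finding)
    print(find_executable_parts(build_clean_sample()))
```

The check looks at the decoded bytes and the declared type together, so it does not depend on what the receiving client does with the message; it is the kind of test a mail gateway or a triage script can run on the raw .eml regardless of whether the recipient reads mail in Outlook or in a plain-text client.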
 
I would say that the threat to a text only e-mail system is very low . . . maybe nil. I would also say that this virus would be detected by any current AV program. NAI has posted two DAT updates this week already. The latest is 4172.
 