kathy boast                                                                                  danny couch fan club                                                                                                      Aloha Joe

Viruses in the Name of Aloha????   NOT

A Special and Personal ~ THANK YOU ~ to my friends from Microsoft who have found this page via Google and Emails regarding the content of this page. I appreciate your insight and advice.

Important Information http://www.teach-nology.com/tutorials/virus/print.htm

A Summer of attacks! Deliberate attempts to infect computer systems are against the law!

 

Attempts to infect other websites, email, and computer systems when banned from entry are Deliberate!

Attempts to disguise your entry IP addresses/aliases via Proxy are an attempt to hide!  WHY?  Here's why!

 

The person who sent/embedded these viruses (see the following) A Summer of attacks! worms/viruses did so when I was out of town for the summer! This person/people did so even though banned from email and website entry with over 800+ false IP addresses registered to date (documented). This type of Website entry is done via Proxy Servers in hopes of being invisible! And to inflict problems.... period!

Multiple visits per day, every day, are a Red Flag to hosts of the potential of problem behavior and are automatically registered by providers.

 

Why would someone deliberately try to destroy someone's work, effort and even more importantly... complete computer system? Hoping that this worm/Virus would be passed (unknowingly) to others  frequenting the website, forums or being emailed???  Prior to this we dealt with Porno Site links being implanted into our website, and listed on Forums, also accusations were made, plus emails were sent to Hawaiian Music Artists badmouthing our endeavors.  There's so much more! 

 

This however is very serious!

This is what this embedded worm could have done if not detected.

 

I waited until I had all the gouge to post this page.  Here it is..

This is documented with my internet server and with my website providers.

This is not the first time!


Actual captures of documentation from computer server 8-14-2007

This information was documented by centurytel.net and powweb.com who informed me of the problem!

Information remains on computer virus history, and main server pending legal action.

MKathy_greeting.exe
C:\My Documents\C:\WINDOWS\Temporary Internet Files\Content.IE5\YKE3QOH0\
W32.Spybot.Worm W32.Mydoom.dam
B9X1J7
document1.zip

Infected 9/16/04 4:26.37 pm  registered and documented

Infected 5/18/07 10:23.12 pm

Infected 5/28/07 8:04.06 am

Infected 6/23/07 12:17.10 pm

Infected 6/30/07 8:45.25 pm

Infected 7/6/07 10:07.19 pm

Infected 8/13/07 8:44.44 am


Manual and Automatic scan: Clean virus from file and Quarantine. Documents infiltrators, also registered IP addresses and encroachments with provider.

The Virus History displays a list of the viruses that have infected your computer with additional relevant information about the infection including source, date and computer. Viewing the Virus History helps you to determine which viruses have most frequently infected your computer, which types of scans have been most effective on your computer, and perhaps most important, whether files are still infected.
Forwarded to/from centurytel.net and my website server and verified. IP addresses matched and logged.
Newest 8-16-07 Caught again!

 

 

11/07 Since this page has been made public, no further viruses have been detected or implanted!

 

I’m forwarding information on virus implanting that was sent into my system while I was out of town this summer, and currently. The virus is identified as W32.Spybot.Worm.

More info at http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99

I’m lucky my anti-virus programs did their job and did not allow them to embed. My system is CLEAN! However it hasn’t stopped the person from trying. The registry shows everything that’s needed to know.  (thanks for the info, it’s called a footprint in case you’re not aware!!!  Invaluable and useful ID information is included) 

This worm is ugly and can attach to your programs/webs/emails/attachments/ if it’s executed into your system which can be done without opening an attachment, therefore also dangerous if embedded into websites/forums.

Make sure your virus programs are up to snuff, they don’t always catch this bugger. Has to be physically removed from your system once infiltrated!

 

I was notified by my provider that someone was infiltrating my website (via back door) and I pursued and together we identified. I now know all the gouge about what is going on including sources. This also happened in ’04 same profile with the same results, nothing was done at that time, no legal ramifications, thus far.  It speaks for itself!

 

This virus/worm was sent although the originator (stated in the files) who is the only person blocked/banned from my email service/websites. The above actual captures of the files (which were forwarded to my provider and verified as accurate) show all the information needed to trace.

“Due to the frequency of the sends this matter is being looked at as an attack and direct attempt to intentionally infect via the internet with a malicious manner.” as quoted by my provider.

 

 W32.Spybot.Worm is a detection for a family of worms that spreads using the Kazaa file-sharing network and mIRC. This worm can also spread to computers that are compromised by common back door Trojan horses and on network shares protected by weak passwords or no passwords.

W32.Spybot.Worm can perform various actions by connecting to a configurable IRC server and joining a specific channel to listen for instructions. Newer variants may also spread by exploiting the following vulnerabilities: IPS signatures against all known and unknown exploits of SYM06-010 were released on May 26, 2006.

A couple of its nasty features include:

1. Copies itself to the configured path as file names that are designed to trick other users into downloading and executing the worm.
2. May perform Denial of Service attacks on specified servers.
3. May end security application processes.
4. Connects to specified IRC servers and joins a channel to receive commands. The commands may include the following:
    1. Scans for vulnerable computers
    2. Download or upload files
    3. List or end running processes
    4. Steal cached passwords
    5. Log keystrokes to steal information entered into windows with titles containing the following strings:
        1. bank
        2. login
        3. e-bay
        4. eBay
        5. pay pal
    6. Search for files on the compromised computer
    7. Capture screenshots, data from the clipboard, and footage from webcams
    8. Visits URLs
    9. Flushes the DNS and ARP caches
    10. Opens a command shell on the compromised computer
    11. Intercepts packets on the local area network
    12. Sends net send messages
    13. Copies itself to many hard-coded Windows startup folders, such as the following:
        1. Documents and Settings\All Users\Menu Start\Programmer's\Opstarten
        2. WINDOWS\All Users\Start Menu\Programs\StartUp
        3. WINNT\Profiles\All Users\Start Menu\Programs\Startup
        4. WINDOWS\Start Menu\Programs\Startup
        5. Document All Users\Start Menu\Programs\Startup
        6. Document \All Users\Start Menu\Programs\Startup
        7. Documents and Settings\All Users\Start Menu\Programs\Startup

        Symantec Security Response has received reports of variants of this worm creating zero-byte files in the Startup folder.
5. May send confidential information, such as the operating system, IP address, user name, etc., to the IRC server/host.
6. May open a back door on a random port.
7. May create subkeys to register itself as a service.
8. May download and execute remote files, including updates of the worm, via downloads, .exe files, or email.
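A defensive check for the Startup-folder behaviour listed above, as an added example (not part of the original page or of Symantec's writeup): it looks in the folders named in the list for zero-byte files and for executables. The extension set, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Startup folders copied as listed on this page, relative to a drive root.
STARTUP_DIRS = [
    r"Documents and Settings\All Users\Menu Start\Programmer's\Opstarten",
    r"WINDOWS\All Users\Start Menu\Programs\StartUp",
    r"WINNT\Profiles\All Users\Start Menu\Programs\Startup",
    r"WINDOWS\Start Menu\Programs\Startup",
    r"Document All Users\Start Menu\Programs\Startup",
    r"Document \All Users\Start Menu\Programs\Startup",
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",
]
# Assumption: extensions treated as directly runnable. Startup folders
# normally hold shortcuts (.lnk), so these stand out.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def scan_startup_folders(root):
    """Return sorted (path relative to root, reason) pairs worth reviewing."""
    root = Path(root)
    findings = []
    for rel in STARTUP_DIRS:
        folder = root.joinpath(*rel.split("\\"))
        if not folder.is_dir():
            continue  # this Windows version or locale does not have the folder
        for entry in folder.iterdir():
            if not entry.is_file():
                continue
            name = entry.relative_to(root).as_posix()
            if entry.stat().st_size == 0:
                findings.append((name, "zero-byte file"))
            elif entry.suffix.lower() in EXECUTABLE_EXTS:
                findings.append((name, "executable in Startup"))
    return sorted(findings)


def demo():
    """Scan a constructed directory tree (sample data, not a real system)."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp, "WINDOWS", "Start Menu", "Programs", "Startup")
        startup.mkdir(parents=True)
        (startup / "greeting.exe").write_bytes(b"MZ constructed sample")
        (startup / "empty.dat").write_bytes(b"")
        (startup / "Office.lnk").write_bytes(b"constructed shortcut")
        return scan_startup_folders(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

On a real machine, pass the drive root (for example `C:\`) to `scan_startup_folders`; a finding is a prompt to inspect the file, not proof of infection.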

 

Simply put... It can be used to spy/disable/remove emails/send its own/access websites/access private files and multiply! Plus it can also disable Virus Protection Programs and not allow updating.

 Nice Bugger isn't it?

 

The same person is responsible for these as well as matched IP address from 9/16/04

The Virus History displays a list of the viruses that have infected my computer with additional relevant information about the infection. Viewing the Virus History helps to determine which viruses have most frequently infected your computer, which types of scans have been most effective on your computer, and perhaps most important, whether files are still infected.

I have forwarded this information to centurytel.net (my provider) and they have verified and have records of the same actions, IP addresses matched and logged.

This person has now been recorded as an intentional virus forwarder and any further infractions warrant legal action. My provider recommends pursuing the matter! These files are recorded and will be used as proof of these actions.

 

I will keep you posted.  This info will be posted on our Fan Club and in our website for protection of our members.

 

There are other ways to detect/remove viruses without using your downloaded Norton or McAfee programs. If you believe you may have a problem please email me.  I am keeping record of other infiltrations.

 

If you have any questions regarding this matter feel free to also email me. I'd be happy to share the information I have.

Mahalo

 

 
