一括表示

About the Yamada virus(山田ウィルスとは) 投稿者:管理人 [ID:NrppobISv22]

※機械翻訳なので、十分意味が伝わらない恐れが有ります。
※Since it is machine translation, there is a possibility that a meaning may not be transmitted enough.


我是日本人。我无法写中文。 至于翻訳: http://world.altavista.com/
나는 일본 사람 이다.나는 한국어를 쓸.번역:http://world.altavista.com/


First, please see this.
『Kawaisosu@Wiki』(About the Yamada virus)
http://www2.atwiki.jp/kawaisosu/pages/18.html

The bulletin board of 2ch.
Please see a:http://tmp5.2ch.net/download/

『Yamada watch thread』(Virus measure thread)
http://tmp5.2ch.net/test/read.cgi/download/1117616769/


【Condition】
If infected, a http server will be started and it will change into the state where the contents of an infected person's screen shot or the hard disk can be referred to.
Moreover, it is going to write its remote host in a bulletin board.
Furthermore, the name resolution to Microsoft or a security vendor is blocked by rewriting a hosts file.
[Danger] It seems that execution of commands arbitrary from the outside to an infected person is enabled.
The writing to a bulletin board changes with subspecies.
It seems that there is also a subspecies which it is going to write in bulliten board service of JBBS etc. in inside although it is most which it is going to write in bulliten board service of 2ch[http://www.2ch.net/].
What carries out income of the host name is checked from that to which how to expose a remote host also exposes those with two or more, an IP address, and a computer name, the thing using fusianasan (*6), and the global address.
It seems that the new species which passes through a trap also appeared although it seems that measures are taken by the bulliten board service of 2ch side now, and most writing by the virus was prevented.
Moreover, as long as the TCP/IP protocol is being used, there is an opportunity to carry out income of your IP address without limit.
What exceeds the router corresponding to UPnP and the fire wall of Windows XP attachment using UPnP depending on a seed is checked.
It seems that moreover, there are some which cannot be accessed in http://127.0.0.1/.
If the http server which the virus installed has a certain amount of access, an error will be caused and it will be completed.
It is said that there is also a thing used as youjo(blank).exe, rundll32.exe, and mdi.exe although the file name of a virus main part has a thing in use used as svchost.exe.
It seems that then, the folder of names, such as mellpon, fusianasan, kawaisosu, and yamada, is made, and the list of all files in a hard disk is placed in the bottom of the folder to which a virus exists at the time of starting.

【Source of infection and Infection route】
It is infected by downloading a file from P2P networks and rise loaders, such as Share, and performing it.
It seems that the kind of file is somehow judged by the icon and it performs with thinking that the folder was opened in many cases.
It seems that it is hard to notice having been infected in order that a virus might create the folder of a same name and might install a real file into it at this time.
the time of infection -- a virus main part -- %ProgramFiles% -- it copies to the bottom of an inner random folder, and registry or start-up is rewritten so that a virus may be performed at the time of Windows starting.
That a hosts file is rewritten seems to be this timing somehow.
It seems that C:\boot.ini is also rewritten.
In addition, a thing called the Yamada subspecies Maker is also circulating and the alteration of that this embeds and camouflages arbitrary pictures with a virus and the contribution sentence to bulliten board service of 2ch is attained.


【The check method】
The report store of NYUIRUSUSURE exhibits the Yamada check tool.
http://blog.livedoor.jp/antiny_virus/

A website is Japanese although it feels sorry.
When you have a look, please use  http://world.altavista.com/


Even when there is doubt using this tool, the next check method is tried, and when OK, I regard all as your feeling easy.
It will be infected, if http://127.0.0.1/is displayed by the browser and things, such as ~ss.jpg and C.html, can be seen.
It is infected even if its own screen is displayed by ttp: //127.0.0.1/~ss.jpg.
When not visible by the upper link, since it may be blocked by the virus, please display your host by the browser using a proxy for a sense.
It may be infected, if a memo pad etc. opens the file C:\Windows\system32\drivers\etc\hosts" and IP addresses other than "127.0.0.1" are indicated.
Since the line which starts in "#" is commented out, it is satisfactory.
The possibility of a virus is high, when programs, such as svchost.exe (*11), rundll32.exe (*12), and mdi.exe, are performed and there is it in addition to a standard place.
Don't say since the program of the file name currently written in the top is not performed, and don't feel easy.
If it can do, the process currently performed one by one will be investigated, and if there is a thing without a memory, let's try the lower extermination method.
However, since even a thing required originally may be erased, please take a memorandum in detail at the time of work to be able to return based on a setup.
The number which has started the svchost process is various by environment.
Moreover, although the method of judging by the user name of a svchost process is effective for the moment, since moving by user name called SYSTEM is also technically possible, he cannot feel easy.
It becomes that it is more certain to pinpoint the place of the process currently performed.

Software called SlightTaskManager is convenient to investigate the process currently performed.

【The extermination method】
If it can check, it will correct by the registry editor.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

+HKEY_LOCAL_MACHINE
 +SOFTWARE
  +Microsoft
   +Windows
    +CurrentVersion
     +Run

It will delete, if there is a part where the virus main part is described.

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

+HKEY_CURRENT_USER
 +Software
  +Microsoft
   +Windows
    +CurrentVersion
     +Run

It will delete, if there is a part where the virus main part is described.


Start -> all program -> start-up is seen, and in an order from a top, a right-click -> property will be deleted from start-up once again, if a display and its link place are viruses.


A memo pad is opened, and it is made "all files", and the kind of file is put into the column of a file name with ""C:\Windows\system32\drivers\etc\hosts" (*15)", and is opened.
If there are things other than the line which starts in "#", and the line "127.0.0.1 localhost", all are deleted and it overwrites.

If it reboots and the action appropriate for the Yamada virus cannot be checked after these operations, it is OK first.

If it checks that activity of a virus has stopped, let's delete a virus main part the whole folder.

We recommend you to work taking a memorandum so that an important thing may not be deleted accidentally.

Probably, it will be better to format all the hard disks that were being used by way of precaution, and to reput in a system completely.


Cautions: Please perform all acts in the range of your responsibility.


【Prevention of damage】
An extension is displayed.
The check of a hosts file
The form compatible defrosting tool is used.
A router is introduced.
A fire wall is introduced.
An antivirus is introduced.
OS is updated to the newest.
The icon is changed from the standard thing.
Html mail is not opened.
It learns about the danger of the Internet.


【The origin of a name】
With Mr. Yamada's message, sent youjo.exe was referred to as having been stepped on and infected,
and was written in, and the Yamada virus and the name were attached more.



   Then, it prays safely that it is solvable.
Translation software is used. I'm sorry [ place / where a meaning does not pass ]


#この文書は転載可です、ご利用は自己責任と言う事でお願い致します。

お持ち帰り用のファイルです。
http://www.interq.or.jp/www1/kuwasan/AbouttheYamadavirus.htm

#内容はこのスレッドをHTLにしてリンクをはずしただけです。

2005/06/01(Wed) 22:05:56  [No.2888]


An example of a hosts file 投稿者:管理人 [ID:NrppobISv22]

An example of a hosts file

--------------------------------------
210.253.211.2 trendmicro.com
210.253.211.2 update.symantec.com
210.253.211.2 updates.symantec.com
210.253.211.2 us.mcafee.com
210.253.211.2 vil.nai.com
210.253.211.2 viruslist.com
210.253.211.2 viruslist.ru
210.253.211.2 windowsupdate.microsoft.com
210.253.211.2 www.avp.com
210.253.211.2 www.ca.com
210.253.211.2 www.f-secure.com
210.253.211.2 www.kaspersky.com
210.253.211.2 www.mcafee.com
210.253.211.2 www.my-etrust.com
210.253.211.2 www.nai.com
210.253.211.2 www.networkassociates.com
210.253.211.2 www.sophos.com
210.253.211.2 www.symantec.com
210.253.211.2 www.trendmicro.com
210.253.211.2 www.viruslist.com
-------------------------------------

Where is IP address"210.253.211.2"?


IP address 210.253.211.2
Host name www.dpj.or.jp

Domain Information
[Domain name] DPJ.OR.JP
[Organization] The Democratic Party of Japan
[Organization Type] Political Party


It is connected with a political party, without being connected with a virus vendor.

2005/06/02(Thu) 01:34:30  [No.2890]


From the Press Releases of FTC 投稿者:管理人 [ID:NrppobISv22]   URL

The U.S. Federal Trade Commission (FTC) receives global ISP. Advice sentence sending about the measure against spam


http://www.ftc.gov/opa/2005/05/zombies.htm

2005/06/02(Thu) 05:12:58  [No.2891]


英文のお知らせメールを作ってみた。 投稿者:管理人 [ID:NrppobISv22]

Subject: It is the information about Yamada virus infection.



Dear Sir.
I am a Japanese.

E-mail is sent in order to announce you that your PC is infected with the virus.

Please see this.
『Kawaisosu@Wiki』(About the Yamada virus)
http://www2.atwiki.jp/kawaisosu/pages/18.html

The bulletin board of 2ch.
Please see a
『Yamada watch thread』(Virus measure thread)
http://tmp5.2ch.net/test/read.cgi/download/xxxxxx/

Please write in, if there is a question.


The above-mentioned site is Japanese although it feels sorry.
When you have a look, please use  http://world.altavista.com/

Then, it prays safely that it is solvable.


※転載、改編はご自由にどうぞ。:-)

2005/06/09(Thu) 16:49:11  [No.2910]