Forum |  HardWare.fr | News | Articles | PC | S'identifier | S'inscrire | Shop Recherche
1890 connectés 

  FORUM HardWare.fr
  Windows & Software

  HLIBMGR.EXE quelqu'un connait

 


 Mot :   Pseudo :  
 
Bas de page
Auteur Sujet :

HLIBMGR.EXE quelqu'un connait

n°318609
gizmo
Posté le 18-07-2001 à 23:03:10  profilanswer
 

j'ai ce joli fichier en attach d'un mail d'un parfait inconnu et dont je ne suis visiblement pas le destinataire principal (il n'y a aucun nom comme destinataire) et avec un corps de texte des plus éloquent: "À=!"#? $? ."
 
Donc je doute très fort du bien fondé de ce mail :D donc si quelqu'un a des infos dessus, je suis preneur.

mood
Publicité
Posté le 18-07-2001 à 23:03:10  profilanswer
 

n°318612
jajaX
Ma Flo, je t'aime: ;)
Posté le 18-07-2001 à 23:07:34  profilanswer
 

j'ai pas d'info, sorry.
 
ms des mails comme ça => poubelle  :)


---------------
@+ jaja - mansoncollections
n°318613
syntaxx_er​ror
Posté le 18-07-2001 à 23:09:10  profilanswer
 

Attention, c'est un coli piégé !!!... :ouch:

n°318620
gizmo
Posté le 18-07-2001 à 23:11:42  profilanswer
 

ca, je m'en doute, mais j'aimerais quand même savoir ce qu'il fait, par simple curiosité, et j'ai pas vraiment envie de voir si l'antivirus que j'essaye pour le moment est performant ou non ;)

n°318644
jajaX
Ma Flo, je t'aime: ;)
Posté le 18-07-2001 à 23:33:24  profilanswer
 

ben je viens de chercher sur les sites ke je connais  :pt1cable:  
 
on a pas assez de précision car j'ai chercher sur plusieurs sites :
 
le corps du msg => ne donne rien
 
rem : ms bon ça on peut le changer
 
le nom du fichier attaché non plus, ms ça on peut le renommer  :pt1cable:  
 
t'as moyen de choper un ip ds l'en-tête du mail, non  :pt1cable:  :??:


---------------
@+ jaja - mansoncollections
n°318645
syntaxx_er​ror
Posté le 18-07-2001 à 23:35:13  profilanswer
 

Ca sent le KICK DA MODO ton histoire....En gros, tu t'es fais un ami...

n°318648
PlyOne
Posté le 18-07-2001 à 23:39:44  profilanswer
 

HOLA ! Moi aussi j'ai recu un truc comme ca tantot par email, je connais pas du tout le destinataire (il s'appelle pascal kaz...) et son sujet était aussi ^#$* et des trucs pareil. Le fichier s'appelle KBDTrax.exe. Bizarre ce truc ! (et pourtant je suis pas modérateur moi ;)

n°318811
gizmo
Posté le 19-07-2001 à 09:38:45  profilanswer
 

bon, ben, je suis curieux et mon antivirus est a jour d'aujourd'hui, je teste :D

n°318813
gizmo
Posté le 19-07-2001 à 09:42:30  profilanswer
 

Bingo! Un virus :lol: (qui l'eut cru :sarcastic:)
 
Son petit nom, c'est Win32/Magistr.24876. Je vais voir si je trouve ce qu'il aurait du me faire. Merci nod32, c'est un antivirus qui a l'air sympa.

n°318816
gizmo
Posté le 19-07-2001 à 09:53:24  profilanswer
 

Alors voila:
 

Citation :


W32.Magistr.24876@mm is a virus that has email worm capability. It is also network aware. It infects Windows Portable Executable (PE) files, with the exception of .dll system files, and sends email messages to addresses that it gathers from the Outlook/Outlook Express mail folders (.dbx, .mbx), the sent items file from Netscape, and Windows address books (.wab), which are used by mail clients such as Microsoft Outlook and Microsoft Outlook Express,. The email message may have up to two attachments, and it has a randomly generated subject line and message body.
Also Known As: I-Worm.Magistr, PE_MAGISTR.A, W32.Magistr@mm
 
Category: Virus, Worm
Infection Length: varies
 
Virus Definitions: March 13, 2001
 
Threat Assessment:
 
 
 
Wild:
High
   
 
Damage:
High
   
 
Distribution:
High
   
 
 
Wild:
Number of infections: 50 - 999
 
Number of sites: More than 10
 
Geographical distribution: Medium
 
Threat containment: Moderate
 
Removal: Moderate
 
Damage:
Payload:
Large scale e-mailing: Uses email addresses from the Windows Address Book files and Outlook Express Sent Items folder.
 
 
Causes system instability: Overwrites hard drives, erases CMOS, flashes the BIOS.
 
 
Releases confidential info: It could send confidential Microsoft Word documents to others.
 
 
Distribution:
Subject of email: Randomly generated text that can be up to 60 characters long.
 
Name of attachment: One randomly named infected executable and several randomly selected text or document files
 
Target of infection: All Windows PE files that are not .dll files.
 
Technical description:
When a file that is infected by W32.Magistr.24876@mm is executed, it searches in memory for a readable, writable, initialized section inside the memory space of Explorer.exe. If one is found, a 110-byte routine is inserted into that area, and the TranslateMessage function is hooked to point to that routine. This code first appeared in W32.Dengue.
When the inserted code gains control, a thread is created and the original TranslateMessage function is called. The thread waits for three minutes before activating. Then the virus obtains the name of the computer, converts it to a base64 string, and depending on the first character of the name, creates a file in either the \Windows folder, the \Program Files folder, or the root folder. This file contains certain information, such as the location of the email address books and the date of initial infection. Then it retrieves the current user's email name and address information from the registry (Outlook, Exchange, Internet Mail and News), or the Prefs.js file (Netscape). The virus keeps in its body a history of the 10 most recently infected users, and these names are visible in infected files when the virus is decrypted. After this, the virus searches for the Sent file in the Netscape folder, and for .wab, .mbx, and .dbx files in the \Windows and \Program Files folders.
If an active Internet connection exists, the virus searches for up to five .doc and .txt files and chooses a random number of words from one of these files. These words are used to construct the subject and message body of the email message. Then the virus searches for up to 20 .exe and .scr files smaller than 128 KB, infects one of these files, attaches the infected file to the new message, and sends this message to up to 100 people from the address books. In addition there is a 20-percent chance that it will attach the file from which the subject and message body was taken, and an 80-percent chance that it will add the number 1 to the second character of the sender address. This last change prevents replies from being returned to you and possibly alerting you to the infection.
After the mailing is done, the virus searches for up to 20 .exe and .scr files, and infect one of these files. Then there is a 25-percent chance, if the Windows directory is named one of the following:
Winnt
Win95
Win98
Windows
that the virus will move the infected file into the \Windows folder and alter the file name slightly. Once the file is moved, a run= line is added to the Win.ini file to run the virus whenever the computer is started. In the other 75 percent of cases, the virus will create a registry subkey in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
The name of this subkey is the name of the file without a suffix, and the value is the complete file name of the infected file. The virus then searches all local hard drives and all shared folders on the network for up to 20 .exe and .scr files to infect, and add the run= line if the \Windows folder exists in that location.
If the computer has been infected for one month and at least 100 people have been sent an infected file, and if at least three files contain at least three examples from the following list:
sentences you
sentences him to
sentence you to
ordered to prison
convict
, judge
circuit judge
trial judge
found guilty
find him guilty
affirmed
judgment of conviction
verdict
guilty plea
trial court
trial chamber
sufficiency of proof
sufficiency of the evidence
proceedings
against the accused
habeas corpus
jugement
condamn
trouvons coupable
a rembourse
sous astreinte
aux entiers depens
aux depens
ayant delibere
le present arret
vu l'arret
conformement a la loi
execution provisoire
rdonn
audience publique
a fait constater
cadre de la procedure
magistrad
apelante
recurso de apelaci
pena de arresto
y condeno
mando y firmo
calidad de denunciante
costas procesales
diligencias previas
antecedentes de hecho
hechos probados
sentencia
comparecer
juzgando
dictando la presente
los autos
en autos
denuncia presentada
then the virus will activate the first of its payloads. This payload is similar to that of W32.Kriz, and it does the following:
Deletes the infected file
Erases CMOS (Windows 9x/Me only)
Erases the Flash BIOS (Windows 9x/Me only)
Overwrites every 25th file with the text YOUARESHIT as many times as it will fit in the file
Deletes every other file
Displays the following message:
 
Overwrites a sector of the first hard disk
This payload is repeated infinitely.
If the computer has been infected for two months, then on odd days the desktop icons are repositioned whenever the mouse pointer approaches, giving the impression that the icons are "running away" from the mouse:
 
If the computer has been infected for three months, then the infected file is deleted.
For files that are infected by W32.Magistr.24876@mm, the entry point address remains the same, but up to 512 bytes of garbage code is placed at that location. This garbage code transfers control to the last section. A polymorphic encrypted body is appended to the last section. The virus is hostile to debuggers and will crash the computer if a debugger is found.


 
PlyOne, a mon avis, t'as chopé le même!

mood
Publicité
Posté le 19-07-2001 à 09:53:24  profilanswer
 

n°318992
PlyOne
Posté le 19-07-2001 à 12:51:53  profilanswer
 

Ha merde alors, on me veut du mal ! Non si j'ai bien compris c'est surement un gars qui m'avait dans sa carnet d'adresse qui se l'est choppé et moi je l'ai reçu automatiquement...

n°319070
jajaX
Ma Flo, je t'aime: ;)
Posté le 19-07-2001 à 14:17:14  profilanswer
 

faut toujours se méfier, la preuve...
 
et celui est assez méchant.


---------------
@+ jaja - mansoncollections

Aller à :
Ajouter une réponse
  FORUM HardWare.fr
  Windows & Software

  HLIBMGR.EXE quelqu'un connait

 

Sujets relatifs
Quelqu'un connait un logiciel pour decamoufler des fichiers?Quelqu'un connait il la différence ...
quelqu'un connaît sourcesafe ?QUI Connait Drive Image Pro 4 de chez PowerQuest ....PLEASE ???
lancer un EXE à partir de config.sys[SQL SERVER 2000] Kelkun connait un site ?
Qq'un connait ARCserveit ? [logiciel de backup]Vu que c'est fermé quelquun connait la nouvelle url de danceparadise?
Plus de sujets relatifs à : HLIBMGR.EXE quelqu'un connait


Copyright © 1997-2022 Hardware.fr SARL (Signaler un contenu illicite / Données personnelles) / Groupe LDLC / Shop HFR