ybgmsti Virus info

Post by sportsch1 » Mon, 16 Aug 2004 03:55:09


Recently my machine was affected by the ybgmsti virus. I did some initial
tracing, which I am listing here. I also have one question about the
common means by which some external software gets uploaded to my machine
and invoked when I am not browsing/visiting any website, and also
how this can be prevented.

ybgmsti.exe was uploaded into C:\WINDOWS\system32 and put itself in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
and
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa + MORE places
as Video Process=ybgmsti.exe
The file changed its attributes to hidden+system and set my Windows
Explorer options not to show hidden files.
When it runs it kills "Task Manager" immediately whenever it is
started. It does the same with an already running (before this piece of
virus ran) instance of Norton SystemWorks and Auto-Protect as well
(Shy NAV!!)
Needless to say, NAV couldn't detect any virus in this file.

Here is some info on what this virus was trying to do with the internet
connection:
Open outgoing TCP with we.gonna.b00m.biz [128.40.26.119] MAC address:
00-00-C5-AF-AA-3C, port: 2125, using local port: 1067,
C:\WINDOWS\system32\ybgmsti.exe

I got the route trace info, which just says "request timed out".
Also I have the actual virus file, in case anybody wants to dissect
it.
For further information, drop me an email at XXXX@XXXXX.COM
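The persistence described in the post (a "Video Process" value in the per-user Run and RunServices keys pointing at a bare, hidden+system ybgmsti.exe in system32) is exactly the kind of thing a quick autorun triage catches. The script below is an added example, not code from the thread; it parses the text format that `reg query <key>` prints and flags entries with those indicators. The Run-key listing and the file-attribute table are constructed to mirror the post, the resolution of a bare file name to system32 is an assumption for this triage, and a real audit would feed it live `reg query` and `attrib` output.

```python
"""Triage Windows autorun (Run/RunServices) entries from `reg query` output."""
import re
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\system32")

# Constructed `reg query` output: the layout is what reg.exe prints, the
# entries are invented to match the post (OneDrive is a benign control).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Video Process    REG_SZ    ybgmsti.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    Video Process    REG_SZ    ybgmsti.exe
"""

# Constructed attribute table (what `attrib` would report), lower-cased paths.
SAMPLE_FILE_ATTRS = {
    r"c:\windows\system32\ybgmsti.exe": {"hidden", "system"},
    r"c:\users\me\appdata\local\microsoft\onedrive\onedrive.exe": set(),
}

# Value lines are indented: <name>  <REG_type>  <data>, separated by runs of spaces.
# Non-greedy name + "two or more spaces" keeps names like "Video Process" intact.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return (key, value_name, type, data) tuples from `reg query` output."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line is the key path
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m["name"], m["type"], m["data"].strip()))
    return entries


def executable_from_command(data):
    """Program part of a Run value: the quoted path, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def is_bare_name(exe):
    """True when the value names a file with no directory at all."""
    return PureWindowsPath(exe).parent == PureWindowsPath(".")


def resolve(exe):
    """Assumption for this triage: a bare name is taken to live in system32,
    where the post found ybgmsti.exe (the system directory is on the search
    path Windows uses when launching Run entries)."""
    p = PureWindowsPath(exe)
    return SYSTEM32 / p.name if is_bare_name(exe) else p


def triage(reg_output, file_attrs):
    """Flag autorun entries showing the indicators described in the post."""
    findings = []
    for key, name, _vtype, data in parse_reg_query(reg_output):
        exe = executable_from_command(data)
        path = resolve(exe)
        reasons = []
        if is_bare_name(exe):
            reasons.append("bare file name, location decided by search path")
        if str(path.parent).lower() == str(SYSTEM32).lower():
            reasons.append("runs from system32 (unusual for a per-user Run entry)")
        if {"hidden", "system"} <= file_attrs.get(str(path).lower(), set()):
            reasons.append("file is hidden+system")
        if not any(word.lower() in path.stem.lower() for word in name.split()):
            reasons.append("value name does not match file name")
        if reasons:
            findings.append({"key": key, "value": name, "path": str(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_OUTPUT, SAMPLE_FILE_ATTRS):
        print(f"{f['key']}\n  {f['value']} -> {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Each heuristic on its own is weak (plenty of legitimate installers use odd value names), which is why the script reports all matching reasons per entry rather than a verdict; an entry that trips three or four of them, as the one in the post would, is worth pulling the file from and checking with a second scanner.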

Post by Dorsa » Mon, 16 Aug 2004 04:27:42


XXXX@XXXXX.COM (Sports Channel) banged on the keyboard until
Practising safe Hex usually prevents this. Get good antivirus software
and keep it updated. You might also want to look at getting Spyware
Search & Destroy, which will prevent registry changes without your
approval. Finally, if you're using Internet Exploder, go with something
that will automatically block popups (Mozilla browser does).

HTH

Dorsai


--
* * * * * * * * * * * * * * * * *
Dorsai - Author of *** Fiction
http://www.yqcomputer.com/ ~Dorsai
* * * * * * * * * * * * * * * * *
"The generation of random numbers is too important to be left to
chance." -- Robert R. Coveyou


Post by sportsch1 » Thu, 19 Aug 2004 12:16:45

I had NAV up-to-date running in auto-protect mode, and the Google popup
blocker with IE. But since this virus didn't land on my machine as a
result of browsing any site, IE security doesn't play a role. I am
also considering installing Spyware Search & Destroy. Anyhow,
talking about virus cleaners, I feel they are close to junk: never caught
up with the latest viruses, and in some cases auto-protect won't detect the
virus while at a later point in time the virus cleaner will
eventually detect the virus and scream (later is better than never!!)