Blog

  • Re: [AntivirusClub] virus ~77.vys

    Dear All,

    Several days ago my computer was infected by virus ~77.vys; it attacks MS Word.
    Please help me to remove it. I have tried to clean it with McAfee & NAV, but they cannot detect it.

    Indrasp

    What is it doing?

    How did you originally detect it?

     

    I've done research and it sounds like a macro virus. But it does not seem widespread, as I only found one forum with anything about it:

    http://www.infokomputer.com/forum/display_messages.php?mid=54578&fid=60&ids=54578

    (don't even know what language that is)

     

    Here is a page you should try out:

    http://support.microsoft.com/?scid=kb;en-us;187243 It is about macro viruses, from Microsoft. I believe it will give you more insight into what it may be.

     

    Have you tried having HijackThis detect it?

    http://www.majorgeeks.com/download3155.html

    Make sure you update it with the latest definitions. How to use HijackThis –> http://forums.majorgeeks.com/showthread.php?t=38752 Not sure if HijackThis will detect macros.

     

    Can you find the process running in Task Manager?

    http://elamb.blogharbor.com/hacked/IDTools.htm

     

    On 6/21/05, Indra wrote:

    Dear Mr. Robert

     

        Thank you very much for your attention to my problem. “What is it doing?”: if your computer was infected by this virus, when you insert the diskette into the disk drive, the file ~77.vys will automatically copy to your diskette, and when you open your MS Word document and then save it, the document couldn't be opened. Virus ~77.vys will appear as vys~77.doc, and you can find your document content in vys~77.doc.

     

    I will try to do your suggestion, thank you very much and I'm so sorry about my bad English.

     

    Indra

     

    Technical facts about W97M.Ethan.AK computer virus:

    Indra, Check this out,

    Could you have some variation of the W97M.Ethan.AK Macro virus?  Do you have Word 97?  97 seems to be pretty vulnerable to attack.

    Here is what I found out about the W97M.Ethan.AK
    The virus copies itself in a temporary file, named “evolve.tmp”, in “C:\”.

    At opening, if the virus is a macro in a “.doc” file, it infects normal.dot.  If the virus is a macro in normal template (“normal.dot”), it infects documents when they are opened.

    It verifies the file macros, and it doesn't infect a macro that begins with “Private Sub Open” and ends with “End sub”. So, it doesn't infect the same macro twice.

    The virus doesn't have any destructive payload, it only spreads itself through Microsoft Word Application.
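
    A triage sketch for the artifacts named in this thread, added here as an example (it is not part of the original messages): it walks a folder, flags the file names mentioned above (`evolve.tmp`, `~77.vys`, `vys~77.doc`), and flags `.doc`/`.dot` files, `normal.dot` included, that carry a VBA project. The `_VBA_PROJECT` byte search is a heuristic for the presence of any macro code, not a signature for this virus, and the function names are illustrative.

```python
import os

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file signature
VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")   # stream name found in macro-bearing files
# File names taken from the thread: Ethan's temp copy and the two ~77.vys names.
DROPPED_NAMES = {"evolve.tmp", "~77.vys", "vys~77.doc"}
WORD_EXTS = (".doc", ".dot")


def has_vba_project(path, limit=32 * 1024 * 1024):
    """Heuristic: an OLE2 file whose directory names a _VBA_PROJECT stream."""
    with open(path, "rb") as fh:
        data = fh.read(limit)
    return data.startswith(OLE_MAGIC) and VBA_MARK in data


def triage(root):
    """Walk root and return sorted (finding, relative_path) tuples."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()
            if lower in DROPPED_NAMES:
                findings.append(("dropped-file-name", rel))
            if lower.endswith(WORD_EXTS):
                try:
                    macro = has_vba_project(full)
                except OSError:
                    findings.append(("unreadable", rel))
                    continue
                if macro:
                    kind = ("template-has-macros" if lower == "normal.dot"
                            else "document-has-macros")
                    findings.append((kind, rel))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for kind, rel in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:22} {rel}")
```

    A macro finding only means the file contains VBA code and should be opened with macros disabled for review; a legitimate template with macros is flagged the same way.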


  • DNA Identification

    Bruce Schneier opens up discussion on an interesting application of DNA Identification.


  • ITSY-BITSY DRONE

    There are now dozens of different types of drones in the Pentagon's arsenal. But you'd be hard-pressed to find one smaller than this Wasp Micro Air Vehicle (MAV), now being tested aboard the Nimitz Carrier Strike Group off Southern California.


  • Re: HELP ME!!!! "Trojan-Spy.HTML.Smithfraud.c" removal procedure

     
    Ben,
     
    I need more information.  Does it say this:
    “A fatal error in IE has occured at 0028:C0011E36 in VXD VMM01) +
    00010E36. Error was caused by Trojan-Spy.HTML.Smithfraud.c”
     
    If so, it may be the Trojan-Spy.HTML.Smithfraud.c.  Go here for more info:
     
    You'll have to give me more information.

     

    On 6/21/05, ben wrote:

    Hello,
    I have this blue screen which appears just before
    my desktop comes up just after switching on my
    system, logging off and on also, for one of my user
    profiles. My system runs on Win2000 (SP3). I only
    observe this screen when I want to log in as that
    particular profile; others don't show this screen.
    What I see is something like “a fatal error has
    occured at IE …002d:C0011CDG…”, something of that
    sort.
    Your help will be highly appreciated. Thanks

  • [security-awareness] New Version of ISO 17799 Released

    ---------- Forwarded message ----------
    From: laurahamp 
    Date: Jun 17, 2005 6:46 AM
    Subject: [security-awareness] New Version of ISO 17799 Released
    To: security-awareness@yahoogroups.com
    A quick heads up that the new release of the security standard, ISO
    17799, has this week been published. From the 17799 Newsletter:

    ------------------------------
    The official revision of ISO/IEC 17799 is now available (June 2005).
    This new version has been in process for several years, and introduces
    a number of significant changes to ISO 17799. The old version,
    originally published in December 2000, has been withdrawn with
    immediate effect.

    The new standard now contains 11 'core' chapters, as opposed to 10,
    with existing chapters being renamed and re-organized. The new chapter
    format is as follows:

    1) Security Policy
    2) Organizing Information Security
    3) Asset Management
    4) Human Resources Security
    5) Physical and Environmental Security
    6) Communications and Operations Management
    7) Access Control
    8) Information Systems Acquisition, Development and Maintenance
    9) Information Security Incident Management
    10) Business Continuity Management
    11) Compliance.

    The new version of the standard also introduces controls to address a
    range of issues not previously covered. These include topics such as
    outsourcing provision and patch management. Equally, other areas have
    been substantially extended or re-shaped, such as employment
    termination, and mobile/distributed communication.

    In addition to the content itself, several steps have also been taken
    to enhance the "user friendliness" of the standard. The standard has
    also been normalized to position itself to sit more comfortably
    alongside related security standards in the future.

    OFFICIAL SOURCES
    The following official outlet (BSI) has been updated to provide copies
    of the new standard (as opposed to the old):
    http://www.standardsdirect.org/iso17799.htm

    The ISO 17799 Toolkit, the standard's support and starter kit, has
    also been updated to include the new version:
    http://www.17799-toolkit.com

    For further information see the ISO 17799 Newsletter archive site at:
    http://17799-news.the-hamster.com
    --------------------------

    I hope this is of interest.

    Laura



  • Re: [AntivirusClub] virus ~77.vys

    Dear All,

    Several days ago my computer was infected by virus ~77.vys; it attacks MS Word.
    Please help me to remove it. I have tried to clean it with McAfee & NAV, but they cannot detect it.

    Hi Indra,
     
    What is it doing?
    How did you originally detect it?
     
    I've done research and it sounds like a macro virus. But it does not seem widespread, as I only
    found one forum with anything about it: 
    (don't even know what language that is)
     
    Here is a page you should try out:
    http://support.microsoft.com/?scid=kb;en-us;187243 It is about macro viruses, from Microsoft.
    I believe it will give you more insight into what it may be.
     
    Have you tried having HijackThis detect it?
    Make sure you update it with the latest definitions.
    Not sure if HijackThis will detect macros.
     
    Can you find the process running in Task Manager?
     

  • Thoughts about Cross-View based Rootkit Detection

    Is cross-view based rootkit detection still relevant, given that it can be tricked? Is RootkitRevealer enough? Joanna Rutkowska gives you a good perspective in this paper. http://invisiblethings.org


  • DIACAP Policy

    This is an overview of the DIACAP’s final draft. 

    The DIACAP includes the same things that the DITSCAP has, with two major differences: netcentric environments and GIG standards. With these two (and MANY other changes) it seems that this evolution of the DITSCAP has to take place. So many major levels of Information Assurance in the DoD and abroad have changed that DITSCAP will have to embrace them to stay relevant.

    The DIACAP policies will come from DoD Directive/Instruction 8500.01E/.2. [fixed 22 Aug 07]

    The DIACAP supports Information Systems transitioning to netcentric environments and GIG Standards by:

    1. Ensuring uniformity of approach
    2. Managing and disseminating Information Assurance design, implementation, validation, sustainment and approach
    3. Being able to handle differing systems
    4. Facilitating a dynamic environment

    Information Assurance will be implemented with Information Assurance Controls as defined by DoDI 8500.2 and maintained through a DoD wide configuration management process that considers the GiG architecture and risk assessments conducted at the DoD component level in accordance with FISMA.

    The DIACAP will support the ongoing validation to maintain the Information Assurance posture of an Information System. DoD component IA Programs are the primary method of supporting the DoD Information Assurance Program.

    Status of all systems in the DIACAP program will be available to all who have authorized access.

  • SUBJECT: DoD Information Assurance Certification and Accreditation Process (DIACAP)

    The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is replacing the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). More on DITCAP can be found at the DOD's IASE website.

    What is DIACAP?
    The DIACAP is the DoD process for identifying, implementing, and validating information assurance controls, for authorizing the operation of DoD information systems, and for managing information assurance posture across DoD information systems consistent with the Federal Information Security Management Act (FISMA).

    What is so special about the DIACAP?
    It will replace DoDI 5200.40 and DoD 8510.1-M
    Guide for compliance with the Global Information Grid
    Supports Netcentricity.

    Follow this link to my interpretation of the DIACAP Policy.

    What will we have to do differently with the DIACAP? (soon)

  • yahoo.theherrens.com

    Demonstration of the power of TagCloud from the guy who came up with the code behind the site. TagCloud extracts keywords from an RSS feed and puts them into a tag cloud that is linked to related material.
