Urgently need help !!!!!!!

Posts: 9
Views: 727 / Today: 1
wembly:

Urgently need help !!!!!!!

 
03.09.01 14:59
Norton Anti-Virus reports the following virus on my computer:
10_Past_3.748; the infected file is C:\windows\system\csh.dll.
Repair is not possible.
Can anyone help me? Does anyone know anything about this virus (how it works)?
Thanks in advance

wembly
derGURU:

Have a look at the homepage

 
03.09.01 15:03
of Symantec and see what they write there.
I looked in my Windows directory; I don't have the file csh.dll at all. So I'd assume it's not a file Windows needs. Either it landed on your machine maliciously via the Internet, or an application program installed it. In that case you should be able to delete it and reinstall the application, and the problem would be solved.
But first wait and see what the PC experts here on the board think.
Al Bundy:

Here:

 
03.09.01 15:04
Name: 10_past_3
Size: 748
Type: Resident, COM files
Removal: The virus can be removed with F-PROT.

This virus has not yet been analyzed.
schoebel:

@wembly

 
03.09.01 15:05
here is the answer from Symantec

NAME:              10_Past_3.748
ALIASES:           "Tea Time"
TARGETS:           COM
RESIDENT:          At 9800h:0000h
MEMORY_SIZE:       748
STORAGE_SIZE:      748
WHERE:             Appending
STEALTH:           None
POLYMORPHIC:       None
ARMOURING:         Trace
TUNNELLING:        None
INFECTIVITY:       4
OBVIOUSNESS:       Quite
COMMONNESS:        3 (South Africa)
COMMONNESS_DATE:   1993-01-06
TRANSIENT_DAMAGE:  Reboot during INT 21h;
T_DAMAGE_TRIGGER:  year>=1991 and day=22 then reboot
TRANSIENT_DAMAGE:  tamper with interrupt vectors so as to hang PC;
T_DAMAGE_TRIGGER:  year>=1991 and day=29 then trash INT 13h;
                  year>=1991 and day= 1 then trash INT  9h;
                  year>=1991 and day=10 then trash INT  Dh;
                  year>=1991 and day=16 then trash INT 10h.
TRANSIENT_DAMAGE:  install new kbd handler which affects Shft & Ctrl states.
T_DAMAGE_TRIGGER:  15h10=1991 and day=22 then display message and reboot
TRANSIENT_DAMAGE:  tamper with interrupt vectors so as to hang PC;
T_DAMAGE_TRIGGER:  year>=1991 and day=29 then trash INT 13h;

                  year>=1991 and day= 1 then trash INT  9h;
                  year>=1991 and day=10 then trash INT 0Dh;
                  year>=1991 and day=16 then trash INT 10h;
TRANSIENT_DAMAGE:  install new kbd handler which affects Shft & Ctrl states.
T_DAMAGE_TRIGGER:  15h10 once if another
                  INT21-hooker intervenes.
SELFREC_ON_DISK:   File [3] == 88h and File [4] == 31h
                  [fourth and fifth bytes are 88 31]
LIMITATIONS:       NONE
COMMENTS:          The INT21/0A handler is strange; all it does is set an
                  internal flag, call the real INT21 handler, and then reset
                  the flag before returning to the caller.  Perhaps a later
                  version will use this flag to mess up string input?
                  The INT24 handler that's used during infection is much
                  more elaborate than usual, spending several lines of code
                  in order to automatically "ignore" only write-protect errors,
                  sending all other errors along to the original INT24 handler.
ANALYSIS_BY:       David Chess, IBM HICL
DOCUMETATION_BY:   David Chess, IBM HICL
ENTRY_DATE:        1993/06/24
LAST_MODIFIED:     1993/06/24
SEE_ALSO:
END:


NAME:              Dudley
ALIASES:           Dudley
TARGETS:           COM, EXE, ZM
RESIDENT:          Twixt
MEMORY_SIZE:       4608
STORAGE_SIZE:      1153 + degarbler + EXE_rounding
WHERE:             Appending
STEALTH:           None
POLYMORPHIC:       Poly-12
ARMOURING:         None
TUNNELLING:        None
INFECTIVITY:       5
OBVIOUSNESS:       None
COMMONNESS:        3
COMMONNESS_DATE:   1993-03-10
TRANSIENT_DAMAGE:  None
T_DAMAGE_TRIGGER:  None
PERMANENT_DAMAGE:  None
P_DAMAGE_TRIGGER:  None
SIDE_EFFECTS:      None
INFECTION_TRIGGER: INT 21h && (AX  == 4B00h ||
                             (AH  == 3Dh   || AH  == 56h || AH == 6Ch) &&
                             (ext == COM   || ext == EXE))
MSG_DISPLAYED:     None
MSG_NOT_DISPLAYED: ""
INTERRUPTS_HOOKED: 21h/4B00h 21h/3Dh 21h/56h 21h/6Ch 21h/5454h
SELFREC_IN_MEMORY: INT21h;AX=5454h -> AX=0000
SELFREC_ON_DISK:   EXE_Checksum==5045h; COM_start==7100h
LIMITATIONS:       None
COMMENTS:          Polymorphic COM and EXE infector.  Contains code that
                  attempts to avoid infecting a file with name ????SC??.???,
                  but it has a bug.
ANALYSIS_BY:       David M. Chess
DOCUMENTATION_BY:  David M. CHess
ENTRY_DATE:        1993-03-10
LAST_MODIFIED:     1993-03-10
SEE_ALSO:          None
END:


NAME:              Exe_Bug.A
ALIASES:           "CMOS virus"
TARGETS:           MBR, FBR
RESIDENT:          Top
MEMORY_SIZE:       1K
STORAGE_SIZE:      1S
WHERE:             At 0/0/17 (hard), At 40/0/1 (360), At 80/0/1 (other floppy)
STEALTH:           13h/02, 13h/03
POLYMORPHIC:       None
ARMOURING:         None
TUNNELLING:        Sector
INFECTIVITY:       6
OBVIOUSNESS:       Quite
COMMONNESS:        5 (South Africa)
COMMONNESS_DATE:   1993-05-01
TRANSIENT_DAMAGE:  None
T_DAMAGE_TRIGGER:  None
PERMANENT_DAMAGE:  Sectors on hard drive converted to disc-trashing trojan,
                  sectors on floppies converted to virus-dropping trojan.
P_DAMAGE_TRIGGER:  int13hwrite and sect=3 and buffer[0]='M' and
                    ((disc=hard and 512 AX=03FC
SELFREC_ON_DISK:   Checksum of entrypoint
LIMITATIONS:       None
COMMENTS:          Relatively straightforward, mildly polymorphic,
                  tunneling EXE and COM infector that also infects
                  the MBR in order to get back into memory after a
                  boot.   Doesn't infect diskette boot records.
ANALYSIS_BY:       David M. Chess, IBM HICL
DOCUMETATION_BY:   David M. Chess, IBM HICL
ENTRY_DATE:        1993/05/25
LAST_MODIFIED:     1993/05/25
SEE_ALSO:
END:


NAME:              Peter
ALIASES:           None
TARGETS:           MBR, FBR [only if sectors/track is at least 15]
RESIDENT:          TOP, AT 9F00:0000 [Reduces 0000:0413 by 4,
                  then copies itself to 9F00:0000, regardless
                  of memory size]
MEMORY_SIZE:       4K
STORAGE_SIZE:      5S
WHERE:             AT 0/0/2 (HARD), AT 50/0/2 (FLOPPY)
STEALTH:           INT 13 / 02, INT 13 / 03
                  [stealth applies only to hard disk, not floppies]
POLYMORPHIC:       NONE
ARMOURING:         NONE
TUNNELING:         NONE
INFECTIVITY:       LIKE Stoned.Standard
                  [except for only infecting large floppies]
OBVIOUSNESS:       SLIGHTLY
COMMONNESS:        3 (Japan)
COMMONNESS_DATE:   93/05/27
TRANSIENT_DAMAGE:  When the CMOS clock contains 2 and 27 in the month
                  and date fields, it displays a message, garbles
                  part of the hard disk by XORing with hex 78, and
                  then asks four questions, in English, about pop
                  music. (See PERMANENT_DAMAGE)
PERMANENT_DAMAGE:  If the user answers any of the questions
                  incorrectly, the virus returns without restoring
                  the garbled part of the hard disk.  If the user
                  answers correctly, the virus restores the garbled
                  part of the hard disk and boots normally.  (I
                  haven't actually tested this.)
T_DAMAGE_TRIGGER:  CMOS clock bytes 7 and 8 contain 27 and 2.
P_DAMAGE_TRIGGER:  User answers a question in the quiz wrong.
SIDE_EFFECTS:      None
INFECTION_TRIGGER: MBR: (Boot) & (MBR[0x1FD]!=0xBB)
                  FBR: (INT13) & (AX==02 | AX==03) &
                       (FBR[0x1FD]!=11) & (FBR[0x18]>=0x0F)
                  [That is, when you boot from an infected floppy,
                  it infects the hard disk unless its mark is already
                  there, and when you use a floppy in A: it gets
                  infected unless the mark is there, or it has
                  less than 15 sectors/track.]
MSG_DISPLAYED:
"Good morning,EVERYbody,I am PETER II
Do not turn off the power, or you will lost all of the data in Hardisk!!!

WAIT for 1 MINUTES,please...

Ok.If you give the right answer to the following questions,I will save your HD:


A. Who has sung the song called "I`ll be there" ?
 1.Mariah Carey  2.The Escape Club  3.The Jackson five  4.All  (1-4):


B. What is Phil Collins ?
 1.A singer  2.A drummer  3.A producer  4.Above all   (1-4):


C. Who has the MOST TOP 10 singles in 1980`s ?
 1.Michael Jackson  2.Phil Collins (featuring Genesis)
 3.Madonna  4.Whitney Houston   (1-4):

CONGRATULATIONS !!! YOU successfully pass the quiz!
AND NOW RECOVERING YOUR HARDISK ......
Sorry!Go to Hell.Clousy man!"; Encrypted
MSG_NOT_DISPLAYED: None
INTERRUPTS_HOOKED: 13/02, 13/03
SELFREC_IN_MEMORY: None
SELFREC_ON_DISK:   MBR [0x1FD] == 0xBB, FBR [0x1FD] == 0x11
LIMITATIONS:       CPU >= 286 [uses PUSHA and POPA], CMOS
                  [for date for payload]
COMMENTS:          The answers to the questions (see above) are
                  4, 4, 2, at least in the virus's opinion.  The
                  coding style is very odd and self-taught-looking;
                  he doesn't seem to know about direct addressing
                  modes, and does things like "MOV BX,0460;
                  MOV [BX],AX" rather than "MOV [460],AX".  For
                  instance. It's also a "copy-protected" virus, in
                  that it formats track 0x50 to store the on-disk
                  part of itself, and the original MBR, on.
ANALYSIS_BY:       David M. Chess, IBM HICL
DOCUMETATION_BY:   David M. Chess, IBM HICL
ENTRY_DATE:        93/05/24
LAST_MODIFIED:     93/05/24
SEE_ALSO:
END:


NAME:              QRRY
ALIASES:
TARGETS:           MBR, FBR
RESIDENT:          TOP
MEMORY_SIZE:       1K
STORAGE_SIZE:      1S
WHERE:             AT 27h/01h/09h
STEALTH:           None
POLYMORPHIC:       None
ARMOURING:         None
TUNNELLING:        None
INFECTIVITY:       6
OBVIOUSNESS:
COMMONNESS:        3
COMMONNESS_DATE:   1993-03-08
TRANSIENT_DAMAGE:  None
T_DAMAGE_TRIGGER:  None
PERMANENT_DAMAGE:  Overwrites the first nine sectors of the first three
                  tracks on any disk or diskette head that's read from.
P_DAMAGE_TRIGGER:  Real_Time_Clock_Month == 12
SIDE_EFFECTS:      None
INFECTION_TRIGGER: INT 13h & AX==0201h & CX=0001h
MSG_DISPLAYED:     None
MSG_NOT_DISPLAYED: None
INTERRUPTS_HOOKED: 13/0201
SELFREC_IN_MEMORY: None
SELFREC_ON_DISK:   bootrec[0]==EBh & bootrec[0170h]==ABCDh
LIMITATIONS:       None
COMMENTS:          Simple MBR infector with rather nasty damage; "QRRY" is just
                  some ASCII that happens to appear in the code of the virus.
ANALYSIS_BY:       David M. Chess, IBM
DOCUMENTATION_BY:  David M. CHess, IBM
ENTRY_DATE:        1993-03-08
LAST_MODIFIED:     1993-03-08
SEE_ALSO:          None
END:


NAME:              Runtime
ALIASES:           None
TARGETS:           COM (including COMMAND.COM)
RESIDENT:          None
MEMORY_SIZE:       0
STORAGE_SIZE:      365
WHERE:             MOVE
STEALTH:           Restores original time and date stamps to files after
                  infection.
POLYMORPHIC:       None
ARMOURING:         None
TUNNELING:         None
INFECTIVITY:       3
OBVIOUSNESS:       SLIGHTLY
COMMONNESS:        1
COMMONNESS_DATE:   1993-06-07
TRANSIENT_DAMAGE:  Hangs system occasionally on trigger
PERMANENT_DAMAGE:  None
T_DAMAGE_TRIGGER:  On Fridays before 11:00 AM if clock @ 40:06Ch >0b0h
P_DAMAGE_TRIGGER:  None
SIDE_EFFECTS:      Uncontrolled file growth due to multiple infections
INFECTION_TRIGGER: Upon execution of an infected file
MSG_DISPLAYED:     "Runtime error 412" followed by possible garbage
MSG_NOT_DISPLAYED: None
INTERRUPTS_HOOKED: None
SELFREC_IN_MEMORY: None
SELFREC_ON_DISK:   Faulty but code intends to check for initial NEAR CALL (0e8h)
LIMITATIONS:       DOS 3.x or later
COMMENTS:          Cannot infect read-only files.
ANALYSIS_BY:       Wolfgang Stiller
DOCUMETATION_BY:   Wolfgang Stiller
ENTRY_DATE:        1993-06-07
LAST_MODIFIED:     1993-06-07
SEE_ALSO:
END:


NAME:              Su
ALIASES:           Susan
TARGETS:           .EXE
RESIDENT:          Low
MEMORY_SIZE:       864
STORAGE_SIZE:      571
WHERE:             Overwrites
STEALTH:           None
POLYMORPHIC:       None
ARMOURING:         None
TUNNELING:         None
INFECTIVITY:       2
OBVIOUSNESS:       Extremely
COMMONNESS:        1 (United States)
COMMONNESS_DATE:   1993-04-28
TRANSIENT_DAMAGE:  None
T_DAMAGE_TRIGGER:  None
PERMANENT_DAMAGE:  Infected files are overwritten and destroyed.
P_DAMAGE_TRIGGER:  See INFECTION_TRIGGER
PERMANENT_DAMAGE:  Deletion of all files in current directory.
P_DAMAGE_TRIGGER:  16 Infections since activation
SIDE_EFFECTS:      None
INFECTION_TRIGGER: (A single "DIR" issued) and (FindFirst -> DTA=
                  uninfected .EXE file)
MSG_DISPLAYED:     "Bad command or file name"
MSG_NOT_DISPLAYED: "Susan", "*.*", "*.EXE", "DIR"
INTERRUPTS_HOOKED: 2F/10F, 2F/AE00, 2F/AE01
SELFREC_IN_MEMORY: INT 2Fh;AX=010Fh -> AX=CS:[0103h]="Su"
SELFREC_ON_DISK:   FileTime.Seconds=1Fh
LIMITATIONS:       DOS>=3.30  (Bug: Checks for DOS 3.03)
COMMENTS:          This virus does not hand control over to the infected
                  program; instead it terminates with the aforementioned
                  message. It uses INT 21;AX=5D00h to delete files.
                  The hooked interrupts (AH=0AEh) are reportedly called
                  by COMMAND.COM just before executing commands from
                  the keyboard.
ANALYSIS_BY:       Snorre Fagerland
DOCUMETATION_BY:   Snorre Fagerland
ENTRY_DATE:        1993-04-28
LAST_MODIFIED:     1993-06-25
SEE_ALSO:          None
END:


NAME:              Techno
ALIASES:           None
TARGETS:           .COM
RESIDENT:          None
MEMORY_SIZE:       None
STORAGE_SIZE:      1123+15
WHERE:             Appending
STEALTH:           None
POLIMORPHIC:       None
ARMOURING:         None
TUNNELING:         None
INFECTIVITY:       2
OBVIOUSNESS:       Quite
COMMONESS:         1
COMMONESS_DATE:    1992-12-28
TRANSIENT_DAMAGE:  Music, Videoeffect
T_DAMAGE_TRIGGER:  Random(0.0025)
PERMANENT_DAMAGE:  None
P_DAMAGE_TRIGGER:  None
SIDE_EFFECT:       None
INFECTION_TRIGGER: (DIRECT_ACTION) and (LengthCOM >=10) and (LengthCom12 and counter=2112
P_DAMAGE_TRIGGER:  Month=12 and Day=21
SIDE_EFFECTS:      PC may hang due to direct residency
INFECTION_TRIGGER: Exec and (580=3.10
COMMENTS:          The poem printed by the virus states it was written by
                  "Marvin Giskard", the pseudonym of the person claiming
                  to have written 10_Past_3.748. The poem is dedicated to
                  "T"; 10_Past_3.789, a rework of .748, includes code to
                  print the name "Therese".
ANALYSIS_BY:       Paul Ducklin
DOCUMENTATION_BY:  Paul Ducklin
ENTRY_DATE:        1993-01-11
LAST_MODIFIED:     1993-02-15
SEE_ALSO:          10_Past_3.748, 10_Past_3.789
END:


NAME:              V163
ALIASES:           None
TARGETS:           COM
RESIDENT:          AT 0060
MEMORY_SIZE:       163
STORAGE_SIZE:      163
WHERE:             Appending
STEALTH:           None
POLIMORPHIC:       None
ARMOURING:         None
TUNNELING:         None
INFECTIVITY:       4
OBVIOUSNESS:       Slightly
COMMONESS:         1
COMMONESS_DATE:    1993-02-22
TRANSIENT_DAMAGE:  None
T_DAMAGE_TRIGGER:  None
PERMANENT_DAMAGE:  None
P_DAMAGE_TRIGGER:  None
SIDE_EFFECT:       NE/LE executables will be damaged by the infection process
INFECTION_TRIGGER: Exec
MSG_DISPLAYED:     None
MSG_NOT_DISPLAYED: None
INTERRUPTS_HOOKED: 21h/4Bh
SELFREC_IN_MEMORY: [0000:0086]=60h
SELFREC_ON_DISK:   FILE[0]=4Dh
LIMITATIONS:       None
COMMENTS:          The virus does no secure SELFREC_IN_MEMORY anything
                  resident, that hooks INT21 will cause the virus to become
                  resident again!
ANALYSIS_BY:       Christoph Fischer, Micro-BIT Virus Center, University of Karlsruhe
DOCUMENTATION_BY:  Christoph Fischer, Micro-BIT Virus Center, University of Karlsruhe
ENTRY_DATE:        1993-02-22
LAST_MODIFIED:     1993-02-25
SEE_ALSO:
END:


Regards, otto
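As an added illustration (not code from the thread or from any AV vendor), a small Python checker that applies the SELFREC_ON_DISK marks quoted in the records above (10_Past_3.748, Peter, QRRY, Su) to constructed sample buffers. The little-endian reading of QRRY's 16-bit mark and the DOS time-word packing used for Su are assumptions.

```python
"""Apply the SELFREC_ON_DISK marks quoted above to sample data.
Added illustration, not code from the thread or from any AV vendor; the
marks come from the quoted records, the sample buffers are constructed."""
from typing import Callable, Dict, List

# A check gets the raw image (COM file or boot sector) and the DOS time word
# from the directory entry, and reports whether the record's mark is present.
Check = Callable[[bytes, int], bool]

def mark_10_past_3_748(image: bytes, _dos_time: int) -> bool:
    # SELFREC_ON_DISK: File[3] == 88h and File[4] == 31h (4th and 5th bytes)
    return len(image) > 4 and image[3] == 0x88 and image[4] == 0x31

def mark_peter_mbr(sector: bytes, _dos_time: int) -> bool:
    # SELFREC_ON_DISK: MBR[0x1FD] == 0xBB
    return len(sector) == 512 and sector[0x1FD] == 0xBB

def mark_peter_fbr(sector: bytes, _dos_time: int) -> bool:
    # SELFREC_ON_DISK: FBR[0x1FD] == 0x11
    return len(sector) == 512 and sector[0x1FD] == 0x11

def mark_qrry(sector: bytes, _dos_time: int) -> bool:
    # SELFREC_ON_DISK: bootrec[0]==EBh & bootrec[0170h]==ABCDh
    # Assumption: the 16-bit value is stored little-endian, as x86 does.
    return (len(sector) == 512 and sector[0] == 0xEB
            and int.from_bytes(sector[0x170:0x172], "little") == 0xABCD)

def mark_su(_image: bytes, dos_time: int) -> bool:
    # SELFREC_ON_DISK: FileTime.Seconds=1Fh. A DOS time word keeps seconds/2
    # in its low five bits, so 1Fh means "62 seconds": no normal timestamp
    # carries that value, which is what makes it usable as a mark.
    return (dos_time & 0x1F) == 0x1F

MARKS: Dict[str, Check] = {
    "10_Past_3.748": mark_10_past_3_748,
    "Peter (MBR)": mark_peter_mbr,
    "Peter (FBR)": mark_peter_fbr,
    "QRRY": mark_qrry,
    "Su": mark_su,
}

def scan(image: bytes, dos_time: int = 0) -> List[str]:
    """Return the names of all records whose on-disk mark is present."""
    return [name for name, check in MARKS.items() if check(image, dos_time)]

def dos_time(hour: int, minute: int, second: int) -> int:
    """Pack a time the way a DOS directory entry does (seconds in 2 s units)."""
    return (hour << 11) | (minute << 5) | (second // 2)

# Constructed samples: a COM stub carrying the 10_Past_3 mark and a boot
# sector carrying QRRY's mark (neither is a real virus body).
SAMPLE_COM = bytes([0xE9, 0x00, 0x00, 0x88, 0x31]) + b"\x90" * 10
SAMPLE_BOOT = bytearray(b"\xEB" + bytes(511))
SAMPLE_BOOT[0x170:0x172] = (0xABCD).to_bytes(2, "little")
```

A clean COM file with an ordinary timestamp matches none of the marks, which is the point of these checks: they confirm a specific record rather than flag any file of the right type.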
1st_baseman:

reply

 
03.09.01 15:06
first check how old your Norton AntiVirus version is...
then look for an update on Norton's site; if that doesn't work, download a new virus scanner from www.mcaffee.com.

Regards, Daniel

wembly:

@1st_baseman

 
03.09.01 15:15
It's up to date :-(
1st_baseman:

this is what the virus looks like....

 
03.09.01 15:16
I have the same virus... this is what it looks like..

[image: members.tripod.de/untouchables/spermm.jpg]
1st_baseman:

solution

 
03.09.01 15:20
www.mcaffee.com gives the following instructions for it:

Removal Instructions:  

Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.
PE,Trojan,Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:


SCANPM /ADL /CLEAN /ALL
Additional information for Windows ME users:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and the System Restore is once again active.

AVERT Recommended Updates:


but first you have to download the current version of McAfee

wembly:

Thanks (n/t)

 
03.09.01 17:32