borntro by TFTDemo
popularity : 57%
alltime top: #39460
added on the 2001-10-15 19:42:49 by protectin'myhive
comments
Boring old stuff with lots of text. But it looks as though the intro comes packaged with a free worm!
Hmm, I just scanned my computer for viruses and 0 was found. So if there really is a virus/worm in the zip then I (the coder of this intro) am not responsible for it. Someone else has fucked up the file.
damn, that's one -huuuge- comment. :)
yeah. there is no virus.
and software ruls
Try this url if you don't feel safe:
http://www.saunalahti.fi/teppo1/demoscene/dawning/borntro.zip
Note, we are now 'Dawning'
Try this url if you don't feel safe:
http://www.saunalahti.fi/teppo1/demoscene/dawning/borntro.zip
Note, we are now 'Dawning'
bah
hmm. the scroller was as interesting as trawling the registry for the letter 'e'
Oh well, they introduced themselves now, let's see how they fare next time.
stupid people =) how the hell can you have a 70kb worm in a 64k intro?!
My Virusfucker says that:
NAME: NewApt
ALIAS: I-Worm.NewApt, W32.NewApt.Worm, Worm.NewApt
SIZE: 69632
The NewApt worm appeared in the middle of December 1999. The worm itself is a Windows PE executable file about 70Kb long. It is transferred via the Internet in e-mail messages as an attachment. The name of the attached worm copy is randomly selected from 26 variants:
panther.exe farter.exe
gadget.exe boss.exe
irngiant.exe monica.exe
casper.exe saddam.exe
fborfw.exe party.exe
cupid2.exe hog.exe
party.exe goal1.exe
bboy.exe pirate.exe
baby.exe video.exe
goal.exe copier.exe
theobbq.exe cooler1.exe
panthr.exe cooler3.exe
chestburst.exe g-zilla.exe
The infected message's subject is "Just for your eyes". Other subject variants are possible: in some cases the worm puts "Re:" to the subject line and adds some text there.
The message body contains lines in plain text format:
he, your lame client cant read HTML, haha.
click attachment to see some stunningly HOT stuff
as well as in HTML format:
Hypercool Happy New Year 2000 funny programs and animations...
We attached our recent animation from this site in our mail! Check it out!
When the infected message is received, one of the above texts is displayed depending on whether recipient's e-mail browser supports HTML e-mail format or not.
When the attached executable is run by a user the worm gets control and installs itself to the system. It copies itself with its current name (as the worm arrived in email) to Windows directory and registers this copy in system registry in "Run=" section:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
'tpawen' = 'C:\WINDOWS\PANTHER.EXE /x'
Note that the worm's name (here it is "PANTHER") is not always the same and can be randomly selected by the worm (see the list above).
To hide its activity the worm displays a fake error message:
The second line in the above messagebox is the infected system's Windows system directory name, 'Path' and 'SystemRoot' system variables.
Then the worm registers itself as a service process (not visible in the task list) and stays memory resident as a hidden application. The worm's main routines (there are two ones working in the background) then periodically scan hard drives for Internet-related files (MS Mail, Outlook Express, Netscape Navigator and other files), open these files, get Internet addresses from there and send worm copies to these addresses.
Starting from 12th of June, 2000 the worm removes "Run=" string from system Registry and does not install itself to system any more. So, this worm's life-time is limited by that date. But copies of the worm left in a system after 12th of June may activate again if system date is set incorrectly.
From 00:00 starting on 26th of December the worm tries to connect to remote computer somewhere at Microsoft each 3 seconds. This is most likely done to ping-bomb the server.
Depending on its counters and some other conditions the worm tries to call phone numbers randomly selected from its internal list. These numbers seem to belong to some company.
It should be also noted that the worm attempts to disguise itself as one of the MessageMates - amusing animations created to be sent to people on various occasions. The MessageMates' website now has a warning about the worm.
VARIANT: NewApt.b
ALIAS: I-Worm.NewApt.b, W32.NewApt.Worm.b, Worm.NewApt.b
This new variant slightly differs from the original version of NewApt worm. It has different phone line strings so it calls to different places when the payload is activated. The worm tries to ping-bomb some computer at Microsoft on the 2nd of February 2000 and deactivates itself on 12th of July 2000 unlike the original version. All other functionalities are the same as the worm was compiled from the original NewApt sources.
VARIANT: NewApt.c
ALIAS: I-Worm.NewApt.c, W32.NewApt.Worm.c, Worm.NewApt.c
This new variant slightly differs from the original version of NewApt worm. It has different phone line strings so it calls to different places when the payload is activated. The worm tries to ping-bomb some computer at Microsoft on the 2nd of February 2000 and deactivates itself on 12th of July 2000 unlike the original version. All other functionalities are the same as the worm was compiled from the original NewApt sources.
VARIANT: NewApt.d
ALIAS: I-Worm.NewApt.d, W32.NewApt.Worm.d, Worm.NewApt.d
SIZE: 73728
The NewApt.d worm variant appeared on January 10, 2000. It was sent to several companies from 'sexybitch@porncity.com' e-mail address. This worm variant is slightly different from its earlier versions. It has a bigger list of telephone numbers it calls when the payload is activated. Telephone numbers are also different. Unlike its earlier versions the worm installs itself under one of the following names:
Amateur.exe Bizarre.exe
Ebony.exe Hardcore.exe
Miscellan.exe Blowjob.exe
Fatladies.exe Hidcams.exe
Mixedbag.exe Shemales.exe
Asians.exe Cartoons.exe
Fetish.exe Hidcam.exe
Gay.exe Lesbians.exe
Pornstars.exe Toys.exe
Babes.exe Cumshot.exe
Group.exe Mature.exe
Pregnant.exe Weird.exe
Male.exe
This worm variant shows an additional link in the message it spreads itself with. The link points to a porno site.
[Analysis: Eugene Kaspersky, AVP team; F-Secure team]
------------------------------------------------------------------------------------------
And ??
What's up?
What's happening?
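
An added example, not part of the thread or of the anti-virus description quoted in the last comment: a check for the persistence step that description reports (a `Run` value named 'tpawen' starting an executable from the Windows directory with `/x`), run over the decoded text of a registry export. The sample export, the `HKEY_LOCAL_MACHINE` hive and the renamed "Updater" value are constructed assumptions; the description names only the key path and value.

```python
import re

# Constructed sample: decoded text of a `reg export` of the Run key.
# "Updater" is a hypothetical renamed value, not something the write-up reports.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"tpawen"="C:\\WINDOWS\\PANTHER.EXE /x"
"Updater"="C:\\WINDOWS\\MONICA.EXE /x"
'''

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# "name"="data" string values; backslash escapes are allowed inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumption: "Windows directory" means <drive>:\WINDOWS, exe directly inside it.
WINDIR_X_RE = re.compile(r'^[a-z]:\\windows\\[^\\/]+\.exe\s+/x\s*$', re.I)


def unescape(s):
    # Undo .reg string escaping: a backslash followed by any character.
    return re.sub(r"\\(.)", r"\1", s)


def suspicious_run_entries(reg_text):
    """Return (key, value name, command, reasons) for matching Run entries."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        name, cmd = unescape(m.group(1)), unescape(m.group(2))
        reasons = []
        if name.lower() == "tpawen":
            reasons.append("value name 'tpawen'")
        if WINDIR_X_RE.match(cmd):
            reasons.append("exe in Windows directory started with /x")
        if reasons:
            hits.append((key, name, cmd, reasons))
    return hits


if __name__ == "__main__":
    for key, name, cmd, reasons in suspicious_run_entries(SAMPLE):
        print(f"{key}\n  {name} = {cmd}\n  -> {'; '.join(reasons)}")
```

Registry exports are normally written as UTF-16, so decode the file to text before passing it in.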