Hello,
Ich habe mir in Kazaa ein Bild hinuntergeladen und seit dem sind alle Bild und Sounddateien VBScript Script Dateien. Mein Norton AntiVirus scanner hat jetzt diese Dateien isoliert wie kann ich meine 500 Daten wieder retten? Umwandeln in das ursprüngliche Format. Und abspielbereit.
Thanx
woodman
-IRON- hirod „VBScript Script Files anstatt sound und Bild“
Die MP3s dürften noch zu retten sein, die Bilder sind futsch.
Der Link zu Hoax-Info ist zwar nicht schlecht, aber eventuell irreführend.
Exakte Infos zu Loveletter gibts zum Beispiel bei McAfee
This worm searches all drives connected to the host system and replaces the following files:
*.JPG
*.JPEG
with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.
The worm also overwrites the following files:
*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA
with copies of itself and renames the files to *.VBS.
This virus locates instances of the following file types:
*.MP3
*.MP2
and if found, makes them hidden and copies itself as these filenames except with .VBS extension. For instance, if file exists as "2PAC.MP3", this now becomes a hidden file and the virus is copied as "2PAC.MP3.VBS".
The worm creates a file 'LOVE-LETTER-FOR-YOU.HTM' which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI.
After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.
This worm also has another trick up it's sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address MAILME@SUPER.NET.PH
In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.
The email sent by this program is as follows :
-------------copy of email sent-----------
From: [victim machine name]@[victim IP address]
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.
trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]
RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent-----------
The password stealing trojan is also installed via the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
to autorun at system startup. After it has been run the password stealing trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE
