Sharing Security Developments, and Best Practices for corporate and home users
June 2005 - Posts
-
http://isc.sans.org/diary.php?date=2005-06-29
If you're using the popular phpBB bulletin board package, it's time to upgrade. Version 2.0.16, released earlier this week, fixes a critical security issue that can lead to the compromise of the vulnerable web server. The problem is with the viewtopic.php script, which, according to the FrSIRT advisory, fails to properly validate input when processing the "highlight" parameter. A similar vulnerability was being exploited by the Santy worm to deface web sites about half a year ago, as we reported in the December 21, 2004 diary. Please update your copy of phpBB to help prevent another such worm from gaining steam.
For information about the phpBB 2.0.16 release, see the phpBB Group announcement. You can get the updated package from their downloads page.
-

Hopefully, most companies and individuals are up to date on Microsoft security patches. A working exploit has just been published for the SMB vulnerability described in security bulletin MS05-011, released in February. Such code could be adapted for use in future computer viruses and worms.
MS05-011 - Exploit Code to attack SMB vulnerabilities published http://isc.sans.org/diary.php?date=2005-06-23
QUOTE: FrSIRT has published exploit code for the recent flaw in Microsoft Server Message Block (SMB). The advisory and patch related to this vulnerability were released on February 8th, 2005. If you still have not patched, you are further urged to do so in light of the release of exploit code.
FrSIRT - published exploit (be careful: proof-of-concept exploit code is hosted at this link) http://www.frsirt.com/exploits/20050623.mssmb_poc.c.php
-
The June 2005 TechNet security newsletter featured the following security planning guides:
Review the Latest Microsoft Server Security Guides
-

Microsoft's Security Guidance Center
Home Security Protection
Get the information you need to protect your home PC. This site puts valuable tips, tools, and training at your fingertips.
Learn about Computer Security At Home
Security for IT Professionals
Find the tools, training, and updates you need to assist with planning and managing a security strategy for your organization.
Find answers in the TechNet Security Center
Small Business Security Protection
Access important resources for updating software, setting up a firewall, and backing up data in a small business environment.
Visit the Small Business Security Guidance Center
Designing and Developing Secure Applications
Learn how to write more secure code with these developer-focused articles, tools, and security resources.
Get Security Guidance for Developers
-

Secunia Research has discovered a vulnerability in various browsers that can be exploited by malicious web sites to spoof dialog boxes. The problem is that JavaScript dialog boxes do not display or include their origin, which allows a malicious page to display e.g. a prompt dialog box that appears to belong to a trusted site open in another window.
If you go to the test page, please make sure no critical applications are open and test cautiously:
Secunia Browser - Dialog Origin Vulnerability Test
-
Click Here: Microsoft resources to prepare for SQL-Server 2005
quote: Microsoft Learning Resources
Whether you are interested in database administration, database development, or business intelligence, you will find classroom training, books, free skills assessments, and free* e-learning to help you get up to speed on the newest features of the software. The online assessments help you analyze your current skills, and provide you with a learning plan that recommends books, e-learning, classroom training, TechNet and MSDN resources. Our E-Learning courses are an effective way to learn on your own schedule and feature hands-on virtual labs that provide an in-depth, online training experience.
-

QUOTE: Opera Software today released the first Opera 8 update, Opera 8.01, for Windows and Linux. To fine-tune the well-received browser, Opera 8.01 includes security and small bug fixes as well as JavaScript improvements. This update succeeds the release of Opera 8 on April 19, 2005, which has now reached more than five million downloads.
Accompanying the Opera 8.01 release for Windows and Linux is the final version of Opera 8 for Macintosh. Read the press release.
To download Opera 8 visit http://www.opera.com/download/
View the changelog.
-
Sharing a quick update on the latest discoveries about the CardSystems breach. The primary cause of this exposure was improper storage and use of confidential cardholder information on the processor's servers, followed by hackers discovering it because of weak security controls.
1. A new phishing attack has been launched to capitalize on this: http://www.theregister.co.uk/2005/06/20/mastercard_phishing/
Quote:
From: Master Bank [master@masterbank.com]
To:
Subject: **Your Mastercard online Confirmation**
Dear User,
During our regular update and verification of the accounts, we couldn't verify your current information. Either your information has changed or it is incomplete. If the account information is not updated to current information within 5 days then, your access will be restricted.
2. According to reports, 68,000 MasterCard cardholders have already found fraudulent charges on their accounts.
3. The head of a credit card processing company whose Tucson center was hit by computer hackers says compromised consumer records shouldn't even have been in the data base. Under rules established by Visa and MasterCard, processors aren't supposed to retain cardholder information after handling transactions.
4. CardSystems Solutions CEO John Perry tells The New York Times the data was being stored for "research purposes" to determine why some transactions registered as unauthorized or uncompleted.
5. He says that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts. They include Visa, MasterCard and other companies.
-
All new versions of the Bagle/Beagle worm are important to watch, as they are technically advanced and well disguised to trick users into opening attachments (the worm arrives inside a .zip file).
Beagle.BT (aka Bagle) - new variant of the Bagle worm
W32.Beagle.BT@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of a Trojan.Tooso variant. The worm also opens a back door on the compromised computer on TCP port 80.
EMAIL FORMAT
From: Spoofed
Subject: Blank
Message: "The password is" or "Password:"
Attachment: ZIP ... Multiple ZIP files may contain copies of the virus, plus an executable copy of the Trojan.Tooso.
-
Please check your statements carefully during the next few billing cycles as hackers recently obtained key information related to Master Card accounts.
Google News Links
CNet Article
Business Week Article
Information Week Article
Reuters Article
KEY IMPACTS
* As many as 40 million cards may have been exposed, making it the largest breach of personal financial data in a string of recent cases.
* The breach occurred at CardSystems Solutions, Inc., a third-party processor of payment card data that processes transactions on behalf of financial institutions and merchants.
* CardSystems has already taken steps to improve the security of its system, MasterCard said it was giving the company "a limited amount of time" to demonstrate compliance with MasterCard security requirements.
-
McAfee has highlighted 13 new Mytob variants during June (one for each day so far). Mytob is one of the most advanced worm families, and virus writers can easily modify its source code to produce new variants that AV vendors must then catch up with. The worm hides in a stealth-like manner and arrives as an email message that appears to come from an administrator.
Mytob may be worst virus of 2005
The Mytob family is one of the worst of 2005 so far. The Netsky variants continue to be reported as #1 in volume each month. Netsky.P is like the Klez.H worm a few years ago. However, the older Netsky variants are better blocked with current AV definitions.
Each day the virus writers can easily modify the Mytob source code, seed fresh copies, and create new versions that AV products cannot yet detect. This forces AV vendors to scramble to provide protection for the latest code derivations and compression techniques. Since this family was introduced during March 2005, we have most likely been averaging one new variant per day.
Some key reasons are:
* It is stealth-like and can hide on an infected PC while lowering security settings.
* It is well socially engineered and appears as an official message from an email administrator (thankfully, most copies use the same email format, which can be blocked with proper rules).
* Some Mytob variants can exploit unpatched Microsoft security vulnerabilities (MS04-011).
* It usually carries a secondary payload (e.g., Spybot, a backdoor) which in an unpatched corporate network can spread rapidly.
13 new versions in 13 days
http://vil.nai.com/VIL/newly-discovered-viruses.asp
Virus name           Discovered   Risk (corporate)  Risk (home)  DAT
W32/Mytob.cv@MM      06/13/2005   Low               Low          4513
W32/Mytob.ch@MM      06/11/2005   Low               Low          4512
W32/Mytob.cg@MM      06/11/2005   Low               Low          4512
W32/Mytob.cc@MM      06/08/2005   Low               Low          4510
W32/Mytob.ca@MM      06/08/2005   Low               Low          4509
W32/Mytob.bx@MM      06/07/2005   Low               Low          4508
W32/Mytob.gen!eml    06/07/2005   Low               Low          4508
W32/Mytob.bw@MM      06/06/2005   Low               Low          4508
W32/Mytob.bv@MM      06/06/2005   Low               Low          4508
W32/Mytob.br@MM      06/05/2005   Low               Low          4507
W32/Mytob.bo@MM      06/02/2005   Low               Low          4506
W32/Mytob.bl@MM      06/01/2005   Low               Low          4505
W32/Mytob.bk@MM      06/01/2005   Low               Low          4504
EMAIL messages to avoid
The virus arrives in an email message from a systems administrator. Always verify these types of messages from your email provider and never click on either links or attachments in an email message even if it looks official.
The general format of Mytob messages is as follows:
From: (Spoofed email sender; the local part may be chosen from the following list)
support, administrator, mail, service, admin, info, register, webmaster
Subject: (Varies, such as)
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
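Since both the Beagle.BT format above and the Mytob format just listed are stable enough to block with mail-filter rules, here is an added example (my own, not from the original post or from any AV vendor) that encodes both formats as rules and runs them over constructed sample messages using only Python's standard library. The Beagle.BT rule is blank subject plus ZIP attachment plus a "password" lure in the body; the Mytob rule is a spoofed administrative sender plus one of the listed subjects. The sample messages and the example.com addresses are constructed, not captures.

```python
"""Mail-filter rules for the Beagle.BT and Mytob message formats described above.

Added example; the rules are derived from the message formats on this page and
the sample messages are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Spoofed local-parts and subjects from the Mytob list above (lower-cased).
MYTOB_SENDERS = {"support", "administrator", "mail", "service", "admin",
                 "info", "register", "webmaster"}
MYTOB_SUBJECTS = {
    "your password has been updated",
    "your password has been successfully updated",
    "you have successfully updated your password",
    "your new account password is approved",
    "your account is suspended",
    "*detected* online user violation",
    "your account is suspended for security reasons",
    "warning message: your services near to be closed.",
    "important notification",
    "members support",
    "security measures",
    "email account suspension",
    "notice of account limitation",
}
# Beagle.BT body text, per the message format above.
BEAGLE_BODY = re.compile(r"(the password is|password:)", re.IGNORECASE)


def _text_body(msg) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def match_rules(raw: bytes) -> list[str]:
    """Return the names of the worm message formats that the raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    _, addr = parseaddr(msg["From"] or "")
    local_part = addr.split("@", 1)[0].lower()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    has_zip = any(n.lower().endswith(".zip") for n in names)

    hits = []
    # Beagle.BT: blank subject + ZIP attachment + "password" lure in the body.
    if subject == "" and has_zip and BEAGLE_BODY.search(_text_body(msg)):
        hits.append("beagle.bt-format")
    # Mytob: spoofed "administrator"-style sender + one of the known subjects.
    if local_part in MYTOB_SENDERS and subject.lower() in MYTOB_SUBJECTS:
        hits.append("mytob-format")
    return hits


def build_sample(sender: str, subject: str, body: str, attachment: str = "") -> bytes:
    """Build a constructed sample message (not a real capture) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    if subject:                      # Beagle.BT mails carry no subject at all
        msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"PK\x03\x04 placeholder bytes, not a real archive",
                           maintype="application", subtype="zip",
                           filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("someone@example.org", "", "The password is 12345", "photos.zip"),
        build_sample("administrator@example.com", "Your Account is Suspended",
                     "Please validate your account within 24 hours."),
        build_sample("alice@example.com", "Lunch tomorrow?", "See you at noon."),
    ]
    for raw in samples:
        print(match_rules(raw) or "clean")
```

The subject and sender lists are exact matches on purpose: fuzzier matching catches more variants but starts to hit legitimate password-reset mail, so in production this kind of rule is best combined with attachment-type blocking rather than used alone.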
-
This email has no attachment, but if you click on the link a trojan horse downloader can be installed on your PC, which then opens the machine up to further malware. MS00-037, a five-year-old HTML Help file security flaw, is also used to attack completely unpatched PCs. While this new threat is not widespread, the media is reporting it on the news this morning.
ZDnet: Hackers use email URL create Jackson rumor
Trend Micro - PHELP.P Trojan
AVOID CLICKING ON THE URL IF YOU RECEIVE THIS EMAIL MESSAGE
News from Neverland -- Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt. They suggest this attempt follows the last claim was made against the king of pop. 46 years old Michael has left pre-suicid note which describes and interpretes some of his sins.
Read http://mega{BLOCKED}buz.com more...
-
On June 14, 2005, the Microsoft Security Response Center is planning to release:
Security Updates
• 7 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart. 5 of these updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA), 2 of these updates will be detectable using the Enterprise Scanning Tool (EST).
• 1 Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Services for UNIX. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).
• 1 Microsoft Security Bulletin affecting Microsoft Exchange. The greatest aggregate, maximum severity rating for this security update is Important. This update will not require a restart. This update will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).
• 1 Microsoft Security Bulletin affecting Microsoft Internet Security and Acceleration (ISA) Server and Small Business Server. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. This update will be detectable using the Enterprise Scanning Tool (EST).
Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).
-
This new variant of the Skulls mobile phone virus poses as a free "pirated" copy of F-Secure's anti-virus product for mobile phones. Besides the legal and ethical considerations of using pirated software, this new virus locks up the phone until it is disinfected (removal steps are below). This social engineering scheme illustrates the dangers of installing free software offered by email, instant messaging, or other sources.
Links related to this new virus are noted below:
Skulls.L - Pretends to be F-Secure's Mobile AV product
F-Secure's Web Log Description
Skulls.L is a variant of SymbOS/Skulls.C trojan. The component files of the trojan are almost identical to Skulls.C. The main difference between Skulls.L and Skulls.C is that Skulls.L pretends to be a pirate copied version of F-Secure Mobile Anti-Virus.
REMOVAL Techniques
Disinfection with two Series 60 phones
Download F-Skulls tool from FTP site or
Download F-Skulls Tool directly with phone
1. Install F-Skulls.sis onto the infected phone's memory card using a clean phone
2. Put the memory card with F-Skulls into the infected phone
3. Start up the infected phone; the application menu should work now
4. Go to the application manager and uninstall the SIS file that installed Skulls.L
5. Download and install F-Secure Mobile Anti-Virus (http://mobile.f-secure.com), with the clean phone or with the infected phone itself, to remove any Cabir copies dropped by Skulls.L
6. Remove F-Skulls with the application manager, as the phone is now cleaned
-
Secunia has issued a moderately critical advisory for Mozilla browsers, including Firefox 1.0.4, for a frame injection vulnerability. This vulnerability has not been exploited in the wild and can only be triggered when a trusted web site and a hostile web site are open at the same time. Firefox users should look for an upcoming release and, as always, be careful about the sites they visit and the URL links they follow from email.
ZdNet Article: Mozilla Frame Injection Vulnerability
A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames, which are a way of showing Web content in separate parts of the browser window.
As a result, an attacker could insert content into a frame on a trusted Web site, Secunia said. Account holders who believe they are interacting with a frame belonging to an online bank could be tricked into giving up personal information or downloading malicious code, for example. Secunia rated the issue "moderately critical." The same "frame injection" vulnerability in Mozilla's browsers was detailed by Secunia in July of last year. At the time, it did not affect the most recent versions of the applications.
For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.
Secunia Advisory - Mozilla Frame Injection Vulnerability
Moderately Critical:
Description: A seven year old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites.
Secunia Browser Frame Injection Vulnerability Test
The vulnerability has been confirmed in Firefox 1.0.4 and Mozilla 1.7.8. Other versions may also be affected.
Solution: Do not browse untrusted web sites while browsing trusted sites.
Mozilla Support Forums Information
The vulnerability has not been exploited, a moderator of a support forum on the Mozilla Web site wrote Monday, in response to the Secunia alert. For protection, the moderator advises people to close all other windows and tabs before accessing a Web site such as a bank or online store that requires them to type in personal data.
-
Kaspersky's weblog entry of June 5th entitled "Robots, vile robots everywhere!" is a great read.
MS04-007: RBOT variant - 1st worm to exploit ASN.1 via Internet
Investigation of the packets revealed a Microsoft ASN.1 exploit, which tries to download and run an executable from the attacking machine via TFTP. We've secured a binary and took a look under the cover. The responsible worm was a Rbot variant, ...
Besides the ASN.1 exploit - and this is the first worm to use it successfully on the Internet - the Rbot variant uses a multitude of other exploits, DCOM, RPC,Veritas Backup Exec, LSASS, MSSQL, password guessing and so on. It also steals registration keys from a good list of popular games, PayPal accounts logins, has an embedded backdoor and of course, DDoS capabilities.
Basically, it's a worm which tries very hard to spread while at the same time trying to steal as much valuable data from the victim machine as is available. It is a highly infectious worm, written for profit. And yes, most of the other worms we're seeing nowadays are no different.
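The quoted entry describes a two-step pattern (exploit over a Windows service port, then the victim pulling the worm binary back from the attacker over TFTP) that is easy to spot in firewall logs even when the exploit itself is unknown. The following is an added example of that correlation, written by me and not taken from the Kaspersky entry. The log line format and the sample lines are constructed, and the mapping of the exploited services (DCOM/RPC, SMB/ASN.1, LSASS, MSSQL) to TCP ports is my assumption.

```python
"""Correlate an inbound hit on an exploitable Windows port with a TFTP fetch
from the same peer shortly afterwards.

Added example; log format, sample lines and the service-to-port mapping are
my own assumptions, not from the quoted weblog entry.
"""
import re
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Services the Rbot variant is said to exploit and the ports they listen on
# (port assignment is my assumption).
EXPLOIT_PORTS = {135: "DCOM/RPC", 139: "SMB (ASN.1)",
                 445: "SMB (ASN.1/LSASS)", 1433: "MSSQL"}
TFTP_PORT = 69
WINDOW_SECONDS = 120   # how long after the exploit we still accept the TFTP fetch


def parse_log(lines):
    """Parse constructed 'TS ACTION PROTO SRC:SPORT -> DST:DPORT' lines.

    Lines that do not match the format, or that were denied, are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_tftp_fetches(lines):
    """Return one alert per exploit attempt that was followed, within the
    window, by the target opening UDP/69 back to the same peer."""
    events = parse_log(lines)
    alerts = []
    for i, ev in enumerate(events):
        if ev["proto"] != "TCP" or ev["dport"] not in EXPLOIT_PORTS:
            continue
        attacker, victim = ev["src"], ev["dst"]
        for later in events[i + 1:]:
            delay = (later["ts"] - ev["ts"]).total_seconds()
            if delay > WINDOW_SECONDS:
                break                      # events are sorted; nothing closer follows
            if (later["proto"] == "UDP" and later["dport"] == TFTP_PORT
                    and later["src"] == victim and later["dst"] == attacker):
                alerts.append({"victim": victim, "attacker": attacker,
                               "service": EXPLOIT_PORTS[ev["dport"]],
                               "delay_s": delay})
                break
    return alerts


# Constructed sample log: one infection (SMB hit, then TFTP back to the
# attacker two seconds later), one benign LAN file-share session with no
# TFTP, and one TFTP flow far too long after the port-135 hit to count.
SAMPLE_LOG = """\
2005-06-05T10:21:03 ALLOW TCP 192.0.2.7:3241 -> 10.0.0.20:445
2005-06-05T10:21:05 ALLOW UDP 10.0.0.20:1027 -> 192.0.2.7:69
2005-06-05T10:30:00 ALLOW TCP 10.0.0.11:1088 -> 10.0.0.20:445
2005-06-05T11:02:10 ALLOW TCP 192.0.2.9:4410 -> 10.0.0.21:135
2005-06-05T11:40:00 ALLOW UDP 10.0.0.21:1030 -> 192.0.2.9:69
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for alert in find_tftp_fetches(SAMPLE_LOG.splitlines()):
        print(alert)
```

Outbound TFTP from a workstation is rare enough on most networks that the UDP/69 flow alone is worth an alert; tying it to the preceding inbound hit just tells you which exploit did the job.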
Spybot.PKC - May be a close example of the new RBOT variant
-
Trend/Secunia have also declared MEDIUM RISK on Troj Small.AHE, which is different from Bobax.P but centers on the same theme.
For users, it's essential to AVOID attachments from ANY politically themed email, as that is a common social engineering lure (as we saw with the German Sober.Q spam).
Secunia Information
http://secunia.com/virus_information/18540/
http://secunia.com/virus_information/18574/
This downloader trojan was mass-spammed on June 2, 2005. It may arrive in an email message as follows (messages vary):
Subject: God Bless the USA! Finally! Captured.. He has captured..
Body:
Xmong. Npos alter. almonsted nocks
Turn on your TV. Osama Bin Laden has been captured. While CNN has no pictures at this point of time, the military channel (PPV) released some pictures. I managed to capture a couple of these pictures off my TV. Ive attached a slideshow containing all the pictures I managed to capture. I apologize for the low quality, its the best I could do at this point of time. Hopefully CNN will have pictures and a video soon. God bless the USA! Stephen Christensen
Attachment: pics.zip, teamster.zip, usurus.zip, toxicology.zip
-
Ad-Aware SE Personal Edition 1.06 is an excellent adware and spyware removal tool that is free for personal use. The following provide some key links from download.com:
Ad-Aware SE Personal Edition 1.06 - Information
Download Site - Version 1.06
Download.com Review of Ad-Aware SE Personal Edition

One of the first applications built to find and remove adware and spyware, Ad-aware SE Personal Edition's excellent reputation is well justified. The sky-blue, skinnable interface features five buttons. The first two, Status and Scan, lead to the core function of the application. These buttons initiate a scan of your files for adware components. After scanning is complete, the program presents a summary of results, followed by a list from which you select exactly which components to remove. Right-clicking an individual entry gives some information about the piece of suspected adware, though we would like more details. Ad-aware SE can alert you to more malignant forms of malware by separating items into critical and negligible categories. The third button, Ad-watch, is nonfunctional in the Standard version. The fourth button, Plug-ins, shows you which Ad-aware plug-ins are installed. The fifth leads to the help files.
Ad-aware SE does an excellent job of quickly finding and removing most adware and spyware components, although you will have to restart and rescan for a seriously infected machine. We were pleased to see an auto-update feature included with the program, keeping Ad-aware up-to-date with the latest adware components. Ad-aware SE should be part of your arsenal for keeping your machine free of adware and spyware components.
-
Spybot S&D is an excellent spyware removal tool that is free for personal use. The following provide some key links from download.com:
Spybot S&D 1.4 Overview
Download Site Version 1.4
Download.com Review of Spybot - Search & Destroy

The latest version of Spybot - Search & Destroy adds some truly useful features to an already excellent application. The program still checks your system against a comprehensive database of adware and other system invaders, but it works much faster now. It also features several interface improvements, including multiple skins for dressing up its appearance. Scan results now appear arranged by groups in a tree, and a sliding panel lets you instantly view information about a selected item to help you decide whether to kill it or not. The Immunize feature blocks a plethora of uninvited Web-borne flotsam before it reaches your computer. Other useful tools, including Secure Shredder, complement the program's basic functionality for completely destroying files. Hosts File blocks adware servers from your computer, and System Startup lets you review which apps load when you start your computer. The functionality makes Spybot - Search & Destroy a must-have for all Internet users, and this version is a worthwhile upgrade.
-
Trend has declared a MEDIUM RISK due to prevalence.
MS04-011: Bobax.P - MEDIUM RISK at Trend
MS04-011: Bobax.Z - Symantec version W32.Bobax.Z is a mass-mailing worm that lowers security settings and allows a compromised computer to be used as a covert proxy. The worm also sends an email to addresses gathered from the compromised computer.
As of June 3, 2005 1:38 AM (PDT/GMT-7:00), TrendLabs has declared a MEDIUM risk alert in order to control the spread of WORM_BOBAX.P. TrendLabs has received several infection reports indicating that this worm is currently spreading in the United States, Singapore, Ireland, Japan, Peru, Australia and India.
Message body: (any of the following)
Attached some pics that i found
Check this out :-)
Hello, I was going through my album, and look what I found..
Long time! Check this out!
Osama Bin Laden Captured.
Remember this?
Saddam Hussein - Attempted Escape, Shot dead
Secret!
Testing
-
The Internet Storm Center shares one handler's toolkit recommendations. This toolkit looks like it will provide you with everything you need to monitor, troubleshoot and maintain your network. Some of us might have personal preferences on AV vendors or other items, but it's still a very nice list.
ISC publishes Scott's Toolkit for Windows
I've created what I call "Security Kits" on both CD-Rs and now the new FlashRAM memory sticks with a lot of these tools on there. You never know which neighbor or relative is going to be next on the list to go help out.
Antivirus Tools
|-- McAfee Stinger (updated routinely)
|-- Symantec AV Corporate Edition v9 (soon to be v10)
|-- Microsoft Malware Removal Tool (released monthly)
|-- Current Symantec AV Intelligent Updater
Response Kit
|-- NetCat (available now at SecurityFocus)
|-- SysInternals AccessEnum
|-- SysInternals AutoRuns
|-- SysInternals Contig
|-- SysInternals DiskView
|-- SysInternals FileMon
|-- SysInternals ListDLLs
|-- SysInternals Page Defrag
|-- SysInternals ProcessExplorer
|-- SysInternals PS Tools
|-- SysInternals RegMon
|-- SysInternals Rootkit Revealer
|-- SysInternals Sdelete
|-- SysInternals ShareEnum
|-- SysInternals Sync
|-- SysInternals TCPView
|-- SysInternals Miscellaneous tools
|-- Heysoft LADS
|-- myNetWatchman SecCheck
|-- Inetcat.org NBTScan
|-- FoundStone BinText
|-- FoundStone Forensic Toolkit
|-- FoundStone Fport
|-- FoundStone Galleta
|-- FoundStone Pasco
|-- FoundStone Rifiuti
|-- FoundStone Vision
|-- FoundStone ShoWin
|-- FoundStone SuperScan
|-- WinDump
|-- Nmap
|-- Tigerteam.se SBD (encrypted netcat)
|-- GNU based unxutils (from unixutils.sourceforge.net)
|-- Good copies of windows binaries (netstat, cmd, ipconfig, nbtstat)
Spyware Tools
|-- AdAware (updated defs in same directory)
|-- CWShredder
|-- Hijack This
|-- MS AntiSpyWare Beta
|-- Spybot Search and Destroy (updated defs in same directory)
|-- BHO Demon
Security Tools (this is my usual place to dump the .zip or .exe installers)
|-- Heysoft LADS (list alternate data streams)
|-- Inetcat.org NBTScan
|-- MS Baseline Security Analyzer
|-- MS IIS Lockdown tool
|-- Sam Spade
|-- SSH Client (SSH.com or Putty)
|-- SysInternals Tools
|-- Foundstone Tools
|-- BlackIce PC Protection
|-- Kerio Personal Firewall
|-- Zone Alarm Personal Firewall
|-- WinPcap
|-- WinDump
|-- Ethereal Installer
|-- Nmap for windows (cli version)
Utilities
|-- Adobe Acrobat Reader Installer
|-- CPU-Z
|-- FireFox Installer
|-- Macromedia Flash and ShockWave Installers
|-- Quicktime Standalone Installer
|-- VNC Installer
|-- Winzip Installer
|-- ISCAlert
Service Packs (on a 2nd CD)
|-- Windows XP SP2
|-- Windows 2000 SP4 (+rpc/lsass critical patches or SRP when released)
|-- Windows 2003 Server SP1
(Some additional CDs I keep around for the Unix geek in me)
|-- Knoppix CD
|-- Helix CD
Note: Any commercial software in the list above that is not freeware/shareware should be replaced in your toolkit with your company or campus licensed software.
-
The social engineering, advanced code, attack methods, and the ease in building new variants makes this family among the worst. Users must keep their AV protection updated daily to keep up with new threats.
Mytob.BI - Poses as an IT Administrator
The Mytob.BI variant prevents the infected machine from accessing several antivirus and security Web sites by redirecting the connection to a local machine, the security company added. While prevalence of the worm is still low, the damage potential is high, Trend Micro said. U.K.-based antivirus company Sophos PLC also rated the worm as a concern, due to the severe damage it could cause.
Researchers speculated that the Mytob worm family is popular with hackers because its code base is relatively easy to manipulate to create a new variant. Another version, Mytob.ar, was detected earlier this week, containing added spyware and adware elements.
The worm poses as a message from an IT administrator, warning recipients that their e-mail accounts are about to be suspended, Trend Micro said. Possible subject headers for the worm include "*IMPORTANT* Please Validate Your Email Account" and "Notice: **Last Warning**."
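Mytob.BI is described above as blocking antivirus and security web sites by redirecting them to a local machine. The usual way a worm does that on Windows is by rewriting the hosts file, so a quick check of that file is a useful first step when a machine suddenly cannot reach its AV vendor. The following is an added example of that check, written by me and not taken from Trend Micro or the original post; the vendor domain list is mine and the sample hosts file is constructed.

```python
"""Flag hosts-file entries that override security-vendor domains.

Added example; the vendor list and the sample hosts file are my own
constructions, not from the post or from any AV vendor.
"""
import ipaddress
import sys

# Vendors named on this page; extend to taste.
SECURITY_DOMAINS = (
    "symantec.com", "mcafee.com", "trendmicro.com", "sophos.com",
    "kaspersky.com", "f-secure.com", "microsoft.com", "windowsupdate.com",
)
# Addresses a public vendor site can never legitimately resolve to.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "::1/128", "::/128")]


def is_local(address: str) -> bool:
    """True if the address is loopback, unspecified or RFC 1918 (or not an IP at all: False)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def is_security_domain(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacked_entries(hosts_text: str) -> list[tuple[str, str, bool]]:
    """Return (hostname, address, points_to_local) for every hosts entry that
    pins a security-vendor name to an address.  Any such entry is suspicious;
    the flag tells you whether it is the redirect-to-local trick or an
    override to some other address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        address, *names = line.split()
        local = is_local(address)
        hits.extend((name, address, local) for name in names if is_security_domain(name))
    return hits


# Constructed sample (not a capture): the normal localhost line, four vendor
# redirects to local addresses of the kind Mytob.BI performs, one vendor
# override to a non-local address, and an unrelated internal entry.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       liveupdate.symantec.com   # added by malware
0.0.0.0         www.trendmicro.com
203.0.113.5     update.mcafee.com
192.168.0.10    intranet.example.com
"""

if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to check a real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for name, addr, local in find_hijacked_entries(text):
        kind = "redirected to local address" if local else "overridden"
        print(f"suspicious: {name} -> {addr} ({kind})")
```

A clean hosts file on Windows normally contains only the localhost line, so anything else naming a vendor is worth a look. Remember that a worm which has already lowered security settings may also have disabled the AV product itself, so fixing the hosts file is only the first step.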
-
Please select from links below:
Bagle.BO F-Secure - MEDIUM RISK
Trend Micro Information
Sophos - Troj/BagleDl-Q
Symantec - Tooso.I
Kaspersky - MEDIUM RISK
McAfee - Bagle.dldr
MESSAGE LABS - SPECIAL ALERT
New Bagle Downloader spreading like wildfire via email
31 May 2005 – MessageLabs is warning computer users to be on their guard against a new variant of the Bagle downloader. MessageLabs has intercepted almost 70,000 copies already. The first copy was intercepted today at 13:24 GMT (14:24 BST). 45,769 copies have been stopped in the last hour (3-4pm BST). The virus appears to have originated from a Yahoo group.
The as yet unnamed Bagle downloader variant drops a trojan that attempts to download Bagle from a vast list of locations. Computer users who activate the file attached in the email invoke the virus, which harvests email addresses it finds on the computer's hard drive. The virus then forwards itself onto the list of email addresses it has discovered in infected computer.