
The French-language geomatics portal



#1 Wed 03 September 2003 08:38

Geo Maumet
Guest

Alert!! A MapInfo virus...

Hello,

Warning! The first virus infecting a mapping program has been discovered!
[27.08.2003]

Kaspersky Labs, a developer of computer security software, has announced the
discovery of the MBA.First virus, which infects MapInfo tables, MapInfo being
one of the most popular mapping and geographic analysis programs.
The virus is activated
when a table containing the malicious code is opened. MBA.First then
infects all tables opened by MapInfo. It can also,
at random, delete those same tables.

This software, developed by MapInfo Corporation, is one of the most popular of
its kind. Its main distinguishing feature is that it uses its own
programming language, MapBasic, for creating user
applications. The MBA.First virus,
the first malicious program to attack MapInfo, is written in this
MapBasic language and takes the form of a binary file.

Protection against this virus has been added to the Kaspersky
Anti-Virus database.
A more detailed description of MBA.First is available in
the Kaspersky Labs Virus Encyclopedia.

http://www.viruslist.com/eng/viruslist.html?id=65994

Thanks to Regis LESGUILLIER for this information
Bye

 

#2 Tue 15 June 2004 16:39

RPREST
Guest

Re: Alert!! A MapInfo virus...

Hello,

I came across the following by chance: surprising, isn't it?

Have a good day,
RP

Found here: http://www.viruslibrary.com/virusinfo/MBA.First.htm and here: http://viruslist.com/eng/viruslist.html?id=65994

MBA.First

Last Modified: August 27, 2003
The first known virus to infect MapInfo tables. It activates upon the
opening of infected tables and proceeds to infect the MapInfo environment
and every table subsequently opened in MapInfo.

The virus has a payload routine that is triggered according to specific
system dates; the payload corrupts table files.

What is MapInfo

MapInfo is a Geo-Information System, one of the world's leading software
solutions for mapping and geographic analysis. It is developed by the
MapInfo Corporation. MapInfo uses the MapBasic programming language to
create custom applications for use with MapInfo Professional or special
MapInfo runtimes. It is very similar in syntax to Microsoft Visual Basic
but has additional 'statements' for tables and map manipulations.

Virus details

The virus is written in the MapBasic language and is compiled into a binary
application that executes with MapInfo. When the infected table is opened
the virus gains control and infects the MapInfo environment. To do this the
virus copies itself into the MapInfo program directory (the directory where
MapInfo is installed) under the name 0gPiSs1.dll. The 'startup.wor' file has
its own 'startup workspace'. The virus places into the startup workspace of
the startup.wor file the commands that launch the virus code. The startup
workspace is automatically executed prior to the launching of any other
workspace, and thus the virus gains control each time MapInfo is started.

When active, the virus silently collects the filenames of open tables to be
used at a later time.

When MapInfo is closed the virus checks the system time. On Monday it runs
its first payload routine that catalogs (numbers) the table filenames
collected during the current session. With the probability of 1% the virus
tries to delete the table files with the following extensions:

.map, .tif, .pcx or .jpg.

The second payload routine triggers on Friday the 13th and does the same as
the first payload routine but deletes table files with a 14% probability. In
addition it overwrites the mapinfow.prj file with the following text written
in Russian (encoding - Cyrillic KOI-8R):

--- eÏÏÒÄÉÎÁÔÙ ---
aÏÌÇÏÔÁ / uÉÒÏÔÁ , 3, 62, 8, -74, 40.5, 40.6666666667, 41.0333333333, 2000000, 100000

If the payload routines did not trigger, the virus infects all the collected
tables. To do this the virus overwrites the .mif table file with virus code
and inserts the command to run this file upon table opening.

Disinfection

Kaspersky Anti-Virus removes the virus code from files, but cannot restore
files deleted by virus payloads. You have to restore missing .map, .tif,
.pcx and .jpg files from backup. Also you may need to restore the
mapinfow.prj file in the MapInfo program directory from backup or from the
Tools subfolder.
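
An added example, not part of either post or of the quoted description: a Python check of a MapInfo program directory for the three traces the description names (the 0gPiSs1.dll copy, launch commands in startup.wor, and a mapinfow.prj cut down to the payload's two lines). The "Run Application" match and the two-line threshold are assumptions, and the sample directory is constructed.

```python
import tempfile
from pathlib import Path

DROPPED = "0gpiss1.dll"  # name given in the description, lower-cased for comparison

def check_startup(path):
    """Flag startup.wor lines that name the dropped file or launch any application."""
    hits = []
    for no, line in enumerate(path.read_bytes().decode("latin-1").splitlines(), 1):
        low = line.lower()
        if DROPPED in low:
            hits.append(("startup-references-dropped-file", f"line {no}"))
        elif low.lstrip().startswith("run application"):
            # Assumption: launch commands use MapBasic's Run Application statement.
            hits.append(("startup-run-application", f"line {no}"))
    return hits

def check_prj(path):
    """Flag a mapinfow.prj reduced to the two-line text the payload writes."""
    lines = [l for l in path.read_bytes().splitlines() if l.strip()]
    # Assumption: an intact projection file holds far more than two entries.
    return [("prj-overwritten", f"{len(lines)} line(s)")] if len(lines) <= 2 else []

def check_mapinfo_dir(program_dir):
    """Return sorted (indicator, detail) findings for one MapInfo program directory."""
    findings = []
    for entry in Path(program_dir).iterdir():
        name = entry.name.lower()  # Windows file names are case-insensitive
        if name == DROPPED:
            findings.append(("dropped-file", entry.name))
        elif name == "startup.wor":
            findings += check_startup(entry)
        elif name == "mapinfow.prj":
            findings += check_prj(entry)
    return sorted(findings)

def demo():
    """Run the check on a constructed directory (sample content, not real virus data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "0gPiSs1.dll").write_bytes(b"constructed placeholder")
        (root / "Startup.wor").write_bytes(
            b'!Workspace\r\n!Version 600\r\n'
            b'Run Application "0gPiSs1.dll"\r\nRun Application "tools.mbx"\r\n')
        (root / "mapinfow.prj").write_bytes(b"--- constructed ---\r\nx, 3, 62, 8\r\n")
        return check_mapinfo_dir(root)

if __name__ == "__main__":
    for indicator, detail in demo():
        print(indicator, detail)
```

A "startup-run-application" finding is only a prompt to review that line, since legitimate startup workspaces may also launch tools.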

 
