Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Panda Software warns of the propagation of Zafi.B

 
wawadave

Posted: Mon Jun 21, 2004 9:36 am    Post subject: Panda Software warns of the propagation of Zafi.B

Panda Software warns of the propagation of Zafi.B -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, June 14 2004 - According to data from PandaLabs, the Zafi.B worm
-first detected last weekend- is now spreading widely around the world.
Although the number of incidents caused by this malicious code is not
alarming, the extent to which it has spread geographically has increased the
risk of computers being infected by Zafi.B.

Zafi.B spreads, using its own SMTP engine, via e-mail to addresses that it
finds in infected computers in files with the following extensions: htm,
wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml and pmr.

Messages carrying Zafi.B have variable characteristics and can be written in
various languages including: English, French, Spanish, German or Italian.
For more details on the e-mails carrying Zafi.B, go to Panda Software's
Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

If users run the file attached to the message, an Internet Explorer window
opens and tries to connect to www.google.com or www.microsoft.com. It also
enters several keys in the Windows Registry.

Zafi.B copies itself to the infected computer in two files with random
names. It also creates infected files called "Total Commander 7.0
full_install.exe" or "winamp 7.0 full_install.exe" in directories with
names including the words "share" or "upload".

The worm continually searches for memory processes with the strings "regedit",
"task" or "msconfig" and on finding them it terminates them. It also looks
for directories that could contain antivirus programs in order to overwrite
all executable files with its own code.

To prevent incidents involving Zafi.B, Panda Software advises users to take
precautions and update their antivirus software. Panda Software has made the
corresponding updates available to its clients to detect and disinfect this
new malicious code.

For further information about Zafi.B and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

In addition, users can scan their computers online for free with the
ActiveScan solution, available on the company's web page at:
http://www.pandasoftware.com.

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

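As an added example (not part of the original posts or of Panda's alert), the following defender-side sweep looks for the two file names the alert gives, inside directories whose names contain "share" or "upload". The function names and the sample directory tree are constructed for illustration, and matching only on the immediate parent directory's name is an assumption.

```python
import os
import tempfile

# File names and directory keywords quoted in the alert above.
BAIT_NAMES = {
    "total commander 7.0 full_install.exe",
    "winamp 7.0 full_install.exe",
}
DIR_KEYWORDS = ("share", "upload")


def find_zafi_b_bait(root):
    """Return sorted paths of bait-named files whose immediate parent
    directory name contains "share" or "upload" (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dirname = os.path.basename(dirpath).lower()
        if not any(keyword in dirname for keyword in DIR_KEYWORDS):
            continue  # assumption: only the parent directory's own name counts
        for name in filenames:
            if name.lower() in BAIT_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(base):
    """Create a constructed directory tree of empty placeholder files."""
    layout = {
        "My Shared Folder": ["winamp 7.0 full_install.exe", "song.mp3"],
        "uploads": ["Total Commander 7.0 full_install.exe"],
        "Documents": ["winamp 7.0 full_install.exe"],  # name matches, directory does not
        "share": ["notes.txt"],  # directory matches, name does not
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(base, folder))
        for filename in files:
            open(os.path.join(base, folder, filename), "w").close()


def demo():
    """Run the sweep over the constructed tree and return relative hit paths."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return [os.path.relpath(p, base) for p in find_zafi_b_bait(base)]


if __name__ == "__main__":
    for hit in demo():
        print("possible Zafi.B copy:", hit)
```

A name match is only a lead for further checking; the alert's own advice is to scan with updated antivirus software.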
DeleterFX

Posted: Mon Jun 21, 2004 11:06 am    Post subject: Re: Panda Software warns of the propagation of Zafi.B

wawadave wrote:
The worm continually searches for memory processes with the strings "regedit",
"task" or "msconfig" and on finding them it terminates them. It also looks
for directories that could contain antivirus programs in order to overwrite
all executable files with its own code


wow, that is some evil programming
wawadave

Posted: Mon Jun 21, 2004 9:22 pm

Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, June 11 2004 - This week's report on viruses and intrusions will
deal with three worms: Plexus.B, Korgo.H and Korgo.I, and the Trojan
Downloader.GK.

Plexus.B is a variant that bears a lot of similarities to the original worm
and uses various means of propagation. It can enter computers directly from
the Internet by exploiting the LSASS Windows vulnerability and it can send
itself as an attachment to an e-mail message. It is also designed to spread
across networks and through the file-sharing program (P2P) KaZaA.

Even though Plexus.B can only directly enter computers running Windows XP or
2000, it can still affect other Windows platforms. In these cases, however,
it needs the user to execute the infected file.

Plexus.B modifies the Windows host file, overwriting its content. In this
way, it prevents the user from accessing the website of a well-known
antivirus company.

Korgo.H and Korgo.I are two new members of this prolific family of worms
that exploit the Windows LSASS vulnerability. By using this operating system
flaw, they spread across the Internet and automatically enter computers.
Like Plexus.B, the two variants of Korgo also affect all Windows platforms,
although they only automatically infect systems running XP and 2000.

Once they install themselves on a computer, Korgo.H and Korgo.I open several
TCP ports and wait to receive a file to run on the infected computer. To
this end, they also try to connect to several IRC servers.

Finally, Downloader.GK is a Trojan that downloads and runs two adware
programs (Adware/BetterInet and Adware/SearchCentrix) on the infected
computer. It doesn't spread on its own, but is downloaded from certain web
pages when the user accepts the installation of a specific ActiveX control.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Port / Communication port: Point through which a computer transfers
information (inbound / outbound) via TCP/IP.

- P2P (Peer to peer): A program -or network connection- used to offer
services via the Internet (usually file sharing), which viruses and other
types of threats can use to spread. Some examples of this type of program
are KaZaA, Emule, eDonkey, etc.

More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

*****Locked By TeMerc*****