Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
wawadave Warrior Obsessed
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Mon Aug 02, 2004 7:36 am Post subject: Security alerts for week of 8/2/04

Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, July 30 2004 - This week's report on viruses and intruders looks at
four worms (Lovgate.AT, Mydoom.N, Zindos.A and Mabutu.B), a Trojan
(Dropper.O), a spy program (Ndrv) and an exploit (MhtRedir.N).
Lovgate.AT is a worm that uses a wide range of propagation techniques, such
as email messages, the KaZaA file sharing program, shared network resources,
etc. It also opens a backdoor on the computer, and sends a message by email
to a remote user letting them know that the system has been infected and is
accessible through a backdoor.
The most significant event this week has been the appearance of Mydoom.N.
This worm is designed to spread rapidly via email to addresses that it finds
in infected computers. However, it also uses the four main Internet search
engines to search for all these addresses, thereby trying to saturate them
with traffic. One of them, Google, suffered serious problems for some hours
at the beginning of the week.
Mydoom.N also uses a communication port to create a backdoor on the infected
computer. This backdoor is exploited by the Zindos.A worm in order to
spread. The worm appeared one day after Mydoom.N, which makes it seem likely
that both pieces of malicious code are the work of the same person. In addition,
Zindos.A launches DDoS (Distributed Denial of Service) attacks against
Microsoft's website.
Mabutu.B is a worm that connects to different IRC servers to notify its
creator that the computer has been affected and to receive messages from
remote users. The email messages that it uses to spread have variable
characteristics.
Dropper.O is a Trojan that downloads the Adware/Nsearch application onto the
computers it infects. Dropper.O spreads via web pages previously infected by
the MhtRedir.N exploit, which was also detected for the first time this
week. MhtRedir.N has been designed to exploit a vulnerability in Microsoft
Outlook Express, which it uses to install Dropper.O on computers.
Finally, Ndrv is a spyware program offering use of a program in exchange for
viewing a series of advertising messages. Ndrv is made up of a DLL which
loads along with Internet Explorer, so that every time the browser is
opened, the spyware is activated.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- Adware: A program that can be installed for free in exchange for viewing
advertising banners while using it.
- Exploit: This can be a technique or a program that takes advantage of a
vulnerability or security hole in a certain communication protocol,
operating system, or other IT utility or application.
More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd

wawadave Warrior Obsessed
Posted: Mon Aug 02, 2004 7:41 am

LOCK DOWN REMOTE ACCESS TO THE WINDOWS REGISTRY
Take the steps outlined in this article to secure the Windows
registry from being remotely compromised by attackers.
http://www.net-security.org/news.php?id=5679
WHY ARE VIRUS WRITERS SO TOUGH TO CATCH?
The fight to rout Sasser and its ilk is fraught with ethical
ambiguities. "Out of the 75,000 viruses that are written each year,
all but 1,000 never infect anybody. So is it a crime to just write a
virus?" asked David Perry of Trend Micro. "We are an open society. Do
we give up all those [liberties] that make us Americans?"
http://www.net-security.org/news.php?id=5685
GOOGLE WORM ATTACK CONFIRMED
Antivirus companies have confirmed yesterday's Macworld report
claiming a new Internet assault against search engines, including
those run by Lycos and Google.
http://www.net-security.org/news.php?id=5688

wawadave Warrior Obsessed
Posted: Mon Aug 02, 2004 10:56 am

ZINDOS CAPITALIZES ON MYDOOM.O INFECTIONS
========================================================================
Posted July 28, 2004 9:41 AM Pacific Time
Antivirus companies issued warnings and software updates on Tuesday for
a new Internet worm, dubbed Zindos, that infects machines already
compromised by the MyDoom.O worm, which appeared on Monday, and launches
an attack on the Microsoft Corp. Web site.
For the full story:
http://newsletter.infoworld.com/t?ctl=7DE16F:1F6421C

wawadave Warrior Obsessed
Posted: Mon Aug 02, 2004 12:24 pm

8/2: MyDoom-P Sends Spoofed Emails
W32/Mydoom.p@MM is a new variant of W32/Mydoom that is packed with ASPack.
http://nl.internet.com/ct.html?rtr=on&s=1,11i3,1,j10v,2bpg,9s3s,a9gz
------------------------------------------------------------
4. 8/2: Mydoom-O Uses SMTP Engine
W32/MyDoom-O is a mass-mailing worm that spreads by emailing itself via its own
SMTP engine.
http://nl.internet.com/ct.html?rtr=on&s=1,11i3,1,ghnd,7yq,9s3s,a9gz
------------------------------------------------------------
5. 8/2: Gaobot-BAJ Worm Teams with MyDoom
W32.Gaobot.BAJ is a worm that spreads through open network shares and through
backdoors that the Mydoom family of worms open.
http://nl.internet.com/ct.html?rtr=on&s=1,11i3,1,62dm,mffj,9s3s,a9gz
------------------------------------------------------------
6. 8/2: Exruntel Trojan Allows Remote Access
Trojan.Exruntel is a backdoor Trojan horse that allows unauthorized remote
access to an infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,11i3,1,gien,e5zu,9s3s,a9gz
------------------------------------------------------------
7. 8/2: W32.Rotor Targets .Exe, .Scr Files
W32.Rotor is a virus that appends itself to .exe and .scr files and contains
backdoor functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,11i3,1,bs9o,b9q6,9s3s,a9gz
------------------------------------------------------------
8. 8/2: Stewon-A a P2P Network Worm
W32/Stewon-A is a peer-to-peer network worm.
http://nl.internet.com/ct.html?rtr=on&s=1,11i3,1,ej8p,138r,9s3s,a9gz
------------------------------------------------------------
9. 8/2: CmjSpy-Z a Keylogging Trojan
Troj/CmjSpy-Z is a keylogging Trojan.
http://nl.internet.com/ct.html?rtr=on&s=1,11i3,1,e382,4c8h,9s3s,a9gz
------------------------------------------------------------
10. 8/2: Bugbros-C Considered Minor Variant
W32.Bugbros.C@mm is a minor variant of W32.Bugbros.B@mm.
http://nl.internet.com/ct.html?rtr=on&s=1,11i3,1,7b8i,8axa,9s3s,a9gz
------------------------------------------------------------
*********************************************************************

wawadave Warrior Obsessed
Posted: Tue Aug 03, 2004 11:39 am

1. PC Takeover Flaw in Mozilla, Netscape
A 'highly critical' vulnerability puts users at risk of remote code execution.
http://nl.internet.com/ct.html?rtr=on&s=1,11l5,1,8sgl,ku2u,9s3s,a9gz
------------------------------------------------------------
2. 8/3: Korgo-AD Worm Exploits LSASS Flaw
W32.Korgo.AD is a worm that attempts to propagate by exploiting the Microsoft
Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security
Bulletin MS04-011) on TCP port 445.
http://nl.internet.com/ct.html?rtr=on&s=1,11l5,1,kb96,cf7y,9s3s,a9gz
------------------------------------------------------------
3. 8/3: Scaner-A Worm Uses Port 445
W32/Scaner-A is a worm that exploits the LSASS vulnerability detailed in MS04-011.
http://nl.internet.com/ct.html?rtr=on&s=1,11l5,1,dpnq,ehhb,9s3s,a9gz
------------------------------------------------------------
4. 8/3: Agobot-LM Trojan Opens IRC Channel
W32/Agobot-LM is an IRC backdoor Trojan and network worm that establishes an IRC
channel to a remote server in order to grant an intruder access to the
compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,11l5,1,lz4w,ht20,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Wed Aug 04, 2004 11:30 am

Panda Software warns of the new worm Mydoom.P -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
MADRID, August 3 2004 - Panda's new TruPrevent Technologies to combat viruses
and intrusions have also detected and blocked Mydoom.P, without having a
signature file.
PandaLabs has detected the presence of Mydoom.P, a new variant of the
well-known Mydoom worm. Incidents involving this new variant have already
been reported.
Mydoom.P spreads via e-mail using its own SMTP engine. Mydoom P opens the
notepad (which is empty).
Mydoom.P might arrive with any of the following subjects:
SN: New secure mail
Secure delivery
failed transaction
Re: hello (Secure-Mail)
Re: Extended Mail
Delivery Status (Secure)
Re: Server Reply
SN: Server Status
Possible attachment file names are: mail, message, attachment, transcript,
text, document, file, readme. It can arrive with the following extensions:
.exe, .zip, -txt.exe, -htm.exe and -txt.scr. More details of the messages that
Mydoom.P uses are available from Panda Software's virus Encyclopedia at
http://www.pandasoftware.com/virus_info/encyclopedia/
PandaLabs detected this new variant using Panda Software's new TruPrevent
Technologies which detected and successfully blocked MyDoom.P as well as
Mydoom.N, without prior knowledge of the malicious code. TruPrevent
Technologies complement traditional antivirus, as they are capable of detecting
and blocking unknown viruses, like MyDoom.P, using behavioural analysis and
can be used alongside other companies' antivirus solutions.
To prevent incidents involving Mydoom.P, Panda Software advises users to
take precautions and update their antivirus software. Panda Software has
made the corresponding updates available to its clients to detect and
disinfect this new malicious code.
For further information about Mydoom.P and other computer threats, visit
Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
In addition, users can scan their computers online for free with the
ActiveScan solution, available on the company's web page at:
http://www.pandasoftware.com
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Wed Aug 04, 2004 4:30 pm

8/4: Nachi-L Worm Carries Backdoor
Worm_Nachi.L exploits several Windows vulnerabilities to propagate across
networks.
http://nl.internet.com/ct.html?rtr=on&s=1,11p5,1,lnb0,gkui,9s3s,a9gz
------------------------------------------------------------
5. 8/4: Evaman-C Sends Get Requests to Yahoo
W32.Evaman.C@mm is a mass-mailing worm that sends HTTP Get requests to the Web
site, email.people.yahoo.com, to obtain email addresses.
http://nl.internet.com/ct.html?rtr=on&s=1,11p5,1,jvq,59a7,9s3s,a9gz
------------------------------------------------------------
6. 8/4: Febelneck-A Arrives As Zip File
W32/Febelneck-A is a worm that disguises itself as a zip file.
http://nl.internet.com/ct.html?rtr=on&s=1,11p5,1,a12b,3b59,9s3s,a9gz
------------------------------------------------------------
*********************************************************************

wawadave Warrior Obsessed
Posted: Thu Aug 05, 2004 11:40 am

4. 8/5: Nachi-K Worm Modifies Data
W/32-Nachi.K is a worm that modifies data on the computer.
http://nl.internet.com/ct.html?rtr=on&s=1,11rl,1,gco4,109u,9s3s,a9gz
------------------------------------------------------------
5. 8/5: VBS/Cata-A Virus Deletes Files
VBS/Cata-A is a virus that spreads via email attachments, network shares and
infected files.
http://nl.internet.com/ct.html?rtr=on&s=1,11rl,1,91jz,d7xi,9s3s,a9gz
------------------------------------------------------------
6. 8/5: Lovgate-AD Spreads Several Ways
W32/Lovgate-AD is a worm that spreads by email messages, email attachments,
network shares and Peer-to-peer.
http://nl.internet.com/ct.html?rtr=on&s=1,11rl,1,ewpx,8j34,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Fri Aug 06, 2004 5:32 pm

4. 8/6: Gobot-C a Peer-to-Peer Worm
W32/Gobot-C is a peer-to-peer worm and mIRC backdoor Trojan.
http://nl.internet.com/ct.html?rtr=on&s=1,11uo,1,ib6r,hjxl,9s3s,a9gz
------------------------------------------------------------
5. 8/6: Lovgate-F a Mass-Mailing Worm
W32/Lovgate-F is a mass mailing and network worm.
http://nl.internet.com/ct.html?rtr=on&s=1,11uo,1,639p,1waj,9s3s,a9gz