Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
Virus alerts for week of 10/18/04

 
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Mon Oct 18, 2004 7:59 am    Post subject: Virus alerts for week of 10/18/04

Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, October 17, 2004 - This week's report will focus on Netsky.AG,
Darby.gen, JPGTrojan.D, Funner.A and Nemsi.A.

Netsky.AG, which has been created by modifying the executable file of
Netsky.B, sends itself out via email to all the addresses it finds in files
with certain extensions, using its own SMTP engine. In order to deceive
users, Netsky.AG spoofs the address of the sender of the message using one
of the addresses it obtains from the files on the affected computer. This
worm can also spread through P2P (peer-to-peer) file sharing programs.

When it is run, Netsky.AG shows an error message on screen and tries to copy
itself to all the drives on the computer, except to the CD-ROM drives. This
variant of Netsky also deletes the Registry entries created by other worms,
including Mydoom.A and Mimail.T.

Darby.gen is a generic detection for future variants of the Darby family of
worms. This group of worms spreads via email and P2P file sharing programs.
They also end the processes belonging to antivirus programs and other
security applications, such as firewalls and system monitoring tools,
leaving computers vulnerable to attack from other malware.

The third worm in today's report is JPGTrojan.D, a program that allows JPG
images to be created, which exploits the Buffer Overrun in JPEG processing
vulnerability (described in the Microsoft bulletin MS04-028).

The effects of opening an image created by JPGTrojan.D include specifying
that a port must be opened, allowing remote access to the affected computer,
and downloading an executable file from the Internet and running it on the
affected computer.

Funner.A is a worm that spreads through MSN Messenger and modifies the HOSTS
file, preventing the user from accessing certain websites. What's more, on
Windows Me/98/95 computers, it changes the SYSTEM.INI file to ensure that
it is run whenever the computer starts up, and overwrites the RUNDLL32.EXE
file and replaces it with a copy of itself.

We are going to finish today's report with Nemsi.A, a virus that does not
spread automatically using its own means. It reaches computers when
previously infected files are distributed, which can enter computers through
any of the usual means of transmission (floppy disks, CD-ROMs, email
messages with infected attachment, IRC channels, etc.).

Nemsi.A infects EXE files by inserting its code at the beginning of them
(prepending). After it has infected a computer, this virus changes the icon
of the infected EXE files. If it is run on September 13, it causes a general
protection fault (blue screen) in Windows.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/.

Additional information

- Prepending: This is a technique used by viruses for infecting files by
adding their code to the beginning of the file. By doing this, these viruses
ensure that they are activated when an infected file is used.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
wawadave
Posted: Mon Oct 18, 2004 10:36 am

SECURITY BYTES: NEW MEDIUM-RISK NETSKY WORM CIRCULATING |
SearchSecurity.com

In other news, a Trojan masquerades as a Michael Jackson home movie,
flaws in LibTiff and a medical microchip sparks HIPAA concerns.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1015999,00.html?track=NL-102&ad=494251
wawadave
Posted: Mon Oct 18, 2004 5:08 pm

10/18: Trax.B Worm Has Several Functions
W32/Trax.B is a worm that bears multiple characteristics.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,lo88,dt6n,9s3s,a9gz
------------------------------------------------------------
4. 10/18: Mydoom-AF a Mass-Mailing Worm
W32.Mydoom.AF@mm is a mass-mailing worm that uses its own SMTP engine to send itself to
the email addresses that it finds from an infected system.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,fra2,2csk,9s3s,a9gz
------------------------------------------------------------
5. 10/18: Narcs Worm Executes Spybot Worm
W32.Narcs is a worm that spreads through IRC, IMesh, and KaZaA networks.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,58cx,1o5i,9s3s,a9gz
------------------------------------------------------------
6. 10/18: Forbot-BI a Trojan and Worm
W32/Forbot-BI is an IRC backdoor Trojan and network worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,gdmu,all9,9s3s,a9gz
------------------------------------------------------------
7. 10/18: Rbot-NA is a Network Worm
W32/Rbot-NA is a network worm that contains IRC backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,cn32,k90p,9s3s,a9gz
------------------------------------------------------------
8. 10/18: Forbot-AZ Worm Allows Remote Access
W32/Forbot-AZ is a worm that attempts to spread to remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,80lk,dosl,9s3s,a9gz
------------------------------------------------------------
9. 10/18: Sluter-E a Trojan and a Worm
W32/Sluter-E is an IRC backdoor Trojan and network worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,3t3w,kl8r,9s3s,a9gz
------------------------------------------------------------
10. 10/18: Wort-B Worm Downloads EXE
W32/Wort-B attempts to download an EXE file, and spreads using the LSASS flaw.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,e2za,frn3,9s3s,a9gz
------------------------------------------------------------
11. 10/18: Rbot-NC Worm Uses Backdoor
Rbot-NC is a network worm that uses an IRC backdoor Trojan.
http://nl.internet.com/ct.html?rtr=on&s=1,16k8,1,cimq,kfrt,9s3s,a9gz
------------------------------------------------------------
wawadave
Posted: Tue Oct 19, 2004 12:45 pm

10/19: Mydoom-AD Modifies HOSTS File
Mydoom.AD is a worm that modifies the HOSTS file, in order to prevent the user from
accessing several antivirus companies.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,2pom,bv9w,9s3s,a9gz

10/19: Wootbot-BJ Worm Uses LSASS Flaw
Worm_Wootbot-BJ takes advantage of the Windows LSASS vulnerability in order to propagate.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,7if7,82o7,9s3s,a9gz
------------------------------------------------------------
6. 10/19: Darby-B Worm Spreads Via IRC
W32.Darby.B is a worm that uses file-sharing networks, email, network file sharing, and
Internet Relay Chat (IRC) to spread.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,cygn,ks29,9s3s,a9gz
------------------------------------------------------------
7. 10/19: Spybot-FBG Worm Launches DDoS
W32.Spybot.FBG is a worm that may be remotely controlled via IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,l6qi,gae,9s3s,a9gz
------------------------------------------------------------
8. 10/19: Bacros Trojan Drops W97M.Bacros
W32.Bacros is a Trojan horse that drops W97M.Bacros.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,3f3x,4g4,9s3s,a9gz
------------------------------------------------------------
9. 10/19: Forbot-BP Worm Allows Remote Access
W32/Forbot-BP is a network worm that attempts to spread via network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,mas,l3l5,9s3s,a9gz
------------------------------------------------------------
10. 10/19: Mydoom-AE a Mass-Mailing Worm
W32/Mydoom.ae@MM is a mass-mailing worm.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,bfsy,m87t,9s3s,a9gz
------------------------------------------------------------
11. 10/19: Rbot-ND Worm is Backdoor for Windows
W32/Rbot-ND is a worm and backdoor for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,duel,1nkn,9s3s,a9gz
------------------------------------------------------------
12. 10/19: Forbot-BN Worm Has Trojan Functions
W32/Forbot-BN is a network worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,gff3,3vje,9s3s,a9gz
------------------------------------------------------------
13. 10/19: Forbot-AR Spreads to Remote Shares
W32/Forbot-AR is a worm that attempts to spread to remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,16n0,1,cjr6,gzgz,9s3s,a9gz
------------------------------------------------------------
wawadave
Posted: Wed Oct 20, 2004 4:05 pm

10/20: Bagz-E Worm Kills Antivirus Apps
Bagz.E is a worm that ends processes belonging to antivirus programs and other security
tools, among others.
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,9057,bc6q,9s3s,a9gz
------------------------------------------------------------
3. 10/20: Forbot-BR a Worm, IRC Trojan
W32/Forbot-BR is a network worm and IRC backdoor Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,ffq1,lggl,9s3s,a9gz
------------------------------------------------------------
4. 10/20: Mydoom-AA Worm Spreads Via Email
Worm_Mydoom.AA, like earlier Mydoom variants, mainly spreads via email.
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,81jy,mfa5,9s3s,a9gz
------------------------------------------------------------
5. 10/20: Watsoon-A a Polymorphic Trojan
W32.Watsoon.A is a polymorphic Trojan that opens a backdoor on the compromised system.
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,lui9,lrhq,9s3s,a9gz
------------------------------------------------------------
6. 10/20: Backdoor.Roxe-B Trojan Exploits Flaw
Backdoor.Roxe.B is a backdoor Trojan horse that exploits the Microsoft GDI+ Library JPEG
Segment Length Integer Underflow vulnerability (described in the Microsoft Security
Bulletin MS04-028).
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,dv16,7mqr,9s3s,a9gz
------------------------------------------------------------
7. 10/20: Spybot-FCD Worm Remotely Run
W32.Spybot.FCD is a worm that may be remotely controlled, via Internet Relay Chat (IRC)
channels.
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,dn3v,2536,9s3s,a9gz
------------------------------------------------------------
8. 10/20: Bagz-D Worm Disables Security
W32/Bagz.d@MM is a variant of W32/Bagz@MM and is similar to previous variants (for
example W32/Bagz.b@MM ).
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,k3fz,bxx1,9s3s,a9gz
------------------------------------------------------------
9. 10/20: Spybot-DF an IRC Backdoor Worm
W32/Spybot-DF is an IRC backdoor worm.
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,e5va,b6iy,9s3s,a9gz
------------------------------------------------------------
10. 10/20: Forbot-BQ a Network Worm
W32/Forbot-BQ is a network worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,16pw,1,ewia,drga,9s3s,a9gz
------------------------------------------------------------
wawadave
Posted: Thu Oct 21, 2004 1:09 pm

10/21: Trojan.Sens Monitors Network Activity
Trojan.Sens is a Trojan horse program that installs itself as a service and monitors
network activity on the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,16ta,1,jp6i,5bro,9s3s,a9gz
------------------------------------------------------------
7. 10/21: Bagz-C Worm Uses SMTP Engine
Worm_Bagz.C uses Simple Mail Transfer Protocol (SMTP) to mass-mail copies of itself.
http://nl.internet.com/ct.html?rtr=on&s=1,16ta,1,kggz,3sia,9s3s,a9gz
------------------------------------------------------------
8. 10/21: Bloodhound.Exploit-17 Detects Files
Bloodhound.Exploit.17 is a heuristic detection for malformed Windows Metafile (WMF) and
Enhanced Metafile (EMF) image files.
http://nl.internet.com/ct.html?rtr=on&s=1,16ta,1,clzj,k623,9s3s,a9gz
------------------------------------------------------------
9. 10/21: Rbot-NG Worm Spreads Remotely
W32/Rbot-NG is a worm that attempts to spread to remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,16ta,1,5tem,5ox4,9s3s,a9gz
------------------------------------------------------------
10. 10/21: Toraja-I an Office 97 Macro Virus
OF97/Toraja-I is a macro virus for the Microsoft Office 97 platform.
http://nl.internet.com/ct.html?rtr=on&s=1,16ta,1,qii,hunh,9s3s,a9gz
------------------------------------------------------------
11. 10/21: Banker-EK an Info-Stealing Trojan
Troj/Banker-EK is an information stealing Trojan.
http://nl.internet.com/ct.html?rtr=on&s=1,16ta,1,2bqp,5gcw,9s3s,a9gz
------------------------------------------------------------
wawadave
Posted: Fri Oct 22, 2004 11:02 am

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, October 22, 2004 - Today's report looks at Constructor/EMFTrojan.C,
Netsky.AH, Netsky.AI, Bagz.E, Mydoom.AD and Scranor.A.

Constructor/EMFTrojan.C is a program designed to create malformed image
files to exploit a remote code execution vulnerability in the rendering of
Enhanced Metafile (EMF) image formats, described in Microsoft's MS04-032
bulletin.

Constructor/EMFTrojan offers several options to configure the generated
code, giving the option to take the following action when the file is
opened:

- Open a port through which commands can be sent to the compromised
computer.

- Download and run a file from a specified URL.

To protect computers from this and other similar threats, Panda Software has
developed Exploit/MS04-032.gen, a generic detection for EMF images crafted
specifically to exploit this security flaw.

The first worms that we'll look at today are the AH and AI variants of
Netsky, which are sent via email, using their own SMTP engine, to addresses
that they get from files that are less than 10,000,000 bytes and have one of
the following extensions: DBX, WAB, MBX, EML, MDB, TBB or DAT. They are sent
ten minutes after they are executed and are only sent between October 20 and
October 25 2004. To prevent simultaneous execution Netsky.AH and Netsky.AI
create the mutex "0x452A561C".

The next worm in today's report is Bagz.E, which spreads in an email with
variable characteristics. It terminates processes of applications such as
antivirus programs, leaving the computer vulnerable to attack from other
malware.

Bagz.E creates several files in the Windows directory of the computer it
affects. This worm also modifies the HOSTS file, preventing access to the
websites of several antivirus and IT security companies.

Mydoom.AD also spreads via email in a variable message. It spoofs the
sender's address using a set list of names and domains.

Using its own SMTP engine, Mydoom.AD sends a copy of itself to all addresses
in the files it finds with the following extensions (provided they don't
have certain text strings): ADB, ASP, CFG, CGI, DBX, EML, HTM, HTML, JSP,
MBX, MDX, MSG, PHP, PL, SHT, TBB, TXT, UIN, VBS, WAB, WSH, XLS and XML.

To ensure that only one copy of itself is run at a time, Mydoom.AD creates
a mutex called My-Game. Just like the worm mentioned above, Mydoom.AD
also edits the HOSTS file to prevent access to the websites of several
antivirus companies.

The AD variant of Mydoom tries to download a file from a web page
corresponding to Scranor.A, another worm. It saves the file in the root
directory, renames it and then executes it.

Finally we will look at Scranor.A, a worm that propagates by making copies
of itself without infecting other files. Its aim is to saturate and crash
computers and networks.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- SMTP (Simple Mail Transfer Protocol): This is a protocol used on the
Internet exclusively for sending e-mail messages.

More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
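The reports above describe Funner.A, Bagz.E and Mydoom.AD rewriting the HOSTS file so that antivirus and security-vendor sites no longer resolve. Below is an added defender-side check, not code from the posts or from Panda Software, that parses a HOSTS file and flags any line pinning a watched vendor domain to an address; the vendor watchlist and the sample file are constructed for illustration.

```python
"""Scan a Windows-style HOSTS file for entries that hijack security-vendor domains.

Worms such as Funner.A, Bagz.E and Mydoom.AD edit HOSTS so that antivirus
vendors' sites resolve to a dead address and signature updates silently fail.
This checker parses HOSTS-format text and reports any mapping for a
watchlisted domain, whatever address it points to. The watchlist and the
sample file below are constructed for this example.
"""
import ipaddress
import re
from typing import List, Tuple

# Assumed watchlist: domains a defender expects never to appear in HOSTS.
# (Constructed for this example; extend with your own update servers.)
WATCHED_DOMAINS = {
    "pandasoftware.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
    "windowsupdate.com",
}

# Entries that are normal on any Windows box and must not be flagged.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

Finding = Tuple[int, str, str, str]  # (line number, address, hostname, reason)


def _parent_domains(hostname: str):
    """Yield the hostname and each parent, e.g. a.b.c -> a.b.c, b.c, c."""
    parts = hostname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def scan_hosts(text: str) -> List[Finding]:
    """Return one Finding per suspicious line in HOSTS-format text.

    A line is suspicious if it maps a watchlisted domain (or a subdomain
    of one) to any address, or if its address field is not a valid IP
    literal (a malformed line is worth a look in its own right).
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, hostnames = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, " ".join(hostnames), "malformed address"))
            continue
        for host in hostnames:
            if (addr, host.lower()) in BENIGN:
                continue
            watched = next((d for d in _parent_domains(host) if d in WATCHED_DOMAINS), None)
            if watched:
                target = "loopback" if ip.is_loopback else "non-loopback address"
                findings.append((lineno, addr, host, f"watched domain {watched} pinned to {target}"))
    return findings


# Constructed sample: a stock header, a benign localhost line, and the kind
# of vendor-blocking entries the worms in the reports above write.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         update.sophos.com       # worm-style block entry
10.0.0.5        intranet.example        # ordinary local override, not watched
"""

if __name__ == "__main__":
    for lineno, addr, host, reason in scan_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} -> {host}: {reason}")
```

On a live system, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit for a vendor domain is a strong indicator that a worm of this kind has been active.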
wawadave
Posted: Fri Oct 22, 2004 7:23 pm

10/22: Buchon Worm Mass Mails Itself
W32/Buchon.gen@MM is a worm that is a new Netsky variant, but is not considered to be a
member of the W32/Netsky family, according to McAfee.
http://nl.internet.com/ct.html?rtr=on&s=1,16wj,1,m9ax,h829,9s3s,a9gz
------------------------------------------------------------
4. 10/22: JS/Scob-A a JavaScript Trojan
JS/Scob-A is a JavaScript Trojan that is reported to be appended to HTML files on IIS
machines.
http://nl.internet.com/ct.html?rtr=on&s=1,16wj,1,bzd9,cfvu,9s3s,a9gz
------------------------------------------------------------
5. 10/22: Emcommander Trojan Sent as EMF Image
Backdoor.Emcommander is a Backdoor Trojan distributed as an EMF image file.
http://nl.internet.com/ct.html?rtr=on&s=1,16wj,1,ehqh,55j8,9s3s,a9gz
------------------------------------------------------------
6. 10/22: Netsky-AI Worm Spoofs Email Failure
Netsky.AI is a worm without damaging effects that spreads via e-mail in a message with
the subject 'Mail Delivery failure.'
http://nl.internet.com/ct.html?rtr=on&s=1,16wj,1,7c7h,ecjr,9s3s,a9gz
------------------------------------------------------------
7. 10/22: Netsky-AH a Low-Risk Worm
W32/Netsky.ah@MM worm is somewhat of a stripped down version compared to previous Netsky
variants.
http://nl.internet.com/ct.html?rtr=on&s=1,16wj,1,5ecm,euf8,9s3s,a9gz
------------------------------------------------------------
8. 10/22: Baba-A a Mass-Mailing Worm
W32/Baba-A is a mass-mailing worm.
http://nl.internet.com/ct.html?rtr=on&s=1,16wj,1,2on,hgai,9s3s,a9gz
------------------------------------------------------------
9. 10/22: Rbot-NJ Worm Has Trojan Functions
W32/Rbot-NJ is a network worm that contains IRC backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,16wj,1,79y5,gm6k,9s3s,a9gz
------------------------------------------------------------
10. 10/22: Netsky-AE Worm Harvests Addresses
Security vendors have issued an alert for W32/Netsky-AE, a mass-mailing worm of the
Netsky family.
http://nl.internet.com/ct.html?rtr=on&s=1,16wj,1,lrii,jgz9,9s3s,a9gz
------------------------------------------------------------
wawadave
Posted: Sun Oct 24, 2004 5:25 pm

"Nothing can be done except little by little."
Charles Baudelaire (1821-1867); French poet.

- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, October 24, 2004 - Today's report looks at Constructor/EMFTrojan.C,
Netsky.AH, Netsky.AI, Bagz.E, Mydoom.AD and Scranor.A.

Constructor/EMFTrojan.C is a program designed to create malformed image
files to exploit a remote code execution vulnerability in the rendering of
Enhanced Metafile (EMF) image formats, described in Microsoft's MS04-032
bulletin.

Constructor/EMFTrojan offers several options to configure the generated
code, giving the option to take the following action when the file is
opened:

- Open a port through which commands can be sent to the compromised
computer.

- Download and run a file from a specified URL.

To protect computers from this and other similar threats, Panda Software has
developed Exploit/MS04-032.gen, a generic detection for EMF images crafted
specifically to exploit this security flaw.

The first worms that we'll look at today are the AH and AI variants of
Netsky, which are sent via email, using their own SMTP engine, to addresses
that they get from files that are less than 10,000,000 bytes and have one of
the following extensions: DBX, WAB, MBX, EML, MDB, TBB or DAT. They are sent
ten minutes after they are executed and are only sent between October 20 and
October 25 2004. To prevent simultaneous execution Netsky.AH and Netsky.AI
create the mutex "0x452A561C".

The next worm in today's report is Bagz.E, which spreads in an email with
variable characteristics. It terminates processes of applications such as
antivirus programs, leaving the computer vulnerable to attack from other
malware.

Bagz.E creates several files in the Windows directory of the computer it
affects. This worm also modifies the HOSTS file, preventing access to the
websites of several antivirus and IT security companies.

Mydoom.AD also spreads via email in a variable message. It spoofs the
sender's address using a set list of names and domains.

Using its own SMTP engine, Mydoom.AD sends a copy of itself to all addresses
in the files it finds with the following extensions (provided they don't
have certain text strings): ADB, ASP, CFG, CGI, DBX, EML, HTM, HTML, JSP,
MBX, MDX, MSG, PHP, PL, SHT, TBB, TXT, UIN, VBS, WAB, WSH, XLS and XML.

To ensure that only one copy of itself is run at a time, Mydoom.AD creates
a mutex called My-Game. Just like the worm mentioned above, Mydoom.AD
also edits the HOSTS file to prevent access to the websites of several
antivirus companies.

The AD variant of Mydoom tries to download a file from a web page
corresponding to Scranor.A, another worm. It saves the file in the root
directory, renames it and then executes it.

Finally we will look at Scranor.A, a worm that propagates by making copies
of itself without infecting other files. Its aim is to saturate and crash
computers and networks.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- SMTP (Simple Mail Transfer Protocol): This is a protocol used on the
Internet exclusively for sending e-mail messages.

More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
All times are GMT - 8 Hours
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group