Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Virus alerts for week of 10/25/04

 
Forum: Virus, Worm & Trojan Alerts
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Mon Oct 25, 2004 6:13 pm    Post subject: Virus alerts for week of 10/25/04

10/25: Huayu Worm Exploits LSASS Flaw
W32.Huayu is a worm that spreads by exploiting the Microsoft Windows LSASS Buffer Overrun
Vulnerability, described in Microsoft Security Bulletin MS04-011.
http://nl.internet.com/ct.html?rtr=on&s=1,16zc,1,8qex,95tn,9s3s,a9gz
------------------------------------------------------------
5. 10/25: Turon-B Worm Uses own Engine
Worm_Turon.B is a memory resident worm that arrives and propagates through email using
its own SMTP engine. It is also able to propagate via network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,16zc,1,bhce,ew4l,9s3s,a9gz
------------------------------------------------------------
6. 10/25: Buchon-A a Mass-Mailing Worm
W32.Buchon.A@mm is a mass-mailing worm that uses its own SMTP engine to send itself to
email addresses it finds on the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,16zc,1,4ptz,avnk,9s3s,a9gz
------------------------------------------------------------
7. 10/25: Rbot-NK Hides in Background
W32/Rbot-NK is a worm that attempts to spread to remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,16zc,1,lq46,lugs,9s3s,a9gz
------------------------------------------------------------
8. 10/25: Forbot-BU a Network Worm and Trojan
W32/Forbot-BU is a network worm and IRC backdoor Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,16zc,1,lxv0,ekb9,9s3s,a9gz
------------------------------------------------------------
9. 10/25: SH/Renepo-A a Shell Script Worm
SH/Renepo-A is a shell script worm targeted at the Macintosh OS X platform.
http://nl.internet.com/ct.html?rtr=on&s=1,16zc,1,fd8f,blem,9s3s,a9gz
------------------------------------------------------------
10. 10/25: Forbot-BW a Network Worm
W32/Forbot-BW is a network worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,16zc,1,asn1,a7mw,9s3s,a9gz
------------------------------------------------------------
11. 10/25: Bagz-D a Mass-Mailing Worm
W32/Bagz-D is a mass-mailing network worm that also contains a backdoor which allows an
intruder to download and install further components.
http://nl.internet.com/ct.html?rtr=on&s=1,16zc,1,k4g,ttp,9s3s,a9gz
------------------------------------------------------------
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
wawadave
PostPosted: Mon Oct 25, 2004 6:17 pm

MADRID, October 25, 2004 - PandaLabs has detected a new worm called Famus.B,
which uses so-called social engineering techniques to spread to users'
computers. Famus.B spreads via email in a message in English and Spanish
referring to the conflict in Iraq. To be more specific, it tries to trick
users into believing that the file contains photographs of these dramatic
events. This message has the following format:

Subject:
Iraq and the crime

Message body:
what is really happening in Iraq?
the pictures of the soldiers and prisoners in Iraq
foward this message.
everybody should know the truth.

Qué está sucediendo realmente en Iraq?
Estas son las fotos de los prisioneros y los
soldados en Iraq.
Reenvia este mensaje, todo el mundo debe saber
la verdad.

The attached file, which actually contains the worm's code, is called
Iraq.scr. What's more, the source code of this file contains the following
message from the author of this malicious code:

Esta computadora ha sido infectada
por el virus LIBERTAD.
Como protesta por la violación del
derecho a la libertad de expresión en
Cuba.
En estos momentos toda la información de
su
disco duro esta siendo borrada
El Hobbit

If the user runs this file, Famus.B displays a false error message on screen
with the text: File corrupted or bad format. The worm also sends itself out
to all the addresses it finds in the files with a DOC, EML, HTM, and HTT
extension on the affected computer. To do this, it uses an SMTP engine that
it creates on the affected computer in the form of an OCX library file.

Finally, Famus.B creates an entry in the Windows Registry in order to ensure
that it is run whenever the affected computer is started up.
Even though Panda Software's Tech Support services have not received any
reports of incidents involving this worm, as it uses a current issue like
the conflict in Iraq, this worm is likely to start causing incidents soon.
For this reason, Panda Software advises users to take precautions and update
their antivirus software. Panda Software has made the corresponding updates
available to its clients to detect and disinfect this new malicious code.

For further information about Famus.B and other computer threats, visit
Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

In addition, users can scan their computers online for free with the Panda
ActiveScan, available at http://www.pandasoftware.com/

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
wawadave
PostPosted: Tue Oct 26, 2004 3:11 pm

10/26: Spydeleter Installs Spyware
Spydeleter is a spyware program that downloads and installs other spyware programs.

http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,2byu,5dao,9s3s,a9gz
------------------------------------------------------------
4. 10/26: Rbot-NU Worm Allows Remote Access
W32/Rbot-NU is a worm that attempts to spread via remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,3dg4,5rhi,9s3s,a9gz
------------------------------------------------------------
5. 10/26: Swash-A Worm Harvests Hard Disk
Worm_Swash.A is a memory resident worm that spreads via email through Simple Mail
Transfer Protocol (SMTP), gathering target recipients from the local hard disk.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,7e5q,f03e,9s3s,a9gz
------------------------------------------------------------
6. 10/26: Vote-L Worm Drops File Into Folder
Worm_Vote.L is a memory resident worm that arrives and propagates via email.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,b9zf,azrf,9s3s,a9gz
------------------------------------------------------------
7. 10/26: Sdbot-AE Trojan Opens Remote Access
Backdoor.Sdbot.AE is a backdoor Trojan horse program that spreads via network shares and
allows a remote attacker to gain unauthorized access to a compromised system.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,ktoh,dmo0,9s3s,a9gz
------------------------------------------------------------
8. 10/26: Netsky-AE Worm Uses Own Engine
W32.Netsky.AE@mm is a mass-mailing worm that uses its own SMTP engine to send itself to
all email addresses it finds in the Windows Address Book on the infected system.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,fkvx,2im,9s3s,a9gz
------------------------------------------------------------
9. 10/26: Mydoom-AG a Mass-Mailing Worm
W32.Mydoom.AG@mm is a mass-mailing worm that uses its own SMTP engine to send itself to
the email addresses that it finds on the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,gs8b,3iu6,9s3s,a9gz
------------------------------------------------------------
10. 10/26: Rbot-NT Worm Spreads to Remote Shares
W32/Rbot-NT is a member of the Rbot family of worms that attempt to spread to remote
network shares with the backdoor functionality for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,jmya,hohz,9s3s,a9gz
------------------------------------------------------------
11. 10/26: Rbot-NS a Network Worm and Trojan
W32/Rbot-NS is a network worm that contains IRC backdoor Trojan functionality, allowing
unauthorized remote access to the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,8xjp,6w6z,9s3s,a9gz
------------------------------------------------------------
12. 10/26: Famus-B Worm Sends Email About Iraq
Panda Software has issued an alert for a new worm called Famus.B, which uses so-called
social engineering techniques to spread to users' computers.
http://nl.internet.com/ct.html?rtr=on&s=1,173g,1,ly6r,lxjv,9s3s,a9gz
------------------------------------------------------------
wawadave
PostPosted: Tue Oct 26, 2004 4:51 pm

VIRUS TARGETS MAC OS X USERS | SearchSecurity.com

Security experts say the Opener virus should serve as a warning that
non-Microsoft users' machines aren't attack-proof.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1019129,00.html?track=NL-102&ad=494263
wawadave
PostPosted: Wed Oct 27, 2004 1:29 pm

10/27: Anpes Mass-Mailing Worm Uses Outlook
W32.Anpes@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to email
addresses gathered from the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,amve,97qa,9s3s,a9gz
------------------------------------------------------------
4. 10/27: Bag-E Worm Spreads Via Email
Some security vendors have issued an alert for Worm_Bagz.E, which, like earlier BAGZ
variants, spreads via email using SMTP (Simple Mail Transfer Protocol).
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,hr8r,9z1,9s3s,a9gz
------------------------------------------------------------
5. 10/27: Unix/Opener.worm Contains Shell Script
Unix/Opener.worm is a file containing a Unix type shell script.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,jose,id6p,9s3s,a9gz
------------------------------------------------------------
6. 10/27: Trojan.Ceegar Exploits IE Flaw
Trojan.Ceegar is a downloader Trojan horse program that exploits the Microsoft Internet
Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,jl9f,lsbc,9s3s,a9gz
------------------------------------------------------------
7. 10/27: Agobot-NS Worm also a Trojan
W32/Agobot-NS is a network worm that contains IRC backdoor Trojan functionality, allowing
a remote user to access the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,52sg,gqof,9s3s,a9gz
------------------------------------------------------------
8. 10/27: Rbot-NV Worm has Trojan Abilities
W32/Rbot-NV is a worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,byof,d5cj,9s3s,a9gz
------------------------------------------------------------
9. 10/27: Rbot-OB Worm Spreads Via Shares
W32/Rbot-OB is a network worm that attempts to spread via network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,l96f,ei36,9s3s,a9gz
------------------------------------------------------------
10. 10/27: Rbot-NY a Worm and Backdoor
W32/Rbot-NY is a network worm and IRC backdoor for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,34hu,cfm5,9s3s,a9gz
------------------------------------------------------------
11. 10/27: Rbot-NZ Spreads Through OS Flaws
W32/Rbot-NZ is a network worm and IRC backdoor for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,gfzh,6zz4,9s3s,a9gz
------------------------------------------------------------
12. 10/27: Famus-C Worm Sends Private Data
Famus.C is a worm that sends private data of the affected computer to its author.
http://nl.internet.com/ct.html?rtr=on&s=1,176e,1,g5n9,fjit,9s3s,a9gz
------------------------------------------------------------

wawadave
PostPosted: Wed Oct 27, 2004 3:09 pm

SECURITY BYTES: NEW WORM VARIANTS PLAGUE E-MAIL; FLAWS FOUND IN LINUX
AND SOLARIS | SearchSecurity.com

Famus-B uses Iraq war to spread, while Myflip claims to be from eBay.
IBM announces new security index.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1019679,00.html?track=NL-102&ad=495732
wawadave
PostPosted: Thu Oct 28, 2004 1:54 pm

10/28: Gaobot-BOW is Network-Aware
W32.Gaobot.BOW is a network-aware worm that has backdoor capabilities and can be
controlled through IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,flc3,lvkx,9s3s,a9gz
------------------------------------------------------------
5. 10/28: Erkez-C Worm Finds Addresses
W32.Erkez.C@mm is a mass-mailing worm that sends itself to email addresses it finds on
the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,5uwx,9l9c,9s3s,a9gz
------------------------------------------------------------
6. 10/28: Ranky-J Trojan Lets Attackers In
Backdoor.Ranky.J is a backdoor server program that allows a remote attacker to use the
infected computer as a covert proxy.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,5e7i,4s1n,9s3s,a9gz
------------------------------------------------------------
7. 10/28: Backdoor.Ranky-K a Server Program
Backdoor.Ranky.K is a backdoor server program that allows an infected computer to be used
as a covert proxy.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,jas,jtsf,9s3s,a9gz
------------------------------------------------------------
8. 10/28: Zafi-C an Email Worm
W32/Zafi.c@MM is an email worm that bears similarities to its predecessors, for example
W32/Zafi.b@MM.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,3spo,9f0p,9s3s,a9gz
------------------------------------------------------------
9. 10/28: Exploit-RealSkin Detects Zip Files
Exploit-RealSkin is a detection for ZIP files that have been modified to exploit a
vulnerability in a component of Real Player.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,6i8o,kcc4,9s3s,a9gz
------------------------------------------------------------
10. 10/28: Randex-BRD Worm Targets Passwords
W32.Randex.BRD is a network-aware worm that spreads to network shares protected by weak
passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,divj,d3t5,9s3s,a9gz
------------------------------------------------------------
11. 10/28: Backdoor.Futro a Server Program
Backdoor.Futro is a typical backdoor server program.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,ec5z,gqep,9s3s,a9gz
------------------------------------------------------------
12. 10/28: Bagz-F a Mass-Mailing Worm
W32.Bagz.F@mm is a mass-mailing worm that uses its own SMTP engine to send itself to
email addresses gathered from the compromised system.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,abgh,d7u5,9s3s,a9gz
------------------------------------------------------------
13. 10/28: Gaobot-BOW Worm also a Trojan
W32.Gaobot.BOW is a network-aware worm that has backdoor capabilities and can be
controlled through IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,9tl6,4hjy,9s3s,a9gz
------------------------------------------------------------
14. 10/28: Forbot-BZ an IRC Trojan and Worm
W32/Forbot-BZ is an IRC backdoor Trojan and network worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,9aoo,b8ym,9s3s,a9gz
------------------------------------------------------------
15. 10/28: Agobot-NU a Worm and Backdoor
W32/Agobot-NU is a worm and backdoor for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,179p,1,5re,jusy,9s3s,a9gz
------------------------------------------------------------

wawadave
PostPosted: Fri Oct 29, 2004 10:43 am

AMBER ALERT: A new variant, BC, of the Bagle worm
appears and spreads rapidly -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, October 29, 2004 - PandaLabs has detected the appearance of the BC
variant of the Bagle worm. This new malicious code has started spreading
rapidly, causing numerous incidents in users' computers around the globe.
For this reason, Panda Software has declared an amber alert. Panda Software
clients that have already installed the new TruPrevent Technologies have
preventive protection against this worm, as they were able to detect and
block this new virus without needing to be able to identify it first (more
information about the new TruPrevent Technologies at
http://www.pandasoftware.com/truprevent).

Panda Software has made the corresponding updates available to its clients
to detect and disinfect this new malicious code.

Bagle.BC spreads rapidly via email. The messages carrying this worm have the
following characteristics:

Subject: (any of the following):
Re:
Re:Hello
Re:Hi
Re:Thank you!
Re:Thanks :)

Message: :) or :))

Attachments (any of the following):
Joke
Price
price

The extension of these files can be: com, cpl, exe or scr.

What's more, Bagle.BC spoofs the address of the sender of the email message
that causes the infection.

If the user runs the attachment, Bagle.BC looks for email addresses to send
itself out to in the files with certain extensions stored on the affected
computer. To do this, and to spread even wider, Bagle.BC copies itself to
all the directories whose name contains the text string 'shar', which are
usually shared folders. By doing this, it can easily spread across networks
and P2P applications. To achieve this aim, it uses a large number of
attractive names to entice users, such as ACDSee 9.exe, Adobe Photoshop 9
full.exe or Ahead Nero 7.exe, and many others.

Bagle.BC also ends the processes of many antivirus and security programs,
leaving the computer vulnerable to attack from other malicious code, making
Bagle.BC an even more dangerous worm. However, Bagle.BC cannot deactivate
the TruPrevent Technologies, and therefore, computers with this protection
installed are perfectly safe from this worm.

Another dangerous effect of Bagle.BC is that it opens the TCP communications
port 81, allowing a hacker to carry out remote attacks. It also tries to
download a file called G.JPG from certain Internet addresses.

In order to ensure that it is always present on computers, Bagle.BC creates
three copies of itself called wingo.exe, wingo.exeopen and
wingo.exeopenopen, and inserts an entry in the Windows Registry to ensure it
is run whenever the computer is started up.

According to Luis Corrons, head of PandaLabs, "Bagle.BC is here to pick up
the cyberwar that started a few months ago between several groups of virus
creators. This time, it is a malicious code that uses social engineering and
can spread extremely rapidly. These two characteristics make Bagle.BC a
particularly dangerous worm, as users have a high probability of receiving
an email message carrying this malicious code."

To prevent incidents involving Bagle.BC, Panda Software advises users to
take precautions and update their antivirus software.

Panda Software's clients can already access the updates for installing the
new TruPrevent Technologies along with their antivirus protection, providing
a preventive layer of protection against this and other new malicious code.
For users with a different antivirus program installed, Panda TruPrevent
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive
protection that acts while the new virus is still being studied and the
corresponding update is incorporated into traditional antivirus programs,
decreasing the risk of infection. More information about TruPrevent
Technologies at http://www.pandasoftware.com/truprevent.

For further information about Bagle.BC, visit Panda Software's Virus
Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=53891

In addition, users can scan their computers online for free with Panda
ActiveScan, available at http://www.pandasoftware.com.


------------------------------------------------------------
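Added example (not part of the Panda alert or of this forum post): a Python triage script that checks constructed sample mail and a constructed host snapshot against the Bagle.BC traits the alert above lists (lure subjects and bodies, Joke/Price attachments with com/cpl/exe/scr extensions, executables dropped under directories containing 'shar', the wingo.exe copies, the Run-key entry and the TCP port 81 listener). The message contents, file paths and registry values are constructed; only the indicator values come from the alert.

```python
"""Defender-side triage for the Bagle.BC traits quoted in the alert above:
lure subjects, ':)' / ':))' bodies, Joke/Price attachments with a com, cpl,
exe or scr extension, executables dropped under directories whose name
contains 'shar', the wingo.exe* persistence copies, the Run-key entry and
the TCP port 81 listener. All sample messages, paths and registry values
below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List

# Indicator values exactly as the alert lists them.
LURE_SUBJECTS = {"re:", "re:hello", "re:hi", "re:thank you!", "re:thanks :)"}
LURE_BODIES = {":)", ":))"}
LURE_ATTACH_NAMES = {"joke", "price"}
LURE_EXTENSIONS = {"com", "cpl", "exe", "scr"}
PERSISTENCE_COPIES = {"wingo.exe", "wingo.exeopen", "wingo.exeopenopen"}
BACKDOOR_PORT = 81


@dataclass
class Message:
    subject: str
    body: str
    attachment: str  # attachment file name, "" when there is none


def _squash(text: str) -> str:
    """Lower-case and drop whitespace so 'Re: Hi' and 'Re:Hi' compare equal."""
    return "".join(text.lower().split())


def score_message(msg: Message) -> List[str]:
    """Return the Bagle.BC traits a message shows (empty list means none)."""
    hits = []
    if _squash(msg.subject) in {_squash(s) for s in LURE_SUBJECTS}:
        hits.append("subject")
    if msg.body.strip() in LURE_BODIES:
        hits.append("body")
    name, _, ext = msg.attachment.rpartition(".")
    if name.lower() in LURE_ATTACH_NAMES and ext.lower() in LURE_EXTENSIONS:
        hits.append("attachment")
    return hits


def is_bagle_bc_lure(msg: Message) -> bool:
    """A bare 'Re:' subject is ordinary mail, so quarantine only when the
    attachment trait is present together with at least one other trait."""
    hits = score_message(msg)
    return "attachment" in hits and len(hits) >= 2


@dataclass
class HostSnapshot:
    files: List[str]            # full paths present on disk
    listening_ports: List[int]  # TCP ports with a listener
    run_keys: Dict[str, str]    # ...\CurrentVersion\Run value name -> command


def check_host(snap: HostSnapshot) -> List[str]:
    """Match a host snapshot against the on-disk, port and Run-key traits."""
    findings = []
    for path in snap.files:
        parts = path.replace("\\", "/").lower().split("/")
        base, dirs = parts[-1], parts[:-1]
        if base in PERSISTENCE_COPIES:
            findings.append(f"persistence copy: {path}")
        # The alert's own rule: any directory whose name contains 'shar'.
        elif any("shar" in d for d in dirs) and base.rpartition(".")[2] in LURE_EXTENSIONS:
            findings.append(f"executable in share-like folder: {path}")
    if BACKDOOR_PORT in snap.listening_ports:
        findings.append(f"listener on TCP {BACKDOOR_PORT}")
    for value, cmd in snap.run_keys.items():
        if any(copy in cmd.lower() for copy in PERSISTENCE_COPIES):
            findings.append(f"Run value '{value}' starts {cmd}")
    return findings


# Constructed samples: two lures, one ordinary reply, one benign smiley mail.
SAMPLE_MESSAGES = [
    Message("Re: Thanks :)", ":))", "Price.scr"),
    Message("Re:", "see attached", "price.cpl"),
    Message("Re: Hi", "hi there, still on for 3?", ""),
    Message("Invoice", ":)", "report.pdf"),
]
SAMPLE_HOST = HostSnapshot(
    files=[r"C:\WINDOWS\system32\wingo.exe", r"C:\WINDOWS\system32\wingo.exeopenopen",
           r"C:\Program Files\KaZaA\My Shared Folder\ACDSee 9.exe",
           r"C:\Program Files\KaZaA\My Shared Folder\readme.txt", r"C:\docs\notes.txt"],
    listening_ports=[135, 445, 81],
    run_keys={"wingo": r"C:\WINDOWS\system32\wingo.exe"},
)


def triage():
    """Run both checks over the constructed samples."""
    flagged = [m.subject for m in SAMPLE_MESSAGES if is_bagle_bc_lure(m)]
    return flagged, check_host(SAMPLE_HOST)


if __name__ == "__main__":
    print(*triage(), sep="\n")
```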
wawadave
PostPosted: Fri Oct 29, 2004 3:32 pm

Virus Alerts [RED ALERT: While the Bagle.BC continues causing incidents worldwide, new variants, BD and BE, have appeared - 10/29/04]

From: Virus Alerts <virusalerts@pandasoftware.com>, 9:18am
- RED ALERT: While the Bagle.BC continues causing
incidents worldwide, new variants, BD and BE, have appeared -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, October 29, 2004 - The Bagle.BC worm is increasing its already high
rate of propagation, causing more and more incidents in users' computers
worldwide. Just a few hours after it appeared, it has made the top half of
the ranking of the viruses most frequently detected by the online antivirus
scanner, Panda ActiveScan. Even so, the number of incidents caused by this
worm is expected to continue increasing and new variants are expected to
emerge over the next few hours.

This has prompted Panda Software to declare a Red Virus Alert as a
preventive measure, so that all users can protect themselves against these
worms and prevent their computers from being infected. Similarly, companies
also risk their communications being slowed down by the large number of
emails that mail servers will have to process.

In addition to this worm, PandaLabs has detected the appearance of the two
new variants, BD and BE, of the same worm. As with Bagle.BC, Panda Software
clients that have already installed the new TruPrevent Technologies have
preventive protection against these worms, as they were able to detect and
block these new variants of the Bagle worm without needing to be able to
identify them first (more information about the new TruPrevent Technologies
at http://www.pandasoftware.com/truprevent).

Panda Software has made the corresponding updates available to its clients
to detect and disinfect these new worms. What's more, it has made its free
PQRemove utility available to all users to effectively detect and eliminate
Bagle.BC from computers affected by this worm. Users can download this
utility from http://www.pandasoftware.com/download/utilities/

With the appearance of these new variants, the objective of the authors of
these worms is obvious: release the maximum number of malicious code to
increase the huge probability of computers being hit by one of them.
According to Luis Corrons: "this is a technique that is being used more
often. Virus creators know that the reaction time to new threats is
critical, and therefore, the faster they can release various viruses, the
easier it is for users to take too long to update their system. This problem
is resolved with our TruPrevent Technologies, which have blocked these new
worms without users needing to do a thing."

The new variants detected are very similar to Bagle.BC, a worm that spreads
via email, networks and P2P applications like KaZaA. However, they do have
some difference, such as the number of files they generate on the computers
they infect.

The three new Bagle worms share the fact that they have been designed to end
the processes belonging to antivirus and security applications running in
memory. However, none of these worms can affect the functioning of the
TruPrevent Technologies.

To prevent incidents involving the new variants of Bagle, Panda Software
advises users to take precautions and to keep their antivirus software
updated.

Panda Software's clients can already access the updates for installing the
new TruPrevent Technologies along with their antivirus protection, providing
a preventive layer of protection against these and other new malicious code.
For users with a different antivirus program installed, Panda TruPrevent
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive
protection that acts while the new virus is still being studied and the
corresponding update is incorporated into traditional antivirus programs,
decreasing the risk of infection. More information about TruPrevent
Technologies at http://www.pandasoftware.com/truprevent

For further information about Bagle.BC, Bagle.BD and Bagle.BE, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

In addition, users can scan their computers online for free with Panda
ActiveScan, available at http://www.pandasoftware.com


wawadave
PostPosted: Fri Oct 29, 2004 3:33 pm

Oxygen3 24h-365d [Bagle.BC is spreading rapidly worldwide - 29/10/04]

From: Oxygen3 24h-365d <oxygen@pandasoftware.com>, 9:22am
- Bagle.BC is spreading rapidly worldwide -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, October 29, 2004 - PandaLabs has detected the appearance of the BC
variant of the Bagle worm. This new malicious code has started spreading
rapidly, causing numerous incidents in users' computers around the globe.
For this reason, Panda Software has declared a red alert. Panda Software
clients that have already installed the new TruPrevent Technologies have
preventive protection against this worm, as they were able to detect and
block this new virus without needing to be able to identify it first (more
information about the new TruPrevent Technologies at
http://www.pandasoftware.com/truprevent). Panda Software has made the
corresponding updates available to its clients to detect and disinfect this
new malicious code.

This has prompted Panda Software to declare a Red Virus Alert as a
preventive measure, so that all users can protect themselves against this
worm and prevent their computers from being infected. Similarly, companies
also risk their communications being slowed down by the large number of
emails that mail servers will have to process.

Bagle.BC spreads rapidly via email. The messages carrying this worm have the
following characteristics:

Subject: (any of the following): Re:; Re:Hello; Re:Hi; Re:Thank you!;
Re:Thanks :)

Message: :) or :))

Attachments (any of the following): Joke; Price; price

The extension of these files can be: com, cpl, exe or scr.

What's more, Bagle.BC spoofs the address of the sender of the email message
that causes the infection.

If the user runs the attachment, Bagle.BC looks for email addresses to send
itself out to in the files with certain extensions stored on the affected
computer. To do this, and to spread even wider, Bagle.BC copies itself to
all the directories whose name contains the text string 'shar', which are
usually shared folders. By doing this, it can easily spread across networks
and P2P applications. To achieve this aim, it uses a large number of
attractive names to entice users, such as ACDSee 9.exe, Adobe Photoshop 9
full.exe or Ahead Nero 7.exe, and many others.

Bagle.BC also ends the processes of many antivirus and security programs,
leaving the computer vulnerable to attack from other malicious code, making
Bagle.BC an even more dangerous worm. However, Bagle.BC cannot deactivate
the TruPrevent Technologies, and therefore, computers with this protection
installed are perfectly safe from this worm.

Another dangerous effect of Bagle.BC is that it opens the TCP communications
port 81, allowing a hacker to carry out remote attacks. It also tries to
download a file called G.JPG from certain Internet addresses.

In order to ensure that it is always present on computers, Bagle.BC creates
three copies of itself called wingo.exe, wingo.exeopen and
wingo.exeopenopen, and inserts an entry in the Windows Registry to ensure it
is run whenever the computer is started up.

PandaLabs has detected the appearance of the two new variants, BD and BE, of
the same worm. As with Bagle.BC, Panda Software clients that have already
installed the new TruPrevent Technologies have preventive protection against
these worms, as they were able to detect and block these new variants of the
Bagle worm without needing to be able to identify them first.

Panda Software has made the corresponding updates available to its clients
to detect and disinfect these new worms. What's more, it has made its free
PQRemove utility available to all users to effectively detect and eliminate
Bagle.BC from computers affected by this worm. Users can download this
utility from the following address:
http://www.pandasoftware.com/download/utilities/

For further information about Bagle.BC, Bagle.BD and Bagle.BE visit Panda
Software's Virus Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
wawadave

PostPosted: Fri Oct 29, 2004 3:36 pm

1. Another Bagle Variant Tears up the Internet
Yet another variant from the virulent Bagle family of worms is rampaging across the
Internet.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,f2ny,at5f,9s3s,a9gz

10/29: Bagle-AS Worm Arrives Via Email
Win32/Bagle.AS is a worm that arrives via email or shared folders.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,llvc,8z86,9s3s,a9gz
------------------------------------------------------------
6. 10/29: Bagle-AT Virus Sends Attachments
Security vendor Trend Micro has declared a MEDIUM risk virus alert to control the spread
of Worm_Bagle.AT.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,7kmj,bwmm,9s3s,a9gz
------------------------------------------------------------
7. 10/29: Bagle-BD Virus Harvests Addresses
W32/Bagle.bd@MM is a variant of the W32/Bagle virus.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,lxfz,1ye,9s3s,a9gz
------------------------------------------------------------
8. 10/29: Bagle-BC Raising a Ruckus
W32/Bagle.bc is a new variant of the Bagle virus.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,49nx,4zzn,9s3s,a9gz
------------------------------------------------------------
9. 10/29: Bagle-BB Virus a 'Medium Threat'
W32/Bagle.bb@mm is a mass-mailing virus with a medium threat assessment by McAfee due to
high prevalence.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,5vgk,emu1,9s3s,a9gz
------------------------------------------------------------
10. 10/29: Singu-B Allows Remote Access
Backdoor.Singu.B is a Trojan horse program that allows unauthorized remote access.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,1u2p,j4k7,9s3s,a9gz
------------------------------------------------------------
11. 10/29: Trojan.Disabler Kills Open Apps
Trojan.Disabler is a trojan program that closes open applications and may cause unsaved
data to be lost.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,afzl,6v79,9s3s,a9gz
------------------------------------------------------------
12. 10/29: Beagle@mm!CPL Detects Worms
W32.Beagle@mm!cpl is a generic detection for variants of W32.Beagle@mm that use Control
Panel applets as droppers.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,jw8b,2e5x,9s3s,a9gz
------------------------------------------------------------
13. 10/29: Beagle-AU Worm Hitting Hard & Fast
W32.Beagle.AU@mm is a mass-mailing worm that also spreads through file-sharing networks.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,bre1,avsr,9s3s,a9gz
------------------------------------------------------------
14. 10/29: Beagle-AW Worm Opens Port 81
W32.Beagle.AW@mm is a mass-mailing worm that also spreads through file-sharing networks.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,k41g,djup,9s3s,a9gz
------------------------------------------------------------
15. 10/29: Beagle-AV a Mass-Mailing Worm
W32.Beagle.AV@mm is a mass-mailing worm that also spreads through file-sharing networks.
http://nl.internet.com/ct.html?rtr=on&s=1,17cy,1,4tt1,bjcs,9s3s,a9gz
------------------------------------------------------------
wawadave

PostPosted: Fri Oct 29, 2004 9:35 pm

Dear Trend Micro customer,

As of October 29, 2004 9:40 AM (GMT -7:00; Daylight Saving Time), TrendLabs has
declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AU.
TrendLabs has received several infection reports indicating that this malware is
spreading in US, Japan, Sweden, Germany, Mexico, France, Argentina, Chile,
Brazil, and Canada.

Like other BAGLE variants, the success of this worm may be attributed to its
plain and brief email messages that bear the following details:

From: <spoofed>
Subject: any of the following
• Re:
• Re: Hello
• Re: Hi
• Re: Thank you!
• Re: Thanks :)

Message body: any of the following
• :)
• :))

Attachment: any of the following
• PRICE
• JOKE

with the following extension names
• COM
• CPL
• EXE
• SCR

This worm scans an infected system for files with certain extension names to
acquire its target recipients. It then uses its own SMTP engine and the domain
servers of its harvested email addresses for its mailing routine. Unsuspecting
users may then receive email messages from trusted acquaintances and readily
execute the attachment, thus launching this worm.

When run, it proceeds to drop copies of itself in folders with names containing
the text string shar, or in shared folders. It also uses file names that appear
legitimate and attractive. This enables this worm to propagate through the
network as other users may accidentally download a copy of this worm thinking it
is a normal application or a text file.

This worm also compromises system security by terminating several antivirus and
security-related applications if found active on a system. It also connects to a
list of Web sites where it may download components. It also opens port 81
possibly for its backdoor activities.

Continuing a notable BAGLE routine, it attacks another worm family known as
NETSKY. It deletes several registry entries and file names associated with
NETSKY. It also creates several mutexes that prevent the execution of NETSKY
variants on the infected machine.

It runs on Windows 95, 98, ME, NT, 2000, and XP.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 132
Official Pattern Release 2.226.00
Damage Cleanup Template 445

For more information on WORM_BAGLE.AU, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AU

You can modify subscription settings for Trend Micro newsletters at:

http://www.trendmicro.com/subscriptions/default.asp


----------------------------------------------o0o----
IMPORTANT NOTE!
TrendLabs will also be releasing a 3-digit pattern file that corresponds with
the pattern indicated in this email. This 3-digit pattern is a special release
for users running non-NPF compliant products (i.e., old 3-digit pattern format)
and is designed to provide protection against the most current malware threats.
Users running non-NPF compliant products are still urged to apply the NPF
solution http://www.trendmicro.com/en/support/npf/overview.htm. These users
may also upgrade to the latest product version. Only NPF-compliant products will
be able to update with regular pattern releases.

______________________________________________________________________
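The lure profile in the Trend Micro alert above (fixed subjects, a one-smiley body, a PRICE or JOKE attachment with a COM/CPL/EXE/SCR extension) and the drop-file names in the earlier Panda write-up of Bagle.BC (wingo.exe, wingo.exeopen, wingo.exeopenopen, copies placed in directories whose name contains 'shar') are concrete enough to turn into an indicator check. The Python below is an added example written for this thread; it is not code from Trend Micro, Panda Software or the poster. The messages and file paths it scans are constructed sample data, and the ':)' and ':))' strings are the smileys the forum rendered as 'Smile'.

```python
"""Indicator checks derived from the Bagle.AU and Bagle.BC alerts quoted in this thread.

Added example for the forum thread, not vendor code. All inputs below are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Lure profile quoted in the Trend Micro WORM_BAGLE.AU alert (lower-cased for matching).
BAGLE_AU_SUBJECTS = {"re:", "re: hello", "re: hi", "re: thank you!", "re: thanks :)"}
BAGLE_AU_BODIES = {":)", ":))"}
BAGLE_AU_ATTACHMENT_STEMS = {"price", "joke"}
BAGLE_AU_EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}

# Persistence copies named in the Panda description of Bagle.BC.
BAGLE_BC_DROP_NAMES = {"wingo.exe", "wingo.exeopen", "wingo.exeopenopen"}


@dataclass
class Message:
    subject: str
    body: str
    attachment: str  # attachment file name only; "" when there is none


def matches_bagle_au_lure(msg: Message) -> bool:
    """True only when subject, body and attachment all fit the quoted lure profile.

    Requiring all three fields keeps the rule from firing on ordinary 'Re: Hello'
    mail that happens to carry a legitimate attachment.
    """
    if not msg.attachment:
        return False
    att = PureWindowsPath(msg.attachment)
    return (
        msg.subject.strip().lower() in BAGLE_AU_SUBJECTS
        and msg.body.strip() in BAGLE_AU_BODIES
        and att.stem.lower() in BAGLE_AU_ATTACHMENT_STEMS
        and att.suffix.lower() in BAGLE_AU_EXTENSIONS
    )


def suspicious_paths(paths):
    """Return (path, reason) pairs for paths that match the file-based indicators.

    Rule 1: a file carrying one of the wingo.exe* persistence names.
    Rule 2: an executable sitting in a directory whose name contains 'shar'
            (the worms drop lure-named copies into shared folders).
    """
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.name.lower() in BAGLE_BC_DROP_NAMES:
            hits.append((raw, "bagle.bc persistence copy"))
            continue
        in_shar_dir = any("shar" in part.lower() for part in p.parts[:-1])
        if in_shar_dir and p.suffix.lower() in BAGLE_AU_EXTENSIONS:
            hits.append((raw, "executable in 'shar' directory"))
    return hits


# Constructed sample input: two lure-shaped messages and three near misses.
SAMPLE_MESSAGES = [
    Message("Re: Hello", ":)", "PRICE.cpl"),
    Message("Re: Thanks :)", ":))", "joke.scr"),
    Message("Re: Hello", "Hi, see attached", "PRICE.cpl"),  # body does not match
    Message("Invoice 4471", ":)", "JOKE.exe"),              # subject does not match
    Message("Re:", ":)", "price.zip"),                       # extension does not match
]

# Constructed sample paths: two persistence copies, one shared-folder lure, two benign files.
SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\wingo.exe",
    r"C:\WINDOWS\System32\wingo.exeopenopen",
    r"C:\Program Files\KaZaA\My Shared Folder\ACDSee 9.exe",
    r"C:\Users\docs\Shared Docs\notes.txt",
    r"C:\Program Files\Adobe\Photoshop.exe",
]


def flagged_messages(msgs=SAMPLE_MESSAGES):
    """Messages from the sample set that match the Bagle.AU lure profile."""
    return [m for m in msgs if matches_bagle_au_lure(m)]


if __name__ == "__main__":
    for m in flagged_messages():
        print(f"lure match: subject={m.subject!r} attachment={m.attachment!r}")
    for path, reason in suspicious_paths(SAMPLE_PATHS):
        print(f"{reason}: {path}")
```

On the constructed data the mail rule flags the first two messages and the path rule flags the two wingo.exe* copies plus the lure-named executable in the shared folder; the text file in a shared directory and the executable outside one are left alone.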
wawadave

PostPosted: Sun Oct 31, 2004 3:01 pm

"Truth will rise above falsehood as oil above water."
Miguel de Cervantes Saavedra (1547-1616); Spanish writer.

- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, October 31, 2004 - This week's report will look at seven worms
-Bagle.BC, Zafi.C, the B and C variants of Famus, Swash.A, Buchon.A and
Buchon.B- and a spyware application known as Spyware/Spydeleter.

Bagle.BC spreads via email in a message with variable characteristics,
through P2P (peer-to-peer) file sharing programs, and across networks. It
opens TCP port 81 and listens in on the communications for a remote
connection. Through this connection, the worm will allow remote access to
the affected computer. This would allow a remote user to carry out actions
that could compromise the confidentiality of user data or impede the tasks
carried out. What's more, Bagle.BC ends the processes belonging to security
tools, such as antivirus applications, leaving the computer vulnerable to
attack from other malware.

Zafi.C spreads through peer-to-peer (P2P) file sharing programs and via
email. To spread via email it uses its own SMTP engine and sends itself to
the addresses whose domain does not contain certain text strings. It obtains
these addresses from the files with a htm, wab, txt, dbx, tbb, asp, php,
sht, adb, mbx, eml or pmr extension it finds on the affected computer.

The language of the message sent by Zafi.C varies depending on the extension
of the domain to which the message is sent. If the domain corresponds to the
following countries: Germany, the Czech Republic, Denmark, Spain, Finland,
France, Holland, Hungary, Italy, Lithuania, Norway, Poland or Sweden, the
text will appear in the corresponding languages, and if not, it will be in
English.

Zafi.C tries to launch Denial of Service (DoS) attacks against three
websites belonging to Google, Microsoft and the Hungarian Prime Minister.
What's more, it ends the processes containing the strings 'firewall' and
'virus', and blocks access to applications that include the text 'reged',
'msconfig2' and 'task2'.

The next worms we will look at are the B and C variants of Famus. Both these
worms spread via email in a file attached to a message written in English
and Spanish, which uses social engineering techniques to spread to as many
computers as possible. The message tries to trick users into opening the
attachment by making them believe it contains interesting images of the
conflict in Iraq. When the file is run, they display a false error message
on screen and send themselves out to the addresses they find in the files
with a doc, eml, htm, or htt extension on the affected computer.

Famus.B and Famus.C also collect data from the infected computer, such as the
mail account, server, user name, version of Windows, etc., and send it to
the author of the code.

Swash.A is a worm that spreads via email in a message with variable
characteristics and through P2P file sharing programs. It ends the processes
belonging to security programs, like antivirus programs and firewalls, and
blocks access to the websites of the main developers of antivirus software.
Due to these actions, Swash.A leaves the infected computer vulnerable to
other malware.

The last worms in today's report are Buchon.A and Buchon.B, which spread via
email. A curious characteristic of these worms is that once they are run,
they wait ten minutes before starting to send out infected messages. The
difference between these two variants is that variant B was compiled seven
hours later and that it checks the system date before waiting ten minutes to
send itself out via email.

We are going to finish today's report with Spyware/Spydeleter, a spyware
application that is automatically downloaded when users visit web pages
containing links to malicious Java scripts, which try to install it. Once it
has been installed on a computer, Spyware/Spydeleter downloads other spyware
applications via FTP. Similarly, it creates several processes and leaves them
memory resident so that they are running at all times.

Spyware/Spydeleter creates several entries in the Windows Registry in the
affected computer, whose most significant effect is that they change the
home page of Microsoft Internet Explorer for another page warning the user
that the computer could be infected by spyware. This page contains a link
where the user can supposedly find help to clean the computer. However, if
the user clicks on this link, a page opens from which the application Spy
Deleter is downloaded, which will delete the spyware application for 29
dollars, and which has apparently been programmed by the same person that
created and distributed Spyware/Spydeleter.

Users affected by Spyware/Spydeleter will also find that two links called
'Click to Remove Spyware' and 'Remove Spyware Now' have been created on
their desktop which point to this purchase page.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/.

NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.