Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Virus alerts for week of 12/13/04

 
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Mon Dec 13, 2004 11:21 am    Post subject: Virus alerts for week of 12/13/04

"Always forgive your enemies; nothing annoys them so much."
Oscar Wilde (1854-1900); Irish dramatist and novelist.

- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 12 2004 - This week's virus report looks at four worms: Maslam.A, Maslam.B, Atak.D and Atak.E.

Maslam.A and Maslam.B affect computers running Windows 95/98/ME/NT/2000/XP, by exploiting the LSASS vulnerability. They send themselves out via email using their own SMTP engine. Both worms have the following characteristics.

- They monitor Internet Explorer windows, searching for those containing the following strings: evocash, e-bullion, e-gold, mail, bank, trade or paypal. When they find one, they log all the information entered by the user and send it to a website.

- They search for files with the extension rar, zip, pif or exe, and which have the following text strings in the path name: distr, download, setup or share, and then replace these files with copies of themselves.

- When they are run they display an error message on screen.

The main difference between the A and B variants of Maslam is the name of the file attached to the message in which they are sent and the text that appears in the subject field of the email.

The other two worms that we are looking at in today's report are the D and E variants of Atak, which spread via email in messages with variable characteristics. The emails include an attachment with the extension bat, com, exe, pif or scr. This file is sometimes compressed in a zip file. Both of these worms also spoof the email address of the sender in order to trick the recipient.

Atak.D and Atak.E also have the following characteristics:

- They use their own SMTP engine to send themselves to addresses obtained from the computers they infect.

- In the Windows system directory, they create a copy of themselves; in the case of Atak.D this file is called A1G.EXE, and with Atak.E it is called DAPDLL.EXE.

- They edit a registry entry to ensure it is run every time the system is started up.

The main differences between Atak D and E are:

- Atak.D is 12037 bytes when compressed with FSG, while the E variant is 11189 bytes.

- The mutex they create to make sure there is no more than one copy of the worm running at a time is different for each worm.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
wawadave

Posted: Mon Dec 13, 2004 12:09 pm

WAR OF THE WORMS: NETSKY-P TOPS THIS YEAR'S LIST
Sophos has released a report revealing the hardest hitting viruses of
2004. In a year which saw a 51.8% increase in the number of new
viruses, the Netsky-P worm has accounted for almost a quarter of all
incidents reported.
http://www.net-security.org/news.php?id=6687
wawadave

Posted: Mon Dec 13, 2004 1:14 pm

Netsky-P Biggest Threat of 2004
Netsky-P, first discovered March 22, has deftly used social engineering tricks to
continually rank it as one of the most dangerous worms in the wild.
http://nl.internet.com/ct.html?rtr=on&s=1,1a6i,1,joon,j60k,9s3s,a9gz

Author of Zafi-B Worm Trailed to Hungary
The search for the author of the fourth most wide-spread bug on the Internet has led
authorities to Hungary.
http://nl.internet.com/ct.html?rtr=on&s=1,1a6i,1,ixjo,b0cq,9s3s,a9gz
------------------------------------------------------------
5. 12/13: VBS.Junkmail a Mass-Mailing Worm
VBS.Junkmail@mm is a generic VBS mass-mailing worm that copies itself to files on the C
drive of the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1a6i,1,hbgn,7ge3,9s3s,a9gz
------------------------------------------------------------
6. 12/13: Janx Worm Exploits Windows Flaw
W32.Janx is a worm that attempts to exploit the Microsoft Windows LSASS Buffer Overrun
Vulnerability (Microsoft Security Bulletin MS04-011).
http://nl.internet.com/ct.html?rtr=on&s=1,1a6i,1,4gmy,9679,9s3s,a9gz
------------------------------------------------------------
7. 12/13: Rbot-RN a Network Worm
W32/Rbot-RN is a network worm that attempts to spread via network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1a6i,1,2zog,leqx,9s3s,a9gz
------------------------------------------------------------
8. 12/13: Sdbot-SB Worm Has Backdoor
W32/Sdbot-SB is a member of the W32/Sdbot family of worms with a backdoor component.
http://nl.internet.com/ct.html?rtr=on&s=1,1a6i,1,1bhf,fd7m,9s3s,a9gz
------------------------------------------------------------
9. 12/13: Atak-F Worm Spreads Via Email
W32/Atak-F is a Windows worm that spreads via email.
http://nl.internet.com/ct.html?rtr=on&s=1,1a6i,1,jw7v,bbpu,9s3s,a9gz
------------------------------------------------------------
10. 12/13: Brabot-A a Backdoor Trojan
Troj/Brabot-A is a backdoor Trojan that accepts commands via IRC.
http://nl.internet.com/ct.html?rtr=on&s=1,1a6i,1,67ag,h7q1,9s3s,a9gz
------------------------------------------------------------

viruses are up this week!!!!
wawadave

Posted: Tue Dec 14, 2004 11:17 am

- ORANGE ALERT: The new Zafi.D worm wishes you "happy holidays" - 12/14/04
From: Virus Alerts <virusalerts@pandasoftware.com>
Virus Alerts, by Panda Software (http://www.pandasoftware.com)


MADRID, December 14, 2004 - PandaLabs has detected the appearance of the new Zafi.D worm, which spreads in messages that pass themselves off as Christmas greetings, as well as through P2P (peer-to-peer) file sharing applications. As we are in the run up to Christmas, this type of social engineering could help this new malicious code to infect a large number of computers. In fact, Panda Software's international tech support network has already started to receive reports of incidents caused by Zafi.D in a large number of countries. For this reason, users are advised to take precautions with any email messages they receive. Panda Software clients who already have the new TruPrevent Technologies installed have been protected since the worm first emerged, as these preventive technologies have been able to detect and block Zafi.D without needing to be able to identify it first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

Zafi.D reaches computers in an email message whose subject is a person's name selected at random and the message text Happy holidays! in the language corresponding to the domain of the email address the message is being sent to. Therefore, if the message is sent to an email address ending in .es, it will be written in Spanish, whereas if it ends with the domain .de, the text will be written in German. Similarly, these email messages contain an attached file with a variable name, selected from a long list of options.

If the user runs this file, which actually contains Zafi.D, a false error message is displayed on screen and the worm sends itself out via email, using its own SMTP engine, to all the addresses it finds in the files with certain extensions stored on the affected computer. This worm ends any processes running in memory that contain the text firewall or virus. Similarly, it prevents access to applications that contain the text reged, msconfig or task.

What's more, Zafi.D inserts several entries in the Windows registry in order to ensure it is run whenever the computer is started up.

In order to spread via P2P applications, Zafi.D copies itself to all the folders in the C: drive whose path contains the text share, upload or music. The names of these files are winamp 5.7 new!.exe or ICQ 2005a new!.exe.

Due to the possibility of being infected by Zafi.D, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Panda Software's clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against this and other new malicious code. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at http://www.pandasoftware.com/truprevent

In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

For further information about Zafi.D, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=56161

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
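
A defender-side check for the Zafi.D P2P drop files the alert above describes. This is an added example, not Panda's code or tool; the folder markers and file names are the ones quoted in the alert, and the directory layout it scans is constructed (empty files, not malware).

```python
import os
import tempfile

# Zafi.D, per the Panda alert above, copies itself into any folder on the
# C: drive whose path contains one of these words ...
ZAFI_D_PATH_MARKERS = ("share", "upload", "music")
# ... using one of these two file names (compared case-insensitively,
# as Windows file systems are).
ZAFI_D_DROP_NAMES = {"winamp 5.7 new!.exe", "icq 2005a new!.exe"}


def hunt_zafi_d_drops(root):
    """Walk `root` and report files whose name matches a Zafi.D drop name.

    A name found inside a marked folder (path below `root` contains
    share/upload/music) is a high-confidence hit, since it matches both
    traits the alert describes; the same name elsewhere is reported as a
    low-confidence hit worth a look but not proof of infection.
    """
    high, low = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Only the part of the path below `root` counts, so a scan root
        # such as /srv/shares does not mark everything beneath it.
        rel = os.path.relpath(dirpath, root).lower()
        in_marked_folder = any(m in rel for m in ZAFI_D_PATH_MARKERS)
        for name in filenames:
            if name.lower() not in ZAFI_D_DROP_NAMES:
                continue
            path = os.path.join(dirpath, name)
            (high if in_marked_folder else low).append(path)
    return {"high": sorted(high), "low": sorted(low)}


def build_constructed_tree():
    """Create a throwaway directory tree with constructed sample files.

    Every file is empty: this is a layout for exercising the hunt, not
    malware. Two files sit in marked folders, one sits in an unmarked
    folder, and two are decoys that must not match.
    """
    root = tempfile.mkdtemp(prefix="zafi_hunt_")
    samples = [
        ("My Music", "winamp 5.7 new!.exe"),                      # high: "music"
        (os.path.join("Uploads", "pics"), "ICQ 2005a new!.exe"),  # high: "upload"
        ("Downloads", "winamp 5.7 new!.exe"),                     # low: name only
        ("shared", "readme.txt"),                                 # decoy: wrong name
        ("Music", "winamp.exe"),                                  # decoy: wrong name
    ]
    for folder, name in samples:
        folder_path = os.path.join(root, folder)
        os.makedirs(folder_path, exist_ok=True)
        with open(os.path.join(folder_path, name), "wb"):
            pass
    return root


if __name__ == "__main__":
    results = hunt_zafi_d_drops(build_constructed_tree())
    for level in ("high", "low"):
        for path in results[level]:
            print(f"[{level}] {path}")
```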
wawadave

Posted: Tue Dec 14, 2004 4:25 pm

viruses are picking up speed this week!!!

1. New Zafi-D Worm Spreads Christmas Fear
The latest variant in the Zafi worm family has hit the Wild, disguising itself as a
Christmas greeting. Discovered on Dec. 13, the worm already has earned 'medium threat
alert' status.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,ekza,lgvg,9s3s,a9gz
------------------------------------------------------------
2. 12/14: Sdbot-SG Worm Has Trojan Functions
W32/Sdbot-SG is a worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,p5b,957p,9s3s,a9gz
------------------------------------------------------------
3. 12/14: Zafi-D Worm Disguised as E-Greeting
Several vendors have issued alerts for Zafi.D, a worm that ends the active processes
whose name contains the text strings firewall or virus.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,eqck,jlx6,9s3s,a9gz
------------------------------------------------------------
4. 12/14: Worm_Rbot-AEF Arrives as File
Worm_Rbot.AEF arrives as the file WIN23UPD.EXE on affected machines.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,fxyj,j6tk,9s3s,a9gz
------------------------------------------------------------
5. 12/14: Worm_Bagz.I Spreads Via Email
Worm_Bagz.I is a memory-resident worm that arrives and propagates through email.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,6cdm,fw6p,9s3s,a9gz
------------------------------------------------------------
6. 12/14: Trojan.Conycspa Downloads Programs
Trojan.Conycspa is a Trojan horse program that downloads and executes adware, dialers,
and spamming Trojan horse programs from the Internet.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,ce6i,i43p,9s3s,a9gz
------------------------------------------------------------
7. 12/14: Backdoor.Ranky-N Acts as Covert Proxy
Backdoor.Ranky.N is a backdoor program that allows a compromised computer to be used as a
covert proxy.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,axng,m78o,9s3s,a9gz
------------------------------------------------------------
8. 12/14: Qeds Worm Sends Itself as Attachment
W32.Qeds@mm is a mass-mailing worm that sends a copy of itself as an attachment to the
email addresses that it gathers from the files on an infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,3zbu,9ht8,9s3s,a9gz
------------------------------------------------------------
9. 12/14: Atak-G a Windows Worm
W32/Atak-G is a Windows worm that spreads via email.
http://nl.internet.com/ct.html?rtr=on&s=1,1a9o,1,crwd,af7e,9s3s,a9gz
------------------------------------------------------------
wawadave

Posted: Wed Dec 15, 2004 9:42 am

ZAFI-D SPREADING IN FAKE HOLIDAY MESSAGES | SearchSecurity.com

The latest Zafi variant uses a message of holiday cheer to spread.
http://www.searchSecurity.com/originalContent/0,289142,sid14_gci1034292,00.html?track=NL-102&ad=499864
wawadave

Posted: Thu Dec 16, 2004 3:42 pm

1. Zafi-D Worm Infecting 1 Out of 10 Emails
The Zafi-D worm, which hit the Wild with great speed this past Monday, is infecting one
out of every 10 emails traveling the Internet, according to anti-virus reports.
http://nl.internet.com/ct.html?rtr=on&s=1,1agp,1,9a53,32wv,9s3s,a9gz

12/16: Rbot-RR Worm Hits Remote Shares
W32/Rbot-RR is a worm that attempts to spread to remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1agp,1,bhzn,dkjz,9s3s,a9gz
------------------------------------------------------------
5. 12/16: Forbot-BI an IRC Trojan and Worm
W32/Forbot-BI is an IRC backdoor Trojan and network worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1agp,1,3j8g,zbq,9s3s,a9gz

6. 12/16: Atak-F Worm Collects Addresses
W32.Atak.F@mm is a mass-mailing worm that sends itself to addresses collected from the
infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1agp,1,gomd,954k,9s3s,a9gz
------------------------------------------------------------
7. 12/16: VBS.Sorpe-B Worm Disables Utilities
VBS.Sorpe.B@mm is a mass-mailing worm that sends itself to the email addresses gathered
from the files on an infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1agp,1,d2tp,cqti,9s3s,a9gz
------------------------------------------------------------
8. 12/16: VBS.Sorpe-A a Mass-Mailing Worm
VBS.Sorpe.A@mm is a mass-mailing worm that sends itself to email addresses gathered from
files on the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1agp,1,jw87,fs1s,9s3s,a9gz
------------------------------------------------------------
9. 12/16: Ginena a Macro Virus
W97M.Ginena is a macro virus that infects the Microsoft Word Normal.dot template and is
triggered when a Word document is opened, closed, or saved.
http://nl.internet.com/ct.html?rtr=on&s=1,1agp,1,9sam,62fq,9s3s,a9gz
------------------------------------------------------------
10. 12/16: VBS.Feadfe Worm Mails Itself
VBS.Feadfe@mm is a mass-mailing worm that sends itself to email addresses it finds in the
Microsoft Outlook Address Book.
http://nl.internet.com/ct.html?rtr=on&s=1,1agp,1,esgm,1dj6,9s3s,a9gz
------------------------------------------------------------
wawadave

Posted: Thu Dec 16, 2004 5:28 pm

ORANGE ALERT: Zafi.D is spreading rapidly and is already
the virus most frequently detected by Panda ActiveScan -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, December 15, 2004 - According to data gathered by the free online antivirus Panda ActiveScan, the Zafi.D worm, which appeared just yesterday, is already the most frequently detected virus around the globe, mainly in South America and Europe, where the most affected countries are Italy, Spain, Bulgaria and Hungary.

This worm spreads in a file attached to email messages containing the text Happy holidays! As we are in the run up to Christmas, users are sending millions of greetings via email, which is helping Zafi.D to spread widely and rapidly.

To prevent this worm from continuing to spread, especially through computers that do not have adequate anti-malware protection installed, Panda Software has released its free PQREMOVE utility, which detects and eliminates Zafi.D from all the computers it may have infected. This tool can be downloaded from: http://www.pandasoftware.com/download/utilities.

Zafi.D is a multi-lingual worm, as it can adapt the language of the message to the domain of the email address it is being sent to, for example, a German-speaking user will receive the message in German. This significantly increases the capacity of this worm to spread.

"Zafi.D is a typical example of a worm that takes advantage of important dates to spread as widely as possible. This has happened in the past, and therefore, we were not surprised when it emerged. However, Zafi.D uses social engineering effectively, above all in adapting the message to the recipient's language, who will not be surprised to receive Christmas greetings from companies, family and friends which include an animation," explains Luis Corrons, head of PandaLabs.

What's more, Zafi.D can be used to gain control of affected computers, as it opens a backdoor in affected computers through a communications port. This allows an attacker to connect to the port and gain remote control of the affected computer.

Due to the high possibility of being infected by Zafi.D, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Panda Software clients who already have the new TruPrevent Technologies installed have been protected since the worm first emerged, as these preventive technologies have been able to detect and block Zafi.D without needing to be able to identify it first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

Users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

For further information about Zafi.D, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=56161

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

wawadave

Posted: Thu Dec 16, 2004 5:29 pm

- ORANGE ALERT: Three variants of the Atak worm join Zafi.D
in wishing users a "Merry Christmas" -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, December 15, 2004 - PandaLabs has detected the appearance of variants H, I and J of the Atak worm, which spread in messages that pass themselves off as Christmas greetings. These are similar to the Zafi.D worm, which appeared yesterday and also uses the same type of social engineering technique to spread.

The new variants of the Atak worm are very similar to one another, only differing in aspects like the size of the file attached to infected email messages. However, due to a programming error, Atak.J cannot send itself out. Panda Software clients who already have the new TruPrevent Technologies installed have been protected against all of these malicious codes since they first emerged, as these preventive technologies have been able to detect and block them without needing to be able to identify them first (more information about the new TruPrevent Technologies at http://www.pandasoftware.com/truprevent).

The new variants of Atak reach computers in email messages with the subject Merry X-Mas! or Happy New Year! and the message text Happy New year and wish you good luck on next year! or Mery Chrismas & Happy New Year! 2005 will be the beginning! What's more, the address of the sender of the messages is spoofed, as they use the addresses they collect from other infected computers. The attachment is always compressed in zip and contains a file that could be called bat, com, pif or scr. If the user runs this file, the worms create copies of themselves in the Windows system directory under the name dec25.exe. At the same time, they use their own SMTP engine to send themselves out to all the addresses they find in files with certain extensions stored on the affected computer.

"We are witnessing an attempt -we don't know whether it is organized or not- to saturate users' inboxes with a huge number of virus infected Christmas greetings. This is obviously a significant threat to computers that are not properly protected, as the probability of being hit by one of these new malicious codes is very high, especially considering that at this time of the year, it is not unusual to receive a large amount of emails of this kind. However, it is also possible that, over the next few hours, other viruses that use the same technique will appear. For this reason, it is highly recommendable to take precautions when opening email messages," explains Luis Corrons, head of PandaLabs.

The Zafi.D worm, which spreads in a message with the text Happy holidays! written in the language of the recipient of the email, is still spreading around the globe and causing incidents in users' computers. In fact, it has been the virus most frequently detected by the free online antivirus Panda ActiveScan for a few hours now. What's more, the difference between the percentage of detections of this worm and the second malicious code in the ranking is growing.

To prevent Zafi.D from reaching epidemic levels, Panda Software has released its free PQREMOVE utility, which detects and eliminates Zafi.D from all the computers it may have infected. This tool can be downloaded from: http://www.pandasoftware.com/download/utilities.

Due to the high possibility of being infected by Zafi.D or the new variants of Atak, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect these new malicious codes.

Panda Software's clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against these and other new malicious codes. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at http://www.pandasoftware.com/truprevent

In addition, users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

For further information about the Atak and Zafi.D worms, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the UR
wawadave

Posted: Thu Dec 16, 2004 5:31 pm

Zafi.D is spreading rapidly around the globe -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.es)

Madrid, December 15, 2004 - According to data gathered by the free online antivirus Panda ActiveScan, the Zafi.D worm, which appeared just yesterday, is the most frequently detected virus around the globe, mainly in South America and Europe.

This worm spreads in a file attached to email messages containing the text "Happy holidays!". To prevent this worm from continuing to spread, especially through computers that do not have adequate anti-malware protection installed, Panda Software has released its free PQREMOVE utility, which detects and eliminates Zafi.D from all the computers it may have infected. This tool can be downloaded from: http://www.pandasoftware.com/download/utilities

Zafi.D is a multi-lingual worm, as it can adapt the language of the message to the domain of the email address it is being sent to, for example, a German-speaking user will receive the message in German. This significantly increases the capacity of this worm to spread.

What's more, Zafi.D can be used to gain control of affected computers, as it opens a backdoor in affected computers through a communications port. This allows an attacker to connect to the port and gain remote control of the affected computer.

Three new worms have also appeared today -Atak.H, Atak.I and Atak.J- which include festive greetings. Given that we are in the festive season, users are sending out millions of Christmas greetings, which is helping Zafi.D to spread widely and rapidly, and could also happen with these variants of Atak.

Due to the high possibility of being infected by Zafi.D, Atak.H, Atak.I and Atak.J, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Panda Software's clients can already access the updates for installing the new TruPrevent Technologies along with their antivirus protection, providing a preventive layer of protection against these and other new malicious codes. For users with a different antivirus program installed, Panda TruPrevent Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent Technologies at http://www.pandasoftware.com/truprevent

Users can scan their computers online for free with Panda ActiveScan, available at http://www.pandasoftware.com/

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
wawadave

Posted: Fri Dec 17, 2004 5:33 pm

Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, December 17, 2004 - This week's report focuses on five worms -Zafi.D, Atak.H, Atak.I, Atak.J and Janx.A-, and a Trojan called HideProc.B.

At the beginning of this week, Zafi.D started spreading rapidly to a large number of computers hidden in email messages with variable characteristics, which passed themselves off as Christmas greetings. This worm is multi-lingual, as it is capable of adapting the language of the text that appears in the email message to the domain of the email address it is being sent to. What's more, Zafi.D can also spread via P2P (peer-to-peer) file sharing programs.

Zafi.D creates a backdoor by opening port 8181 and waiting for a file, usually another malicious code, to be transferred in order to run it. It also prevents access to applications containing the text string regedit, msconfig or task. After it has infected a computer, Zafi.D displays an error message on screen.

Like Zafi.D, the H, I and J variants of Atak also spread via email in messages that pretend to be seasonal greetings. These reach computers in email messages with the subjects "Merry X-Mas!" or "Happy New Year!" and the message body "Happy New year and wish you good luck on next year!" or "Mery Chrismas & Happy New Year! 2005 will be the beginning!".

The messages carrying Atak.H, Atak.I and Atak.J include an attachment compressed in .zip, which contains a file called bat, com, pif or scr. If the user runs this file, these worms copy themselves to the Windows system directory under the name dec25.exe. At the same time, they use their own SMTP engine to send themselves out to all the addresses they find in files with certain extensions stored on the affected computer.

These three variants of Atak are very similar to one another, differing only in aspects like the size of the file attached to infected messages. However, due to a programming error, Atak.J cannot send itself out via email.

The final worm in today's report is Janx.A, which spreads across the Internet by exploiting the LSASS vulnerability. To be more specific, it spreads automatically to computers running Windows XP/2000, which are not correctly updated. It also works on other Windows operating systems, if the file carrying the virus is run.

Janx.A connects to an IRC server and waits for control commands to carry out on the affected computer. What's more, it installs an FTP server on port 5533.

The Trojan in today's report is HideProc.B, which cannot spread automatically, as it requires intervention from an attacker. HideProc.B consists of a DLL (Dynamic Link Library), which is used by another malicious code to hide the execution of up to two processes.

For further information about these and other computer threats, visit Panda Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/.

NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

Zafi-D Worm Infecting 1 Out of 10 Emails
The Zafi-D worm, which hit the Wild with great speed this past Monday, is infecting one out of every 10 emails traveling the Internet, according to anti-virus reports.
http://nl.internet.com/ct.html?rtr=on&s=1,1ai3,1,9a53,32wv,9s3s,a9gz
------------------------------------------------------------
5. 12/17: Envid-B Worm Steals Outlook Contacts
W32.Envid.B@mm is a worm that sends email to all addresses found in the Microsoft Outlook Address Book.
http://nl.internet.com/ct.html?rtr=on&s=1,1ai3,1,7jt5,klfw,9s3s,a9gz
------------------------------------------------------------
6. 12/17: Forbot-EQ an IRC Trojan and Worm
W32/Forbot-EQ is an IRC backdoor Trojan and network worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1ai3,1,pp8,5927,9s3s,a9gz
------------------------------------------------------------
7. 12/17: Forbot-DA Worm Targets Flaws
W32/Forbot-DA is a worm that attempts to spread to remote network shares and computers vulnerable to common exploits.
http://nl.internet.com/ct.html?rtr=on&s=1,1ai3,1,hqh9,lx6,9s3s,a9gz
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Fri Dec 17, 2004 10:21 pm    Post subject: Reply with quote

As of December 14, 2004 8:13 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_ZAFI.D. TrendLabs has received several infection reports indicating that this malware is spreading in Germany, France and Spain.

The following is a brief overview of the worm process:

This worm spreads via email or peer-to-peer (P2P) file-sharing networks.

Here is a sample of the email:

Subject:
Re: Merry Chrsitmas!

Message body:
Happy Hollydays!

Smile Pamela M.

Attachment:
postcard.index.php1111.pif

Note that the language of the email may change depending on the domain of the recipients.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 137
Official Pattern Release 2.297.00
Damage Cleanup Template 467

For more information on WORM_ZAFI.D, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D

You can modify subscription settings for Trend Micro newsletters at:
http://www.trendmicro.com/subscriptions/default.asp

----------------------------------------------o0o----
IMPORTANT NOTE!
TrendLabs will also be releasing a 3-digit pattern file 986 that corresponds with the pattern indicated in this email. This 3-digit pattern is a special release for users running non-NPF compliant products (i.e., old 3-digit pattern format) and is designed to provide protection against the most current malware threats. Users running non-NPF compliant products are still urged to apply the NPF solution <http://www.trendmicro.com/en/support/npf/overview.htm>. These users may also upgrade to the latest product version. Only NPF-compliant products will be able to update with regular pattern releases.
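The Panda and TrendLabs alerts above give a mail-gateway defender a concrete set of indicators: seasonal-greeting subject lines, and executable attachments (bat, com, exe, pif, scr) that are sometimes wrapped in a .zip. The following triage routine is an added example, not code from Panda, Trend Micro or this forum; it builds a few constructed sample messages (labelled as such, not real captures) and flags the ones that carry those indicators, looking inside zip attachments the way the Atak variants require.

```python
"""Mail-gateway triage for the seasonal-greeting worms described in the alerts above.

Added example (not from Panda, Trend Micro or the forum). Indicators are the
subject lines and attachment extensions quoted in the alerts; sample messages
below are constructed for the demonstration, not captured traffic.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure subjects quoted in the Atak.H/I/J and WORM_ZAFI.D alerts (compared lowercase).
SUBJECT_HINTS = ("merry x-mas!", "happy new year!", "merry chrsitmas!")
# Attachment extensions the alerts name as the worm payload.
RISKY_EXT = {".bat", ".com", ".exe", ".pif", ".scr"}


def _has_risky_ext(name):
    return os.path.splitext(name.lower())[1] in RISKY_EXT


def risky_payloads(filename, data):
    """Names of executable payloads carried by one attachment, looking inside .zip archives."""
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [n for n in zf.namelist() if _has_risky_ext(n)]
        except zipfile.BadZipFile:
            # A "zip" that does not parse is itself worth a look; surface it for review.
            return [filename]
    return [filename] if _has_risky_ext(filename) else []


def triage(raw):
    """Return (verdict, reasons) for one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = (msg["subject"] or "").lower()
    if any(h in subject for h in SUBJECT_HINTS):
        reasons.append(f"subject matches seasonal-greeting lure: {msg['subject']!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for payload in risky_payloads(name, part.get_payload(decode=True) or b""):
            reasons.append(f"executable attachment: {payload} (in {name})")
    if any(r.startswith("executable") for r in reasons):
        return "quarantine", reasons       # an executable payload is decisive
    if reasons:
        return "review", reasons           # lure subject alone: hold for a human
    return "deliver", reasons


def build_sample(subject, body, attach_name=None, attach_bytes=b""):
    """Constructed sample message for the demonstration (hypothetical sender/recipient)."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(attach_bytes, maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


def zipped(inner_name, inner_bytes):
    """Wrap one file in an in-memory zip, mimicking the Atak attachment layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


# Constructed samples modelled on the lures quoted in the alerts; payload bytes are dummies.
ATAK_LIKE = build_sample("Merry X-Mas!", "Happy New year and wish you good luck on next year!",
                         "card.zip", zipped("card.scr", b"MZ-dummy"))
ZAFI_LIKE = build_sample("Re: Merry Chrsitmas!", "Happy Hollydays!",
                         "postcard.index.php1111.pif", b"MZ-dummy")
SUBJECT_ONLY = build_sample("Happy New Year!", "A plain greeting with no attachment.")
BENIGN = build_sample("Lunch?", "Tomorrow at noon.", "agenda.txt", b"notes")

if __name__ == "__main__":
    for raw in (ATAK_LIKE, ZAFI_LIKE, SUBJECT_ONLY, BENIGN):
        print(triage(raw))
```

The split between "quarantine" and "review" is deliberate: the subject strings are a weak signal that legitimate holiday mail will also trip, while a bat/com/exe/pif/scr payload, zipped or not, is what the alerts actually describe and is safe to hold outright.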
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Sat Dec 18, 2004 9:44 am    Post subject: Reply with quote

Warning! Worm.Win32.Zafi.D!

The fourth variant of the Zafi worm has been spreading since yesterday. Worm.Win32.Zafi.D has a size of 11,745 bytes and is packed with FSG. It spreads via email as a Christmas greeting and also via file sharing networks. In addition to the spreading mechanism, Worm.Win32.Zafi.D installs a backdoor on the computer which enables remote administration of the machine.

A more detailed description of the worm can be found at the a² Malware Database:
http://www.emsisoft.com/en/malware/?Worm.Win32.Zafi.D

Zafi.D can be detected and removed with a² Free and a² Personal with the latest signature updates. The background guard of the latest a² Personal version will block the worm if it is started. Please run the a² Online-Update immediately and ensure that the new automatic update feature in a² Personal is enabled.


Sincerely yours,

Your a² Team
http://www.emsisoft.com

even a2 is nailing this one!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Sun Dec 19, 2004 8:31 am    Post subject: Reply with quote

"An ounce of action is worth a ton of theory."
Ralph Waldo Emerson (1803 - 1882); US philosopher, writer.

- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 19, 2004 - This week's report focuses on five worms (Zafi.D, Atak.H, Atak.I, Atak.J and Janx.A) and a Trojan called HideProc.B.

At the beginning of this week, Zafi.D started spreading rapidly to a large number of computers hidden in email messages with variable characteristics, which passed themselves off as Christmas greetings. This worm is multi-lingual, as it is capable of adapting the language of the text that appears in the email message to the domain of the email address it is being sent to. What's more, Zafi.D can also spread via P2P (peer-to-peer) file sharing programs.

Zafi.D creates a backdoor by opening port 8181 and waiting for a file, usually another malicious code, to be transferred in order to run it. It also prevents access to applications containing the text string regedit, msconfig or task. After it has infected a computer, Zafi.D displays an error message on screen.

Like Zafi.D, the H, I and J variants of Atak also spread via email in messages that pretend to be seasonal greetings. These reach computers in email messages with the subjects "Merry X-Mas!" or "Happy New Year!" and the message body "Happy New year and wish you good luck on next year!" or "Mery Chrismas & Happy New Year! 2005 will be the beginning!".

The messages carrying Atak.H, Atak.I and Atak.J include an attachment compressed in .zip, which contains a file called bat, com, pif or scr. If the user runs this file, these worms copy themselves to the Windows system directory under the name dec25.exe. At the same time, they use their own SMTP engine to send themselves out to all the addresses they find in files with certain extensions stored on the affected computer.

These three variants of Atak are very similar to one another, differing only in aspects like the size of the file attached to infected messages. However, due to a programming error, Atak.J cannot send itself out via email.

The final worm in today's report is Janx.A, which spreads across the Internet by exploiting the LSASS vulnerability. To be more specific, it spreads automatically to computers running Windows XP/2000, which are not correctly updated. It also works on other Windows operating systems, if the file carrying the virus is run.

Janx.A connects to an IRC server and waits for control commands to carry out on the affected computer. What's more, it installs an FTP server on port 5533.

The Trojan in today's report is HideProc.B, which cannot spread automatically, as it requires intervention from an attacker. HideProc.B consists of a DLL (Dynamic Link Library), which is used by another malicious code to hide the execution of up to two processes.

For further information about these and other computer threats, visit Panda Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/.

NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
