Spyware Warrior: Help with Spyware, Hijacking & Other Internet Nuisances
 
Virus alerts for week of 1/17/05

 
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Mon Jan 17, 2005 9:52 am    Post subject: Virus alerts for week of 1/17/05

WINDOWS TROJANS HIT P2P
Madrid-based anti-virus firm Panda Software reports the circulation
on peer-to-peer (P2P) networks of Trojans that are spread by
exploiting digital rights management features in Windows Media
Player, reports The Register.
http://www.net-security.org/news.php?id=6926

TROJAN EXPLOITS WINDOWS DRM
Anti-Virus and security vendor Panda Labs is reporting the discovery
of a threat that takes advantage of Windows Digital Rights Management
(DRM).
http://www.net-security.org/news.php?id=6903

MICROSOFT VIRUS CLEAN-UP TOOL SPARKS CONTROVERSY
Microsoft debuts a malicious software removal tool today. It
represents the first tangible fruits of Microsoft's June 2003
acquisition of Romanian anti-virus firm GeCAD Software.
http://www.net-security.org/news.php?id=6898

MORE WORMS TARGET MOBILE PHONES
Latest variants could be a sign of what's to come, security experts
warn.
http://www.net-security.org/news.php?id=6882

"The significance of a man is not in what he attains,
but rather what he longs to attain."
Kahlil Gibran (1883-1931); Lebanese artist & poet.

- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, January 16 2005 - This week's virus report looks at three
vulnerabilities, two Trojans -WmvDownloader.A and WmvDownloader.B-, and two
worms -Lasco.A and Gaobot.CKP-.

We start this report by looking at three security problems, for which
Microsoft has this week published the corresponding patches.

- Vulnerability in Windows HTML Help that could allow hackers to take
control of a computer with the same privileges as the user who started the
session. It could be exploited through a specially designed web
page and affects computers with Windows 2003/XP/2000/NT/Me/98.

- A security problem in the format of Windows icons and cursors. A user
could exploit it to take control of a vulnerable computer by hosting a
specially created icon or cursor on a malicious web page or HTML email. It
affects computers with Windows 2003/XP/2000/NT/Me/98.

- Vulnerability in the Index Server service, which allows remote code
execution and privilege escalation. It affects computers with Windows XP
-without Service Pack 2- and Windows 2003.

WmvDownloader.A and WmvDownloader.B are two Trojans that spread across P2P
networks in the form of video files with the extension ".wmv".

In order to spread, WmvDownloader.A and WmvDownloader.B use Windows Media
Digital Rights Management (DRM), a technology that demands a valid license
number when a protected Windows Media file is run. If a user were to execute
a video file infected with WmvDownloader.A or WmvDownloader.B, these Trojans
simulate the download of the corresponding license from certain web pages.
However, what they really do is redirect users to other addresses from which
malicious applications like adware, dialers or spyware are downloaded.

The first worm we'll look at today is Lasco.A, which spreads to cell phones
using the Symbian operating system. Although at first it targeted Nokia 60
series phones, it can also target other devices using the same software.

Lasco.A uses the following means of propagation.

1.- Via Bluetooth (technology that allows wireless connection between
devices over short distances).
When executed, Lasco.A starts a search for other devices connected using
Bluetooth and if it finds any, it sends a copy of itself in a file called
VELASCO.SIS. When the device to which it has sent a file is out of range of
Bluetooth, Lasco.A searches for others to infect.

2.- Inserting its code in all SIS files on the affected device. When these
files are distributed and run in new devices, these are then infected by
Lasco.A.

In order to be able to spread, Lasco.A requires intervention from users, as
they receive a message announcing the fact that it has been received. If the
users accept this message, the worm installs itself on the device.

We end today's report with Gaobot.CKP, a worm that spreads by making copies
of itself in shared resources on the network and exploits the LSASS, RPC
DCOM and WebDAV vulnerabilities. It can also enter computers running SQL
Server, whose System Administrator account's password is blank, and in
computers running DameWare Mini Remote Control. Finally, Gaobot.CKP also
accesses computers affected by the following malware: Bagle.A, Mydoom.A,
Optix, NetDevil, Kuang and SubSeven.

Gaobot.CKP lets attackers take remote control of the computer it affects,
allowing them to execute commands, download and execute files, log
keystrokes and carry out Distributed Denial of Services attacks (DDoS).

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
wawadave

PostPosted: Mon Jan 17, 2005 9:58 am

Missed posting this last week; it still has useful info!


Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, January 14 2005 - This week's virus report looks at three
vulnerabilities, two Trojans -WmvDownloader.A and WmvDownloader.B-, and two
worms -Lasco.A and Gaobot.CKP-.

We start this report by looking at three security problems, for which
Microsoft has this week published the corresponding patches.

- Vulnerability in the Windows HTML help, that could allow hackers to take
control of a computer with the same privileges as the user that started the
session. It could be exploited by the creation of a specially designed web
page and affects computers with Windows 2003/XP/2000/NT/Me/98.

- A security problem in the format of Windows icons and cursors. A user
could exploit it to take control of a vulnerable computer by hosting a
specially created icon or cursor on a malicious web page or HTML email. It
affects computers with Windows 2003/XP/2000/NT/Me/98.

- Vulnerability in the Index Server service, which allows remote code to be
executed and privilege escalation. It affects computers with Windows XP
-without Service Pack 2- and Windows 2003.

WmvDownloader.A and WmvDownloader.B are two Trojans that spread across P2P
networks in the form of video files with the extension ".wmv".

In order to spread, WmvDownloader.A and WmvDownloader.B use Windows Media
Digital Rights Management (DRM), a technology that demands a valid license
number when a protected Windows Media file is run. If a user were to execute
a video file infected with WmvDownloader.A or WmvDownloader.B, these Trojans
simulate the download of the corresponding license from certain web pages.
However, what they really do is redirect users to other addresses from which
malicious applications like adware, dialers or spyware are downloaded.

The first worm we'll look at today is Lasco.A, which spreads to cell phones
using the Symbian operating system. Although at first it targeted Nokia 60
series phones, it can also target other devices using the same software.

Lasco.A uses the following means of propagation.

1.- Via Bluetooth (technology that allows wireless connection between
devices over short distances).
When executed, Lasco.A starts a search for other devices connected using
Bluetooth and if it finds any, it sends a copy of itself in a file called
VELASCO.SIS. When the device to which it has sent a file is out of range of
Bluetooth, Lasco.A searches for others to infect.

2.- Inserting its code in all SIS files on the affected device. When these
files are distributed and run in new devices, these are then infected by
Lasco.A.

In order to be able to spread, Lasco.A requires intervention from users, as
they receive a message announcing the fact that it has been received. If the
users accept this message, the worm installs itself on the device.

We end today's report with Gaobot.CKP, a worm that spreads by making copies
of itself in shared resources on the network and exploits the LSASS, RPC
DCOM and WebDAV vulnerabilities. It can also enter computers running SQL
Server, whose System Administrator account's password is blank, and in
computers running DameWare Mini Remote Control. Finally, Gaobot.CKP also
accesses computers affected by the following malware: Bagle.A, Mydoom.A,
Optix, NetDevil, Kuang and SubSeven.

Gaobot.CKP lets attackers take remote control of the computer it affects,
allowing them to execute commands, download and execute files, log
keystrokes and carry out Distributed Denial of Services attacks (DDoS).

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

wawadave
PostPosted: Tue Jan 18, 2005 6:00 pm

Another Worm Hits Online Tsunami Relief
Launches DoS attack on German domain Web site.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,kr1z,3mjg,9s3s,a9gz
------------------------------------------------------------
3. 1/18: Zar Worm Sends Tsunami Email
W32/Zar@MM is a mass-mailing worm that spreads via Microsoft Outlook, by sending itself
to all addresses found in the Global Address Book.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,716a,4umk,9s3s,a9gz
------------------------------------------------------------
4. 1/18: Zar-A Worm Launches DoS Attack
Several vendors have issued alerts for Zar.A, a worm that attempts to launch DoS (Denial
of Service) attacks against the website www.hacksector.de.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,jwoc,gax1,9s3s,a9gz
------------------------------------------------------------
5. 1/18: Agobot-XB an IRC Trojan & Network Worm
W32/Agobot-XB is an IRC backdoor Trojan and network worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,c7rs,baka,9s3s,a9gz
------------------------------------------------------------
6. 1/18: Rbot-TS Worm Spreads to Weak Shares
W32/Rbot-TS is a member of the W32/Rbot family of network worms.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,2iqy,baxd,9s3s,a9gz
------------------------------------------------------------
7. 1/18: Baba-C Worm Has Trojan Component
W32/Baba-C is a mass-mailing worm with a backdoor Trojan component.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,gi24,lkbk,9s3s,a9gz
------------------------------------------------------------
8. 1/18: Anzae-A a Spanish Mass-Mail Worm
W32/Anzae-A is a Spanish mass-mailing worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,9qr,4s1e,9s3s,a9gz
------------------------------------------------------------
9. 1/18: Multidr-BP a Trojan Dropper
Troj/Multidr-BP is a multicomponent Trojan dropper for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,d2si,4t7v,9s3s,a9gz
------------------------------------------------------------
10. 1/18: Forbot-DM Worm Exploits LSASS Flaw
W32/Forbot-DM is a network worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,kyy6,beu7,9s3s,a9gz
------------------------------------------------------------
11. 1/18: Rbot-TQ Worm Spreads to Remote Shares
W32/Rbot-TQ is a worm that attempts to spread to remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,k179,2poe,9s3s,a9gz
------------------------------------------------------------
12. 1/18: MyDoom-AA a Mass-Mailing Worm
W32/MyDoom-AA is a mass mailing worm that can also spread using popular peer-to-peer
networking applications.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,5wy9,5dif,9s3s,a9gz
------------------------------------------------------------
13. 1/18: Sdbot-TO Worm Runs in Background
W32/Sdbot-TO is a Windows worm that spreads via networks shares, drops files and contains
backdoor functions that allow unauthorized remote access to the infected computer via IRC
channels while running in the background.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,i3n3,7eh6,9s3s,a9gz
------------------------------------------------------------
14. 1/18: Trojan.Netdepix-B Downloads File
Trojan.Netdepix.B is a Trojan horse program that attempts to exploit the Microsoft
Windows LSASS Buffer Overrun Vulnerability (Microsoft Security Bulletin MS04-011) on
randomly selected computers.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,5fdg,jduy,9s3s,a9gz
------------------------------------------------------------
15. 1/18: Mydoom-AI Worm Uses Own Engine
Some vendors have issued alerts for W32.Mydoom.AI@mm, a mass-mailing worm that uses its
own SMTP engine to send itself to email addresses that it finds on a compromised
computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,mehf,6kwl,9s3s,a9gz
------------------------------------------------------------
16. 1/18: IRC.Whisper-B Trojan Lets Attacker In
Backdoor.IRC.Whisper.B is a back door that allows an attacker unauthorized remote access
to a compromised host through an IRC channel.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,1bqj,9zkx,9s3s,a9gz
------------------------------------------------------------
17. 1/18: Lateda-B Trojan Executes Files
Backdoor.Lateda.B is a back door Trojan horse program that allows a remote attacker to
download and execute files onto a compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,4yef,8zhb,9s3s,a9gz
------------------------------------------------------------
18. 1/18: VBS.Rowam-A Trojan Deletes Files
VBS.Rowam.A is a Trojan horse that attempts to delete files and perform various nuisance
actions, including sending email to all addresses in the Microsoft Outlook address book.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,5db3,hfmr,9s3s,a9gz
------------------------------------------------------------
19. 1/18: Mydoom-AE Worm Modifies Hosts File
Mydoom.AE is a worm that modifies the Hosts file, in order to prevent the user from
accessing websites belonging to several antivirus companies.
http://nl.internet.com/ct.html?rtr=on&s=1,1c9m,1,7wwd,cd1y,9s3s,a9gz
------------------------------------------------------------

wawadave
PostPosted: Wed Jan 19, 2005 1:23 pm

1/19: Admincash Trojan Lowers Security
Downloader.Admincash is a Trojan horse program that infects the Explorer.exe file, lowers
security settings in Windows, and downloads adware and dialers.
http://nl.internet.com/ct.html?rtr=on&s=1,1cdo,1,buww,i11e,9s3s,a9gz
------------------------------------------------------------
5. 1/19: Wurmark-D Worm Searches for Addresses
Worm_Wurmark.D propagates via email by searching for target email addresses in files with
certain file name extensions.
http://nl.internet.com/ct.html?rtr=on&s=1,1cdo,1,47se,cvn8,9s3s,a9gz
------------------------------------------------------------
6. 1/19: Rbot-TV Worm Spreads to Remote Shares
W32/Rbot-TV is a worm that attempts to spread to remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1cdo,1,9ik,gdwl,9s3s,a9gz
------------------------------------------------------------
7. 1/19: Rbot-TW Worm Has Backdoor Functions
W32/Rbot-TW is a worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1cdo,1,2gop,lyj2,9s3s,a9gz
------------------------------------------------------------
8. 1/19: Kassbot-A Worm Exploits Several Flaws
W32/Kassbot-A is a network worm with backdoor functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1cdo,1,jfd,11xt,9s3s,a9gz
------------------------------------------------------------
wawadave
PostPosted: Thu Jan 20, 2005 4:59 pm

1/20: PWSteal.Tarno-L Trojan Logs Information
PWSteal.Tarno.L is a password-stealing Trojan horse program that attempts to log
information entered into web forms.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,eflj,b0om,9s3s,a9gz
------------------------------------------------------------
6. 1/20: Trojan.Tannick-B Monitors Sites Visited
Trojan.Tannick.B is a Trojan horse program that monitors Web sites visited and sends the
information to a remote attacker.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,45mo,3yp0,9s3s,a9gz
------------------------------------------------------------
7. 1/20: Gaobot.batch Worms Drop in Variants
Worms belonging to the Gaobot family use several methods in order to spread to other
computers.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,gpl0,ewyb,9s3s,a9gz
------------------------------------------------------------
8. 1/20: Oddbob-C Worm Contacts Web Site
W32/Oddbob-C is a worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,4b3,34qq,9s3s,a9gz
------------------------------------------------------------
9. 1/20: PWSteal.Formglieder a Trojan Horse
PWSteal.Formglieder is a Trojan horse program with keylogging capabilities that steals
passwords for several banking web sites and web applications.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,2r3b,9uxe,9s3s,a9gz
------------------------------------------------------------
10. 1/20: RemAdm-DWRC Detects Unwanted Apps
RemAdm-DWRC is a detection of application type for 'potentially unwanted applications,'
it is not a virus.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,cnu3,de8r,9s3s,a9gz
------------------------------------------------------------
11. 1/20: Bropia Worm Spreads Via MSN Messenger
Several vendors have issued alerts for W32/Bropia.worm, which may spread via MSN
Messenger.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,6kcb,5znd,9s3s,a9gz
------------------------------------------------------------
12. 1/20: Forbot-DR Worm Exploits LSASS Flaw
W32/Forbot-DR is a network worm with backdoor Trojan functionality accessible via IRC.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,iyr4,3gcd,9s3s,a9gz
------------------------------------------------------------
13. 1/20: Sdbot-TQ Worm Has Backdoor Functions
W32/Sdbot-TQ is a network worm with backdoor functionality for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1chc,1,hryp,35u7,9s3s,a9gz
------------------------------------------------------------

wawadave
PostPosted: Fri Jan 21, 2005 3:19 pm

wawadave
PostPosted: Sun Jan 23, 2005 4:18 pm

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, January 21 2005 - This week's virus report looks at three worms
-Bropia.A, Zar.A and Mydoom.AE-, and Gaobot.batch.

Bropia.A spreads via MSN Messenger. It does this by searching the
application for an instance of the class 'IMWindowClass' and, if it finds
one, it sends itself out with one of the following names: Drunk_lol.pif,
Webcam_004.pif, sexy_bedroom.pif, naked_party.pif and love_me.pif.

After it is run, Bropia.A searches -in %systemdir%- files with the following
names: adaware.exe, VB6.EXE, lexplore.exe and Win32.exe. If they don't
exist, it creates a file that contains a copy of a variant of Gaobot.
Bropia.A also generates several empty files in the path %systemdir% and
opens them to prevent the taskmgr.exe and cmd.exe processes from executing.
Similarly, Bropia.A disables the CTRL+ALT+Del key combination, and can also
disable the right button on the mouse.

Zar.A spreads via email in a message that refers to the tsunamis that struck
Asia in December 2004. Both the subject and the message text make an appeal
for help for the victims, and the attachment is called TSUNAMI.EXE. When the
file is run, the computer is infected by Zar.A, which, using MAPI, sends a
copy of itself to all addresses in the Outlook address book.

Zar.A creates three files and generates a Windows registry entry to ensure
that it is run every time the computer is started up. This worm also tries
to launch Denial of Service attacks (DoS), against the w w w.hacksector.de
website.

The next worm we'll be looking at today is Mydoom.AE, which spreads in an
email with variable characteristics, and through P2P file sharing programs.

Once it infects a computer, Mydoom.AE takes the following action:

- It opens Notepad and displays a text made up of random characters.

- It alters the HOSTS file to prevent users from accessing the web pages of
certain antivirus companies. It also terminates processes belonging to
certain antivirus programs, leaving the computer vulnerable to attack from
other malware.

- It terminates processes belonging to malware.

- It tries to download a file from the Internet.

We end today's report with a mention of Gaobot.batch, which is a batch
process file that deletes the original Gaobot file when this has been
installed on the computer.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Batch files / BAT files: Files with a BAT extension that allow operations
to be automated.

- MAPI (Messaging Application Program Interface): A system used to enable
programs to send and receive e-mail via a certain messaging system.

More technical definitions at:
http://www.pandasoftware.es/virus_info/glosario/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
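The HOSTS tampering that the report attributes to Mydoom.AE (and that the 1/18 Mydoom-AE item earlier in the thread also mentions) leaves an artifact a defender can check for directly. The script below is an added example, not code from the thread, Panda Software or any vendor named here: it parses a HOSTS file and flags entries that send a hostname other than the standard loopback names to a loopback or null address, plus any entry that pins a domain from a watchlist. The report does not say which antivirus companies Mydoom.AE blocks, so the watchlist and the sample HOSTS content are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Addresses a HOSTS entry uses when the goal is to make a site unreachable.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Hostnames that legitimately map to loopback in a stock HOSTS file.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters",
}

# Constructed watchlist (assumption): the report only says "certain antivirus
# companies", so these vendor domains are illustrative, not taken from the page.
AV_WATCHLIST = ("pandasoftware.com", "symantec.com", "mcafee.com", "sophos.com")


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) for every non-comment HOSTS line."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # malformed line: address with no hostname
            continue
        yield n, parts[0], parts[1:]


def _on_watchlist(hostname: str) -> bool:
    """True if hostname is a watchlisted domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in AV_WATCHLIST)


def audit_hosts(text: str) -> List[Finding]:
    """Return suspicious HOSTS entries in file order."""
    findings: List[Finding] = []
    for n, addr, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if _on_watchlist(lname):
                findings.append(Finding(n, addr, name,
                                        "antivirus vendor domain pinned in HOSTS"))
            elif addr in SINKHOLE_ADDRS and lname not in LEGIT_LOOPBACK_NAMES:
                findings.append(Finding(n, addr, name,
                                        "non-local hostname sent to loopback/null address"))
    return findings


# Constructed sample: a stock file plus two injected lines of the kind the report
# describes, and one legitimate internal override that must not be flagged.
SAMPLE_HOSTS = """\
# constructed sample header
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.pandasoftware.com
0.0.0.0    liveupdate.example-av.test   # added by malware
10.0.0.5   intranet.corp.example        # legitimate internal override
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} {f.hostname} -> {f.reason}")
```

On a live Windows system the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the same parser handles the Unix /etc/hosts layout.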