Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Sun Nov 21, 2004 7:42 pm Post subject: Virus alerts for week of 11/22/04 |
"All truths are easy to understand once they are discovered;
the point is to discover them."
Galileo Galilei (1564-1642); Italian astronomer & physicist.
- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, November 21 2004 - This week's virus report looks at five worms
-Sober.I, Bagle.BG, Yanz.A, Drew.A and Aler.A-, and a Trojan called
Msnsoug.A.
Sober.I is sent by email using its own SMTP engine, in a message either in
German or English depending on the recipient. It gets email addresses from
the infected computer and stores them in files. In order to ensure it is run
whenever the computer is started up, it creates several entries in the
Windows registry.
Bagle.BG sends itself out in emails with variable characteristics. The
action it takes includes opening and listening on TCP port 2002. It acts as
a backdoor allowing access to the infected computer. Bagle.BG also
terminates processes belonging to certain applications that update antivirus
solutions, leaving the computer vulnerable to future attack.
Yanz.A is an email worm that spreads in messages with highly variable
characteristics and which displays false sender addresses. It can also use
P2P file-sharing programs to spread, creating copies of itself under variable
names in folders whose name contains the letters 'shar'.
Both the messages and the shared files it creates make reference to the
Chinese singer Sun Yan Zi.
Should the file containing the worm be executed, Yanz.A displays a small
window with the text "Kernel Hatasi". It also opens and listens on TCP port
67. Through this port it will try to download all sorts of malware, which
Yanz.A will immediately execute.
Drew.A spreads both via email and P2P applications. In the first case it
uses its own SMTP engine to send messages with a highly variable format.
Both the message subject and text, along with the name of the attachment are
chosen at random from a list of options. To spread via P2P applications,
Drew.A searches all folders with the text 'share' and copies itself to these
folders using names aimed at enticing users such as "Cameron Dias.scr",
"Delphi 8 keygen.com" and "DrWeb 4.32 Key.com".
If a user runs one of the attachments with Drew.A, this worm creates two
files on the affected computer with copies of itself. At the same time, it
sends itself to all entries in the user's address book and deletes all files
with HTM or TXT extension that it finds on the computer.
The last worm we'll look at today is Aler.A which, although it first
appeared a few days ago, has been distributed massively over the last week
in email messages. The messages have the subject "Latest News about Arafat
!!!", and include two attachments. One of them is an image file with a
picture of the funeral of the Palestinian politician. The other however,
contains code designed to exploit a vulnerability in Internet Explorer.
Through this flaw, it automatically installs the Aler.A worm which is
designed to spread across inadequately protected networks.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
------------------------------------------------------------ _________________ RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd |
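The Bagle.BG and Yanz.A entries in the report above each name a port the worm opens and listens on (TCP 2002 and TCP 67), and several of the worms send mail through their own SMTP engine. As an added example, not part of the original post or of Panda's report, here is a Python triage script that parses `netstat -ano` output together with a PID-to-image table, flags listeners on those ports, and also flags any process that both holds a listener and has an outbound connection to TCP 25. The netstat rows, PIDs and image names below are constructed for the example; the port table is the only thing taken from the report.

```python
import re
from collections import namedtuple

# Ports the Panda report attributes to backdoor listeners: Bagle.BG opens TCP 2002,
# Yanz.A opens TCP 67.  Add local entries as needed; the report is the only source here.
REPORT_BACKDOOR_PORTS = {2002: "Bagle.BG", 67: "Yanz.A"}

Socket = namedtuple("Socket", "proto local_ip local_port remote state pid")

# One socket per row, as printed by `netstat -ano` on Windows XP.  UDP rows have
# no State column, so that group is optional.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Parse raw `netstat -ano` output into Socket records; non-socket lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, ip, port, remote, state, pid = m.groups()
            sockets.append(Socket(proto, ip, int(port), remote, state or "", int(pid)))
    return sockets

def listeners(sockets):
    """Server-side sockets: TCP in LISTENING plus every bound UDP socket."""
    return [s for s in sockets
            if (s.proto == "TCP" and s.state == "LISTENING") or s.proto == "UDP"]

def flag_backdoor_ports(sockets, tasklist, ports=REPORT_BACKDOOR_PORTS):
    """(port, family, pid, image) for each listener on a port named in `ports`."""
    return [(s.local_port, ports[s.local_port], s.pid, tasklist.get(s.pid, "<unknown>"))
            for s in listeners(sockets) if s.local_port in ports]

def mass_mailer_pids(sockets):
    """PIDs that hold a listener AND have an established connection to remote TCP 25.

    A process running its own SMTP engine while also accepting inbound connections
    has the shape of the backdoor-plus-mailer the report describes for Bagle.BG;
    a normal mail client does the first but not the second.
    """
    listening = {s.pid for s in listeners(sockets)}
    smtp_out = {s.pid for s in sockets
                if s.proto == "TCP" and s.state == "ESTABLISHED" and s.remote.endswith(":25")}
    return sorted(listening & smtp_out)

# Constructed sample data for the example; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING       1688
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1052
  TCP    0.0.0.0:67             0.0.0.0:0              LISTENING       1700
  TCP    192.168.1.20:1049      192.0.2.25:25          ESTABLISHED     1688
  UDP    0.0.0.0:1026           *:*                                    1052
"""
# Constructed `tasklist`-style PID to image mapping; the image names are made up.
SAMPLE_TASKLIST = {4: "System", 924: "svchost.exe", 1052: "alg.exe",
                   1688: "sysxp.exe", 1700: "yanz.exe"}

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for port, family, pid, image in flag_backdoor_ports(socks, SAMPLE_TASKLIST):
        print(f"port {port} ({family}) held by pid {pid} {image}")
    print("listener + outbound SMTP:", mass_mailer_pids(socks))
```

On a live XP host the same functions take the output of `netstat -ano` and a dictionary built from `tasklist`; the PID join is what turns a port number into a file you can go and look at.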
wawadave Warrior Obsessed

Posted: Mon Nov 22, 2004 2:52 pm Post subject: |
11/22: Backdoor-CLK Trojan Copies Itself
BackDoor-CLK is a backdoor Trojan that, when executed, copies itself to the %Sysdir%
folder as CSMSS.EXE.
http://nl.internet.com/ct.html?rtr=on&s=1,18wa,1,drem,7u5n,9s3s,a9gz
------------------------------------------------------------
11/22: Trojan Exploits IE Flaw
Exploit-IEDobExt is a Trojan that exploits a vulnerability in Microsoft Internet Explorer
(IE) that allows a malicious website to bypass the 'download security warning' feature in
Microsoft Windows XP SP2.
http://nl.internet.com/ct.html?rtr=on&s=1,18wa,1,e5ac,66pq,9s3s,a9gz
------------------------------------------------------------
11/22: Swizzor-BQ Trojan Downloads, Runs Files
Troj/Swizzor-BQ is a downloader Trojan that attempts to download and run executable files
without the user's consent.
http://nl.internet.com/ct.html?rtr=on&s=1,18wa,1,u44,653f,9s3s,a9gz
------------------------------------------------------------
11/22: Sober-I a Mass-Mailing Worm
Security vendors have issued alerts for W32.Sober.I@mm, a mass-mailing worm that uses its
own SMTP engine to spread by sending itself as an email attachment to addresses gathered
from the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,18wa,1,65qq,76kz,9s3s,a9gz
------------------------------------------------------------
11/22: Trojan Targets Nokia Phones
Some security vendors have issued alerts for SymbOS/Skulls, a Trojan written for Nokia
Series-60 phones.
http://nl.internet.com/ct.html?rtr=on&s=1,18wa,1,gy5,gfr3,9s3s,a9gz
------------------------------------------------------------
11/22: Troj/Banker-AM Steals Bank Info
Troj/Banker-AM is a Trojan that steals bank details.
http://nl.internet.com/ct.html?rtr=on&s=1,18wa,1,38lp,4zxx,9s3s,a9gz
------------------------------------------------------------
11/22: Narod-D a Password-Stealing Trojan
Troj/Narod-D is a password stealing Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,18wa,1,bkd8,d16b,9s3s,a9gz
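Sober.I in the Nov 21 report persists by creating "several entries in the Windows registry", and BackDoor-CLK above installs itself as CSMSS.EXE in the system directory, one letter away from the legitimate csrss.exe. As an added example, not code from the original post or from either vendor, this Python script audits `reg query` output for the Run keys and flags two things: an image whose file name is within one edit of a well-known Windows image, and one image started by more than one Run value. The registry export, value names and paths are constructed for the example; the list of imitated system images is the editor's, not the report's.

```python
import ntpath
import re

# Windows image names that malware commonly imitates.  BackDoor-CLK's CSMSS.EXE is
# one substitution away from csrss.exe.  This list is the editor's choice.
SYSTEM_IMAGES = ["csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                 "winlogon.exe", "explorer.exe", "services.exe"]

# Constructed `reg query <key>` output in Windows XP formatting; not from a real machine.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    NvCplDaemon    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    System Service    REG_SZ    C:\WINDOWS\system32\csmss.exe
    WinData    REG_SZ    "C:\WINDOWS\system\winupd.exe" /k
    WinStart    REG_SZ    "C:\WINDOWS\system\winupd.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

_KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\")
# reg query indents values by four spaces and separates name / type / data by four.
_VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")

def parse_run_values(text):
    """Return (key, value_name, data) for every value listed under each key."""
    key, values = None, []
    for line in text.splitlines():
        if _KEY_LINE.match(line):
            key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            values.append((key, m.group(1), m.group(3)))
    return values

def image_of(data):
    """The program a Run value really starts: the quoted path, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]

def edit_distance(a, b):
    """Levenshtein distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(basename, known=SYSTEM_IMAGES, max_distance=1):
    """The known image this name imitates, or None when it is exact or unrelated."""
    name = basename.lower()
    for k in known:
        if name != k and edit_distance(name, k) <= max_distance:
            return k
    return None

def audit_run_values(text, known=SYSTEM_IMAGES):
    """Findings: ('lookalike', value_name, image, imitated) and
    ('multiple_entries', image_basename, value_names, None)."""
    findings, by_image = [], {}
    for _key, name, data in parse_run_values(text):
        image = image_of(data)
        base = ntpath.basename(image).lower()
        by_image.setdefault(base, []).append(name)
        target = lookalike_of(base, known)
        if target:
            findings.append(("lookalike", name, image, target))
    for base, names in by_image.items():
        if len(names) > 1:      # the "several entries" persistence pattern
            findings.append(("multiple_entries", base, tuple(names), None))
    return findings

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REG_QUERY
    for finding in audit_run_values(text):
        print(finding)
```

On a real host, pipe `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU key) into the script. The edit-distance check is deliberately strict (one edit) because two edits already start matching legitimate third-party names.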
wawadave Warrior Obsessed

Posted: Tue Nov 23, 2004 3:30 pm Post subject: |
11/23: Tasin-A Worm a 'High-Level Threat'
Security vendor Panda Software has issued a high threat level for Tasin.A, a worm that
spreads via e-mail in a message with variable characteristics.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,duqv,9ipr,9s3s,a9gz
------------------------------------------------------------
11/23: Exploit-DoubleExt Targets IE Flaw
Exploit-DoubleExt targets a vulnerability in Microsoft Internet Explorer (IE) allowing a
malicious website to bypass the 'download security warning' feature in Microsoft Windows
XP SP2.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,fcx4,58za,9s3s,a9gz
------------------------------------------------------------
11/23: Anzae-B Worm Sends Spanish Email
W32/Anzae.B is a mass-mailing worm written in MSVB.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,5sg3,hpij,9s3s,a9gz
------------------------------------------------------------
11/23: Agobot-OD Worm Lets Intruders In
W32/Agobot-OD is a network worm that allows unauthorized remote access to the computer
via IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,gr0j,kjdi,9s3s,a9gz
------------------------------------------------------------
11/23: Backdoor.Jupdate Lets Attacker In
Backdoor.Jupdate is a backdoor program that allows a remote attacker to download and
execute files on an infected machine.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,5e0q,1idq,9s3s,a9gz
------------------------------------------------------------
11/23: JS.Gynamed a JScript Virus
JS.Gynamed is a JScript virus that infects other JScript files.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,hvhy,el5b,9s3s,a9gz
------------------------------------------------------------
11/23: Backdoor.Sdbot.AH a Network-Aware Worm
Backdoor.Sdbot.AH is a network-aware worm with backdoor capabilities that spreads via
network shares and allows a remote attacker to gain unauthorized access to the infected
computer.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,mnn,dt85,9s3s,a9gz
------------------------------------------------------------
11/23: Tasin-B Worm Deletes Several File Types
Tasin.B is a worm that spreads via e-mail in a message with variable characteristics.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,hg57,k0nd,9s3s,a9gz
------------------------------------------------------------
11/23: Tasin-C Worm Spreads Via Email
Tasin.C is a worm that spreads via e-mail in a message with variable characteristics.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,guxj,3mdg,9s3s,a9gz
------------------------------------------------------------
11/23: Yanz-B Worm Written in MSVC
W32/Yanz.b@mm is a mass-mailing worm written in MSVC that contains its own SMTP engine to
construct outgoing messages.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,hy0s,5tic,9s3s,a9gz
------------------------------------------------------------
11/23: BackDoor-CLK Trojan Copies Itself
BackDoor-CLK is a back door Trojan that, when executed, copies itself to the %Sysdir%
folder as CSMSS.EXE.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,bure,g78z,9s3s,a9gz
------------------------------------------------------------
11/23: Anzae-A a Spanish Mass-Mail Worm
W32/Anzae-A is a Spanish mass-mailing worm.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,3k43,egut,9s3s,a9gz
------------------------------------------------------------
11/23: Favsin-A a Peer-to-Peer Worm
W32/Favsin-A is a peer-to-peer and email worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,18zd,1,umu,4amp,9s3s,a9gz
------------------------------------------------------------
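Three passages in this thread turn on the same file-name trick. In the Nov 21 report, Drew.A and Yanz.A drop lures such as "Cameron Dias.scr" and "Delphi 8 keygen.com" into any folder whose name contains 'shar'; the Exploit-IEDobExt and Exploit-DoubleExt items above use a misleading double extension to get past the XP SP2 download warning. As an added example, not code from the original posts or from the vendors, here is a Python classifier that derives the extension Windows will actually act on, flags a decoy inner extension and whitespace padding in front of the real one, and sweeps a list of paths for executable-type files under share folders. The paths and names are constructed for the example; the extension and bait-word lists are the editor's, seeded from the names the report quotes.

```python
import ntpath
import re

# Extensions Windows runs on double-click; the report's lures use .scr and .com.
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}
# Decoy inner extensions that make "photo.jpg.exe" read as an image or document.
DOC_EXTS = {"jpg", "jpeg", "gif", "bmp", "png", "txt", "doc", "pdf",
            "htm", "html", "zip", "mp3"}
# Bait words taken from the lure names quoted in the Nov 21 report, plus two common ones.
LURE_WORDS = ("keygen", "key", "crack", "serial")

def true_extension(filename):
    """The extension Windows acts on: text after the LAST dot, trailing blanks removed,
    so 'holiday.jpg            .exe' is an .exe no matter how it is displayed."""
    name = filename.rstrip()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()

def classify_name(filename):
    """List the reasons a file name deserves suspicion; an empty list means none."""
    reasons = []
    if true_extension(filename) not in EXEC_EXTS:
        return reasons
    reasons.append("executable_type")
    stem = filename.rstrip().rsplit(".", 1)[0]
    # A document/image extension right before the real one, optionally followed by
    # padding spaces that push the real extension out of the visible name.
    inner = re.search(r"\.([A-Za-z0-9]{1,5})(\s*)$", stem)
    if inner and inner.group(1).lower() in DOC_EXTS:
        reasons.append("double_extension")
        if inner.group(2):
            reasons.append("padded_extension")
    low = filename.lower()
    if any(re.search(rf"\b{re.escape(w)}\b", low) for w in LURE_WORDS):
        reasons.append("lure_word")
    return reasons

def scan_share_folders(paths):
    """(path, reasons) for suspicious files whose folder name contains 'shar', the
    substring Yanz.A matches to find P2P shares (Drew.A matches the longer 'share')."""
    hits = []
    for p in paths:
        folder, name = ntpath.split(p)
        if "shar" not in folder.lower():
            continue
        reasons = classify_name(name)
        if reasons:
            hits.append((p, reasons))
    return hits

# Constructed paths for the example; the folders and files are made up.
SAMPLE_PATHS = [
    r"C:\Program Files\KaZaA\My Shared Folder\Cameron Dias.scr",
    r"C:\Program Files\KaZaA\My Shared Folder\Delphi 8 keygen.com",
    r"C:\Program Files\KaZaA\My Shared Folder\song.mp3",
    r"D:\shared\DrWeb 4.32 Key.com",
    r"D:\shared\photo.jpg.exe",
    r"D:\shared\holiday.jpg                      .exe",
    r"C:\Program Files\eMule\Incoming\setup.exe",
    r"C:\Documents and Settings\dave\My Documents\report.doc",
]

if __name__ == "__main__":
    for path, reasons in scan_share_folders(SAMPLE_PATHS):
        print(f"{path!r}: {', '.join(reasons)}")
```

The folder filter is the worm's own selection rule turned around: whatever it copies itself into is exactly where a sweep should look first. The "Incoming" folder is skipped on purpose to show that limit; a full scan would drop the 'shar' test and keep the name classifier.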
wawadave Warrior Obsessed

Posted: Tue Nov 23, 2004 6:52 pm Post subject: |
This new virus is nicknamed Lazarus, since it comes back from the dead. Since files that are related to the virus are still on the computer, this helps actually resurrect the virus from the dead. How people will delete this virus altogether is the question at hand.
The newest variant in the Sober family of Windows viruses resurrects itself if some of the parts it leaves on infected machines are not deleted. The virus also tries to trick people into opening infected attachments by claiming that the message has been passed as clean by anti-virus scanners. Computer security firms warned people to be suspicious of unsolicited e-mails bearing attachments. The first Sober virus appeared in late October 2003 and was most prevalent in Germany.
http://channels.lockergnome.com/windows/archives/20041122_a_virus_from_the_dead.phtml
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
|
Posted: Wed Nov 24, 2004 12:51 pm Post subject: |
11/24: Anzae-C a Spanish Mass-Mail Worm
W32/Anzae-C is a Spanish mass-mailing worm.
http://nl.internet.com/ct.html?rtr=on&s=1,191s,1,jw75,h5vy,9s3s,a9gz
------------------------------------------------------------
11/23: Tasin-A Worm a 'High-Level Threat'
Security vendor Panda Software has issued a high threat level for Tasin.A, a worm that
spreads via e-mail in a message with variable characteristics.
http://nl.internet.com/ct.html?rtr=on&s=1,191s,1,duqv,9ipr,9s3s,a9gz
------------------------------------------------------------
11/23: Anzae-B Worm Sends Spanish Email
W32/Anzae.B is a mass-mailing worm written in MSVB.
http://nl.internet.com/ct.html?rtr=on&s=1,191s,1,5sg3,hpij,9s3s,a9gz
------------------------------------------------------------
11/23: Agobot-OD Worm Lets Intruders In
W32/Agobot-OD is a network worm that allows unauthorized remote access to the computer
via IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,191s,1,gr0j,kjdi,9s3s,a9gz
------------------------------------------------------------
11/23: Backdoor.Jupdate Lets Attacker In
Backdoor.Jupdate is a backdoor program that allows a remote attacker to download and
execute files on an infected machine.
http://nl.internet.com/ct.html?rtr=on&s=1,191s,1,5e0q,1idq,9s3s,a9gz
------------------------------------------------------------
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
|
Posted: Fri Nov 26, 2004 7:07 pm Post subject: |
- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, November 26 2004 - This week's virus report looks at four worms
-Tasin.A, Tasin.B, Tasin.C and Yanz.B-, and a Trojan called Skulls.A.
The A, B and C variants of Tasin send themselves out via email using their
own SMTP engine and through their own local SMTP server in variable messages
with text in Spanish. The three variants contain code that tries to delete
files with the following extensions: ASM, ASP, BDSPROJ, BMP, CPP, CS,
CSPROJ, CSS, DOC, DPR, FRM, GIF, HTM, HTML, JPEG, JPG, MDB, MP3, NFM, NRG,
PAS, PCX, PDF, PHP, PPT, RC, RC2, REG, RESX, RPT, SLN, TXT, VB, VBP, VBPROJ,
WAV and XLS.
Tasin.B and Tasin.C try to download a DLL from the Internet. They also
create the file "SS.EXE" in the Windows directory. This is a joke that Panda
Software detects as Joke/Beeper.
Apart from these common features, there is also a series of differences
between Tasin.A, Tasin.B and Tasin.C, including the following:
- Tasin.A establishes an HTTP connection with a certain website. After it's
run, several messages appear on screen giving the impression that it's a
game, when really they aim to distract users while Tasin.A sends itself out
rapidly via email.
- Tasin.B displays an error message.
- Once it has infected a PC, Tasin.C opens Internet Explorer and displays an
erotic image of a Spanish celebrity.
The fourth worm that we'll look at today is Yanz.B, which spreads in an
email message written in English with variable characteristics, and also
through P2P file-sharing programs. The email messages and contaminated files
include references to the singer Sun Yan Zi.
Yanz.B creates three JPG files, one of which contains the exploit
MS04-028.gen, which tries to exploit the 'Buffer Overrun in JPEG processing'
vulnerability. If this file is opened using a vulnerable application, a file
-which could be anything including malware- is downloaded from the Internet
and executed.
We end today's report with Skulls.A, a Trojan that has been distributed
through mobile cellphone forums. It affects mobile phones using the Symbian
operating system. Although the initial targets were Nokia 7610 phones, other
devices based on the Symbian operating system can also be affected by
Skulls.A.
To install itself on a cellphone, Skulls.A requires user intervention. To
attract the user's attention this Trojan simulates an installer for themes,
icons, etc. However, when it is installed, it changes all application icons
for skulls.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
|
Posted: Sun Nov 28, 2004 2:32 pm Post subject: |
"Remember that lost time does not return."
Thomas a Kempis (1375-1471); German author.
- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, November 28 2004 - This week's virus report looks at four worms
-Tasin.A, Tasin.B, Tasin.C and Yanz.B-, and a Trojan called Skulls.A.
The A, B and C variants of Tasin send themselves out via email using their
own SMTP engine and through their own local SMTP server in variable messages
with text in Spanish. The three variants contain code that tries to delete
files with the following extensions: ASM, ASP, BDSPROJ, BMP, CPP, CS,
CSPROJ, CSS, DOC, DPR, FRM, GIF, HTM, HTML, JPEG, JPG, MDB, MP3, NFM, NRG,
PAS, PCX, PDF, PHP, PPT, RC, RC2, REG, RESX, RPT, SLN, TXT, VB, VBP, VBPROJ,
WAV and XLS.
Tasin.B and Tasin.C try to download a DLL from the Internet. They also
create the file "SS.EXE" in the Windows directory. This is a joke that Panda
Software detects as Joke/Beeper.
Apart from these common features, there is also a series of differences
between Tasin.A, Tasin.B and Tasin.C, including the following:
- Tasin.A establishes an HTTP connection with a certain website. After it's
run, several messages appear on screen giving the impression that it's a
game, when really they aim to distract users while Tasin.A sends itself out
rapidly via email.
- Tasin.B displays an error message.
- Once it has infected a PC, Tasin.C opens Internet Explorer and displays an
erotic image of a Spanish celebrity.
The fourth worm that we'll look at today is Yanz.B, which spreads in an
email message written in English with variable characteristics, and also
through P2P file-sharing programs. The email messages and contaminated files
include references to the singer Sun Yan Zi.
Yanz.B creates three JPG files, one of which contains the exploit
MS04-028.gen, which tries to exploit the 'Buffer Overrun in JPEG processing'
vulnerability. If this file is opened using a vulnerable application, a file
-which could be anything including malware- is downloaded from the Internet
and executed.
We end today's report with Skulls.A, a Trojan that has been distributed
through mobile cellphone forums. It affects mobile phones using the Symbian
operating system. Although the initial targets were Nokia 7610 phones, other
devices based on the Symbian operating system can also be affected by
Skulls.A.
To install itself on a cellphone, Skulls.A requires user intervention. To
attract the user's attention this Trojan simulates an installer for themes,
icons, etc. However, when it is installed, it changes all application icons
for skulls.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
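Yanz.B, in the Nov 26 report and its Nov 28 repeat, carries a JPG built to trigger MS04-028, the 'Buffer Overrun in JPEG processing' bug. The public advisory for that bug (not this thread) gives the trigger shape: a comment (COM) segment whose two-byte length field is 0 or 1, which the vulnerable GDI+ code turned into a huge copy size by subtracting 2 before copying. As an added example, not from the posts or from Panda, here is a small JPEG marker walker in Python that lists the segments of a file and reports any whose declared length cannot even cover the length field itself. The two JPEG byte strings are constructed inside the block; no real sample is used.

```python
import struct
import sys

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))

def iter_segments(data):
    """Yield (marker, declared_length, offset) for each marker up to SOS or EOI.

    declared_length is None for standalone markers.  Scanning stops at SOS
    (entropy-coded data follows) and at any segment whose length is below 2,
    because such a segment cannot be stepped over without guessing its size.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 0
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d, got 0x%02x" % (pos, data[pos]))
        marker = data[pos + 1]
        if marker == 0xFF:          # 0xFF fill bytes before a marker are legal
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, None, pos
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts itself
        yield marker, length, pos
        if marker == SOS or length < 2:
            return
        pos += 2 + length

def ms04_028_findings(data):
    """Segments whose length field is 0 or 1: the shape that underflows a
    'length - 2' copy, which is the MS04-028 trigger the report's Yanz.B relies on."""
    return [(marker, length, offset)
            for marker, length, offset in iter_segments(data)
            if length is not None and length < 2]

def _segment(marker, payload):
    """Build a well-formed marker segment; the length field counts itself plus payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples, not real files: a JFIF APP0 header followed by a comment.
_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CLEAN_JPEG = b"\xff\xd8" + _APP0 + _segment(COM, b"made by hand") + b"\xff\xd9"
# Same layout, but the COM segment declares length 1 (bytes FF FE 00 01).
BAD_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x01" + b"\xff\xd9"

if __name__ == "__main__":
    # Usage: python jpeg_check.py [file.jpg]; with no argument the built-in samples run.
    if len(sys.argv) > 1:
        samples = [(sys.argv[1], open(sys.argv[1], "rb").read())]
    else:
        samples = [("CLEAN_JPEG", CLEAN_JPEG), ("BAD_JPEG", BAD_JPEG)]
    for name, blob in samples:
        bad = ms04_028_findings(blob)
        print(name, "suspicious length fields:" if bad else "ok", bad)
```

The walker stops at the first bad length rather than "repairing" it, which is the behaviour a hardened decoder needs as well: a length the file cannot account for is a parse failure, not a value to do arithmetic on. Mail gateways scanning for this family would apply the same check to every JPG attachment before the image ever reaches a GDI+ consumer.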