Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
wawadave (Warrior Obsessed)
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Mon May 31, 2004 8:32 am Post subject: virus security alerts for 05 031
WHY WINDOWS IS A SECURITY NIGHTMARE
Security in all mainstream operating systems is non-existent;
however, things are especially bad for Windows.
http://www.net-security.org/news.php?id=5271
WHAT'S IN A NAME- IDENTITY THEFT
One of the most precious things you own is your good name.
http://www.net-security.org/news.php?id=5277
THE RISING COST OF PROTECTING YOUR IDENTITY
With identity theft rampant, we need to be cautious with our personal
information. But consumer advocates say there's something else we
ought to be vigilant about: expensive services for identity theft
protection.
http://www.net-security.org/news.php?id=5289
RUSSIA - A HAPPY HAVEN FOR HACKERS
For all its disadvantages, the former Soviet Union had one hugely
overlooked advantage: it kept hackers, crackers and virus writers
confined inside the country by restricting their access to the
internet.
http://www.net-security.org/news.php?id=5298
TAIWANESE NABBED FOR CREATING VIRUS USED BY CHINESE HACKERS
A Taiwanese computer engineer was arrested for allegedly designing a
worm that was used to attack the island's business and government
systems, police said Thursday.
http://www.net-security.org/news.php?id=5310
AUSSIE POLICE TO GAIN ACCESS TO STORED MESSAGES
Australian Attorney General Philip Ruddock has introduced amendments
to federal parliament that would ease police access in the country to
stored voice mails, e-mails and text messages.
http://www.net-security.org/news.php?id=5309
_________________ RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
Last edited by wawadave on Mon Jun 07, 2004 9:45 am; edited 1 time in total
wawadave
Posted: Mon May 31, 2004 8:40 am
This week's report on viruses and intrusions will
deal with five worms -Sasser.F, Cycle.A, Bagle.AC, Sober.G and Wallon.A-,
and Qhost.gen.
Sasser.F spreads via the Internet by exploiting the LSASS vulnerability. In
the computers it infects, this worm causes a buffer overflow in the
LSASS.EXE program, restarts the computer and displays a message on screen.
Like previous variants of Sasser, variant F spreads automatically across
Windows XP/2000 computers. It also works in the rest of the Windows
operating systems, if the file carrying this worm is run by a malicious
user.
Like the malicious code mentioned above, Cycle.A also spreads via the
Internet by exploiting the LSASS vulnerability and causes affected computers
to restart. It also ends the processes of the Blaster, Sasser.A, Sasser.B,
Sasser.C and Sasser.D worms and launches Denial of Service attacks (DoS)
against several websites when the system date is any other than May 1 to 18,
inclusive.
The third worm in today's report is Bagle.AC, which ends the processes of
several IT security applications, such as antivirus and firewall programs,
and of several worms. It also tries to connect, through port 14441, to
various websites that house a PHP script in order to notify the virus author
that the computer has been infected.
Sober.G is a worm that spreads via e-mail. This message can be written in
English or German, depending on the domain in the user's e-mail address. It
looks for e-mail addresses in files with certain extensions on the affected
computer, and sends itself out to the addresses it finds using its own SMTP
engine.
The fifth worm is Wallon.A, which installs itself on computers by exploiting
the Exploit/MIE.CHM vulnerability. To do this, it uses the following
propagation routine: the user receives an e-mail containing a link to a
certain website, if the user accesses the web page, Wallon.A will be
downloaded to the computer.
Wallon.A collects all of the addresses in the Windows Address Book and sends
them to an e-mail address. This worm also changes the home page of Internet
Explorer and if the Windows Address Book does not contain any addresses, it
displays an error message on screen.
We are going to finish this week's report with Qhost.gen, a generic
detection routine for HOSTS files modified by several malware, including
variants of the Gaobot worm. This file contains a series of lines that are
the first lines used by Windows to translate names to IP addresses (before
other services like WINS or DNS).
The HOSTS files are modified by this malware so that a list of web addresses
is associated with the IP address 127.0.0.1, making the addresses included in
this list inaccessible. These web pages are usually those of security
software manufacturers, such as anti-malware solutions. For this reason,
users of computers affected by Qhost.gen will not be able to access these
pages and obtain information, update their solution, etc.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
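The Qhost.gen item in the report above describes HOSTS entries that pin security-vendor sites to 127.0.0.1. The following is an added example, not code from the post or from Panda Software: a small Python parser run over a constructed HOSTS sample that flags every non-local hostname mapped to a loopback (or, going one step beyond the report, the unspecified 0.0.0.0) address. The vendor hostnames in the sample are constructed inputs for illustration, not real observations.

```python
"""Flag HOSTS-file entries of the kind Qhost.gen detects: hostnames that
are not local names but are pinned to a loopback or unspecified address,
so updates and advisories from those sites become unreachable."""
from ipaddress import ip_address

# Constructed sample resembling a tampered Windows HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.pandasoftware.com pandasoftware.com   # appended by malware
127.0.0.1 liveupdate.symantec.com
0.0.0.0   windowsupdate.microsoft.com
192.168.1.10    intranet.example.test
"""

# Hostnames that legitimately resolve to loopback on a stock system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; strips comments, handles several names per line
    and skips lines whose first token is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an address/name mapping
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def find_sinkholed(text):
    """Return the sorted, de-duplicated hostnames that a HOSTS file sends to a
    loopback or 0.0.0.0 address without being a legitimate local name."""
    hits = set()
    for ip, name in parse_hosts(text):
        addr = ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    for name in find_sinkholed(SAMPLE_HOSTS):
        print("suspicious sinkhole mapping:", name)
```

On a live Windows machine the same function can be pointed at the text of %SystemRoot%\System32\drivers\etc\hosts; an empty result means no vendor sites are being blackholed this way.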
wawadave
Posted: Tue Jun 01, 2004 9:05 pm
1. Financial Firms in Hackers' Crosshairs
IT security attacks on some of the world's leading financial institutions more than doubled from last year, according to a new survey from Deloitte & Touche.
http://nl.internet.com/ct.html?rtr=on&s=1,xho,1,czah,fjla,9s3s,a9gz
------------------------------------------------------------
2. 'Critical' CVS Heap Overflow Flaw Patched
Security researchers have discovered a heap overflow vulnerability in Concurrent Versions System (CVS), the source code maintenance system used to power open-source software development projects.
http://nl.internet.com/ct.html?rtr=on&s=1,xho,1,ki6g,7lvh,9s3s,a9gz
------------------------------------------------------------
3. 6/1: Lamud-A Spreads Via Network Shares
Worm_Lamud.A is a worm that spreads via network shares, according to Trend Micro, which issued an alert Tuesday.
http://nl.internet.com/ct.html?rtr=on&s=1,xho,1,ajgz,d9b6,9s3s,a9gz
wawadave
Posted: Wed Jun 02, 2004 2:53 pm
Phear of phishing, 05/31/04
Sophisticated e-mail scams are a potential disaster for Internet
commerce.
<http://www.nwfusion.com/research/2004/0531phishing.html?nl>
To catch a phisher, 05/31/04
An Ohio woman was sentenced earlier this year to 46 months in
prison as the apparent ringleader of a phishing scheme. Her
elaborate plan spanned multiple states, taking on many online
identities. In an investigation that lasted more than a year, a
special agent with the FBI laid out the tangled web he had to
cut through to find the phisher.
<http://www.nwfusion.com/research/2004/0531phishingcatch.html?nl>
wawadave
Posted: Wed Jun 02, 2004 2:58 pm
User protection, 05/31/04
Just as important as educating your consumers about phishing is
giving them some tools to protect themselves.
<http://www.nwfusion.com/research/2004/0531phishingside.html?nl>
wawadave
Posted: Fri Jun 04, 2004 11:29 pm
W32.Korgo.F Worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer
Overrun Vulnerability (BID 10108; MS04-011) on TCP port 445. It spreads by scanning randomly chosen IP addresses on MS systems that have not been patched. It also listens on TCP ports 113 and 3067, and could potentially open backdoors on those ports.
Next Steps?
To protect your computer from the recently found Korgo.F worm, you will need an antivirus, firewall, and intrusion detection solutions. Symantec advises home users to use Norton Internet Security to protect their computers. You should keep your subscription current at all times to ensure you have the latest protection updates. These protection updates are delivered automatically via Symantec’s LiveUpdate. We also recommend running Windows Update and installing the latest security patches.
wawadave
Posted: Sun Jun 06, 2004 9:04 am
Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, June 4, 2004 - In this week's report we are going to look at six
worms -Plexus.A, Cult.J and four variants of Korgo-, and at Protoride.gen.
Plexus.A spreads via the Internet by exploiting the RPC DCOM and LSASS
vulnerabilities -in the computers that have not been patched- and sending
itself out to the addresses it finds on the local machine and in mapped
drives.
Plexus.A overwrites the host file, preventing the computer from connecting
to certain web addresses of an antivirus company, and therefore, the PC will
not be able to update the protection installed. Plexus.A obtains the shared
directory for KaZaA and copies itself to it, and also creates copies of
itself in the shared folders in the network.
Cult.J spreads via e-mail in a message with the subject: 'Hello, I sent you
a beautiful love card. ^_*' and an attached file called:
'BEAUTIFULLOVE.PIF'. When this file is run, the worm sends a copy of itself
to a series of addresses using its own SMTP engine.
Cult.J goes memory resident and tries to connect to an IRC channel. If it
manages to establish a connection, this malicious code will give an attacker
remote access to the affected computer, allowing the attacker to carry out
the following actions, among others:
- Attacks through IRC.
- Send out confidential and system information.
- Download and run files.
- Send worms to other IRC channels.
Protoride.gen is a generic detection routine for the variants of the
Protoride worm, which could emerge in the future. The malicious code in this
family has the following characteristics:
- They spread across computer networks by copying themselves to the network
resources they manage to access.
- They connect to an IRC channel through port 6667 and wait for a hacker to
send remote control commands (to download and run files, hide active
processes, uninstall themselves, etc.).
- They modify a Windows Registry entry, preventing EXE files from running.
As a result, certain applications will not work.
The next worms in today's report are the C, D, E and F variants of Korgo,
which spread via the Internet by exploiting the LSASS vulnerability. All
four variants open port 3067 and listen in on it. They also try to connect
to IRC servers and are designed to prevent the computer from shutting down.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- IRC (Chat IRC): These are written conversations over the Internet in which
files can also be transferred.
- Resident / Resident virus: A program or file is referred to as resident
when it is stored in the computer's memory, continuously monitoring
operations carried out on the system.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.