Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances

wawadave Warrior Obsessed
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Mon Nov 29, 2004 7:01 pm Post subject: Virus alerts for week of 11/29/04

11/29: Banker-AG Trojan Steals Bank Info
Troj/Banker-AG is a Trojan for the Windows platform that attempts to steal confidential
information when a user visits banking-related websites.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,8z75,2o9m,9s3s,a9gz
------------------------------------------------------------
6. 11/29: Netsky-AE a Mass-Mailing Worm
W32/Netsky-AE is a mass-mailing worm of the Netsky family.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,85u,f0l6,9s3s,a9gz
------------------------------------------------------------
7. 11/29: Bancban-AH a Password-Stealing Trojan
Troj/Bancban-AH is a password-stealing Trojan targeted at customers of certain Brazilian
banks.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,eume,7qbb,9s3s,a9gz
------------------------------------------------------------
8. 11/29: Sality-H a Prepending Virus
W32/Sality-H is a prepending virus that also acts as a keylogger.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,i4na,as0l,9s3s,a9gz
------------------------------------------------------------
9. 11/29: JS/Spawn-C an Encoded Worm
JS/Spawn-C is a version of the JS/Spawn-A worm, which is encoded to prevent detection.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,kglx,kimg,9s3s,a9gz
------------------------------------------------------------
10. 11/29: Forbot-CW Worm Exploits Shares
W32/Forbot-CW is a worm that attempts to spread to remote network shares and computers
vulnerable to common exploits.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,mdrf,jzsg,9s3s,a9gz
------------------------------------------------------------
11. 11/29: Garroch Worm Mails Itself to Contacts
W32.Garroch@mm is a simple worm that sends itself to all addresses it finds in the
Microsoft Outlook address book.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,kw1b,94za,9s3s,a9gz
------------------------------------------------------------
12. 11/29: QLowZones-2 Modifies IE Settings
QLowZones-2 is a detection for multiple Trojans, all of which have the same standard
characteristics, according to McAfee.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,lsax,ct0f,9s3s,a9gz
------------------------------------------------------------
13. 11/29: Setclo Worm Copies Itself to Shares
W32.Setclo is a worm that propagates by copying itself to any open network shares it
locates.
http://nl.internet.com/ct.html?rtr=on&s=1,195w,1,i6tl,l6sl,9s3s,a9gz
------------------------------------------------------------ _________________ RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd

wawadave Warrior Obsessed
Posted: Tue Nov 30, 2004 6:07 pm

11/30: Mugly-A Worm Executes Second Worm
Mugly.A is a worm that drops and executes another worm, detected by Panda Software as
W32/Gaobot.BXG.worm.
http://nl.internet.com/ct.html?rtr=on&s=1,199d,1,3ela,73ch,9s3s,a9gz
------------------------------------------------------------
7. 11/30: Mugly-B Second Variant of the Day
W32/Mugly.b@mm is another variant of the Mugly email worm that was discovered today.
http://nl.internet.com/ct.html?rtr=on&s=1,199d,1,hipl,6yxt,9s3s,a9gz
------------------------------------------------------------
8. 11/30: Jabbit-A Virus Infects HTML Files
Jabbit.A is a virus that infects the HTML files that are located in the directory where
it is run.
http://nl.internet.com/ct.html?rtr=on&s=1,199d,1,7vsi,cikx,9s3s,a9gz
------------------------------------------------------------
9. 11/30: Symb/Cabir-B Worm Targets Cell Phones
Symb/Cabir-B is a worm written specifically for Nokia Series 60 mobile phones running the
Symbian operating system.
http://nl.internet.com/ct.html?rtr=on&s=1,199d,1,fs2d,azot,9s3s,a9gz
------------------------------------------------------------
10. 11/30: SymbOS/Skulls-B is a Trojan
SymbOS/Skulls.b is a trojan that is similar to its predecessor, SymbOS/Skulls.a.
http://nl.internet.com/ct.html?rtr=on&s=1,199d,1,llb1,i5g6,9s3s,a9gz
------------------------------------------------------------
11. 11/30: Dloader-EP a Downloader Trojan
Troj/Dloader-EP is a downloader Trojan.
http://nl.internet.com/ct.html?rtr=on&s=1,199d,1,4lwx,53jm,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Wed Dec 01, 2004 1:40 pm

12/1: PWS-Banker.D Trojan Targets E-Gold
PWS-Banker.D is a detection for several password-stealing trojans - typically those
targeted at E-Gold account holders.
http://nl.internet.com/ct.html?rtr=on&s=1,19cp,1,7v0e,c0hq,9s3s,a9gz
------------------------------------------------------------
8. 12/1: Iframebof-b a Malicious HTML File
HTML_Iframebof.B is a malicious HTML file that exploits a known IFRAME vulnerability
affecting Microsoft Internet Explorer and enables the execution of arbitrary codes on
affected machines.
http://nl.internet.com/ct.html?rtr=on&s=1,19cp,1,403g,3yz0,9s3s,a9gz
------------------------------------------------------------
9. 12/1: PWSteal.Tarno-K Trojan Grabs Passwords
PWSteal.Tarno.K is a Trojan horse program that attempts to steal passwords and log
information entered into Web forms.
http://nl.internet.com/ct.html?rtr=on&s=1,19cp,1,clor,l4o1,9s3s,a9gz
------------------------------------------------------------
10. 12/1: Salga-A Worm Uses Outlook Contacts
W32.Salga.A@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all
the email addresses that it finds in the Outlook Address Book.
http://nl.internet.com/ct.html?rtr=on&s=1,19cp,1,dor3,b64,9s3s,a9gz
------------------------------------------------------------
11. 12/1: pcAudit a Spyware Program
pcAudit is a spyware program, which is developed by a private company in order to test
the security level in a computer.
http://nl.internet.com/ct.html?rtr=on&s=1,19cp,1,39h6,gm4b,9s3s,a9gz
------------------------------------------------------------
12. 12/1: Wurmark-A a VB Mass-Mail Worm
W32/Wurmark-A is a Visual Basic mass-mailing worm.
http://nl.internet.com/ct.html?rtr=on&s=1,19cp,1,e9ow,9743,9s3s,a9gz
------------------------------------------------------------
13. 12/1: Agobot-NX a Backdoor Trojan & Worm
W32/Agobot-NZ is a backdoor Trojan and worm which spreads to computers protected by weak
passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,19cp,1,lzm8,5mis,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Thu Dec 02, 2004 5:29 pm

12/2: JS.Kidrash a Java Script Program
JS.Kidrash is a Java Script program that adds random garbage data to .html and .js files.
http://nl.internet.com/ct.html?rtr=on&s=1,19ha,1,e107,5ahy,9s3s,a9gz
------------------------------------------------------------
6. 12/2: Aidid Virus Overwrites A Drive Files
W32.Aidid is a virus that overwrites all files in the A drive with a copy of itself.
http://nl.internet.com/ct.html?rtr=on&s=1,19ha,1,2di5,gcmn,9s3s,a9gz
------------------------------------------------------------
7. 12/2: QLowZones-4 Trojans Attack IE
QLowZones-4 is a detection that covers multiple Trojans, all of which have the same
standard characteristics.
http://nl.internet.com/ct.html?rtr=on&s=1,19ha,1,6vou,ewr4,9s3s,a9gz
------------------------------------------------------------
8. 12/2: Anzae a Mass-Mailing Worm
W32/Anzae.worm.gen is a generic detection for the W32/Anzae.worm family of viruses.
http://nl.internet.com/ct.html?rtr=on&s=1,19ha,1,jdo8,3ywp,9s3s,a9gz
------------------------------------------------------------
9. 12/2: Agobot-OL Worm Targets Passwords
W32/Agobot-OL is a worm with backdoor functionality that spreads to computers protected
by weak passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,19ha,1,g7nn,j1fl,9s3s,a9gz
------------------------------------------------------------
10. 12/2: Agobot-OH Worm Has Backdoor Functions
W32/Agobot-OH is a worm with backdoor functionality that spreads to computers protected
by weak passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,19ha,1,ah1s,694t,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Fri Dec 03, 2004 11:40 am

Slow day for viruses. Must be waiting for Xmas rush.
12/3: Rbot-QX a Worm and IRC Trojan
W32/Rbot-QX is a network worm and IRC backdoor Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,19jc,1,3mvu,b1my,9s3s,a9gz
------------------------------------------------------------
4. 12/3: Atak-D an Email Worm
W32/Atak.d@mm is a worm that bears certain characteristics.
http://nl.internet.com/ct.html?rtr=on&s=1,19jc,1,6alo,qf9,9s3s,a9gz
------------------------------------------------------------
5. 12/3: Netsky-Z@mm!enc Detects Netsky
W32.Netsky.Z@mm!enc is an .enc detection for MIME-encoded files that contain the
W32.Netsky.Z@mm worm.
http://nl.internet.com/ct.html?rtr=on&s=1,19jc,1,3za3,7j2m,9s3s,a9gz
------------------------------------------------------------
6. 12/3: Rbot.Add Worm Uses Windows Flaw
Worm_Rbot.Add spreads via network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,19jc,1,6w0l,ebiv,9s3s,a9gz

wawadave Warrior Obsessed
Posted: Fri Dec 03, 2004 8:05 pm

Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, December 3 2004 - This week's report looks at two worms -Mugly.A and
Gaobot.BXG-, a virus called Jabbit.A, the Skulls.B Trojan and an application
called pcAudit.
Mugly.A is a worm that spreads via email in a message with variable
characteristics that includes an attachment called ATTACHED.ZIP. This file
in turn contains an executable file, which is actually the worm itself.
In the computer it infects, Mugly.A searches files with the following
extensions: ADB, ASP, DBX, DOC, HTM, HTML, PHP, SHT, TBB, TXT or WAB, looking
for email addresses to which to send itself, unless the addresses contain
text referring to antivirus companies.
After it's run, Mugly.A displays an image on screen, and installs and runs
another worm, which Panda Software detects as Gaobot.BXG, which spreads by
making copies of itself in shared network resources that it manages to
access.
Gaobot.BXG affects computers with Windows 2003/XP/2000/NT, exploiting the
LSASS, RPC DCOM and WebDAV vulnerabilities. It also connects to an IRC
server and awaits orders to carry out malicious actions such as obtaining
information from the PC, executing files and carrying out Distributed Denial
of Service attacks (DDoS).
Jabbit.A is a virus that doesn't spread automatically and reaches computers
when it is distributed through any of the usual means (floppies, CD-ROMs,
emails, etc.) in previously infected files. The virus uses 'prepending'
techniques to infect HTML files that are in the directory in which it is
executed. It also creates copies of itself in the Favorites folder and makes
all links in the folder point to the virus, so it is run whenever users
access the links.
After it infects a PC, on the 13th of each month Jabbit.A makes several
messages appear on screen. It then opens the Internet Explorer and displays
a certain web page.
The next malicious code we will look at today is Skulls.B, a Trojan that has
been distributed through cellphone forums and needs user interaction in
order to install itself. It affects mobile phones using the Symbian
operating system. Although the initial targets were Nokia 7610 phones, other
devices based on the Symbian operating system can also be affected.
Skulls.B changes the icons of all the applications on the phone for others
belonging to a certain system application. It also installs files
corresponding to other malware that also affects phones based on Symbian and
detected by Panda Software as Cabir.A.
We end today's report with pcAudit, a program developed by a private company
to check the level of security of the computer. By simulating a hacker
attack, it tries to send data (such as files and folders in the My documents
directory, screenshots, keystrokes, etc.) to a server. If it manages to send
information, the consequences can be serious as it will be transmitted over
the Internet without any kind of encryption.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- Freeware: legal software distributed free of charge.
- Prepending: This is a technique used by viruses for infecting files by
adding their code to the beginning of the file. By doing this, these viruses
ensure that they are activated when an infected file is used.
More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

wawadave Warrior Obsessed
Posted: Thu Dec 09, 2004 12:18 pm

12/9: Setclo-A Worm Carries Executable
W32/Setclo-A is a network worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,19z3,1,loa8,5hl6,9s3s,a9gz
------------------------------------------------------------
8. 12/9: Gaobot-BUU a Network-Aware Worm
W32.Gaobot.BUU is a network-aware worm that has backdoor capabilities and can be
controlled through IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,19z3,1,lhz2,ccbf,9s3s,a9gz
------------------------------------------------------------
9. 12/9: Maslan-A Worm Gives Attacker Access
Some security vendors have issued alerts for W32.Maslan.A@mm, a worm that uses
mass-mailing, exploits, password-stealer, and rootkit techniques.
http://nl.internet.com/ct.html?rtr=on&s=1,19z3,1,fuxm,be81,9s3s,a9gz
------------------------------------------------------------
10. 12/9: Maslan-C a Mass-Mailing Worm
W32/Maslan.c@MM is a worm that propagates by mass-mailing itself to victims and spreading
to machines via poorly secured shares or unpatched exploits.
http://nl.internet.com/ct.html?rtr=on&s=1,19z3,1,m811,e0hs,9s3s,a9gz
------------------------------------------------------------
11. 12/9: AdClicker-BP a Screensaver App
AdClicker-BP is an application type for 'potentially unwanted programs'; it is not a
virus.
http://nl.internet.com/ct.html?rtr=on&s=1,19z3,1,a68l,d52t,9s3s,a9gz
------------------------------------------------------------
12. 12/9: Anig-C Worm Copies Itself Over Network
W32/Anig-C is a worm that can spread by copying itself over network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,19z3,1,l2bb,28g0,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Fri Dec 10, 2004 8:14 pm

12/10: Bagle-AA an Email-Aware Worm
W32/Bagle-AA is an email aware worm, and a member of the W32/Bagle family of worms.
http://nl.internet.com/ct.html?rtr=on&s=1,1a2q,1,fjtc,l83p,9s3s,a9gz
------------------------------------------------------------
5. 12/10: Bagle-BG Arrives in Zip File
W32/Bagle.bg@MM is a new email worm that arrives by email in a password protected zip
file.
http://nl.internet.com/ct.html?rtr=on&s=1,1a2q,1,f02g,da8e,9s3s,a9gz
------------------------------------------------------------
6. 12/10: Bagle-BF a Mass-Mailing Worm
W32/Bagle.bf@MM is a virus that is simply a repackaging of W32/Bagle.aa@MM.
http://nl.internet.com/ct.html?rtr=on&s=1,1a2q,1,fapx,l4lc,9s3s,a9gz
------------------------------------------------------------
7. 12/10: JS.Speth Worm a Java Script File
JS.Speth.Worm is a Java Script file that copies itself throughout the C drive of the
infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1a2q,1,goo6,8iiy,9s3s,a9gz
------------------------------------------------------------
8. 12/10: Agobot-NX an IRC Trojan & Worm
W32/Agobot-NX is an IRC backdoor Trojan and network worm that is capable of spreading to
computers on the local network protected by weak passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,1a2q,1,574d,jyo8,9s3s,a9gz
Slow week so far for viruses!!! Let's hope it stays that way!!!!

wawadave Warrior Obsessed
Posted: Sat Dec 11, 2004 1:43 pm

Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, December 10 2004 - This week's virus report looks at four worms: Maslam.A, Maslam.B, Atak.D and Atak.E.
Maslam.A and Maslam.B affect computers running Windows 95/98/ME/NT/2000/XP, by exploiting the LSASS vulnerability. They send themselves out via email using their own SMTP engine. Both worms have the following characteristics.
- They monitor Internet Explorer Windows, searching for those containing the following strings: evocash, e-bullion, e-gold, mail, bank, trade or paypal. When they find one, they log all the information entered by the user and send it to a website.
- They search for files with the extension rar, zip, pif or exe, and which have the following text strings in the path name: distr, download, setup or share, and then replace these files with copies of themselves.
- When they are run they display an error message on screen.
The main difference between the A and B variants of Maslam is the name of the file attached to the message in which they are sent and the text that appears in the subject field of the email.
The other two worms that we are looking at in today's report are the D and E variants of Atak, which spread via email in messages with variable characteristics. The emails include an attachment with the extension bat, com, exe, pif or scr. This file is sometimes compressed in a zip file. Both of these worms also spoof the email address of the sender in order to trick the recipient.
Atak.D and Atak.E also have the following characteristics:
- They use their own SMTP engine to send themselves to addresses obtained from the computers they infect.
- In the Windows system directory, they create a copy of the worms -in the case of Atak.D this file is called A1G.EXE, and with Atak.E it is called DAPDLL.EXE.
- They edit a registry entry to ensure it is run every time the system is started up.
The main differences between Atak D and E are:
- Atak.D is 12037 bytes when compressed with FSG, while the E variant is 11189 bytes.
- The mutex they create to make sure there is no more than one copy of the worm running at a time is different for each worm.
For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
------------------------------------------------------------
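
A mail-gateway check for the attachment traits the Panda reports above describe (an executable inside ATTACHED.ZIP for Mugly.A; bat, com, exe, pif or scr attachments, sometimes zipped, for Atak.D and Atak.E), added here as an example and not part of the original posts or Panda's report. The function names, sample messages and member names are constructed for illustration, and the encrypted-member flag goes beyond the reports to cover password-protected zips such as the one the Bagle.bg alert mentions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment extensions the report lists for Atak.D/E.
RISKY_EXT = {".bat", ".com", ".exe", ".pif", ".scr"}

def ext_of(name):
    """Lower-cased final extension, so 'a.txt.SCR' and 'a.exe.' are caught."""
    name = name.lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def inspect_zip(data):
    """Return reasons to hold a zip payload, reading only its directory."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                    reasons.append("encrypted member: " + info.filename)
                if ext_of(info.filename) in RISKY_EXT:
                    reasons.append("executable in zip: " + info.filename)
    except zipfile.BadZipFile:
        reasons.append("unreadable zip")
    return reasons

def triage(raw_message):
    """Return (attachment name, reason) pairs for one raw mail message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = ext_of(name)
        if ext in RISKY_EXT:
            findings.append((name, "executable attachment"))
        elif ext == ".zip":
            payload = part.get_payload(decode=True) or b""
            findings.extend((name, r) for r in inspect_zip(payload))
    return findings

def build_sample(attachment_name, payload):
    """Constructed message; addresses and contents are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("body")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

def zip_with(member_name):
    """Constructed zip holding one harmless member with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"harmless placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample("ATTACHED.ZIP", zip_with("document.exe"))))
    print(triage(build_sample("notes.zip", zip_with("notes.txt"))))
```

Only the zip directory is read, so encrypted archives are flagged without a password and no member is ever extracted.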