Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Virus alerts for week of 12/27/04

 
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Mon Dec 27, 2004 9:07 am    Post subject: Virus alerts for week of 12/27/04

Seasons Greetings from Virus Alerts to all our subscribers.

**********************************************************************

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, December 24 2004 - Today's report deals with three worms -Santy.A,
which started to spread rapidly at the beginning of the week, Mugly.C and
Gaobot.CDO-, the Constructor/Mastof virus, and a Trojan called Mastof.A.

Santy.A is a worm that uses the viewtopic.php vulnerability to spread via
the Internet. It affects servers that have versions earlier than 2.0.11 of
the phpBB installed and which have not been updated.

After infecting a computer, Santy.A takes the following actions, among
others:

- It uses Google to search for vulnerable computers.

- It overwrites all files with ASP, HTM, PHP, PHTM and SHTM extensions, and
replaces them with HTML code that displays a message.

- It slows down the affected server and Internet access.

The second worm we're looking at today is Mugly.C, which spreads using a
variable email message, with an attachment called ATTACHED.ZIP. This file
contains an executable which is actually the worm itself and will be sent in
an email.

Mugly.C searches through files on the affected machine with the following
extensions: ADB, ASP, DBX, DOC, HTM, HTML, PHP, SHT, TBB, TXT or WAB,
looking for email addresses to send itself to, except addresses that contain
text related to an antivirus company. This worm also prevents the user from
accessing web pages of certain antivirus companies.

After it is run, Mugly.C displays an image on screen, and installs and runs
another worm that Panda Software detects as Gaobot.CDO.worm.

Gaobot.CDO affects computers with Windows 2003/XP/2000/NT operating systems,
by exploiting the LSASS, RPC DCOM and WebDAV vulnerabilities. In order to
spread it makes copies of itself in the shared network resources that it
manages to access. Gaobot.CDO also connects to an IRC Server and awaits
orders.

The next codes we are looking at in today's report are Constructor/Mastof
and Mastof.A, which are closely linked to each other, as the second one is a
Trojan that has been created by the first to steal Yahoo Messenger
passwords.

Mastof.A, and the Trojans generated by Constructor/Mastof, include the
following features: they execute every time the PC is restarted, they stay
resident in the PC and they send the password they find to a specific Yahoo
address.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------

This should have gone on the last one, but they're still relevant!!
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
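An added defender-side check (not from wawadave's post or Panda's report) for the Santy.A symptom described in the report above: every ASP, HTM, PHP, PHTM and SHTM file under the web root overwritten with one identical page. It hashes those files and flags any single content shared by most of them; the sample web root it scans is constructed inside the code, so it runs offline.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions the Panda report says Santy.A overwrites.
TARGET_EXTS = {".asp", ".htm", ".php", ".phtm", ".shtm"}


def sha256_file(path, chunk=65536):
    """Stream-hash a file so large web roots do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_mass_overwrite(root, share_threshold=0.5, min_files=3):
    """Return groups of target files under `root` that share identical content.

    A group is reported when it holds at least `min_files` files AND more than
    `share_threshold` of all target files; a legitimately duplicated template
    rarely reaches that share, a Santy-style wipe does. Each hit also carries
    the modification-time spread of the group, which is close to zero when the
    files were overwritten in one pass.
    """
    by_hash = defaultdict(list)
    total = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            by_hash[sha256_file(path)].append(path)
            total += 1
    if total == 0:
        return []
    hits = []
    for digest, paths in by_hash.items():
        if len(paths) < min_files or len(paths) / total <= share_threshold:
            continue
        mtimes = [os.path.getmtime(p) for p in paths]
        hits.append({
            "sha256": digest,
            "count": len(paths),
            "total": total,
            "mtime_spread_s": max(mtimes) - min(mtimes),
            "paths": sorted(paths),
        })
    hits.sort(key=lambda h: h["count"], reverse=True)
    return hits


def build_sample_webroot():
    """Construct a throwaway web root (constructed data, not a real host):
    five files wiped with one defacement page, one untouched PHP file, and
    two non-target files that the check must ignore."""
    root = tempfile.mkdtemp(prefix="santy_check_")
    defaced = b"<html><body><h1>[constructed defacement text]</h1></body></html>\n"
    files = {
        "index.php": b"<?php echo 'still intact'; ?>\n",
        "about.htm": defaced,
        "news.asp": defaced,
        "forum/viewtopic.php": defaced,
        "forum/posting.phtm": defaced,
        "docs/readme.shtm": defaced,
        "style.css": b"body { color: black; }\n",
        "notes.txt": b"not a web page\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for hit in find_mass_overwrite(webroot):
        print(f"{hit['count']}/{hit['total']} web files share sha256 "
              f"{hit['sha256'][:16]}... (mtime spread {hit['mtime_spread_s']:.2f}s)")
        for p in hit["paths"]:
            print("  ", os.path.relpath(p, webroot))
```

On a real host, point `find_mass_overwrite` at the document root and compare the reported hashes against a known-good file inventory; a single hash covering most of the site is the signal, not any particular defacement text.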
wawadave
PostPosted: Mon Dec 27, 2004 9:16 am

"The History of the Universe is that of one man alone."
Jorge Luis Borges (1899-1986); Argentine writer.

- Weekly summary -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 25 2004 - Over the last five days, Oxygen3 24h-365d has
covered the following news stories -summarized below- and which can be read
in full at: http://www.pandasoftware.com/about/press/oxygen3/oxygen.asp

- Buffer overflow in VERITAS Backup Exec (12/20/04).
SecurityTracker has reported a buffer overflow vulnerability in VERITAS
Backup Exec in the processing of registration requests. A remote user could
send a large amount of specially-crafted data, created using a long host
name, in order to run arbitrary code with the privileges of one of the
VERITAS Backup Exec service processes (usually a domain administrative
account).

- Vulnerabilities in Windows Media Player (12/21/04).
According to SecurityTracker, two vulnerabilities have been detected in
Microsoft Windows Media Player. One of these could allow an attacker to run
arbitrary code while the second vulnerability could allow a remote user to
call the ActiveX Windows Media Player object to determine whether a certain
file exists on the user's system. These security problems have been resolved
on the recently released version 10 of Windows Media Player.

- Updates for PDF document viewers (12/22/04).
iDefense has warned that xpdf, an open-source application included in
multiple Linux distributions, is affected by a vulnerability that could
allow arbitrary code to be run. All users whose computers might be affected
by this flaw, are advised to install the new version 3.00pl2, or install a
specific patch. Additionally, Adobe has recently published a series of
patches that solve critical vulnerabilities in versions 6.0.0 to 6.0.2 of
Adobe Reader and Acrobat Reader for Windows and Macintosh.

- Virus hall of fame 2004 (12/23/04).
Among the malicious code that has appeared in 2004, Sasser, which has been
the most damaging worm, caused one of the most serious epidemics ever. The
most sophisticated was Noomy.A, which built web pages and sent messages to
chat channels as though it were another user. Amus.A was the most
talkative, as it used the Speech Engine in XP to announce its presence.

- Buffer overflow in the HP-UX FTP daemon (12/24/04).
A remote buffer overflow vulnerability has been detected affecting the FTP
(File Transfer Protocol) daemon included in several versions of
Hewlett-Packard's HP-UX. According to iDefense, the problem arises when
the daemon is configured (via /etc/inetd.conf) to log debug information
with the -v switch. This vulnerability could be exploited by an attacker
making a request with an overlong command. As a workaround, it is advisable
not to use the -v switch in the FTP daemon in /etc/inetd.conf. To correct
the problem, HP has released four updates.

NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
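An added example (not from the post or the iDefense advisory it summarises) that audits an inetd.conf for the HP-UX ftpd -v debug switch mentioned above and emits the entry with the switch removed, which is the workaround the report describes. It assumes the standard seven-field inetd.conf layout (service, socket type, protocol, wait, user, server path, server args) and that ftpd accepts grouped short flags such as -lv; the inetd.conf fragment it parses is constructed.

```python
FIELD_NAMES = ("service", "socket", "proto", "wait", "user", "server")

# Constructed /etc/inetd.conf fragment; not taken from any real host.
SAMPLE_INETD_CONF = """\
# constructed /etc/inetd.conf fragment
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l -v
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -v
"""


def parse_entry(line):
    """Split one active inetd.conf entry into named fields plus server args.
    Returns None for blank lines, comments and lines inetd would reject."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < len(FIELD_NAMES):
        return None
    entry = dict(zip(FIELD_NAMES, fields))
    entry["args"] = fields[len(FIELD_NAMES):]   # argv[0] followed by options
    return entry


def is_ftpd(entry):
    """Match on the server program's basename, whatever directory it lives in."""
    return entry["server"].rsplit("/", 1)[-1] == "ftpd"


def has_verbose_flag(token):
    """True for -v and for grouped short flags such as -lv (grouping assumed)."""
    return token.startswith("-") and not token.startswith("--") and "v" in token[1:]


def ftpd_verbose_entries(conf_text):
    """1-based line numbers of active ftpd entries that enable -v."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and is_ftpd(entry) and any(has_verbose_flag(t) for t in entry["args"]):
            hits.append(lineno)
    return hits


def strip_ftpd_verbose(conf_text):
    """Rewrite affected ftpd entries without the verbose flag; every other
    line, including comments and disabled entries, passes through unchanged."""
    out = []
    for line in conf_text.splitlines():
        entry = parse_entry(line)
        if entry and is_ftpd(entry) and any(has_verbose_flag(t) for t in entry["args"]):
            args = []
            for tok in entry["args"]:
                if has_verbose_flag(tok):
                    tok = "-" + tok[1:].replace("v", "")
                    if tok == "-":          # the token was a bare -v; drop it
                        continue
                args.append(tok)
            line = " ".join([entry[k] for k in FIELD_NAMES] + args)
        out.append(line)
    tail = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + tail


if __name__ == "__main__":
    for n in ftpd_verbose_entries(SAMPLE_INETD_CONF):
        print(f"line {n}: ftpd runs with -v (debug logging); remove the switch")
    print(strip_ftpd_verbose(SAMPLE_INETD_CONF))
```

After editing the real file, inetd must re-read it (on HP-UX, `inetd -c`) before the change takes effect; the rewrite here collapses whitespace only on the lines it changes.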
wawadave
PostPosted: Mon Dec 27, 2004 9:19 am

"Nothing fixes a thing so intensely in the memory
as the wish to forget it."
Michel de Montaigne (1533-1592) French essayist.

wawadave
PostPosted: Mon Dec 27, 2004 9:31 am

Google Nukes Santy Worm, But Threat Remains
By Ryan Naraine
December 22, 2004

A decision by Google Inc. to block certain search queries has helped thwart the spread of the Santy worm, but the public release of the worm's source code could lead to new attacks, security experts warned on Wednesday.

Google began filtering the worm's queries late Tuesday night, effectively stopping the Santy propagation on vulnerable Web forums running the freely distributed phpBB software.

http://www.eweek.com/article2/0,1759,1744990,00.asp
wawadave
PostPosted: Mon Dec 27, 2004 5:47 pm

12/27: Troj/Bancos-AS a Password-Stealing Trojan
Troj/Bancos-AS is a password stealing Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,12ps,8nzd,9s3s,a9gz
------------------------------------------------------------
4. 12/27: Agent-ZC Trojan Sends Spam
Troj/Agent-ZC is a Trojan for the Windows platform that can be used for sending
unsolicited commercial email (spam) as a result of instructions downloaded from a
preconfigured website.
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,irw8,3ghb,9s3s,a9gz
------------------------------------------------------------
5. 12/27: Trojan.Phel-A Distributed as HTML
Trojan.Phel.A is a Trojan horse program that is distributed as an HTML file, and attempts
to exploit the Microsoft Internet Explorer HTML Help Control Local Zone Security
Restriction Bypass Vulnerability (BID 11467).
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,jwr9,je83,9s3s,a9gz
------------------------------------------------------------
6. 12/27: Perl.Santy-C Worm Hits Web Servers
Perl.Santy.C is a worm written in Perl script that attempts to spread to Web servers
running versions of the phpBB 2.x bulletin board software prior to 2.0.11.
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,amfs,4q1h,9s3s,a9gz
------------------------------------------------------------
7. 12/27: Santy-B Worm Written in Perl Script
Perl.Santy.B is a worm written in Perl script that attempts to spread to Web servers
running versions of the phpBB 2.x bulletin board software prior to 2.0.11.
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,9tw9,kdk2,9s3s,a9gz

------------------------------------------------------------
8. 12/27: HLP_Exploit are .HLP Files
HLP_Exploit.A is Trend Micro's detection for the proof of concept .HLP files that, if
loaded, would cause a buffer overflow on WINHLP32.EXE.
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,k66k,31yc,9s3s,a9gz
------------------------------------------------------------
9. 12/27: Loadimg-A Trojan an Icon File
Troj_Loadimg.A is Trend Micro's detection for a proof-of-concept icon file that, if
loaded, could cause a buffer overflow on the USER32 Library.
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,evvf,jvpt,9s3s,a9gz
------------------------------------------------------------
10. 12/27: Pe_Stream-A a Direct Infector Virus
Pe_Stream.A is a new generation of Windows virus.
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,jwdy,kgg5,9s3s,a9gz
------------------------------------------------------------
11. 12/27: Bkdr_Surila-G a Memory-Resident Worm
Bkdr_Surila.G is a memory-resident backdoor program downloaded into a system by
Worm_Mydoom.S, a mass-mailing worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1b07,1,m2ye,cdpz,9s3s,a9gz
------------------------------------------------------------

*********************************************************************
wawadave
PostPosted: Wed Dec 29, 2004 1:48 pm

12/28: Perl.Lexac Worm Spreads to Servers
Perl.Lexac is a worm that spreads to Web servers running php scripts that are vulnerable
to a 'File Inclusion Flaw', which results from programming errors.
http://nl.internet.com/ct.html?rtr=on&s=1,1b2d,1,hmon,fkxj,9s3s,a9gz
------------------------------------------------------------
2. 12/28: W97M.Dinela a Macro Virus
W97M.Dinela is a macro virus that attempts to infect the Microsoft Word Normal.dot
template file and active documents.
http://nl.internet.com/ct.html?rtr=on&s=1,1b2d,1,igfh,bi33,9s3s,a9gz
------------------------------------------------------------
3. 12/28: Reper-A Virus Copies to Disks
W32.Reper.A is a virus that copies itself to the disks on a computer between C: and Z: and
adds itself to the autorun.inf file, so that it is started automatically when the disk is
inserted.
http://nl.internet.com/ct.html?rtr=on&s=1,1b2d,1,jg2g,8gqs,9s3s,a9gz
------------------------------------------------------------
4. 12/28: Trojan.Phel-A Exploits HTML Flaw
Trojan.Phel.A is a Trojan horse program, which is distributed as an HTML file, and
attempts to exploit the Microsoft Internet Explorer HTML Help Control Local Zone Security
Restriction Bypass Vulnerability (BID 11467).
http://nl.internet.com/ct.html?rtr=on&s=1,1b2d,1,cm0s,6dog,9s3s,a9gz

------------------------------------------------------------
5. 12/28: HHelp an Exploit for IE Flaw
HHelp is an exploit for a vulnerability in Internet Explorer v6.0 working on Windows XP
computers, even with Service Pack 2 installed.
http://nl.internet.com/ct.html?rtr=on&s=1,1b2d,1,4zxt,k1zq,9s3s,a9gz
wawadave
PostPosted: Wed Dec 29, 2004 1:53 pm

Santy Worm Moves On
After Google blocks the pest, it targets vulnerabilities in AOL and Yahoo.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,idrr,ce9e,9s3s,a9gz
------------------------------------------------------------
3. Microsoft Chastises Security Groups
The software giant says groups should notify it before going public with flaws.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,dgi3,g0wu,9s3s,a9gz
------------------------------------------------------------
4. 12/29: Symbos_Vlasco-A Infects Cell Phones
Symbos_Vlasco.A is Trojan malware that infects Series 60 mobile phones.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,ax9n,m0n4,9s3s,a9gz
------------------------------------------------------------
5. 12/29: Lifefournow Trojan Tests Network
Backdoor.Lifefournow is a backdoor Trojan horse program that allows a compromised
computer to be used to reveal and test the configuration of a network.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,3fqq,2ov8,9s3s,a9gz
------------------------------------------------------------
6. 12/29: Protoride-B Worm Allows Access
W32.Protoride.B is a worm that spreads through network shares and opens a back door that
allows unauthorized access to a compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,libm,13fk,9s3s,a9gz
------------------------------------------------------------
7. 12/29: Perl/Spyski Worm Seeks PHP Servers
The Perl/Spyski.worm detection covers a worm that is based on the idea of the
Perl/Santy.worm virus.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,jofk,5tzx,9s3s,a9gz
------------------------------------------------------------
8. 12/29: Downloader-TO Exploits HTML Flaw
Downloader-TO is a downloader Trojan that is itself downloaded via an HTA file (named
Microsoft Office.hta and detected with the current DAT files as VBS/Psyme) that is
believed to be used in conjunction with a recent Microsoft Internet Explorer HTML Help
Control Local Zone Security Restriction Bypass Vulnerability exploit.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,iqio,79l9,9s3s,a9gz
------------------------------------------------------------
9. 12/29: Dedler-H Worm Uses ICQ Functions
W32/Dedler-H is a worm for the Windows platform that attempts to spread using ICQ
functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,ketj,16xd,9s3s,a9gz
------------------------------------------------------------
10. 12/29: Forbot-DH an IRC Backdoor and Worm
W32/Forbot-DH is an IRC backdoor and network worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1b59,1,39rv,2e5h,9s3s,a9gz
------------------------------------------------------------

*********************************************************************
wawadave
PostPosted: Thu Dec 30, 2004 3:05 pm

Trojan Threatens XP
Flaw may leave Windows XP vulnerable to attack.
http://nl.internet.com/ct.html?rtr=on&s=1,1b7t,1,a2t8,m3wa,9s3s,a9gz
------------------------------------------------------------
4. New Cabir Variants are Spreading Fast
Code for virus that hits Symbian-based cell phones released.
http://nl.internet.com/ct.html?rtr=on&s=1,1b7t,1,4oar,lkif,9s3s,a9gz
------------------------------------------------------------
5. 12/30: Generic PWS-B Trojans Steal Passwords
Generic PWS.b is a detection for multiple nondescript password-stealing trojans -
typically one-off creations that have been received by McAfee.
http://nl.internet.com/ct.html?rtr=on&s=1,1b7t,1,6a0k,mc1b,9s3s,a9gz
------------------------------------------------------------
6. 12/30: RAHack Virus Scans IP Addresses
W32/RAHack is a virus that attempts to exploit Radmin software.
http://nl.internet.com/ct.html?rtr=on&s=1,1b7t,1,kyxn,3nxx,9s3s,a9gz
------------------------------------------------------------
7. 12/30: Bancban-AV Trojan Steals Banking Info
Troj/Bancban-AV is a Trojan for the Windows platform that steals confidential information
such as online banking details and sends it to a preconfigured email address.
http://nl.internet.com/ct.html?rtr=on&s=1,1b7t,1,863b,grs9,9s3s,a9gz
------------------------------------------------------------
8. 12/30: Leebad-B Worm Spreads Via Shares
W32/Leebad-B is a worm for the Windows platform that propagates through the available
network shares with the filename system32.exe.
http://nl.internet.com/ct.html?rtr=on&s=1,1b7t,1,2wfr,j6cf,9s3s,a9gz
------------------------------------------------------------
9. 12/30: Chum-A Trojan Uses IRC For Access
Troj/Chum-A is a backdoor Trojan that uses the IRC network to allow an attacker to access
the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1b7t,1,8a6l,k5mu,9s3s,a9gz
------------------------------------------------------------
10. 12/30: Troj/Agent-FO Downloads Files
Troj/Agent-FO is a Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1b7t,1,22zs,2882,9s3s,a9gz
------------------------------------------------------------
wawadave
PostPosted: Sat Jan 01, 2005 8:19 pm

"What saves a man is to take a step. Then another step."
Antoine de Saint-Exupery (1900-1944); French writer.

- Virus yearbook 2004 -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 29 2004 - In today's Oxygen3 24h-365d we will look at the
most notable traits of the malicious code that appeared throughout 2004.

- Strings of virus attacks.
The Mydoom.A worm was at the center of the first viral outbreak of the year.
At its peak, it was estimated that one in four emails in circulation carried
the virus. In the wake of this virus, new attacks emerged from other
malicious code -like Doomjuice, Deadhat and Mitglieder-, which exploited
backdoors created by Mydoom.A. This meant that an infection that started
with just one virus led to new attacks from others over several weeks.

- Good guys?
Two variants of the Nachi worm and another called Doomhunter appeared on the
scene under the guise of modern-day cyber-Robin Hoods. They arrived,
supposedly, to free the unfortunate victims of Mydoom, Doomjuice and Blaster
from their suffering. It is true that they did rid infected computers of
these malicious codes, but at the same time they also exploited certain
system vulnerabilities.

- The birth of viral cyber-wars.
In 2004 we have seen the first cyber-war between virus writers. The result
was a stream of variants of Bagle, Netsky and Mydoom each containing
offensive messages in their code directed at their rivals.

- LSASS: the big flaw in 2004.
LSASS, a vulnerability that affects several versions of Windows operating
systems, is no doubt the major security hole in 2004, not least in light of
the fact that the Sasser worm exploited it to install itself and
continuously restart computers. Other malicious code continued the work of
Sasser by exploiting LSASS, such as Korgo, Bobax, Cycle, Kibuv, Plexus...

- Viruses infecting new platforms.
Until now, the sorties of virus creators into new platforms had been timid
attempts that were merely concept trials. However, in 2004 viruses did
appear that really infected 64-bit systems (such as Shruggle.1318) or WinCE
(Duts.1520 and Brador.A), and even cell phones running under Symbian, such
as Toquimos.A, Skulls.A or the Cabir family of worms.

- New virus formats.
On many occasions virus authors have hidden their creations in files
purporting to be images, audio files, etc. It was thought to be impossible,
say, to construct an image file that could infect computers. Nevertheless,
events have shown that this is not the case, thanks to a vulnerability that
allows attackers to create genuine JPEG files which when opened will take
malicious action. Two malicious code soon appeared to take advantage of this
flaw: JPGDownloader and JPGTrojan.

- The smartest ruses.
In 2004, there have been a lot of malicious codes that have successfully
used trick messages to get users to run infected files. Some of the most
frequently employed ruses were texts feigning to be delivery errors (such as
Mydoom.A), or claiming that files had been scanned by an antivirus and were
completely safe (such as Netsky.N, Netsky.O or Mywife.A).

- Tactics to prevent detection.
In 2004, many worms have appeared which, by ensuring that they don't send
themselves to certain email addresses, i.e. those related to certain
security or antivirus companies, try to gain precious time to propagate
before the industry can provide users with the corresponding vaccine. On the
other hand, there are more and more malicious codes that try to disable the
security programs installed on the computer. So they don't only try to avoid
being detected, they also aim to leave computers unprotected against future
attacks.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
wawadave
PostPosted: Sun Jan 02, 2005 12:31 pm

"For all numbers are as zero in the presence of the infinite."
Víctor Hugo (1802-1885); French novelist.

- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, January 2 2005 - Spyki.A, the B variant of Santy and HHelp are dealt
with in this last report of 2004.

Spyki.A and Santy.B are two worms that spread via the Internet, exploiting
the Remote URLDecode Input Validation vulnerability, which affects servers
with a version of phpBB prior to 2.0.11 installed.

Once the server is infected and in order to allow remote access to it,
Spyki.A takes the following action:

- Installs several programs that can be controlled via IRC to take malicious
action.

- Opens port TCP 6667, and connects to an IRC Server to receive remote
commands.

- Scans different ports to see if it finds any open.

Santy.B on the other hand takes the following actions, among others:

- Uses Google, America Online or Yahoo searches to find vulnerable
computers.

- Creates scripts -such as BOT.TXT, SSH.A, WORM.TXT or WORM1.TXT-, or
downloads them to install a backdoor and connect to different IRC servers.

- Deletes all files called SSH (with any extension), or whose name begins
with BOT.

We end today's report with HHelp, a generic detection for malicious code
that can Exploit-HelpZonePass, which allows certain security features in
Service Pack 2 for Windows XP to be evaded. Malware that uses this exploit
to spread can be used to execute arbitrary code on affected computers, with
the same permissions as the user that started the session.

HHelp normally affects computers by downloading itself from a malicious web
page.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Exploit: This can be a technique or a program that takes advantage of a
vulnerability or security hole in a certain communication protocol,
operating system, or other IT utility or application.

- Script / Script virus: The term script refers to files or sections of code
written in programming languages like Visual Basic Script (VBScript),
JavaScript, etc.

More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.