Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Virus alerts for week of 1/31/05

 
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Mon Jan 31, 2005 7:00 pm    Post subject: Virus alerts for week of 1/31/05

1/31: Hebolani Trojan Exploits ANI File Flaw
Backdoor.Hebolani is a Trojan that exploits the Windows User32.DLL ANI File Header
Handling Stack-Based Buffer Overflow Vulnerability (BID 12233).
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,2onr,d9th,9s3s,a9gz
------------------------------------------------------------
6. 1/31: Rbot-UW an IRC Trojan and Worm
W32/Rbot-UW is an IRC backdoor Trojan and network worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,4zb8,2icl,9s3s,a9gz
------------------------------------------------------------
7. 1/31: Mugly-H Worm Gathers Email Addresses
W32.Mugly.H@mm is a worm that uses its own SMTP engine to spread by sending itself as an
email attachment to addresses gathered from the compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,31ot,lzij,9s3s,a9gz
------------------------------------------------------------
8. 1/31: Mugly-I Worm Uses Own SMTP Engine
Worm_Mugly.I arrives and propagates via email.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,jq5l,4cqs,9s3s,a9gz
------------------------------------------------------------
9. 1/31: Worm_Rbot.AKW Spreads Through Shares
Worm_Rbot.AKW mainly propagates through network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,8r98,huy0,9s3s,a9gz
------------------------------------------------------------
10. 1/31: Unfunner-A Worm Moves Via MSN Messenger
W32.Unfunner.A is a worm that propagates using MSN Messenger and undoes the damages done
by W32.Funner.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,eqpm,6w9o,9s3s,a9gz
------------------------------------------------------------
11. 1/31: Cissi-W An IRC Bot Worm
W32.Cissi.W is an IRC bot worm with back door capabilities that propagates through
Windows network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,9utj,7rs1,9s3s,a9gz
------------------------------------------------------------
12. 1/31: Trojan.Regger-A Modifies Settings
Trojan.Regger.A is a trojan program that modifies Windows registry settings to add a
predefined list of domains into Restricted Sites Zone for Internet Explorer.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,15zh,l9og,9s3s,a9gz
------------------------------------------------------------
13. 1/31: Backdoor.Ranky-S Uses Computer As Proxy
Backdoor.Ranky.S is a back door program that allows a compromised computer to be used as
a covert proxy.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,fb94,h2ag,9s3s,a9gz
------------------------------------------------------------
14. 1/31: Sdbot-AO Trojan & Worm Lets Attacker In
Backdoor.Sdbot.AO is a worm with back door capabilities that gives an attacker remote
access to the compromised computer via IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,ft74,gv1w,9s3s,a9gz
------------------------------------------------------------
15. 1/31: VBS.Gormlez Worm Sends Copy of Itself
VBS.Gormlez@mm is a mass-mailing worm that sends a copy of itself to all email addresses
in the Windows Address Book and attempts to spread through file-sharing networks.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,7zkh,bpge,9s3s,a9gz
------------------------------------------------------------
16. 1/31: Sober-K Worm Sends German Email
W32/Sober.k@MM is a new variant of the Sober worm and is written in VB.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,136h,h6ic,9s3s,a9gz
------------------------------------------------------------
17. 1/31: Sober-J Worm Email in English or German
W32/Sober-J is a variant of the W32/Sober mass-mailing worm family for the Windows
platform that harvests email addresses from the infected computer's hard drive.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,55fp,9gem,9s3s,a9gz
------------------------------------------------------------
18. 1/31: Vidlo-H Trojan Silently Downloads File
Troj/Vidlo-H is a downloader Trojan that attempts to silently download an executable file
from a remote location via port 80 to the temporary folder and then execute this file.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,bnjz,3cjk,9s3s,a9gz
------------------------------------------------------------
19. 1/31: Goldun-G a Password-Stealing Trojan
Troj/Goldun-G is a password stealing Trojan that steals bank details and sends them to a
remote intruder.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,bnb4,9z91,9s3s,a9gz
------------------------------------------------------------
20. 1/31: Rbot-UU Worm Allows Unauthorized Access
W32/Rbot-UU is a network worm that also contains IRC backdoor functionality, allowing
unauthorized remote access to the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1d62,1,8w8g,4dji,9s3s,a9gz
------------------------------------------------------------

*********************************************************************
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd

wawadave

Posted: Mon Jan 31, 2005 7:04 pm

"Laughter is the sun that drives winter from the human face."
Victor Hugo (1802-1885); French novelist.

- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, January 30, 2005 - This week's report on viruses and intruders will
focus on the worms Crowt.A, Mydoom.AG, Cisum.A, Bagle.BK and Bagle.BL.

Crowt.A is a worm that spreads via email in messages that contain texts made
up of the headlines on CNN's website. This malicious code is designed to
create a backdoor in affected computers in order to receive commands from
remote attackers. What's more, Crowt.A installs a keylogger that can be used
to steal personal or confidential data, such as passwords entered by the
user to access online banking services.

Crowt.A also deletes the cookies stored on the computer and opens the
Internet browser at a certain website.

Mydoom.AG is a new variant of a worm that, almost a year ago, caused a
worldwide epidemic. This malicious code modifies the HOSTS file so that the
affected user cannot access the websites of certain antivirus manufacturers.
It also ends the processes belonging to different antivirus programs and
spreads via email and peer-to-peer (P2P) file sharing programs.

Cisum.A is a worm whose most distinguishing action is that it insults the
user by displaying a screen with the text 'YOU ARE AN IDIOT' while playing
an MP3 audio file that repeats the same sentence. This malicious code can
only spread automatically across computer networks. If a network user runs
the file carrying Cisum.A, it copies itself under the name ProjectX.exe to
the root directory of the shared networks drives on the computer.

Cisum.A also ends the processes belonging to antivirus programs and other IT
security applications, leaving the computer vulnerable to possible attacks
from other viruses and hackers. What's more, it creates several entries in
the Windows Registry in order to ensure that it is run whenever the affected
computer is started up.

Finally, the BK and BL variants of the notorious Bagle worm reach computers
in email messages in which the address of the sender of the message has been
spoofed, and with a subject selected at random from a list of options. Some
examples of these subjects are: 'Delivery by mail' or 'Delivery service
mail'. The message body contains texts like: 'Before use read the help' or
'Thanks for use of our software'. The names of the files attached to these
messages, which actually contain the code of these worms, are variable but
always have a COM, CPL, EXE or SCR extension. In order to spread via P2P
applications like KaZaA or Morpheus, these worms create copies of themselves
under names like ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero
7.exe, to name a few.

If a file carrying any of these worms is run, they automatically send
themselves out to all the email addresses they find in files with certain
extensions stored on the affected computer, using their own SMTP engine.
What's more, these variants of Bagle end the processes running in memory
belonging to various antivirus programs and other security applications.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Backdoor: This is a program that enters the computer and creates a
backdoor through which it is possible to control the affected system without
the user realizing.

- Keylogger: A program that captures and saves a list of all the keys
pressed by the user. This program can publish the list, allowing
third-parties to find out this information -the data typed by the user in
the affected computer (passwords, text written in documents, mail messages,
key combinations, etc.)-.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

wawadave

Posted: Mon Jan 31, 2005 7:07 pm

Free tool for removing the Bagle.BK and Bagle.BL worms -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, January 28, 2005 - Variants BK and BL of the Bagle worm are still
causing incidents in users' computers worldwide. In fact, according to data
gathered by the free online antivirus Panda ActiveScan, Bagle.BL is already
one of the most frequently detected viruses and the USA, Spain and Poland
are the most affected countries.


To prevent these worms from continuing to spread, especially through
computers that do not have adequate anti-malware protection installed, Panda
Software has released its free PQRemove utility, which detects and
eliminates Bagle.BK and Bagle.BL from all the computers they may have
infected. This tool can be downloaded from:
http://www.pandasoftware.com/download/utilities?track=17610

Panda Software clients who already have the new TruPrevent Technologies
installed have been protected since these worms first emerged, as these
preventive technologies have been able to detect and block Bagle.BK and
Bagle.BL without needing to be able to identify them first. More information
about the new TruPrevent Technologies at
http://www.pandasoftware.com/truprevent.

Bagle.BK and Bagle.BL reach computers in email messages with spoofed sender
addresses and with subjects chosen at random from a list of options.
Possible subjects include: 'Delivery by mail' or 'Delivery service mail'.
The message text may include phrases like: 'Before use read the help' or
'Thanks for use of our software'. The message attachments, which actually
contain the worms, have variable names, although their extension is always
COM, CPL, EXE or SCR. They can also spread using P2P applications like KaZaA
or Morpheus by creating copies of themselves under names like ACDSee 9.exe
or Adobe Photoshop 9 full.exe.

The most dangerous action that both variants of Bagle take is to end the
processes in memory related to antivirus and security applications, leaving
computers defenseless against possible attacks.

Due to the high possibility of being infected by Bagle.BK and Bagle.BL,
Panda Software advises users to take precautions with any email messages
they receive and to update their antivirus software. Panda Software has made
the corresponding updates available to its clients to detect and disinfect
these new malicious code.

Panda Software clients who already have the new TruPrevent Technologies
installed along with their antivirus have been protected since the worms
first emerged, as these preventive technologies have been able to detect and
block them without needing to be able to identify them first. More
information about the new TruPrevent Technologies at
http://www.pandasoftware.com/truprevent.

Users can also scan and disinfect their computers using Panda ActiveScan,
the free, online scanner available from: www.pandasoftware.com

More information about Bagle.BK and Bagle.BL is available from Panda
Software's Virus Encyclopedia, at
http://www.pandasoftware.com/virus_info/encyclopedia/

wawadave

Posted: Tue Feb 01, 2005 4:43 pm

Zafi-D Worm Tops January Virus Charts
For the second month in a row, the Zafi-D worm took the top spot in the Top 10 ranking of
the worst malware in the Wild.
http://nl.internet.com/ct.html?rtr=on&s=1,1d99,1,80y0,4vth,9s3s,a9gz
------------------------------------------------------------

2/1: Trojan Banito-E Has Keylogging Functions
Troj/Banito-E is a backdoor Trojan with keylogging functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1d99,1,1pz4,58fn,9s3s,a9gz
------------------------------------------------------------
5. 2/1: Worm_Pinom-C Modifies Windows Registry
Worm_Pinom.C is a new variant of the backdoor detected by Trend Micro as BKDR_IRCBOT.GEN.
http://nl.internet.com/ct.html?rtr=on&s=1,1d99,1,f2ac,czbf,9s3s,a9gz
------------------------------------------------------------
6. 2/1: Symbos_Gavno-A Infects Mobile Devices
Symbos_Gavno.A is Symbian malware that can infect mobile devices running Symbian 7.0
Operating System.
http://nl.internet.com/ct.html?rtr=on&s=1,1d99,1,k6se,lla5,9s3s,a9gz
------------------------------------------------------------
7. 2/1: Symbos_Gavno-B is Symbian Malware
Symbos_Gavno.B is Symbian malware that can infect mobile devices running Symbian 7.0
Operating System and can propagate via Bluetooth.
http://nl.internet.com/ct.html?rtr=on&s=1,1d99,1,jfgv,bx4k,9s3s,a9gz
------------------------------------------------------------
8. 2/1: Mydoom-AO Worm Uses Own SMTP Engine
W32.Mydoom.AO@mm is a mass-mailing worm that uses its own SMTP engine to send itself to
the email addresses that it finds on the compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1d99,1,46dy,e1y,9s3s,a9gz
------------------------------------------------------------
9. 2/1: Bobax-F a Sasser-Like Worm
W32/Bobax-F is a Sasser-like worm that uses the MS04-011 (LSASS.exe) vulnerability to
propagate.
http://nl.internet.com/ct.html?rtr=on&s=1,1d99,1,hld7,2okn,9s3s,a9gz
------------------------------------------------------------
10. 2/1: Agobot-PI Worm Hits Weak Passwords
W32/Agobot-PI is a network worm with backdoor functionality for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1d99,1,4aa4,28nc,9s3s,a9gz
------------------------------------------------------------

*********************************************************************

wawadave

Posted: Wed Feb 02, 2005 4:35 pm

Zafi-D Worm Tops January Virus Charts
For the second month in a row, the Zafi-D worm took the top spot in the Top 10 ranking of
the worst malware in the Wild.
http://nl.internet.com/ct.html?rtr=on&s=1,1dct,1,80y0,4vth,9s3s,a9gz
------------------------------------------------------------
6. 2/2: Rbot-VD Worm/Trojan Spreading
W32/Rbot-VD is a network worm and IRC backdoor Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1dct,1,feq4,9bda,9s3s,a9gz
------------------------------------------------------------
7. 2/2: Symbos_Locknut-A Hits Symbian Devices
Some security vendors have issued alerts for Symbos_Locknut.A, Symbian malware that can
infect mobile devices running Symbian OS v7.0s but does not propagate.
http://nl.internet.com/ct.html?rtr=on&s=1,1dct,1,ldx6,fui5,9s3s,a9gz
------------------------------------------------------------
8. 2/2: Symbos_Locknut-B Hits Mobile Devices
Symbos_Locknut.B is Symbian malware that can infect mobile devices running the Symbian
7.0s Operating System and can propagate via Bluetooth.
http://nl.internet.com/ct.html?rtr=on&s=1,1dct,1,cika,8ba6,9s3s,a9gz
------------------------------------------------------------
9. 2/2: SymbOS.Locknut Trojan Crashes Devices
SymbOS.Locknut is a Trojan horse program that uses a vulnerability to cause devices
running Symbian OS v7.0 to crash.
http://nl.internet.com/ct.html?rtr=on&s=1,1dct,1,inh8,juk8,9s3s,a9gz
------------------------------------------------------------
10. 2/2: Steal.Sagic-B Trojan Steals Yahoo Info
PWSteal.Sagic.B is a Trojan horse program that attempts to steal Yahoo! Instant Messenger
passwords and information about the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dct,1,l7sn,3tf7,9s3s,a9gz
------------------------------------------------------------
11. 2/2: Sdbot-UN Worm Has Backdoor Functions
W32/Sdbot-UN is a worm with backdoor functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1dct,1,lxds,kc4z,9s3s,a9gz
------------------------------------------------------------

wawadave

Posted: Wed Feb 02, 2005 5:14 pm

NEW SOBER VARIANT IN THE WILD | SearchSecurity.com

Several antivirus firms report that a new form of the Sober worm has
hit e-mail streams. The poorly written English might help give it
away.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1048835,00.html?track=NL-102&ad=501304

wawadave

Posted: Thu Feb 03, 2005 9:30 pm

Virus Poses as Saddam Hussein Death Photos
A worm is quickly spreading in the wild in an email that claims to have attached photos
of Saddam Hussein killed in an escape attempt.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,2bja,4jqo,9s3s,a9gz
------------------------------------------------------------
2. Virus Sign: Roast Chicken with a Bikini Line
If your MSN Messenger displays a picture of a roast chicken with a bikini tan line, your
computer is infected.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,hviu,7fk,9s3s,a9gz

Phishers Focusing in on New Targets
No longer satisfied with running banking scams, phishers are focusing their sights on the
health care industry and utilities in their ever-expanding attempts to rip off users.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,gv6w,lv1h,9s3s,a9gz
------------------------------------------------------------
5. 2/3: Rbot-SQ Worm Has Backdoor Abilities
W32/Rbot-SQ is a member of the W32/Rbot-Fam family of worms for the Windows platform with
backdoor functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,1uo4,7clb,9s3s,a9gz
------------------------------------------------------------
6. 2/3: Bropia-D An MSN Messenger Worm
W32/Bropia-D is an MSN Messenger worm for the Windows platform that spreads by sending
itself to the MSN Messenger contacts.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,ahqw,81h1,9s3s,a9gz
------------------------------------------------------------
7. 2/3: Worm_Agobot-AJD Drops Copies of Itself
Worm_Agobot.AJD spreads by dropping copies of itself in several network shared folders,
using cached user names and passwords to gain access.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,3y3i,dcqn,9s3s,a9gz
------------------------------------------------------------
8. 2/3: Trojan.Comxt-B Downloads Remote Files
Trojan.Comxt.B is a Trojan horse program that downloads remote files.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,4lth,bcyh,9s3s,a9gz
------------------------------------------------------------
9. 2/3: Worm_Agobot-AJC Copies Itself
Worm_Agobot.AJC is a memory-resident worm that propagates itself via MSN Messenger by
sending a copy of itself using different file names to all available or online contacts.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,2fyt,md9d,9s3s,a9gz
------------------------------------------------------------
10. 2/3: Bropia-J Worm Drops Spybot Variant
W32.Bropia.J is a worm that propagates using MSN Messenger and drops a variant of
W32.Spybot.Worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,87sw,feij,9s3s,a9gz
------------------------------------------------------------
11. 2/3: Bropia-E Worm Installs Another Worm
Bropia.E is a worm that installs another worm, detected by Panda Software as
W32/Gaobot.CTX.worm, on the affected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,fkfk,csw8,9s3s,a9gz
------------------------------------------------------------
12. 2/3: Bropia-G Worm Uses MSN Messenger
W32/Bropia.worm.g propagates through MSN messenger and drops a variant of
W323/Sdbot.worm.gen.t worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,ko2j,dpzs,9s3s,a9gz
------------------------------------------------------------
13. 2/3: Rbot-VD a Worm and a Trojan
W32/Rbot-VD is a network worm and IRC backdoor Trojan for the Windows platform that
spreads using a variety of techniques.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,3xx0,fn1u,9s3s,a9gz
------------------------------------------------------------
14. 2/3: Bobax-H a Sasser-Like Worm
W32/Bobax-H is a mass-mailing Sasser-like worm that uses the MS04-011(LSASS.exe)
vulnerability to propagate.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,3oxy,kaul,9s3s,a9gz
------------------------------------------------------------
15. 2/3: Rbot-VC Worm Gives Remote Access
W32/Rbot-VC is a member of the Rbot family of worms for the Windows platform that also
contain backdoor functionality, allowing unauthorized remote access to the infected
computer via IRC channels while running in the background as a service process.
http://nl.internet.com/ct.html?rtr=on&s=1,1dh8,1,5o86,161u,9s3s,a9gz
------------------------------------------------------------

wawadave

Posted: Thu Feb 03, 2005 9:38 pm

If your Messenger displays a chicken with a bikini, your PC
has been infected by the new Bropia.E and Gaobot.CTX worms -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, February 3, 2005 - PandaLabs has detected Bropia.E and Gaobot.CTX,
two malicious code that spread together. Bropia.E sends itself out using the
instant messaging program MSN Messenger disguised as an image file with a
variable name taken from a long list of options and a .pif or .scr
extension. Some examples of the name of this file are: bedroom-thongs.pif,
LMAO.pif or LOL.scr.

If the user runs the file, it displays a curious image -a roast chicken with
a bikini- on screen. However, this image is just a cover up to hide the real
actions carried out by the worm. This malicious code sends itself out to all
the contacts in MSN Messenger and creates various files on the computer,
including a file called winhost.exe, which actually contains the Gaobot.CTX
worm.

Gaobot.CTX carries out the actions that pose the biggest threat to the
computer, as it connects to IRC channels and waits for commands from a
remote user. This allows a hacker to download all kinds of files to the
affected computer: spyware, adware, other viruses, etc.

Panda Software clients who already have the new TruPrevent Technologies to
combat unknown viruses and intruders installed have been protected from
these files being downloaded to their computers, as these preventive
technologies have been able to detect and block Gaobot.CTX without needing
to be able to identify it first (more information about the new TruPrevent
Technologies at http://www.pandasoftware.com/truprevent).

"As a rule of thumb, you should never open a file you receive through
instant messaging systems without scanning it first with an updated
antivirus. A growing number of viruses are using these applications to
spread, and their biggest danger lies in the recipient running executable
files without thinking twice, as they are sent from a known address. This
also implies that there is risk of them spreading rapidly via instant
messaging, leaving poorly protected networks vulnerable to becoming infected
in a matter of seconds," warns Luis Corrons, head of PandaLabs.

As Panda Software's international tech support network has already detected
incidents caused by this worm, Panda Software advises users to take
precautions and update their antivirus software. Panda Software has made the
corresponding updates available to its clients to detect and disinfect these
new malicious code.

Panda Software's clients can already access the updates for installing the
new TruPrevent Technologies along with their antivirus protection, providing
a preventive layer of protection against new malicious code. For users with
a different antivirus program installed, Panda TruPrevent Personal is the
perfect solution, as it is both compatible with and complements these
products, providing a second layer of preventive protection that acts while
the new virus is still being studied and the corresponding update is
incorporated into traditional antivirus programs, decreasing the risk of
infection. More information about TruPrevent Technologies at
http://www.pandasoftware.com/truprevent.

In addition, users can scan their computers online for free with Panda
ActiveScan, available at http://www.pandasoftware.com/

More information about Bropia.E and Gaobot.CTX at Panda Software's Virus
Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/

wawadave

Posted: Fri Feb 04, 2005 8:16 pm

'Critical' Patches For Windows, Messenger on Deck
Monthly patch and fixes for February include flaws or vulnerabilities in Windows Media
and Messenger.
http://nl.internet.com/ct.html?rtr=on&s=1,1dky,1,1xtr,83yv,9s3s,a9gz
------------------------------------------------------------
2. Virus Poses as Saddam Hussein Death Photos
A worm is quickly spreading in the wild in an email that claims to have attached photos
of Saddam Hussein killed in an escape attempt.
http://nl.internet.com/ct.html?rtr=on&s=1,1dky,1,2bja,4jqo,9s3s,a9gz
------------------------------------------------------------
3. 2/4: Shine-B Trojan Shuts Down Security
The Shine-B Trojan lowers system security and modifies data on the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dky,1,1i6r,8gqo,9s3s,a9gz
------------------------------------------------------------
4. 2/4: Protorid-AB Worm Allows Remote Access
The Protorid-AB worm turns off anti-virus applications and allows remote access to the
infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dky,1,2ccs,2myi,9s3s,a9gz
------------------------------------------------------------
5. 2/4: Ahker-B Worm Downloads Code
The Ahker-B worm affects Windows systems, downloading code from the Internet.
http://nl.internet.com/ct.html?rtr=on&s=1,1dky,1,cb5u,la5,9s3s,a9gz

wawadave

Posted: Sat Feb 05, 2005 10:00 pm

Madrid, February 4, 2005 - This week's report on viruses and intruders will
focus on the worms Sober.J, Bropia.E and Gaobot.CTX, and the Trojans
Locknut.A and Downloader.ALQ.

Sober.J is a new variant of the Sober family of worms that is very similar
to its predecessors. It spreads via email in an attachment to an email
message that could be written in English or German, depending on the domain
of the recipient's address of the message. What's more, the address of the
sender of the message is spoofed.

If the user runs the attachment, Sober.J looks for email addresses in the
files with certain extensions in the affected computer and sends itself out
to them using its own SMTP engine. This worm also tries to carry out other
actions like accessing the POP3 mail accounts of a well-known German
Internet service provider, downloading malware updates from the Internet or
restoring Windows Registry entries modified by other malicious code.

Bropia.E and Gaobot.CTX are two worms that spread together. Bropia.E sends
itself out using the instant messaging program MSN Messenger disguised as an
image file with a variable name taken from a long list of options and a .pif or
.scr extension. Some examples of the name of this file are:
bedroom-thongs.pif, LMAO.pif or LOL.scr. If the user runs the file, it
displays a curious image of a roast chicken on screen. However, this image
is just a cover up to hide the real actions carried out by the worm. This
malicious code sends itself out to all the contacts in MSN Messenger and
creates various files on the computer, including a file called winhost.exe,
which actually contains the Gaobot.CTX worm.

Gaobot.CTX carries out the actions that pose the biggest threat to the
integrity of the computer, as it connects to IRC channels and waits for
commands from a remote user. This allows a hacker to download all kinds of
files to the affected computer: spyware, adware, other viruses, etc.

Locknut.A is a Trojan that only affects cellular phones that use the
operating system Symbian 7.0S or later. This malicious code tries to trick
the user into running it by passing itself off as a patch for the cellphone.
Once it is run, Locknut.A replaces the operating system components, which
prevents some applications from being run and blocks the phone. Some
variants of Locknut.A also install a copy of Cabir.A, another worm that
targets mobile devices which appeared last year.

Finally, Downloader.ALQ is a new member of the huge family of Downloader
Trojans. Like the rest of the variants, this malicious code is designed to
download and run all types of malicious code on the system, mainly spyware.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Windows Registry: This is a file that stores all configuration and
installation information of programs installed, including information about
the Windows operating system.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

------------------------------------------------------------
wawadave
Posted: Sun Feb 06, 2005 9:31 am

"There is a past which is gone forever.
But there is a future which is still our own."
F. W. Robertson (1816-1853); English preacher.

- Top Ten viruses most frequently
detected by Panda ActiveScan in January -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, February 4, 2005 - In January, for the eighth month running, the
Downloader.GK Trojan was the malicious code that caused the most damage to
users' computers, according to data gathered by the free, online antivirus
Panda ActiveScan.

The data collected by this Panda Software solution reveals that last month
Downloader.GK was detected in 8.49% of computers. Second place in the
ranking is taken by Sdbot.ftp (5.66%), followed by Mhtredir.gen (5.24%). The
veteran Netsky.P worm ranks fourth (4.10%) and fifth place is taken by the
Shinwow.E Trojan (3.70%).

The Trojans HideProc.B (3.39%) and WmvDownloader.A (2.46%) come in sixth and
seventh place in this edition of the Top Ten. These are followed by
Qhost.gen (2.45%) and Gaobot.gen (2.44%), and last place is for Sasser.ftp
(2.37%).

The following conclusions can be drawn from the data collected by Panda
ActiveScan in January:

- Trojans are still extremely active. Continuing the trend that started a
few months ago, this type of malicious code -widely used to commit all types
of cyber-crimes- still occupies the majority of places in the ranking.

- Spyware: a growing threat. Four of the six Trojans that appear in the Top
Ten ranking download and install spyware. These programs collect data, such
as the user's browsing habits, and then sell them to dubious marketing
companies.

- Many users still haven't updated their computers. Half of the malicious
code in the Top Ten exploit software vulnerabilities to spread and infect
computers. It is important to stress that these are vulnerabilities that
were resolved some time ago, showing that there are still many users that
have not updated their computers. This helps malicious code like Netsky.P,
which exploits the IFrame vulnerability in Microsoft Internet Explorer fixed
years ago, to continue infecting computers.

To help as many users as possible keep their systems virus free, Panda
Software offers Panda ActiveScan, free of charge, at
http://www.pandasoftware.com. Webmasters who would like to include
ActiveScan on their websites can get the HTML code, free of charge, at
http://www.pandasoftware.com/partners/webmasters.

Panda Software also offers users Virus Alerts, an e-bulletin in English and
Spanish that gives immediate warning of the emergence of potentially
dangerous malicious code. To receive Virus Alerts just visit Panda
Software's website (http://www.pandasoftware.com) and complete the
corresponding form in the Virus Alerts section.

For more information about these and other malicious code, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia

------------------------------------------------------------

The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's
free online scanner: 1) Downloader.GK; 2) Netsky.P; 3) Mhtredir.gen; 4)
Sdbot.ftp; 5) Zapchst.D.
All times are GMT - 8 Hours