Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Mon Feb 07, 2005 11:04 am
"The greatest ideas are the simplest."
William Golding (1911 - 1993) English novelist.
- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, February 6, 2005 - This week's report on viruses and intruders will
focus on the worms Sober.J, Bropia.E and Gaobot.CTX, and the Trojans
Locknut.A and Downloader.ALQ.
Sober.J is a new variant of the Sober family of worms that is very similar
to its predecessors. It spreads via email in an attachment to an email
message that could be written in English or German, depending on the domain
of the recipient's address of the message. What's more, the address of the
sender of the message is spoofed.
If the user runs the attachment, Sober.J looks for email addresses in the
files with certain extensions in the affected computer and sends itself out
to them using its own SMTP engine. This worm also tries to carry out other
actions like accessing the POP3 mail accounts of a well-known German
Internet service provider, downloading malware updates from the Internet or
restoring Windows Registry entries modified by other malicious code.
Bropia.E and Gaobot.CTX are two worms that spread together. Bropia.E sends
itself out using the instant messaging program MSN Messenger disguised as an
image file with a variable name taken from a long list of options and a .pif or
.scr extension. Some examples of the name of this file are:
bedroom-thongs.pif, LMAO.pif or LOL.scr. If the user runs the file, it
displays a curious image of a roast chicken on screen. However, this image
is just a cover up to hide the real actions carried out by the worm. This
malicious code sends itself out to all the contacts in MSN Messenger and
creates various files on the computer, including a file called winhost.exe,
which actually contains the Gaobot.CTX worm.
Gaobot.CTX carries out the actions that pose the biggest threat to the
integrity of the computer, as it connects to IRC channels and waits for
commands from a remote user. This allows a hacker to download all kinds of
files to the affected computer: spyware, adware, other viruses, etc.
Locknut.A is a Trojan that only affects cellular phones that use the
operating system Symbian 7.0S or later. This malicious code tries to trick
the user into running it by passing itself off as a patch for the cellphone.
Once it is run, Locknut.A replaces the operating system components, which
prevents some applications from being run and blocks the phone. Some
variants of Locknut.A also install a copy of Cabir.A, another worm that
targets mobile devices which appeared last year.
Finally, Downloader.ALQ is a new member of the huge family of Downloader
Trojans. Like the rest of the variants, this malicious code is designed to
download and run all types of malicious code on the system, mainly spyware.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- Windows Registry: This is a file that stores all configuration and
installation information of programs installed, including information about
the Windows operating system.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd

wawadave
Posted: Mon Feb 07, 2005 8:00 pm
2/7: Traxg-C is a Mass-Mailing Worm
The Traxg-C worm sends itself out to addresses found on the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dox,1,3hpp,5map,9s3s,a9gz
------------------------------------------------------------
6. 2/7: LegMir-Z Virus Downloads Code
The LegMir-Z virus, which has gained a medium-threat level, reduces system security.
http://nl.internet.com/ct.html?rtr=on&s=1,1dox,1,9hn7,k4lk,9s3s,a9gz
------------------------------------------------------------
7. 2/7: Baley-A Trojan Steals Information
The Baley-A Trojan uses a chat service to steal other users' passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,1dox,1,9tps,fkon,9s3s,a9gz
------------------------------------------------------------
8. 2/7: Bropia-F Worm Uses MSN Messenger
The Bropia-F worm monitors the status of MSN Messenger and sends itself to the user's
Messenger contacts.
http://nl.internet.com/ct.html?rtr=on&s=1,1dox,1,8wnq,m79h,9s3s,a9gz
------------------------------------------------------------
9. 2/7: Rbot-VM Worm Records Keystrokes
The Rbot-VM worm not only records keystrokes, but lowers system security at the same
time.
http://nl.internet.com/ct.html?rtr=on&s=1,1dox,1,hbuy,if0j,9s3s,a9gz
------------------------------------------------------------
10. 2/7: Agobot-PI Worm Changes Data
Sophos Inc. is updating its alert on the Agobot-PI worm, which is getting a medium-threat
rating.
http://nl.internet.com/ct.html?rtr=on&s=1,1dox,1,2fh6,hrq7,9s3s,a9gz
------------------------------------------------------------

wawadave
Posted: Tue Feb 08, 2005 1:22 pm
Viruses are picking up again!!
2/8: Rbot-VO Worm Has Backdoor Functions
W32/Rbot-VO is a worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,5tj6,m56d,9s3s,a9gz
------------------------------------------------------------
5. 2/8: Chimo-A a Windows Trojan
Troj/Chimo-A is a Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,k840,e4i8,9s3s,a9gz
------------------------------------------------------------
6. 2/8: Rbot-ALJ a Memory-Resident Worm
Worm_Rbot.ALJ is a memory-resident worm that may arrive from network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,8q45,cak3,9s3s,a9gz
------------------------------------------------------------
7. 2/8: Wallz Worm Exploits LSAS Flaw
W32.Wallz is a worm that attempts to exploit the Microsoft Windows Local Security
Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin
MS04-011).
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,ffo9,izyp,9s3s,a9gz
------------------------------------------------------------
8. 2/8: Bropia-L Worm Spreads Via MSN Messenger
W32.Bropia.L is a worm that propagates using MSN Messenger and drops a variant of
W32.Spybot.Worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,6p5t,iohx,9s3s,a9gz
------------------------------------------------------------
9. 2/8: MyDoom-AR Worm Uses Own SMTP Engine
W32.Mydoom.AR@mm is a mass-mailing worm that uses its own SMTP engine to send itself
to the email addresses that it finds on an infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,f70f,cyri,9s3s,a9gz
------------------------------------------------------------
10. 2/8: Agobot-PN Worm Spreads to Network Shares
W32/Agobot-PN is a worm that attempts to spread to remote network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,7wx2,61wq,9s3s,a9gz
------------------------------------------------------------
11. 2/8: Sober-J Worm Harvests Email Addresses
W32/Sober-J is a variant of the W32/Sober mass-mailing worm family for the Windows
platform that harvests email addresses from the infected computer's hard drive.
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,ly1x,etjg,9s3s,a9gz
------------------------------------------------------------
12. 2/8: Rbot-UC Worm/Trojan Spreads Many Ways
W32/Rbot-UC is a network worm and IRC backdoor Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1dsi,1,8cjz,998p,9s3s,a9gz
------------------------------------------------------------

wawadave
Posted: Wed Feb 09, 2005 8:33 pm
2/9: Worm_Sdbot-Any Uses Network Shares
Worm_Sdbot.Any is a memory-resident worm that may arrive on a system as a dropped file of
WORM_BROPIA.I.
http://nl.internet.com/ct.html?rtr=on&s=1,1dw9,1,8gxt,j713,9s3s,a9gz
------------------------------------------------------------
8. 2/9: Bropia-I Worm Drops Other Malware
Like the earlier BROPIA variants, Worm_Bropia.I is a memory-resident worm that spreads
copies of itself via MSN Messenger, a popular chat application.
http://nl.internet.com/ct.html?rtr=on&s=1,1dw9,1,f1tf,blwf,9s3s,a9gz
------------------------------------------------------------
9. 2/9: Bropia-J Worm Drops Itself in Folder
Worm_Bropia.J is a memory-resident worm that propagates via Microsoft Network (MSN)
messenger.
http://nl.internet.com/ct.html?rtr=on&s=1,1dw9,1,m6b4,c9z,9s3s,a9gz
------------------------------------------------------------
10. 2/9: Worm_Bropia-H Hits Via MSN Messenger
Worm_Bropia.H is a memory-resident worm that arrives via Microsoft Network (MSN)
Messenger.
http://nl.internet.com/ct.html?rtr=on&s=1,1dw9,1,2s1t,k3uk,9s3s,a9gz
------------------------------------------------------------
11. 2/9: Bloodhound.Exploit.25 Detection for XP Flaw
Bloodhound.Exploit.25 is a heuristic detection for the Microsoft Office XP HTML Link
Processing Remote Buffer Overflow Vulnerability (which is described in Microsoft Security
Bulletin MS05-005).
http://nl.internet.com/ct.html?rtr=on&s=1,1dw9,1,h8m6,6dwc,9s3s,a9gz
------------------------------------------------------------
12. 2/9: MyDoom-AK Worm Turns Off Security
Mydoom.AK is a worm that ends processes belonging to several antivirus programs,
firewalls and other security tools.
http://nl.internet.com/ct.html?rtr=on&s=1,1dw9,1,iaw8,hp35,9s3s,a9gz
------------------------------------------------------------
13. 2/9: MyDoom-AR Mass-Mailing, P2P Worm
Several security vendors have issued alerts for W32/MyDoom-AR, a mass-mailing and
peer-to-peer worm that emails itself as an attachment to addresses found on the infected
computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dw9,1,cqux,g6i6,9s3s,a9gz
------------------------------------------------------------
14. 2/9: Rbot-ALO Worm and Trojan for Windows
W32/Rbot-ALO is a network worm and IRC backdoor Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1dw9,1,ge3d,1c5h,9s3s,a9gz
------------------------------------------------------------

wawadave
Posted: Thu Feb 10, 2005 10:57 pm
2/10: Sdbot-UW Worm Targets Weak Passwords
W32/Sdbot-UW is a worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1dzs,1,bl4i,95au,9s3s,a9gz
------------------------------------------------------------
5. 2/10: Kipis-J Worm Uses Own SMTP Engine
W32.Kipis.J@mm is a mass-mailing worm that uses its own SMTP engine to send itself
to the email addresses that it finds on an infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dzs,1,f28e,avqr,9s3s,a9gz
------------------------------------------------------------
6. 2/10: Trojan.Eneles a Trojan Horse
Trojan.Eneles is a Trojan horse program that continuously displays a message box and
copies itself to the A drive.
http://nl.internet.com/ct.html?rtr=on&s=1,1dzs,1,7slr,83kt,9s3s,a9gz
------------------------------------------------------------
7. 2/10: Backdoor.Netshadow a Backdoor Program
Backdoor.Netshadow is a back door program that allows a remote attacker to take control
of the compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dzs,1,dclk,5434,9s3s,a9gz
------------------------------------------------------------
8. 2/10: Mydoom-AS a Mass-Mailing Worm
W32.Mydoom.AS@mm is a mass-mailing worm that uses its own SMTP engine to send itself to
the email addresses that it finds on the compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1dzs,1,cpu1,ej3f,9s3s,a9gz
------------------------------------------------------------
9. 2/10: PWSteal.Bankash.A a Password-Stealing Trojan
PWSteal.Bankash.A is a password-stealing Trojan horse that attempts to log usernames and
passwords from certain financial Web sites.
http://nl.internet.com/ct.html?rtr=on&s=1,1dzs,1,fhmc,lfv7,9s3s,a9gz
------------------------------------------------------------
10. 2/10: Rbot-VQ Worm/Trojan Spreads Many Ways
W32/Rbot-VQ is a network worm and IRC backdoor Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1dzs,1,aa7u,jlot,9s3s,a9gz
------------------------------------------------------------
11. 2/10: Agobot-PQ Worm Has Backdoor Functions
W32/Agobot-PQ is a network worm with backdoor functionality for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1dzs,1,8cak,7bi7,9s3s,a9gz
------------------------------------------------------------

wawadave
Posted: Sat Feb 12, 2005 7:13 pm
Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, February 11, 2005 - This week's report looks at four vulnerabilities
and a worm called Mydoom.AK.
First we will take a look at the main characteristics of the four security
problems, for which Microsoft has released patches. Users of affected
systems are advised to install the patches.
- Server Message Block -SMB- problem. This affects Windows 2000, Windows XP
and Windows Server 2003 and allows code to be executed. Ways of exploiting
it include creating special network packets and sending them to a vulnerable
computer, generating an email message with a link to a web page and using a
program that passes parameters to the vulnerable SMB component.
- License Logging vulnerability. This affects Windows NT Server 4.0 (SP6a
and Terminal Server Edition SP6), Windows 2000 Server SP4 and SP3 and
Windows Server 2003. It could permit remote execution of code and could be
exploited through a specially crafted network packet sent to the vulnerable
computer.
If a hacker successfully exploited this problem he could take control of the
computer with the same privileges as the user that started the session. If
the user had administrator rights, the hacker could take control of the
entire system (and therefore create, modify or delete files; install
programs; create new user accounts, etc.). In computers with Windows 2003
Server it could allow a denial of service attack (DoS).
- Security problem in the processing of PNG (Portable Network Graphic)
files. This affects applications such as Windows Media Player 9.0 (when run
on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003),
Microsoft Windows Messenger version 5.0, Microsoft MSN Messenger 6.1 and
Microsoft MSN Messenger 6.2. It could be used by viruses to rapidly infect
computers via malformed real PNG images which, when processed by one of the
affected products, could cause the computer to crash.
- Vulnerability in Microsoft Office XP. This affects Office XP, Word 2002,
PowerPoint 2002, Project 2002, Visio 2002, Works 2002, Works 2003 and Works
2004. This could allow a buffer overflow, which if exploited by a hacker,
could give control over the computer with the same privileges as the user
that started the session.
Mydoom.AK is a worm with variable characteristics that spreads via email.
The subject field sometimes includes messages referring to Valentine's Day,
such as "Happy Valentine's day".
Mydoom.AK terminates active processes belonging to certain antivirus
products, firewalls and other security programs. For this reason, this worm
can leave computers vulnerable to attack from other malware.
Mydoom.AK searches for email addresses in the affected computer in files
with the following extensions: ADB, ASP, DBX, DOC, EML, FPT, HTM, HTML, INB,
MBX, OFT, PAB, PHP, PL, PMR, SHT, TBB, TXT, UIN and XLS. It then sends
itself out to them (other than those that contain certain text strings),
using its own SMTP engine.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- String: A sequence of characters (letters, numbers, punctuation marks
etc.).
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.