Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances

wawadave Warrior Obsessed
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Sun Feb 13, 2005 11:27 pm Post subject: Virus alerts for week of 2/14/05
"The direction in which education starts a man
will determine his future life."
Plato (427 BC-347 BC); Greek philosopher.
- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, February 13 2005 - This week's report looks at four vulnerabilities
and a worm called Mydoom.AK.
First we will take a look at the main characteristics of the four security
problems, for which Microsoft has released patches. Users of affected
systems are advised to install the patches.
- Server Message Block -SMB- problem. This affects Windows 2000, Windows XP
and Windows Server 2003 and allows code to be executed. Ways of exploiting
it include creating special network packets and sending them to a vulnerable
computer, generating an email message with a link to a web page and using a
program that passes parameters to the vulnerable SMB component.
- License Logging vulnerability. This affects Windows NT Server 4.0 (SP6a
and Terminal Server Edition SP6), Windows 2000 Server SP4 and SP3 and
Windows Server 2003. It could permit remote execution of code and could be
exploited through a specially crafted network packet sent to the vulnerable
computer.
If a hacker successfully exploited this problem he could take control of the
computer with the same privileges as the user that started the session. If
the user had administrator rights, the hacker could take control of the
entire system (and therefore create, modify or delete files; install
programs; create new user accounts, etc.). In computers with Windows 2003
Server it could allow a denial of service attack (DoS).
- Security problem in the processing of PNG (Portable Network Graphic)
files. This affects applications such as Windows Media Player 9.0 (when run
on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003),
Microsoft Windows Messenger version 5.0, Microsoft MSN Messenger 6.1 and
Microsoft MSN Messenger 6.2. It could be used by viruses to rapidly infect
computers via malformed real PNG images which, when processed by one of the
affected products, could cause the computer to crash.
- Vulnerability in Microsoft Office XP. This affects Office XP, Word 2002,
PowerPoint 2002, Project 2002, Visio 2002, Works 2002, Works 2003 and Works
2004. This could allow a buffer overflow, which if exploited by a hacker,
could give control over the computer with the same privileges as the user
that started the session.
Mydoom.AK is a worm with variable characteristics that spreads via email.
The subject field sometimes includes messages referring to Valentine's Day,
such as "Happy Valentine's day".
Mydoom.AK terminates active processes belonging to certain antivirus
products, firewalls and other security programs. For this reason, this worm
can leave computers vulnerable to attack from other malware.
Mydoom.AK searches for email addresses in the affected computer in files
with the following extensions: ADB, ASP, DBX, DOC, EML, FPT, HTM, HTML, INB,
MBX, OFT, PAB, PHP, PL, PMR, SHT, TBB, TXT, UIN and XLS. It then sends
itself out to them -other than those that contain certain text strings-,
using its own SMTP engine.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- String: A sequence of characters (letters, numbers, punctuation marks
etc.).
More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd

wawadave Warrior Obsessed
Posted: Tue Feb 15, 2005 12:05 pm
1. 2/14: Banker-EY Trojan Steals Web Information
Trojan_Banker.EY attempts to steal Internet banking account information, such as user
names and passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,etco,2ajc,9s3s,a9gz
------------------------------------------------------------
2. 2/14: VBS/Mcon-G Worm Spreads Via Shares, IRC
VBS/Mcon-G is a worm that spreads via network shares and IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,2a7l,fdbz,9s3s,a9gz
------------------------------------------------------------
3. 2/14: Bropia-N Worm Spreads Via MSN IM
Trend Micro has received several reports of Worm_Bropia.N, a new worm spreading via
instant messenger.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,fjc7,3m3p,9s3s,a9gz
------------------------------------------------------------
4. 2/14: Dopbot-A Worm Acts as IRC Bot
Worm_Dopbot.A is the first variant of the WORM_DOPBOT family.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,8czc,7f4w,9s3s,a9gz
------------------------------------------------------------
5. 2/14: Aimdes-A Worm Spreads Via AOL IM
W32.Aimdes.A@mm is a simple worm that propagates via AOL Instant Messenger and email.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,8who,ey7a,9s3s,a9gz
------------------------------------------------------------
6. 2/14: PWSteal.Bancos-O Trojan Logs Keystrokes
PWSteal.Bancos.O is a Trojan horse program that logs keystrokes and steals information
entered into certain banking Web sites.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,bfuk,8vr0,9s3s,a9gz
------------------------------------------------------------
7. 2/14: PWSteal.Bancos-P Trojan Steals Bank Info
PWSteal.Bancos.P is a Trojan horse program that logs keystrokes and steals information
entered into certain banking Web sites.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,3kz,kekb,9s3s,a9gz
------------------------------------------------------------
8. 2/14: Troj/LowZone-O Changes Browser Settings
Troj/LowZone-O is a Trojan that changes browser security settings and connects to
pre-determined websites.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,2rh3,hga3,9s3s,a9gz
------------------------------------------------------------
9. 2/14: Sdbot-UZ Worm Has Backdoor Functions
W32/Sdbot-UZ is a network worm with backdoor Trojan functionality for the Windows
platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,m0ld,4v6x,9s3s,a9gz
------------------------------------------------------------
10. Sun Seeks Secure Collaboration
The company hunkers down on securing the e-mail, instant messaging and calendaring tools
in its collaboration suite.
http://nl.internet.com/ct.html?rtr=on&s=1,1e76,1,4z7h,dxuc,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Tue Feb 15, 2005 3:31 pm
2/15: Gaobot-CYX Worm Has Backdoor Traits
Gaobot.CYX is a worm with backdoor characteristics that belongs to the Gaobot worm
family.
http://nl.internet.com/ct.html?rtr=on&s=1,1eax,1,lsne,bhk,9s3s,a9gz
------------------------------------------------------------
4. 2/15: Codbot-B Backdoor Spreads Via Shares
W32/Codbot-B is a backdoor that contains functionality to spread via network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1eax,1,kz4t,pdc,9s3s,a9gz
------------------------------------------------------------
5. 2/15: W97M.Lebani Virus Infects Word Docs
W97M.Lebani is a macro virus that infects Microsoft Word documents and the MS Word global
template.
http://nl.internet.com/ct.html?rtr=on&s=1,1eax,1,1j2s,gmif,9s3s,a9gz
------------------------------------------------------------
6. 2/15: Trojan.Rplay-A Downloads Remote File
Trojan.Rplay.A is a Trojan horse that downloads a remote file and lowers security
settings on a compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1eax,1,g50e,fjke,9s3s,a9gz
------------------------------------------------------------
7. 2/15: W97M-MJ Macro Worm Uses mIRC
W97M.MJ is a macro worm that attempts to spread using mIRC, the Windows Internet Relay
Chat (IRC) client.
http://nl.internet.com/ct.html?rtr=on&s=1,1eax,1,btgg,gzmg,9s3s,a9gz
------------------------------------------------------------
8. 2/15: Randex-COX a Network-Aware Worm
W32.Randex.COX is a network-aware worm that spreads to network shares protected by weak
passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,1eax,1,kuic,euum,9s3s,a9gz
------------------------------------------------------------
9. 2/15: Trojan.KillAVE-E Installs BHO
Trojan.KillAV.E is a Trojan horse that installs a Browser Helper Object (BHO) and
disables security software.
http://nl.internet.com/ct.html?rtr=on&s=1,1eax,1,jlc1,i1s1,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Wed Feb 16, 2005 5:57 pm
2/16: Trojan.Anicmoo Exploits Windows Flaw
Trojan.Anicmoo is a downloader Trojan that exploits the Windows User32.DLL ANI File
Header Handling Stack-Based Buffer Overflow Vulnerability (as described in the Microsoft
Security Bulletin MS05-002).
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,8uny,lekb,9s3s,a9gz
------------------------------------------------------------
3. 2/16: Backdoor.Wortbot Allows Remote Access
Backdoor.Wortbot is a Trojan horse program that opens a back door and allows unauthorized
remote access to a compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,94hp,borc,9s3s,a9gz
------------------------------------------------------------
4. 2/16: Ahker-D Worm Uses MAPI to Send Itself
W32.Ahker.D@mm is a mass-mailing worm that uses MAPI to send a copy of itself to email
addresses gathered from the compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,59ux,hxqv,9s3s,a9gz
------------------------------------------------------------
5. 2/16: Lineage-D a Password-Stealing Trojan
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,easa,2wye,9s3s,a9gz
------------------------------------------------------------
6. Microsoft May Bundle Up Protection
Redmond may be tying its existing security applications together.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,36yb,ibhn,9s3s,a9gz
------------------------------------------------------------
7. 2/16: Worm_Aimdes-B Sends File To IM Users
Similar to its predecessor, Worm_Aimdes.A, Worm_Aimdes.B propagates via AOL Instant
Messenger (AIM).
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,a9cp,d0vu,9s3s,a9gz
------------------------------------------------------------
8. 2/16: Worm_Aimdes-C Spreads Via AIM
Like its predecessors, Worm_Aimdes.C is a new variant of the Aimdes family that
propagates via AOL Instant Messenger (AIM).
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,m3rz,1pit,9s3s,a9gz
------------------------------------------------------------
9. 2/16: Tabela-A Trojan Grabs Email Addresses
Trojan.Tabela.A is a Trojan that steals email addresses from the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,z1e,2m2t,9s3s,a9gz
------------------------------------------------------------
10. 2/16: Spyboter-A Trojan Opens Back Door
Backdoor.Spyboter.A is a Trojan horse program that opens a back door on the compromised
computer and may be remotely controlled via IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,4bq7,9j0v,9s3s,a9gz
------------------------------------------------------------
11. 2/16: Spybot-JPB Worm Has DoS Ability
W32.Spybot.JPB is a network-aware worm that has distributed denial of service and back
door capabilities.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,jamp,eqad,9s3s,a9gz
------------------------------------------------------------
12. 2/16: Codbot-C a Backdoor Trojan
W32/Codbot-C is a backdoor Trojan containing functionality to spread via network shares.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,1vd3,duij,9s3s,a9gz
------------------------------------------------------------
13. 2/16: PurScan-V Trojan Downloads Adware
Troj/PurScan-V is a downloader for an advertising-related application.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,ci97,48a5,9s3s,a9gz
------------------------------------------------------------
14. 2/16: Forbot-EC Worm OKs Remote Access
W32/Forbot-EC is a network worm with backdoor functionality for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,is3k,7sr1,9s3s,a9gz
------------------------------------------------------------
15. Cisco Adapts Its Defenses to New Threats
The company launches the next phase of its Self-Defending Network initiative with support
from recent acquisitions.
http://nl.internet.com/ct.html?rtr=on&s=1,1ef3,1,bt6q,6uby,9s3s,a9gz

wawadave Warrior Obsessed
Posted: Thu Feb 17, 2005 7:51 pm
viruses are picking up speed!!! norton just updated again!!!
1. MyDoom Back For More
The MyDoom virus is on the prowl again in a medium way.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,4alj,abhb,9s3s,a9gz
------------------------------------------------------------
2. 2/17: Derdero-A Worm Grabs Email Addresses
W32.Derdero.A@mm is a mass-mailing worm that uses its own SMTP engine to send email to
addresses that it retrieves from the Windows Address Book.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,2yb0,g72c,9s3s,a9gz
------------------------------------------------------------
3. 2/17: Bkdr_Surila-O a Backdoor Program
Bkdr_Surila.O is a memory-resident backdoor program that may arrive on a system as a
downloaded file of Worm_MyDoom.BB.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,jz4,9jm7,9s3s,a9gz
------------------------------------------------------------
4. 2/17: Sdbot-SB Worm Has Backdoor Component
W32/Sdbot-SB is a member of the W32/Sdbot family of worms with a backdoor component.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,ef6a,4m1n,9s3s,a9gz
------------------------------------------------------------
5. 2/17: MyDoom-AU Worm Spreads Via Email
Similar to earlier MyDoom variants, Worm_MyDoom.AU propagates via email messages.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,k9kt,38mu,9s3s,a9gz
------------------------------------------------------------
6. 2/17: MyDoom-AX Worm Uses Own SMTP Engine
W32.Mydoom.AX@mm is a mass-mailing worm that uses its own SMTP engine to send email to
addresses that it retrieves from the Windows Address Book on the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,echl,c8fn,9s3s,a9gz
------------------------------------------------------------
7. 2/17: MyDoom-AO Worm Targets Win 2003/XP/2000/NT
Security vendor Panda Software has issued a high threat alert for MyDoom.AO, a worm that
affects Windows 2003/XP/2000/NT computers only.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,2j05,hwzb,9s3s,a9gz
------------------------------------------------------------
8. 2/17: MyDoom-BB Worm Downloads Trojan
W32/Mydoom.bb@mm is a variant W32/Mydoom of the Mydoom family of worms.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,5x2x,fwdf,9s3s,a9gz
------------------------------------------------------------
9. 2/17: Rbot-WB Worm Has Trojan Functions
W32/Rbot-WB is a worm with backdoor Trojan functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,a1z6,ks0c,9s3s,a9gz
------------------------------------------------------------
10. 2/17: MyDoom-O an Email Worm
W32/MyDoom-O is an email worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,j7vf,687y,9s3s,a9gz
------------------------------------------------------------
11. 2/17: Sdbot-VH Worm Targets Weak Passwords
W32/Sdbot-VH is a network worm with backdoor functionality for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,5nx6,a6xb,9s3s,a9gz
------------------------------------------------------------
12. 2/17: Poebot-A Worm Has Backdoor Functions
W32/Poebot-A is a network worm with backdoor Trojan functionality for the Windows
platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1ekb,1,ey17,lafg,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Thu Feb 17, 2005 8:36 pm
ORANGE ALERT: Mydoom.AO -
- Panda Software offers its free PQRemove tool
to detect and eliminate Mydoom.AO from infected computers -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, February 17, 2005 - To help all users whose computers have been or
could be affected by the Mydoom.AO worm, Panda Software has made its free
PQRemove utility available to detect and eliminate this malicious code. This
tool can be downloaded from: http://www.pandasoftware.com/download/utilities
Panda Software also recommends that users treat emails received with caution
and install a reliable and updated anti-malware solution. Panda Software
clients that already have TruPrevent (TM) Technologies to protect against
unknown viruses and intruders, have had preventive protection against
Mydoom.AO from the moment it first appeared as they are able to detect and
block this threat without needing to have identified it previously (more
information about the new TruPrevent(TM) Technologies at
http://www.pandasoftware.com/truprevent).
Mydoom.AO has a far greater propagation capacity than most computer viruses,
as it uses the main Internet search engines to find email addresses to which
to send itself. Once it has infected a computer, it searches for email
addresses in the Windows address book, Internet temporary files, and in
files on the computer with certain extensions. Then it selects domain names
from the addresses it has collected and uses them to search in Google,
Altavista, Yahoo and Lycos for other addresses to which to send itself. For
example, if in the computer it finds the address 'abc@xyz.com', the worm
searches for the term 'xyz.com' so that it can find other addresses on the
same domain.
Mydoom.AO also avoids the tactics that users employ to prevent their
Internet addresses from being used by spammers to send unwanted mail, for
example by replacing @ with (at).
Luis Corrons, director of PandaLabs, explains: "This worm is perfectly
designed to spread itself massively and rapidly. The creator has designed it
to magnify the infection capacity using Internet search engines. In this
way, even if the malicious code didn't cause a high number of infections, it
can ensure that there are many infected messages in circulation. This
increases the chance of a computer, especially one without protection,
becoming infected".
Given the likelihood of incidents involving Mydoom.AO, Panda Software
advises users to act with caution and update their antivirus software. Panda
Software clients already have the corresponding updates to detect and
disinfect this new malicious code.
Panda Software's clients can already access the updates for installing the
new TruPrevent(TM) Technologies along with their antivirus protection,
providing a preventive layer of protection against new malicious code. For
users with a different antivirus program installed, Panda TruPrevent(TM)
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive
protection that acts while the new virus is still being studied and the
corresponding update is incorporated into traditional antivirus programs,
decreasing the risk of infection. More information about TruPrevent(TM)
Technologies at http://www.pandasoftware.com/truprevent.
In addition, users can scan their computers online for free with Panda
ActiveScan, available at http://www.pandasoftware.com/
More information about Mydoom.AO is available from Panda Software's Virus
Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

wawadave Warrior Obsessed
Posted: Fri Feb 18, 2005 11:31 pm
MyDoom Back For More
The MyDoom virus is on the prowl again in a medium way.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,4alj,abhb,9s3s,a9gz
------------------------------------------------------------
6. 2/18: Bropia-R Worm Displays Pornography
Worm_Bropia.R, like the earlier Bropia variants, spreads copies of itself via MSN
messenger, a popular instant messaging application.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,5wni,9fk3,9s3s,a9gz
------------------------------------------------------------
7. 2/18: Assiral-A Worm Sends ''Love Letter''
W32/Assiral-A is a mass mailing worm that attempts to spread itself by sending emails
with certain characteristics to addresses found in the victim's address book.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,gmhu,ft0j,9s3s,a9gz
------------------------------------------------------------
8. 2/18: PE_Deadcode-A Infects All .EXE Files
PE_Deadcode.A infects all .EXE files (executable file) in the same folder where it has
been executed in.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,9o37,krin,9s3s,a9gz
------------------------------------------------------------
9. 2/18: Doxpar Worm Has DoS Capabilities
W32.Doxpar is a network-aware worm that has distributed denial of service and back door
capabilities.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,8y4f,e6ve,9s3s,a9gz
------------------------------------------------------------
10. 2/18: Trojan.StartPage-I Changes IE Home Page
Trojan.StartPage.I is a Trojan horse program that attempts to change the Internet
Explorer home page and related registry keys.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,eado,ckj2,9s3s,a9gz
------------------------------------------------------------
11. 2/18: MyDoom-AS Sends Itself As Attachment
W32/MyDoom-AS is a mass-mailing and peer-to-peer worm that emails itself as an attachment
to addresses found on the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,isc1,6yl9,9s3s,a9gz
------------------------------------------------------------
12. 2/18: Poebot-H Worm Hits Remote Shares
W32/Poebot-H is a worm that attempts to spread to remote network shares with weak
passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,1tuz,fo1o,9s3s,a9gz
------------------------------------------------------------
13. 2/18: Kipis-I an Email Windows Worm
W32/Kipis-I is an email worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1end,1,gjqd,cmi5,9s3s,a9gz
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Fri Feb 18, 2005 11:35 pm
- ORANGE ALERT: Mydoom.AO -
- Panda Software offers its free PQRemove tool
to detect and eliminate Mydoom.AO from infected computers -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, February 17, 2005 - To help all users whose computers have been or
could be affected by the Mydoom.AO worm, Panda Software has made its free
PQRemove utility available to detect and eliminate this malicious code. This
tool can be downloaded from: http://www.pandasoftware.com/download/utilities
Panda Software also recommends that users treat emails received with caution
and install a reliable and updated anti-malware solution. Panda Software
clients that already have TruPrevent (TM) Technologies to protect against
unknown viruses and intruders, have had preventive protection against
Mydoom.AO from the moment it first appeared as they are able to detect and
block this threat without needing to have identified it previously (more
information about the new TruPrevent(TM) Technologies at
http://www.pandasoftware.com/truprevent).
Mydoom.AO has a far greater propagation capacity than most computer viruses,
as it uses the main Internet search engines to find email addresses to which
to send itself. Once it has infected a computer, it searches for email
addresses in the Windows address book, Internet temporary files, and in
files on the computer with certain extensions. Then it selects domain names
from the addresses it has collected and uses them to search in Google,
Altavista, Yahoo and Lycos for other addresses to which to send itself. For
example, if in the computer it finds the address 'abc@xyz.com', the worm
searches for the term 'xyz.com' so that it can find other addresses on the
same domain.
Mydoom.AO also avoids the tactics that users employ to prevent their
Internet addresses from being used by spammers to send unwanted mail, for
example by replacing @ with (at).
Luis Corrons, director of PandaLabs, explains: "This worm is perfectly
designed to spread itself massively and rapidly. The creator has designed it
to magnify the infection capacity using Internet search engines. In this
way, even if the malicious code didn't cause a high number of infections, it
can ensure that there are many infected messages in circulation. This
increases the chance of a computer, especially one without protection,
becoming infected".
Given the likelihood of incidents involving Mydoom.AO, Panda Software
advises users to act with caution and update their antivirus software. Panda
Software clients already have the corresponding updates to detect and
disinfect this new malicious code.
Panda Software's clients can already access the updates for installing the
new TruPrevent(TM) Technologies along with their antivirus protection,
providing a preventive layer of protection against new malicious code. For
users with a different antivirus program installed, Panda TruPrevent(TM)
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive
protection that acts while the new virus is still being studied and the
corresponding update is incorporated into traditional antivirus programs,
decreasing the risk of infection. More information about TruPrevent(TM)
Technologies at http://www.pandasoftware.com/truprevent.
In addition, users can scan their computers online for free with Panda
ActiveScan, available at http://www.pandasoftware.com/
More information about Mydoom.AO is available from Panda Software's Virus
Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
------------------------------------------------------------

wawadave Warrior Obsessed
Posted: Sun Feb 20, 2005 7:43 pm
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, February 18, 2005 - Two variants of Mydoom -AO and AM-, two variants
of Gaobot -DAC and CYK-, and Bropia.J are the subjects of this week's
report.
Mydoom.AO appeared midweek and has the capacity to spread much more rapidly
and widely than the majority of computer viruses. The reason for this is
that it uses Google, Altavista, Yahoo and Lycos to search for email
addresses to which to send itself. In order to trick users, it sends out
emails that pass themselves off as mail delivery error messages.
The email messages carrying Mydoom.AO include an attachment -which contains
the worm's code- with one of the following extensions: ZIP, COM, SCR, EXE,
PIF, BAT or CMD. If the user runs the attached file, the worm will create
several copies of itself on the affected computer under the name JAVA.EXE,
and look for email addresses in the Windows address book, in temporary
Internet files and in files with certain extensions. Then it selects the
domain names of the addresses it has collected and enters them as a search
term in Google, Altavista, Yahoo and Lycos. Then Mydoom.AO sends itself out
to all the addresses found. This worm also creates several entries in the
Windows Registry in order to ensure that it is run whenever the affected
computer is started up.
The second variant of Mydoom in today's report is AM, which spreads in email
messages with variable characteristics and through the peer-to-peer (P2P)
file sharing programs KaZaA, Morpheus, eDonkey2000, iMesh and LimeWire.
In the computers it infects, Mydoom.AM ends the processes belonging to
certain security tools, such as several antivirus programs and firewalls,
leaving the affected computer vulnerable to the attack of other malware.
This worm also modifies the HOSTS file, in order to prevent access to the
websites of several antivirus companies and ends the processes belonging to
other worms, such as Netsky, Bagle, Sobig and Blaster.
Gaobot.DAC and Gaobot.CYX are two worms that use several means of
propagation, including the following:
- They make copies of themselves in the shared network resources they manage
to access.
- To spread across the Internet, they exploit security flaws, like the LSASS
and RPC DCOM vulnerabilities, for which Microsoft has already released the
patches that fix them.
The DAC and CYX variants of Gaobot have backdoor characteristics that allow
hackers to gain remote control over the affected computer and carry out
actions such as executing commands, downloading and running files, logging
keystrokes, stealing different information from the computer, launching
Distributed Denial of Service (DDoS) attacks, etc.
We are going to finish this week's report with Bropia.J, a worm that spreads
via MSN Messenger. When it is run, this malicious code tries to display an
HTML page that contains a link to a certain web page in order to display an
image. Bropia.J also prevents the user from accessing the Task Manager and
the Windows Registry Editor (REGEDIT.EXE file).
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- DoS / Denial of Service: this is a type of attack, sometimes caused by
viruses, that prevents users from accessing certain services (in the
operating system, web servers etc.).
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
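
The Mydoom.AO report in the last post lists the attachment extensions the worm uses (ZIP, COM, SCR, EXE, PIF, BAT, CMD). The following Python is an added example, not part of the original posts or of any Panda Software tool, showing how a mail filter could flag such attachments. The sample messages, file names and the step of looking inside ZIP archives are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment extensions the report lists for Mydoom.AO.
REPORTED_EXTS = {"zip", "com", "scr", "exe", "pif", "bat", "cmd"}
# A ZIP is only a container, so it is inspected rather than flagged outright
# (assumption of this example; flagging every ZIP would catch much normal mail).
EXECUTABLE_EXTS = REPORTED_EXTS - {"zip"}


def _ext(name):
    """Lower-cased final extension, ignoring trailing spaces and dots."""
    name = name.strip().rstrip(".")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def risky_attachments(raw_message):
    """Return a list of (attachment filename, reason) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable extension"))
        elif ext == "zip":
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                # An archive the filter cannot open cannot be cleared either.
                findings.append((name, "unreadable zip"))
                continue
            for member in members:
                if _ext(member) in EXECUTABLE_EXTS:
                    findings.append((name, "zip contains " + member))
    return findings


def make_zip(member_names):
    """Build an in-memory ZIP with harmless placeholder members (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"constructed placeholder bytes")
    return buf.getvalue()


def build_sample(filename, data):
    """Build a constructed message styled as a delivery-error notice."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Mail delivery failed"
    m.set_content("The message could not be delivered.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("report.scr", b"placeholder"),
        build_sample("notice.zip", make_zip(["readme.txt", "notice.pif"])),
        build_sample("photos.zip", make_zip(["readme.txt"])),
        build_sample("broken.zip", b"not a zip"),
    ]
    for raw in samples:
        print(risky_attachments(raw))
```
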