Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
wawadave Warrior Obsessed
Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Mon Feb 21, 2005 10:21 am Post subject: Virus alerts for week of 2/21/05
- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, February 20, 2005 - Two variants of Mydoom -AO and AM-, two variants
of Gaobot -DAC and CYK-, and Bropia.J are the subjects of this week's
report.
Mydoom.AO appeared midweek and has the capacity to spread much more rapidly
and widely than the majority of computer viruses. The reason for this is
that it uses Google, Altavista, Yahoo and Lycos to search for email
addresses to which to send itself. In order to trick users, it sends out
emails that pass themselves off as mail delivery error messages.
The email messages carrying Mydoom.AO include an attachment -which contains
the worm's code- with one of the following extensions: ZIP, COM, SCR, EXE,
PIF, BAT or CMD. If the user runs the attached file, the worm will create
several copies of itself on the affected computer under the name JAVA.EXE,
and look for email addresses in the Windows address book, in temporary
Internet files and in files with certain extensions. Then it selects the
domain names of the addresses it has collected and enters them as a search
term in Google, Altavista, Yahoo and Lycos. Then Mydoom.AO sends itself out
to all the addresses found. This worm also creates several entries in the
Windows Registry in order to ensure that it is run whenever the affected
computer is started up.
The second variant of Mydoom in today's report is AM, which spreads in email
messages with variable characteristics and through the peer-to-peer (P2P)
file sharing programs KaZaA, Morpheus, eDonkey2000, iMesh and LimeWire.
In the computers it infects, Mydoom.AM ends the processes belonging to
certain security tools, such as several antivirus programs and firewalls,
leaving the affected computer vulnerable to the attack of other malware.
This worm also modifies the HOSTS file, in order to prevent access to the
websites of several antivirus companies and ends the processes belonging to
other worms, such as Netsky, Bagle, Sobig and Blaster.
Gaobot.DAC and Gaobot.CYX are two worms that use several means of
propagation, including the following:
- They make copies of themselves in the shared network resources they manage
to access.
- To spread across the Internet, they exploit security flaws, like the LSASS
and RPC DCOM vulnerabilities, for which Microsoft has already released the
patches that fix them.
The DAC and CYX variants of Gaobot have backdoor characteristics that allow
hackers to gain remote control over the affected computer and carry out
actions such as executing commands, downloading and running files, logging
keystrokes, stealing different information from the computer, launching
Distributed Denial of Service (DDoS) attacks, etc.
We are going to finish this week's report with Bropia.J, a worm that spreads
via MSN Messenger. When it is run, this malicious code tries to display an
HTML page that contains a link to a certain web page in order to display an
image. Bropia.J also prevents the user from accessing the Task Manager and
the Windows Registry Editor (REGEDIT.EXE file).
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- DoS / Denial of Service: this is a type of attack, sometimes caused by
viruses, that prevents users from accessing certain services (in the
operating system, web servers etc.).
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
------------------------------------------------------------
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
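The report above says Mydoom.AM rewrites the HOSTS file so the machine can no longer reach antivirus vendors' sites. A quick way to check for that symptom is to parse HOSTS and flag any vendor domain that has been remapped, plus any non-localhost name pointed at a sink-hole address. The script below is an added example, not part of the Panda newsletter or this post; pandasoftware.com comes from the report, the other vendor domains in the watchlist and the sample HOSTS content are constructed for illustration.

```python
import ipaddress

# Watchlist of security-vendor domains whose blocking is a known worm symptom.
# pandasoftware.com is named in the report; the rest are assumed sample entries.
AV_DOMAINS = ("pandasoftware.com", "symantec.com", "mcafee.com",
              "sophos.com", "windowsupdate.com")

# Names a stock HOSTS file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Addresses worms use to "sink-hole" a name so it never resolves usefully.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content mimicking the tampering the report describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed to mimic the tampering the report describes
127.0.0.1       www.pandasoftware.com
127.0.0.1       liveupdate.symantec.com   # blocks signature updates
0.0.0.0         example.org
192.0.2.10      intranet.example          # ordinary mapping, not flagged
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-format text.

    Comments (#) are stripped, blank and malformed lines are skipped, and a
    line may list several hostnames after one address.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)   # reject garbage in the address column
        except ValueError:
            continue
        for name in parts[1:]:
            yield line_no, ip, name.lower()


def is_watched(name):
    """True if name is a watchlisted vendor domain or a host under one."""
    return any(name == d or name.endswith("." + d) for d in AV_DOMAINS)


def find_hijacks(text):
    """Return a list of (line_no, hostname, ip, reason) for suspicious mappings."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name):
            findings.append((line_no, name, ip, "security vendor domain redirected"))
        elif ip in SINKHOLE_IPS and name not in LOOPBACK_NAMES:
            findings.append((line_no, name, ip, "non-localhost name sink-holed"))
    return findings


def scan_file(path):
    """Run find_hijacks over a real HOSTS file, e.g. C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for line_no, name, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}  ({reason})")
```

Run it against the real file with `scan_file(path)`; anything it lists for a vendor domain is worth treating as a compromise indicator rather than a configuration quirk, since the entry's whole purpose is to stop the antivirus from updating.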
wawadave Warrior Obsessed
Posted: Mon Feb 21, 2005 10:29 am Post subject:
"Words are loaded pistols."
Jean Paul Sartre (1905-1980); French philosopher and writer.
- Weekly summary -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, February 19, 2005 - This week Oxygen3 24h-365d has reported the news
summarized below, which can be accessed at:
http://www.pandasoftware.com/about/press/oxygen3/oxygen.asp
- Access to files in the mailman list manager (02/14/05).
SecurityTracker has reported an input validation problem in the mailman list
manager that could allow a remote user to access arbitrary files on the
target system. Versions of mailman from 2.1 to 2.1.5 are affected, although
version 2.1.6 is not vulnerable.
- Viruses and famous people: an effective formula for spreading malware
(02/15/05).
Phrases like "Osama Bin Ladin was found hanged" or suggestive file names
like "JENNIFERLOPEZ_NAKED.JPG.vbs" are real examples of attempts to use
social engineering techniques to spread computer malware (computer viruses,
worms, etc.). This strategy is mainly used to spread malicious code that
reaches computers in a file attached to email messages. It basically involves
writing something in the message to make the attachment sound attractive to
users, such as saying it contains an application, photographs, etc. If this
text manages to trick the user into running the file, the virus will be
installed on the computer and carry out its malicious actions.
- Online shoppers getting more reluctant (02/16/05).
Reluctance to purchase from online stores is increasing as users become more
aware of the risks, according to a recent survey of more than 1,000 U.S.
consumers carried out by RSA Security, and which is reported in ZDNet. This
study reveals that, last year, one in four online shoppers reduced their
purchases due to growing identity theft concerns.
- Panda Software offers its free PQRemove tool to detect and eliminate
Mydoom.AO from infected computers (02/17/05).
To help all users whose computers have been or could be affected by the
Mydoom.AO worm, Panda Software has made its free PQRemove utility available
to detect and eliminate this malicious code. Mydoom.AO has a far greater
propagation capacity than most computer viruses, as it uses the main
Internet search engines to find email addresses to which to send itself. For
this reason, Panda Software advises users to act with caution and install
effective and updated anti-malware protection.
- Denial of Service in Internet Explorer (02/18/05).
SecurityTracker has reported a Denial of Service vulnerability in Internet
Explorer, which could allow an attacker to crash the browser. The attack can
be carried out through a web page or message containing a malicious link
that, when accessed by the user, will automatically close Internet Explorer
and any sessions that are open.
NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
------------------------------------------------------------
wawadave Warrior Obsessed
Posted: Tue Feb 22, 2005 5:12 pm Post subject:
They're starting to pick up; something's going to be happening......
2/22: MyDoom-BF Worm Sends Mass Emails
W32/MyDoom.bf@MM is another variant of the W32/Mydoom worm and is similar to previous
variants.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,6sp3,hic9,9s3s,a9gz
------------------------------------------------------------
3. 2/22: Sdbot-VL Worm Performs Backdoor Functions
W32/Sdbot-VL is a worm with backdoor functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,kvwd,5f54,9s3s,a9gz
------------------------------------------------------------
4. 2/22: Dumaru-Y Detects MIME-Encoded Files
W32.Dumaru.Y@mm!enc is an .enc detection for MIME-encoded files that contain the
W32.Dumaru.Y@mm worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,4047,3iv8,9s3s,a9gz
------------------------------------------------------------
5. 2/22: Backdoor.Berbew-Q Steals Passwords
Backdoor.Berbew.Q is a Trojan horse program that steals passwords from a compromised
computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,gcn4,92dh,9s3s,a9gz
------------------------------------------------------------
6. 2/22: Trojan.Goldun-C Logs Keystrokes
Trojan.Goldun.C is a Trojan horse program that attempts to log keystrokes and steal
account information entered into forms on the www.e-gold.com domain.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,9hss,f5jy,9s3s,a9gz
------------------------------------------------------------
7. 2/22: Bropia-P Worm Monitors Messenger Activity
Some security vendors have issued alerts for W32/Bropia-P, a worm for the Windows
platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,ej0q,8am3,9s3s,a9gz
------------------------------------------------------------
8. 2/21: Bropia-Q Worm Spreads Via IM
Like the earlier Bropia variants, Worm_Bropia-Q is a memory-resident worm that spreads
copies of itself via MSN messenger, a popular instant messaging application, using
attractive file names.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,7qzp,dg87,9s3s,a9gz
------------------------------------------------------------
9. 2/21: Forbot-EG Worm OKs Remote Access
W32/Forbot-EG is a network worm that also contains IRC backdoor Trojan functionality,
allowing unauthorized remote access to the infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,8o9l,1o8z,9s3s,a9gz
------------------------------------------------------------
10. 2/21: Derdero-B Worm Uses File Sharing
W32.Derdero.B@mm is a mass-mailing worm that uses its own SMTP engine to send an email to
addresses that it gathers from the Windows Address Book.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,8h0k,c50i,9s3s,a9gz
------------------------------------------------------------
11. 2/21: Derdero-C Worm Gathers Addresses
W32.Derdero.C@mm is a mass-mailing worm that uses its own SMTP engine to send an email to
addresses that it gathers from the Windows Address Book.
http://nl.internet.com/ct.html?rtr=on&s=1,1es4,1,9jdi,jzcy,9s3s,a9gz
------------------------------------------------------------
wawadave Warrior Obsessed
Posted: Wed Feb 23, 2005 3:21 pm Post subject:
NEW SOBER WORM MOVING FAST, SECURITY COMPANY WARNS
A new version of the Sober worm wriggled out of its hole early on Monday
and set about quickly attacking computers in Europe and the U.S., a
security services company said. The worm is a mass-mailer, meaning it
spreads itself via e-mail using contacts listed in the address books of
computers it infects.
http://newsletter.infoworld.com/t?ctl=BC6AE5:2F3DA83
======================================================================
CABIR WORM WRIGGLES INTO U.S. MOBILE PHONES
Several months after its first sighting in the Philippines, the Cabir
worm that infects mobile phones running Symbian OS with the Series 60
user interface has surfaced in the U.S.
http://newsletter.infoworld.com/t?ctl=BC6AEA:2F3DA83
wawadave Warrior Obsessed
Posted: Thu Feb 24, 2005 9:02 am Post subject:
FBI: We're Not Infecting You
A new version of the Sober worm is believed to be behind e-mails that supposedly come
from G-man servers.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,39xt,29nl,9s3s,a9gz
2/23: Anicmoo-B a Downloader Trojan
Trojan.Anicmoo.B is a downloader Trojan that exploits the Windows User32.DLL ANI File
Header Handling Stack-Based Buffer Overflow Vulnerability (as described in the Microsoft
Security Bulletin MS05-002).
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,m4b5,hbp,9s3s,a9gz
------------------------------------------------------------
9. 2/23: Sumina Trojan Drops Malicious Files
Download.Sumina is a Trojan horse program that downloads malicious files from a
predefined Web site and injects malicious code into clean processes.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,h3uk,bfcw,9s3s,a9gz
------------------------------------------------------------
10. 2/23: Dremn Trojan Logs Keystrokes, Steals Info
Trojan.Dremn is a Trojan horse program that attempts to log keystrokes and steal
information.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,ayci,1ixc,9s3s,a9gz
------------------------------------------------------------
11. 2/23: Bobaxx-A Worm Exploits LSASS Flaw
Worm_Bobaxx.A is known to exploit the Windows LSASS vulnerability, which is a buffer
overrun that allows remote code execution and enables an attacker to gain full control of
the affected system.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,7pqf,9uyv,9s3s,a9gz
------------------------------------------------------------
12. 2/23: Worm_Ahker-E Spreads Three Ways
Worm_Ahker-E propagates using three techniques to rapidly spread copies of itself to
target victims.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,dbg3,b5d2,9s3s,a9gz
------------------------------------------------------------
13. 2/23: Sdranck-A a Multi-Component Worm
W32/Sdranck-A is a multi-component network worm that uses a member of the W32/Sdbot
family to spread.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,5wep,illc,9s3s,a9gz
------------------------------------------------------------
14. 2/23: Stang-A Worm Spreads Via MSN IM
Worm_Stang.A propagates through MSN Instant Messenger.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,a86m,1ys3,9s3s,a9gz
------------------------------------------------------------
15. 2/23: Assiral Worm Mass-Mails Itself
W32.Assiral@mm is a mass-mailing worm that sends a copy of itself to email addresses
gathered from a compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,gkg4,5scj,9s3s,a9gz
------------------------------------------------------------
16. 2/23: Assiral-A Worm Modifies System Settings
Assiral.A is a worm that modifies the settings of the affected computer: it prevents
users from accessing the Windows Registry Editor, the Run option in the Start menu and
the command line.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,cdcb,1f5n,9s3s,a9gz
------------------------------------------------------------
17. 2/23: Domwis-G Worm Gives Away Access
W32/Domwis-G is a network worm with backdoor functionality for the Windows platform that
allows a malicious user remote access to an infected computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1ewk,1,ii8e,ddts,9s3s,a9gz
------------------------------------------------------------
wawadave Warrior Obsessed
Posted: Thu Feb 24, 2005 7:38 pm Post subject:
. 2/24: Dloader-IE a Windows Trojan
Troj/Dloader-IE is a downloader Trojan for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1f1r,1,4eky,gpj7,9s3s,a9gz
------------------------------------------------------------
5. 2/24: Stang Worm Lowers Security Settings
W32.Stang is a worm that spreads via Microsoft's MSN Messenger instant message program,
and attempts to terminate processes and lower security settings.
http://nl.internet.com/ct.html?rtr=on&s=1,1f1r,1,hx75,7saw,9s3s,a9gz
------------------------------------------------------------
6. 2/24: Agobot-QE a Backdoor Trojan & Worm
W32/Agobot-QE is a backdoor Trojan and worm that spreads to computers protected by weak
passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,1f1r,1,3d11,c350,9s3s,a9gz
------------------------------------------------------------
7. 2/24: Codbot-Gen Worms Have Backdoor
W32/Codbot-Gen detects worms of the W32/Codbot family.
http://nl.internet.com/ct.html?rtr=on&s=1,1f1r,1,4bfp,ii9j,9s3s,a9gz
------------------------------------------------------------
8. 2/24: MyDoom-BD an Email Worm
W32/MyDoom-BD is an email worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1f1r,1,ho6n,8cup,9s3s,a9gz
------------------------------------------------------------
wawadave Warrior Obsessed
Posted: Fri Feb 25, 2005 2:45 pm Post subject:
2/25: Stang-B Worm Ends Windows Processes
Stang.B is a worm that ends the processes LSASS.EXE and SVCHOST.EXE, which belong to the
Windows operating system.
http://nl.internet.com/ct.html?rtr=on&s=1,1f5b,1,dfht,8l6c,9s3s,a9gz
------------------------------------------------------------
4. 2/25: Kelvir-A an Instant Messaging Worm
W32/Kelvir-A is an instant messaging worm.
http://nl.internet.com/ct.html?rtr=on&s=1,1f5b,1,ad9e,4sda,9s3s,a9gz
------------------------------------------------------------
5. 2/25: Kipis-O Worm Arrives as Attachment
Worm_Kipis.O arrives as an email attachment.
http://nl.internet.com/ct.html?rtr=on&s=1,1f5b,1,cx23,gvhs,9s3s,a9gz
------------------------------------------------------------
6. 2/25: Spybot-KAI Worm Uses File Sharing
W32.Spybot.KAI is a worm that propagates through file sharing networks.
http://nl.internet.com/ct.html?rtr=on&s=1,1f5b,1,43io,le4p,9s3s,a9gz
------------------------------------------------------------
7. 2/25: Looked-C Worm Downloads File
W32.Looked.C is a worm that downloads a remote file and infects .exe files.
http://nl.internet.com/ct.html?rtr=on&s=1,1f5b,1,20io,lm5e,9s3s,a9gz
------------------------------------------------------------
8. 2/25: Derdero-E Worm Uses Own Engine
W32.Derdero.E@mm is a mass-mailing worm that uses its own SMTP engine to send an email to
addresses gathered from a compromised computer.
http://nl.internet.com/ct.html?rtr=on&s=1,1f5b,1,c3p8,a2yt,9s3s,a9gz
------------------------------------------------------------
9. 2/25: Randex-CST Worm Targets Passwords
W32.Randex.CST is a network aware worm that spreads to network shares protected by weak
passwords.
http://nl.internet.com/ct.html?rtr=on&s=1,1f5b,1,cnr3,91kj,9s3s,a9gz
------------------------------------------------------------
10. 2/25: Sdbot-VN Worm Has Trojan Functions
W32/Sdbot-VN is a network worm with backdoor Trojan functionality for the Windows
platform.
http://nl.internet.com/ct.html?rtr=on&s=1,1f5b,1,lf6e,6tm9,9s3s,a9gz
------------------------------------------------------------
wawadave Warrior Obsessed
Posted: Sun Feb 27, 2005 7:30 pm Post subject:
- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, February 25, 2005 - This week's report on viruses and intruders will
focus on four worms - the A and B variants of Stang, Assiral.A and Sober.M-.
Stang.A and Stang.B spread through MSN Messenger in messages containing
texts like 'Look At This Hot Naked Girl' and an attached file with names
like 'Hey look at my moms dildo!!.pif'. If this file is run, these worms
send themselves out to all of the contacts in this instant messaging
application and turn off the security programs that could be installed on
the computer, such as the Windows personal firewall.
What's more, Stang.A and Stang.B block the Task Manager and Registry Editor
in this operating system. They also try to end the SVCHOST.EXE and LSASS.EXE
processes, which could cause the computer to automatically shut down.
The third worm in today's report is Assiral.A, which spreads via email in a
message with the text 'Re: LOV YA !' in the subject and an attached file
called 'LOVE_LETTER.TXT.EXE'. When this file is run, the computer will be
infected by Assiral.A, which will then look for email addresses to send
itself to.
Assiral.A carries out many different actions on the computer it infects,
including the following:
- Prevent access to the Windows Registry Editor.
- Hide the Run option in the Start menu.
- Disable the command line.
- Modify the home page in Internet Explorer.
- Try to end the processes belonging to different antivirus and firewall
applications.
- When it is run, it displays a message on screen which announces its
mission to rid the Internet of the actions of the Bropia worms.
We are going to finish this week's report with Sober.M, a worm that spreads
via email in a message that can be written in English or German. If the mail
domain ends in de, ch, at or li, both the subject and message will be
written in German.
After infecting a computer, Sober.M opens Notepad and displays a text and
then an error message.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- LSASS.EXE: a process corresponding to local security and user
authentication policies. If this process is closed, a countdown message is
displayed and then the computer will be restarted.
- SVCHOST.EXE: a process that handles services run from DLLs (Dynamic Link
Libraries).
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
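Every report in this thread comes back to the same delivery trick: an attachment with an executable extension (the first post lists ZIP, COM, SCR, EXE, PIF, BAT and CMD), often dressed up with a decoy extension in front of it, like the 'LOVE_LETTER.TXT.EXE' Assiral.A sends or the 'JENNIFERLOPEZ_NAKED.JPG.vbs' from the social-engineering item. A mail gateway or desktop filter can catch the whole family with a small attachment-name policy, worked out below as an added example (not code from Panda, internet.com or this poster). The extension lists are taken from the reports; the decoy-extension list, the verdict labels and the sample attachment names are assumptions made for the example.

```python
# Extensions the weekly reports list as worm carriers.
EXEC_EXTS = {"com", "scr", "exe", "pif", "bat", "cmd", "vbs"}
# Archives are listed as carriers too, but need their contents inspected.
ARCHIVE_EXTS = {"zip"}
# Harmless-looking extensions used as the first half of a decoy name (assumed list).
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "htm", "html"}

# Constructed sample attachment names; the first two are the names the reports quote.
SAMPLE_ATTACHMENTS = [
    "LOVE_LETTER.TXT.EXE",
    "JENNIFERLOPEZ_NAKED.JPG.vbs",
    "invoice.pdf.scr",
    "setup.exe ",            # trailing space, a common evasion
    "C:\\temp\\report.zip",  # full path, only the base name matters
    "holiday photo.jpg",
    "README",
]


def extension_chain(filename):
    """Return the lower-cased extension chain of a file name.

    'LOVE_LETTER.TXT.EXE' -> ['txt', 'exe'].  Directory components, trailing
    spaces and trailing dots are stripped first so they cannot hide the real
    extension from the check.
    """
    name = filename.strip().replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ")
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename):
    """Map an attachment name to a verdict string.

    block:double-extension  a decoy extension followed by an executable one
    block:executable        executable extension, no decoy
    quarantine:archive      archive; hold it until its contents are scanned
    allow                   nothing in the name to object to
    """
    exts = extension_chain(filename)
    if not exts:
        return "allow"
    last = exts[-1]
    if last in EXEC_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return "block:double-extension"
        return "block:executable"
    if last in ARCHIVE_EXTS:
        return "quarantine:archive"
    return "allow"


def triage(filenames):
    """Classify a batch of attachment names; returns {name: verdict}."""
    return {name: classify_attachment(name) for name in filenames}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:24} {name!r}")
```

The double-extension verdict is kept separate from the plain executable one on purpose: a bare .exe might be a legitimate (if ill-advised) transfer, whereas a name built to look like a text file or a picture has no honest reason to exist and can be blocked without a second look.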
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group