Help with Spyware, Hijacking & Other Internet Nuisances
Posted: Sat Feb 14, 2004 5:09 pm    Post subject: week's viruses in review!
Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, February 13, 2004 - Nine worms, a Trojan, a hacking tool and an
adware program are the different types of malicious code included in this
week's report on viruses and intruders.
Seven of these nine worms, which are summarized below, are related to
- DoomHunter.A enters computers through the backdoor opened by Mydoom.A and
Mydoom.B and if it detects these two worms, Blaster or Doomjuice, it
eliminates all trace of them. Furthermore, it tries to open TCP port 3127,
and if it manages to do so, it listens in until a computer infected by
Mydoom.A or Mydoom.B tries to gain access through this port. When this
happens, DoomHunter.A sends a copy of itself to the IP address of the
computer it has detected, runs this file and tries to disinfect Mydoom.A and
- Mitglieder.A also enters systems through the backdoor created by the
Mydoom worms, copying itself in the system under the name system.exe. It is
designed to end the processes of certain applications and it creates an
entry in the Windows registry to ensure it stays on the computer.
- Deadhat.A and Deadhat.B spread through the P2P (peer to peer) file sharing
program SoulSeek and via the Internet. These worms cause boot problems, as
they delete files that are essential for the correct functioning of the
computer, and end processes belonging to certain antivirus and firewall
programs. They also stop the processes belonging to Mydoom.A and Mydoom.B.
Both Deadhat.A and Deadhat.B open TCP port 2766 and connect to an IRC server
where they wait for command controls to perform on the affected computer.
Similarly, they allow files to be downloaded to the computer through a
remote connection. These worms differ in their size and the file they
generate on affected computers.
- Nachi.B only affects computers running Windows XP/2000/NT and spreads to
as many computers as possible by exploiting known vulnerabilities like RPC
DCOM buffer overflow, IIS WebDav and Workstation Service Overflow. It
spreads by attacking computers and exploiting the security flaws mentioned
above to download a copy of itself to the computer. When the system date is
June 1, 2004 or later, this worm deletes itself.
Nachi.B uninstalls Mydoom.A and Mydoom.B by ending their processes and
deleting the corresponding files.
- Doomjuice.A and Doomjuice.B spread via the Internet using the backdoor
opened by Mydoom.A and Mydoom.B in the computers they infect. These worms
launch DDoS (Distributed Denial of Service) attacks against the website w w
Variant B of Doomjuice differs from variant A in its size and compression
format. Similarly, whereas Doomjuice.A drops a file containing the code of
Mydoom.A on affected computers, variant B doesn't.
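Several of the worms above are tied to two TCP ports the report names: 3127 (the Mydoom.A/B backdoor that DoomHunter.A, Mitglieder.A and Doomjuice use to get in) and 2766 (opened by Deadhat.A/B). As an added example, not part of the Panda report or this post, the script below parses Windows `netstat -an` output and flags sockets on those ports; the netstat text is constructed sample data, and any hit still needs to be confirmed against the owning process, since a legitimate service could be bound to the same port.

```python
import re

# TCP ports named in the Panda report above, with the activity it attributes to them.
REPORT_PORTS = {
    3127: "Mydoom.A/B backdoor; DoomHunter.A, Doomjuice and Mitglieder.A enter through it",
    2766: "Deadhat.A/B listener (waits for IRC-delivered commands)",
}

# Constructed sample of Windows 'netstat -an' output; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3127      10.0.0.7:4412          ESTABLISHED
  TCP    0.0.0.0:2766           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: protocol, local host:port, foreign endpoint, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def find_report_ports(netstat_text):
    """Return one finding per TCP socket whose local port is in REPORT_PORTS."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparsable line
        proto, local_host, local_port, foreign, state = m.groups()
        port = int(local_port)
        if proto != "TCP" or port not in REPORT_PORTS:
            continue
        findings.append({
            "port": port,
            "state": state or "",
            "foreign": foreign,
            # An ESTABLISHED session on 3127 is the inbound use the report describes:
            # another infected host reaching the Mydoom backdoor on this machine.
            "inbound_use": state == "ESTABLISHED",
            "note": REPORT_PORTS[port],
        })
    return findings


def ports_seen(findings):
    """Distinct report ports present, sorted, for a quick triage summary."""
    return sorted({f["port"] for f in findings})


if __name__ == "__main__":
    for f in find_report_ports(SAMPLE_NETSTAT):
        print(f"TCP {f['port']:<5} {f['state']:<12} {f['foreign']:<20} {f['note']}")
```

On a live host, pipe the real `netstat -an` output into `find_report_ports` and follow up each hit with `netstat -ano` to get the owning PID.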
- Yenik.A spreads via e-mail in a message with variable characteristics and
through peer-to-peer (P2P) file sharing programs. It automatically spreads
via e-mail by sending itself out to all the contacts in Windows Address Book
using its own SMTP engine.
- Dumaru.AA spreads via e-mail in a message that includes a compressed
attachment called DOCUMENT.ZIP. When the compressed file is run, the
computer will be infected by Dumaru.AA.
The Trojan in today's report is StartPage.AV, which changes the home page of
the browser Internet Explorer and its default search options. When it is
run, StartPage.AV goes memory resident and opens an Internet Explorer window
that informs about alleged security dangers and prompts the user to download
a utility. Then, StartPage.AV connects to a website and receives a list of
links, which it adds to the Favorites folder.
Demo-GFI.A is a hacking tool that creates a text file that logs the
following data, among other information, from the computers it infects:
directories and files on the C: drive; domain name, network printers
available, etc. When Demo-GFI.A is run, it opens Notepad and displays the
contents of the log file.
We are going to finish this week's report with BuddyLinks, an adware program
that reaches computers when the user accesses the web pages www.wgutv.com
or download.buddylinks.net, and agrees to install an ActiveX control. When
it reaches a computer, it sends a link to the web pages mentioned above to
all the contacts of AOL Instant Messenger and displays a flash game in which
Saddam Hussein and Osama Bin Laden appear.
For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the