Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Mon Sep 13, 2004 10:36 am Post subject: Virus alerts for week of 9/13/04
Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, September 10 2004 - Today's report deals with seven worms - four
variants of Mydoom (T, U, V and W), Mywife.D, Mywife.C and Sdbot.AQA - and
two adware programs called Neededware and WUpd.

Mydoom.T, Mydoom.U, Mydoom.V and Mydoom.W spread in emails with variable
characteristics. The 'T' variant also uses the Kazaa P2P program to
propagate, making copies of itself with enticing names in the application's
shared folder.

The U, V and W variants of Mydoom connect to several websites, from which
they try to download a file - a Backdoor Trojan - and install it on the
computer. Mydoom.T opens the Notepad application and displays garbled text.

The next worms we'll look at in this report are Mywife.D and Mywife.C, which
also spread via email in a message with variable characteristics. Both of
these viruses also share the following features:

- Some seconds after they are run they block the computer, as they consume
all available processor time.
- They delete the files belonging to several antivirus programs, if they are
installed in the same directories as the ones specified in the worms' code.
They also delete entries in the Windows Registry belonging to these
antivirus programs, so these applications will not be run automatically the
next time Windows is started. They also attempt to search and end the
processes belonging to antivirus and computer security programs. This would
leave the affected computer vulnerable to attacks from other malware.
- They also delete the entries belonging to other worms, such as Mydoom.A,
Mimail.T and several variants of Bagle.
- They open Windows Media Player.

The last worm in this report is Sdbot.AQA, which spreads across computer
networks. It does this by checking if the PC it has infected is connected to
a network. If that is the case, it attempts to access and copy itself to
shared resources, by trying typical or simple passwords.

Sdbot.AQA allows hackers to gain remote access to the affected computer in
order to carry out actions that compromise user confidentiality or prevent
the computer from working properly. Sdbot.AQA uses its own IRC client in
order to join an IRC channel and accept remote control commands, such as
launching Denial of Service (DoS) attacks against websites. It can also
download and run files on the affected computer.

Today's report ends with Neededware and WUpd, two adware programs that allow
programs to be downloaded and run without users' consent. It is easy to tell
whether these programs are on your computer, as they display advertising
messages. WUpd also monitors users' Internet activity, and uses the results
to determine which adverts are displayed.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Backdoor Trojan: This is a program that enters the computer and creates a
backdoor through which it is possible to control the affected system without
the user realizing.
- Denial of service (DoS): This is a type of attack, sometimes caused by
viruses, that prevents users from accessing certain services (in the
operating system, web servers etc.).

More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/
------------------------------------------------------------
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd

wawadave Warrior Obsessed
Posted: Mon Sep 13, 2004 2:12 pm
3. 9/13: Amus-A Worm Spreads Via Email
W32/Amus.a@MM is a worm that spreads by email using the MAPI/Outlook.
http://nl.internet.com/ct.html?rtr=on&s=1,145x,1,30bt,ejyy,9s3s,a9gz
------------------------------------------------------------
4. 9/13: Alizado Worm Has Several Characteristics
W32/Alizado.worm has several characteristics.
http://nl.internet.com/ct.html?rtr=on&s=1,145x,1,lqci,2sjh,9s3s,a9gz
------------------------------------------------------------
5. 9/13: Spybot-DNC a Remotely Controlled Worm
W32.Spybot.DNC is a worm that may be remotely controlled via IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,145x,1,j09q,9woh,9s3s,a9gz
------------------------------------------------------------
6. 9/13: Spybot-DNB Worm Remotely Controlled
W32.Spybot.DNB is a worm that may be remotely controlled via IRC channels.
http://nl.internet.com/ct.html?rtr=on&s=1,145x,1,1g7e,2aaj,9s3s,a9gz

wawadave Warrior Obsessed
Posted: Tue Sep 14, 2004 3:54 pm
1. 9/14: Mydoom-Z Worm is UPX Packed
W32/Mydoom.z@MM is a new variant of the Mydoom family of worms and is UPX
packed.
http://nl.internet.com/ct.html?rtr=on&s=1,14a4,1,bch3,9kk7,9s3s,a9gz
6. 9/14: Forbot-V Worm Has Backdoor
W32/Forbot-V is a network worm with IRC backdoor functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,14a4,1,etqr,hkum,9s3s,a9gz

wawadave Warrior Obsessed
Posted: Thu Sep 16, 2004 9:47 am
9/16: Evaman-D Worm Kills Active Processes
Evaman.D is a worm that checks every 5 seconds if processes containing certain
text strings are active in memory, and ends them.
http://nl.internet.com/ct.html?rtr=on&s=1,14ga,1,gez7,8zf3,9s3s,a9gz
------------------------------------------------------------
5. 9/16: Lovgate-X Worm Has Backdoor
W32/Lovgate-X is a worm with the backdoor functionality that spreads via email,
network shares with weak passwords and filesharing networks.
http://nl.internet.com/ct.html?rtr=on&s=1,14ga,1,90h7,e0f2,9s3s,a9gz
------------------------------------------------------------
6. 9/16: Mydoom-V an Email Worm
W32/MyDoom-V is an email worm for the Windows platform.
http://nl.internet.com/ct.html?rtr=on&s=1,14ga,1,4nn6,9x2f,9s3s,a9gz
------------------------------------------------------------
7. 9/16: Sdbot-PG Worm Has Backdoor Abilities
W32/Sdbot-PG is a worm with IRC backdoor functionality.
http://nl.internet.com/ct.html?rtr=on&s=1,14ga,1,9850,4i4w,9s3s,a9gz

wawadave Warrior Obsessed
Posted: Fri Sep 17, 2004 11:40 am
3. 9/17: Pahac Worm Downloaded by Trojan
W32/Pahac@MM is a mass-mailing worm that is downloaded and executed by the
Downloader-PU trojan.
http://nl.internet.com/ct.html?rtr=on&s=1,14k1,1,fhtn,70go,9s3s,a9gz
------------------------------------------------------------
4. 9/17: Trojan Targets Polish Site
Downloader-PU is a Trojan that connects to a Polish website to download and
execute the W32/Pahac@MM virus.
http://nl.internet.com/ct.html?rtr=on&s=1,14k1,1,5z5k,esdx,9s3s,a9gz
------------------------------------------------------------
5. 9/17: Squirrel-A An Appending Virus
W32/Squirrel-A is an appending virus.
http://nl.internet.com/ct.html?rtr=on&s=1,14k1,1,g19y,mgtr,9s3s,a9gz

wawadave Warrior Obsessed
Posted: Sat Sep 18, 2004 7:34 am
hello
my norton av updated 4 times in the last 24 hours. anyone manually updating any type of av should check the updates!!!
some real nasties out there!!!!