[chadfree] virusinfo Digest V3 #295




virusinfo Digest        Mon, 06 Dec 2004        Volume: 03  Issue: 295

In This Issue:
                [virusinfo]  W32/Atak-E
                [virusinfo] Weekly report on viruses and intruders - 12/05/04
                [virusinfo]  W32/Rbot-RE
                [virusinfo]  Troj/Agent-BF

----------------------------------------------------------------------

Date: Sun, 05 Dec 2004 23:35:00 -0800
From: "Mike" <mikebike@xxxxxxxxx>
Subject: [virusinfo]  W32/Atak-E



From: Sophos Alert System wrote:

Name: W32/Atak-E
Type: Win32 worm
Date: 6 December 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the February 2005 (3.90) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about W32/Atak-E can be found at:
http://www.sophos.com/virusinfo/analyses/w32atake.html

W32/Atak-E is a mass-mailing worm.

When run the worm copies itself to the Windows system folder as dapdll.exe.

On W9x systems W32/Atak-E inserts the following line under [windows] class
of the WIN.INI file so as to auto-start on user logon:

  load=%SYSTEM%\dapdll.exe

On W2k systems the following registry entry is modified:

  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  load
  %SYSTEM%\dapdll.exe

W32/Atak-E will harvest email addresses by scanning the logical drives for
files with the following extensions:

  LOG, HTML, MSG, EML, MHT, DBX, ASP, PHP, JSP, HTM, TXT

Sent emails can take the following forms:

Subject lines:
  Second Match!
  Time is running out!

Message body:
  Greet to you <inserted name>,
  Congratulation! Your account has been upgraded with our new services.
  Please visit our website at http://www.<inserted URL> to know about our
  features.
  Your account info:
  --- Email: <inserted email>
  --- Password: <inserted password> (temporary password)
  Visit our website to get more info at: http://www.<inserted URL>
  NOTE: All your account information has been attached as a file and ready to
  be printed. Regard,
  <inserted URL> Services Team

The attached ZIP has a randomly generated name and contains a copy of the
worm with one of the following extensions:

  BAT, PIF, EXE, COM, SCR

This IDE file also includes detection for:

Troj/Cartoor-A
http://www.sophos.com/virusinfo/analyses/trojcartoora.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/atak-e.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page


------------------------------

Date: Mon, 06 Dec 2004 08:47:21 -0800
From: "Mike" <mikebike@xxxxxxxxx>
Subject: [virusinfo] Weekly report on viruses and intruders - 12/05/04


From: Panda Oxygen3 24h-365d:

"Nothing fixes a thing so intensely in the memory as the wish to forget it."
              Michel de Montaigne (1533-1592); French essayist.

               - Weekly report on viruses and intruders -
  Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 5 2004 - This week's report looks at two worms (Mugly.A and
Gaobot.BXG), a virus called Jabbit.A, the Skulls.B Trojan and an application
called pcAudit.

Mugly.A is a worm that spreads via email in messages with variable
characteristics that include an attachment called ATTACHED.ZIP. This file
in turn contains an executable file, which is actually the worm itself.

In the computer it infects, Mugly.A searches for files with the following
extensions: ADB, ASP, DBX, DOC, HTM, HTML, PHP, SHT, TBB, TXT or WAB, looking
for email addresses to which to send itself, unless the addresses contain
text referring to antivirus companies.

After it's run, Mugly.A displays an image on screen, and installs and runs
another worm, which Panda Software detects as Gaobot.BXG, which spreads by
making copies of itself in shared network resources that it manages to
access.

Gaobot.BXG affects computers with Windows 2003/XP/2000/NT, exploiting the
LSASS, RPC DCOM and WebDAV vulnerabilities. It also connects to an IRC
server and awaits orders to carry out malicious action such as obtaining
information from the PC, executing files and carrying out Distributed Denial
of Service attacks (DDoS).

Jabbit.A is a virus that doesn't spread automatically and reaches computers
when it is distributed through any of the usual means (floppies, CD-ROMs,
emails, etc.) in previously infected files. The virus uses 'prepending'
techniques to infect HTML files that are in the directory in which it is
executed. It also creates copies of itself in the Favorites folder and makes
all links in the folder point to the virus, so it is run whenever users
access the links.

After it infects a PC, on the 13th of each month Jabbit.A makes several
messages appear on screen. It then opens Internet Explorer and displays
a certain web page.

The next malicious code we will look at today is Skulls.B, a Trojan that has
been distributed through cellphone forums and needs user interaction in
order to install itself. It affects mobile phones using the Symbian
operating system. Although the initial targets were Nokia 7610 phones, other
devices based on the Symbian operating system can also be affected.

Skulls.B changes the icons of all the applications on the phone for others
belonging to a certain system application. It also installs files
corresponding to other malware that also affects phones based on Symbian and
detected by Panda Software as Cabir.A.

We end today's report with pcAudit, a program developed by a private company
to check the level of security of the computer. By simulating a hacker
attack, it tries to send data (such as files and folders in the My documents
directory, screenshots, keystrokes, etc.) to a server. If it manages to send
information, the consequences can be serious as it will be transmitted over
the Internet without any kind of encryption. 

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Freeware: legal software distributed free of charge.

- Prepending: This is a technique used by viruses for infecting files by
adding their code to the beginning of the file. By doing this, these viruses
ensure that they are activated when an infected file is used. 

More technical definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
To contact with Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page

------------------------------

Date: Mon, 06 Dec 2004 08:49:38 -0800
From: "Mike" <mikebike@xxxxxxxxx>
Subject: [virusinfo]  W32/Rbot-RE

From: Sophos Alert System:

Name: W32/Rbot-RE
Type: Win32 worm
Date: 6 December 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the February 2005 (3.90) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Rbot-RE can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotre.html

W32/Rbot-RE is an IRC backdoor Trojan and network worm.

W32/Rbot-RE may spread to remote network shares protected by weak passwords
and computers vulnerable to common exploits. The worm also opens up a
backdoor, allowing unauthorised remote access to infected computers via the
IRC network, while running in the background as a service process.

W32/Rbot-RE can receive commands from a remote intruder to delete network
shares, log keypresses, participate in DDoS attacks, scan other computers
for vulnerabilities, steal passwords, steal registration keys for computer
games, create administrator accounts, terminate firewall and anti-virus
processes and capture video from webcameras attached to the computer.

W32/Rbot-RE copies itself to the Windows system folder and creates the
following registry entries to run automatically on log-on:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  Windows Secure Messaging System
  msnmsgrsrvc.exe

  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
  Windows Secure Messaging System
  msnmsgrsrvc.exe

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  Windows Secure Messaging System
  msnmsgrsrvc.exe

In addition, W32/Rbot-RE also attempts to alter the following registry
entries, if they are not already set:

  HKLM\SOFTWARE\Microsoft\Ole\
  EnableDCOM
  "N"

  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
  restrictanonymous


This IDE file also includes detection for:

Troj/Haxdoor-O
http://www.sophos.com/virusinfo/analyses/trojhaxdooro.html
Troj/AxLoad-A
http://www.sophos.com/virusinfo/analyses/trojaxloada.html
VBS/Omen-A
http://www.sophos.com/virusinfo/analyses/vbsomena.html
Troj/Dloader-KS
http://www.sophos.com/virusinfo/analyses/trojdloaderks.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/rbot-re.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
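A defender's check for the autorun registry values named in the W32/Atak-E and W32/Rbot-RE advisories above, added here as an example and not code from Sophos or this list: it parses a constructed "reg export" text from a hypothetical host and flags the key/value/data combinations the two advisories list. The sample export, its paths and the benign ctfmon entry are assumptions; the W9x WIN.INI load= line from the Atak-E advisory is not covered.

```python
# Autorun indicators named in the W32/Atak-E and W32/Rbot-RE advisories above:
# (registry key suffix, value name, expected data suffix).
INDICATORS = [
    (r"\Microsoft\Windows NT\CurrentVersion\Windows", "load", "dapdll.exe"),      # Atak-E on W2k
    (r"\Microsoft\Windows\CurrentVersion\Run", "Windows Secure Messaging System", "msnmsgrsrvc.exe"),
    (r"\Microsoft\Windows\CurrentVersion\RunServices", "Windows Secure Messaging System", "msnmsgrsrvc.exe"),
    (r"\Microsoft\Ole", "EnableDCOM", "N"),                                         # Rbot-RE
]

# Constructed `reg export` output from a hypothetical infected host; the
# ctfmon entry is a benign control that must not be flagged.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\SYSTEM32\\dapdll.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Secure Messaging System"="msnmsgrsrvc.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

def parse_reg_export(text):
    """Parse the .reg subset that `reg export` emits ([key] headers, "name"="string"
    and "name"=dword:... lines) into {key: {value name: data}}."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            entries.setdefault(key, {})[name] = data
    return entries

def find_autorun_indicators(text):
    """Return (key, value name, data) for each entry matching an indicator; keys, names
    and data compare case-insensitively, data by suffix so a full path still hits."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for suffix, name, expected in INDICATORS:
            if not key.lower().endswith(suffix.lower()):
                continue
            for vname, data in values.items():
                if vname.lower() == name.lower() and data.lower().endswith(expected.lower()):
                    hits.append((key, vname, data))
    return hits
```

On a live host, feed the function the output of "reg export" for the HKLM and HKCU hives instead of SAMPLE_REG; the restrictanonymous value from the Rbot-RE advisory is deliberately not an indicator, since the advisory gives no data for it and the value is also set by normal hardening.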

------------------------------

Date: Mon, 06 Dec 2004 14:12:39 -0800
From: "Mike" <mikebike@xxxxxxxxx>
Subject: [virusinfo]  Troj/Agent-BF


From: Sophos Alert System
Name: Troj/Agent-BF
Aliases: Trojan-Downloader.Win32.Agent.ea
Type: Trojan
Date: 6 December 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the February 2005 (3.90) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


At the time of writing, Sophos has received a small number of
reports of this Trojan from the wild.


Information about Troj/Agent-BF can be found at:
http://www.sophos.com/virusinfo/analyses/trojagentbf.html

Troj/Agent-BF copies itself to the Windows system folder with a random filename
and, in order to run automatically when a user logs on, sets the following
registry entry with the path to the copy:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Troj/Agent-BF also sets the following registry entries:

  HKLM\Software\Microsoft\Windows\CurrentVersion\
  ShellRegId
  <random name>

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  <random name>
  <random name>.exe

This IDE file also includes detection for:

W32/Sdbot-CAG
http://www.sophos.com/virusinfo/analyses/w32sdbotcag.html
Troj/Banker-BE
http://www.sophos.com/virusinfo/analyses/trojbankerbe.html
Troj/Banker-BF
http://www.sophos.com/virusinfo/analyses/trojbankerbf.html
Troj/Bancos-AO
http://www.sophos.com/virusinfo/analyses/trojbancosao.html
Troj/Wortbot-C
http://www.sophos.com/virusinfo/analyses/trojwortbotc.html
Troj/Istbar-X
http://www.sophos.com/virusinfo/analyses/trojistbarx.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/agent-bf.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html



*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 



------------------------------

End of virusinfo Digest V3 #295
*******************************




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Was this forwarded to you?  Want to subscribe?  Send an email 
to chadfree-request@xxxxxxxxxxxxx?Subject=subscribe.

For a complete list of email commands for our list send an email 
to ecartis@xxxxxxxxxxxxx with a subject line of "info chadfree" without the 
quotes.

If you wish to unsubscribe from our list send an email to;
 chadfree-request@xxxxxxxxxxxxx?Subject=unsubscribe

To contact the list moderators send an email to 
chadfree-moderators@xxxxxxxxxxxxx
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
