From: eSecurity Planet
http://nl.internet.com/ct.html?rtr=on&s=1,veu,1,178c,jy6k,1std,6jmd

New Variant of Mass-Mailing Worm Discovered
April 30, 2004

Some security vendors Friday issued alerts for a new variant of the Misodene email worm. According to McAfee, the variant, W32/Misodene.b@MM, is similar to its predecessor (the original Misodene worm) and has the following characteristics:

  - harvests email addresses from the victim machine
  - contains its own SMTP engine to construct outgoing messages
  - arrives by email as an attachment

Messages are constructed using the worm's own SMTP engine and bear the following characteristics:

  From: spoofed, using harvested email addresses (so the apparent sender is not necessarily an infected machine; bouncing or warning that address is pointless)
  Subject: Qui sabe el Pentagono sobre usted (What the Pentagon knows about you)
  Body: ¿Crees que estas a salvo del Pentagono de los E.U? Mira estos datos y te asombraras.
        (Do you think you are safe from the U.S. Pentagon? Look at this data and you will be amazed.)
  Password: 123
  Attachment: a filename with an .XLS extension followed by several spaces, which pushes the real .EXE extension out of view in a mail client's attachment column

More information is at this McAfee page:
http://vil.nai.com/vil/content/v_124872.htm

According to Symantec, W32.Misodene@mm is a mass-mailing worm that sends itself to email addresses found in files on the infected computer. Technical details are at this Symantec page:
http://securityresponse.symantec.com/avcenter/venc/data/w32.misodene@xxxxxxx#technicaldetails

Worm Tries to Spread to Remote Network Shares

W32/Sdbot-HX is a worm that attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while it runs in the background as a service process.
W32/Sdbot-HX copies itself to the Windows system folder as DLL6DSYS.EXE and creates entries at the following registry locations so that it runs at system startup:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run

When checking a machine, note that the RunServices key is only processed by Windows 9x/ME; on Windows NT/2000/XP the two Run keys are the ones that matter, and the HKCU entry gives the worm persistence in the user's session even without administrative rights.

More information is at this Sophos page:
http://www.sophos.com/virusinfo/analyses/w32sdbothx.html

Trojan Allows Hacker Control Through IRC

Backdoor.Sdbot.Z is a Trojan horse that can be controlled over IRC. The presence of the file wupdated.exe is an indication of a possible infection. Technical details are at this Symantec page:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbotz.html#technicaldetails

Trojan Exploits IE Vulnerability

Sophos issued an alert for Troj/Psyme-U, an HTML-based script that exploits the ADODB.Stream vulnerability in Microsoft Internet Explorer to download and run executables. For more information, see Microsoft security bulletin MS04-013 (the April 2004 cumulative security update for Outlook Express):
http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx

--Compiled by Esther Shein ~ esecurityplanet

_______________________________________________________

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
See a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
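The attachment trick in the Misodene item above (a decoy .XLS extension, a run of spaces, then the real .EXE) is worth seeing from a mail filter's point of view. The following is an added example, not code from the newsletter or from any vendor write-up: it parses a constructed message modelled on the described lure, recovers the attachment name with Python's standard email parser, and classifies names whose last extension is executable but hidden behind a padded or unpadded decoy extension. The set of executable extensions, the display width and the sample message are assumptions made for the example.

```python
"""Added example: classify attachment filenames that hide a real executable
extension behind a decoy document extension and a run of spaces.  The sample
message and all filenames below are constructed for the example."""
import email
import re

# Extensions Windows runs directly.  Assumption: a practical subset chosen for
# the example, not an exhaustive list.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# ".xls<whitespace>.exe": an inner extension, whitespace, then the last extension.
PADDED_RE = re.compile(r"\.([A-Za-z0-9]{1,5})(\s+)\.([A-Za-z0-9]{1,5})\s*$")
# ".xls.exe": two extensions with nothing between them.
DOUBLE_RE = re.compile(r"\.([A-Za-z0-9]{1,5})\.([A-Za-z0-9]{1,5})\s*$")
# The last extension, ignoring trailing whitespace.
LAST_RE = re.compile(r"\.([A-Za-z0-9]{1,5})\s*$")


def true_extension(filename):
    """Extension the OS will act on: the last one, ignoring trailing whitespace."""
    m = LAST_RE.search(filename)
    return m.group(1).lower() if m else ""


def classify_attachment(filename):
    """Return 'padded-double-extension', 'double-extension', 'executable' or 'ok'."""
    real = true_extension(filename)
    if real not in EXECUTABLE_EXTS:
        return "ok"
    if PADDED_RE.search(filename):
        return "padded-double-extension"
    if DOUBLE_RE.search(filename):
        return "double-extension"
    return "executable"


def display_name(filename, width=24):
    """What a mail client column of the given (assumed) width shows: the padding
    pushes the real extension past the edge, so the victim sees only 'datos.xls'."""
    return filename[:width].rstrip()


def suspicious_attachments(raw_message):
    """Walk every MIME part of a raw message; return [(filename, verdict)] for
    every part whose filename is not classified 'ok'."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # interior spaces survive; only the ends are stripped
        if not name:
            continue
        verdict = classify_attachment(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


# Constructed sample modelled on the lure described in the newsletter.
DECOY_NAME = "datos.xls" + " " * 40 + ".exe"
SAMPLE_MESSAGE = "\r\n".join([
    "From: harvested.address@example.com",
    "To: victim@example.net",
    "Subject: Qui sabe el Pentagono sobre usted",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Type: text/plain; charset="iso-8859-1"',
    "",
    "Mira estos datos y te asombraras.",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="%s"' % DECOY_NAME,
    "Content-Transfer-Encoding: base64",
    "",
    "TVo=",  # 'MZ', the start of a PE header, as a placeholder payload
    "--b1--",
    "",
])

if __name__ == "__main__":
    print("victim sees:", repr(display_name(DECOY_NAME)))
    for name, verdict in suspicious_attachments(SAMPLE_MESSAGE):
        print(repr(name), "->", verdict)
```

The check deliberately keys on the last extension rather than the first: that is the one the operating system acts on, and it is also the one a truncated display column drops. Flagging any whitespace between two extensions is conservative and will occasionally catch an oddly named legitimate file, which is the right trade-off for a mail gateway.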