[virusinfo] New Variant of Mass-Mailing Worm Discovered

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 30 Apr 2004 21:24:06 -0700


From: eSecurity Planet

http://nl.internet.com/ct.html?rtr=on&s=1,veu,1,178c,jy6k,1std,6jmd
New Variant of Mass-Mailing Worm Discovered April 30, 2004


Some security vendors Friday issued alerts for a new variant of the Misodene
email worm. 

According to McAfee, the variant, W32/Misodene.b@MM, is similar to its
predecessor, W32/Misodene.b@mm, and has the following characteristics:


  • harvests email addresses from the victim machine
  • contains its own SMTP engine to construct outgoing messages
  • email arrives as an attachment

Messages are constructed using the virus' own SMTP engine. They bear the
following characteristics:

From: spoofed (using harvested email addresses)
Subject: Qui sabe el Pentagono sobre usted (What the Pentagon knows about
you)
Body: ¿Crees que estas a salvo del Pentagono de los E.U?
      Mira estos datos y te asombraras.
      (Do you believe you are safe from the Pentagon of the E.U?
      Just look at these data and you will be surprised)
Password: 123
Attachment: (XLS extension followed by several spaces to hide the EXE
extension)

More information is at this McAfee page.
http://vil.nai.com/vil/content/v_124872.htm
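As an added defender-side example (not from the article or from the vendors' advisories), the Python below flags attachment names that use the space-padded double extension described above, where a decoy XLS extension is followed by a run of spaces and a real EXE extension. The filenames it scans are constructed samples.

```python
import re
from typing import Dict, Optional, Iterable

# Extensions Windows runs directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# base name, decoy extension, whitespace padding, real (final) extension.
# \s in a str pattern also matches Unicode spaces such as U+00A0.
_PADDED = re.compile(r"^(.*)\.([A-Za-z0-9]{1,5})(\s+)\.([A-Za-z0-9]{1,4})$")


def classify_attachment(filename: str) -> Optional[str]:
    """Return why an attachment name is suspicious, or None if it is not.

    'padded-double-extension': decoy extension, run of spaces, executable
    extension (the trick described for this worm).
    'executable': a plain executable extension with no padding trick.
    """
    if "." not in filename:
        return None
    real_ext = filename.rsplit(".", 1)[-1].lower()
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None
    m = _PADDED.match(filename)
    if m and m.group(2).lower() != real_ext:
        return "padded-double-extension"
    return "executable"


def scan_attachments(filenames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each attachment name to its classification (None = not flagged)."""
    return {name: classify_attachment(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names; the first mimics the padding trick.
    samples = [
        "pentagono.xls                          .exe",
        "datos.XLS\u00a0\u00a0\u00a0.EXE",
        "quarterly.xls",
        "setup.exe",
    ]
    for name, verdict in scan_attachments(samples).items():
        print(repr(name), "->", verdict)
```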


According to Symantec, 
W32.Misodene@mm is a mass-mailing worm that sends itself to email addresses
found in files on the infected computer. 

Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.misodene@xxxxxxx#technicaldetails


Worm Tries to Spread to Remote Network Shares

W32/Sdbot-HX is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service process. 

W32/Sdbot-HX copies itself to the Windows system folder as DLL6DSYS.EXE and
creates entries in the registry at the following locations to run itself on
system startup: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run 

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32sdbothx.html

Trojan Allows Hacker Control Through IRC

Backdoor.Sdbot.Z is a Trojan horse that can be controlled using IRC. The
existence of the file wupdated.exe is an indication of a possible infection.

Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbotz.html#technicaldetails


Trojan Exploits IE Vulnerability

Sophos issued an alert for Troj/Psyme-U, an HTML-based script that exploits
the ADODB stream vulnerability associated with Microsoft Internet Explorer
to download and run executables.

For more information, see the Microsoft security bulletin MS04-013 here.
http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx

--Compiled by Esther Shein ~ esecurityplanet 
_______________________________________________________

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
