From Panda Oxygen3 24h-365d:

"For it is far better to know something about everything than to know all about one thing. This universality is the best." Blaise Pascal (1623-1662); French scientist and philosopher.

- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, April 18, 2004 - Today's report focuses on two variants of Netsky -V and U-, and a hacking tool called Hideout.A.

Netsky.V spreads via e-mail in a message with variable characteristics that does not include an attached file. Instead, it contains HTML code with an ObjectData exploit. When this code is run, the worm is downloaded.

Netsky.V carries out various actions in the computers it infects, including the following:

- It creates a backdoor that listens in on TCP ports 5556 and 5557.
- From April 22 to 28, 2004 -inclusive- it launches Denial of Service (DoS) attacks against different websites.
- It looks for e-mail addresses in the files it finds with the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, DOC, EML, HTM, HTML, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, PPT, RTF, SHT, SHTM, STM, TBB, TXT, UIN, VBS, WAB, WSH, XLS and XML. Then it sends itself out to the addresses it has obtained using its own SMTP engine.
- It creates the mutex _-=oOOSOkOyONOeOtOo=-_ in order to avoid being run several times simultaneously.

The U variant of Netsky spreads via e-mail in a message with variable characteristics, which always includes an attached file with a PIF extension. It creates a backdoor that listens in on TCP port 6789 and like the variant described above, it sends itself out to the addresses it obtains from the affected computer using its own SMTP engine. Netsky.U creates a mutex to avoid being run several times simultaneously and from April 14 to 23, 2004 -inclusive- it tries to launch Denial of Service (DoS) attacks against different websites.

We are going to finish today's report with Hideout.A, a program that is run from the command line. This program allows several actions to be carried out on the services in a remote computer, such as making a list of the services running, displaying information about them or stopping them.

For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Exploit: This can be a technique or a program that takes advantage of a vulnerability or security hole in a certain communication protocol, operating system, or other IT utility or application.
- Hacking tool: Program that can be used by a hacker to carry out actions that cause problems for the user of the affected computer (allowing the hacker to control the affected computer, steal confidential information, scan communication ports, etc.).

More definitions of virus and antivirus terminology at: http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
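
Added example (not part of the Panda report or of the forwarded message): a triage check for the backdoor listener ports the report names for Netsky.V (TCP 5556, 5557) and Netsky.U (TCP 6789), run over Windows `netstat -ano` output. The function name, the sample output and the PIDs are constructed for illustration; a port match is a lead to investigate, not proof of infection.

```python
# Backdoor listener ports as stated in the report above. A match is only a
# lead: legitimate software can listen on the same port numbers.
BACKDOOR_PORTS = {5556: "Netsky.V", 5557: "Netsky.V", 6789: "Netsky.U"}

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:5556           0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:5557           0.0.0.0:0              LISTENING       2140
  TCP    192.168.1.20:1045      203.0.113.9:6789       ESTABLISHED     1712
  TCP    [::]:6789              [::]:0                 LISTENING       3004
  UDP    0.0.0.0:5556           *:*                                    940
"""


def find_backdoor_listeners(netstat_text):
    """Return (port, variant, pid) for TCP sockets LISTENING on a listed port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns: proto, local, foreign, state, pid.
        # UDP rows (no state column) and headers fall out here.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, local, _, state, pid = fields
        if state.upper() != "LISTENING":
            continue  # a remote port 6789 on an outbound connection is not a listener
        # rpartition copes with both 0.0.0.0:5556 and [::]:6789
        port_text = local.rpartition(":")[2]
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port in BACKDOOR_PORTS:
            owner = int(pid) if pid.isdigit() else None
            findings.append((port, BACKDOOR_PORTS[port], owner))
    return findings


if __name__ == "__main__":
    for port, variant, pid in find_backdoor_listeners(SAMPLE_NETSTAT):
        print(f"TCP {port} listening (PID {pid}): matches {variant} backdoor port")
```

The returned PID identifies the owning process, which can then be checked against the variant's other reported traits such as the mutex.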