[virusinfo] Worm Ends Antivirus Programs, Firewall Processes

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 19 Apr 2004 17:28:29 -0700


From: eSecurity Planet
http://www.esecurityplanet.com/alerts/article.php/3342171

Worm Ends Antivirus Programs, Firewall Processes
Zafi.A is a new worm that ends processes belonging to antivirus programs and
firewalls, among others, according to various security vendors that issued
alerts Monday. This leaves the affected computer vulnerable to the attack of
other malware. 

More specifically, according to Panda Software, it ends the following
processes:

dfw.exe, fsav32.exe, fsbwsys.exe, fsgk32.exe, fsm32.exe, fssm32.exe,
fvprotect.exe, mcagent.exe, navapw32.exe, navdx.exe, navstub.exe,
navw32.exe, nc2000.exe, ndd32.exe, netarmor.exe, netinfo.exe, netmon.exe,
nmain.exe, nprotect.exe, ntvdm.exe, ostronet.exe, outpost.exe, pccguide.exe,
pcciomon.exe, regedit.exe, regedit32.exe, taskmgr.exe, tnbutil.exe,
vbcons.exe, vbsntw.exe, vbust.exe, vsmain.exe, vsmon.exe, vsstat.exe,
winlogon.exe and zonalarm.exe.

Zafi.A spreads via e-mail. It follows the routine below:

It reaches the computer in an e-mail message with variable characteristics,
written in Hungarian. The message includes an attachment with a variable
file name, but which always has a ZIP extension. The computer is affected
when the attached file is run. Zafi.A searches for e-mail addresses in files
with the following extensions: ADB, ASP, DBX, EML, HTM, MBX, PHP, PMR, SHT,
TBB, TXT and WAB.

The worm sends itself out to all the addresses it has gathered, using its
own SMTP engine. However, Zafi.A does not send itself to e-mail addresses
that contain any of the following text strings: anti, avp, f-prot, gov,
hotmail, microsoft, norton, panda, trendmicro and vir. 

For more information visit Panda Software here.
http://www.pandasoftware.com/virus_info/encyclopedia/results.aspx
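An added example (not part of the eSecurity Planet alert or Panda's write-up): a small defender-side check that compares two `tasklist /FO CSV` snapshots and reports which of the processes listed above were running before and are gone now, which is the symptom Zafi.A leaves behind. The two snapshots are constructed samples, not captures from an infected machine.

```python
"""Added example (not from the eSecurity Planet alert): spot the symptom Zafi.A
leaves behind, security-product processes that were running earlier and are
gone now.  Input is two `tasklist /FO CSV` snapshots; the ones below are
constructed, not captures from an infected machine."""
import csv
import io

# Image names the alert says Zafi.A terminates.
ZAFI_TARGETS = {
    "dfw.exe", "fsav32.exe", "fsbwsys.exe", "fsgk32.exe", "fsm32.exe",
    "fssm32.exe", "fvprotect.exe", "mcagent.exe", "navapw32.exe", "navdx.exe",
    "navstub.exe", "navw32.exe", "nc2000.exe", "ndd32.exe", "netarmor.exe",
    "netinfo.exe", "netmon.exe", "nmain.exe", "nprotect.exe", "ntvdm.exe",
    "ostronet.exe", "outpost.exe", "pccguide.exe", "pcciomon.exe",
    "regedit.exe", "regedit32.exe", "taskmgr.exe", "tnbutil.exe", "vbcons.exe",
    "vbsntw.exe", "vbust.exe", "vsmain.exe", "vsmon.exe", "vsstat.exe",
    "winlogon.exe", "zonalarm.exe",
}

def image_names(tasklist_csv: str) -> set:
    """Parse `tasklist /FO CSV` output into a set of lower-cased image names."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return {row["Image Name"].strip().lower() for row in reader}

def killed_security_processes(baseline_csv: str, current_csv: str) -> set:
    """Targeted processes present in the baseline but missing from the current snapshot."""
    return (image_names(baseline_csv) - image_names(current_csv)) & ZAFI_TARGETS

# Constructed snapshots: firewall and AV components disappear between them.
BASELINE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"winlogon.exe","612","Console","0","4,120 K"
"vsmon.exe","1024","Console","0","8,300 K"
"zonalarm.exe","1100","Console","0","6,212 K"
"navapw32.exe","1204","Console","0","9,004 K"
"notepad.exe","1500","Console","0","2,100 K"
'''
CURRENT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"winlogon.exe","612","Console","0","4,120 K"
"notepad.exe","1500","Console","0","2,100 K"
"Ntvdm.exe","1640","Console","0","1,900 K"
'''

if __name__ == "__main__":
    for name in sorted(killed_security_processes(BASELINE, CURRENT)):
        print(f"security process no longer running: {name}")
```

A process that appears in the current snapshot but not in the baseline (ntvdm.exe above) is not reported; the check only flags protection that was present and has vanished.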


Trojan, Worm Targets Systems With Weak Passwords to Spread

W32/Sdbot-CP is an IRC backdoor Trojan and network worm. It spreads to other
computers on the local network protected by weak passwords. 

When first run W32/Sdbot-CP copies itself to the Windows System folder as
csrs32.exe and creates the following registry entries, so that csrs32.exe is
run automatically each time Windows is started: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System32-Driver = csrs32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System32-Driver = csrs32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System32-Driver = csrs32.exe

The Trojan sets the following registry entry, in order to disable the use of
certain system programs such as Regedit.exe:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32sdbotcp.html



Trojan, Worm Tries to Connect to IRC Server

W32/Agobot-GP is an IRC backdoor Trojan and network worm. It is capable of
spreading to computers on the local network protected by weak passwords. 

When first run W32/Agobot-GP copies itself to the Windows system folder as
csrss32.exe and creates the following registry entries to run itself on
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater Service Process = csrss32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Updater Service Process = csrss32.exe

Each time W32/Agobot-GP is run it attempts to connect to a remote IRC server
and join a specific channel. W32/Agobot-GP then runs continuously in the
background, allowing a remote intruder to access and control the computer
via IRC channels.

Find out more at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32agobotgp.html
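An added example, not from the alert or from Sophos: an audit that reads the text form of `reg query` output and flags the persistence values quoted in the two Sophos write-ups above (W32/Sdbot-CP's System32-Driver = csrs32.exe and W32/Agobot-GP's Updater Service Process = csrss32.exe) plus the DisableRegistryTools policy Sdbot-CP sets. The `reg query` layout assumed is a key line followed by indented "Name  REG_TYPE  Data" lines; the sample output is constructed, not a capture from an infected host.

```python
"""Added example (not from the Sophos write-ups quoted above): audit autorun
registry values for the persistence entries W32/Sdbot-CP and W32/Agobot-GP
create, and the DisableRegistryTools policy Sdbot-CP sets.  Input is the text
form of `reg query` output; the sample below is constructed, not captured."""
import re

# (value name, data) pairs under Run/RunServices, as listed in the alert.
AUTORUN_IOCS = {
    ("system32-driver", "csrs32.exe"): "W32/Sdbot-CP",
    ("updater service process", "csrss32.exe"): "W32/Agobot-GP",
}
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
POLICY_KEY = "\\currentversion\\policies\\system"
# `reg query` prints a key line, then "    Name    REG_TYPE    Data" lines.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def audit_reg_query(text: str) -> list:
    """Return (key, value name, data, finding) tuples for suspicious entries."""
    findings, key = [], ""
    for line in text.splitlines():
        if line.startswith(("HKEY_", "HKLM", "HKCU")):
            key = line.strip()          # new key: remember it for value lines
            continue
        m = VALUE_LINE.match(line)
        if not m or not key:
            continue
        name, _, data = m.groups()
        key_l, name_l, data_l = key.lower(), name.lower(), data.strip().lower()
        if key_l.endswith(AUTORUN_KEYS) and (name_l, data_l) in AUTORUN_IOCS:
            findings.append((key, name, data.strip(), AUTORUN_IOCS[(name_l, data_l)]))
        elif key_l.endswith(POLICY_KEY) and name_l == "disableregistrytools" and data_l in ("0x1", "1"):
            findings.append((key, name, data.strip(), "registry tools disabled"))
    return findings

# Constructed `reg query` output: one benign entry plus the three indicators.
SAMPLE = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    System32-Driver    REG_SZ    csrs32.exe

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices
    Updater Service Process    REG_SZ    csrss32.exe

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    DisableRegistryTools    REG_DWORD    0x1
"""
if __name__ == "__main__":
    for key, name, data, finding in audit_reg_query(SAMPLE):
        print(f"{finding}: {key}\\{name} = {data}")
```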


Mass-Mailing Worm Looks for Email Addresses 

W32.Erkez.A@mm is a mass-mailing worm that sends itself to email addresses
found on the infected computer. Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.a@xxxxxxx#technicaldetails


Worm Exploits Network Vulnerabilities to Spread

Worm_Sdbot.JS is a worm that exploits certain vulnerabilities to propagate
across networks. It takes advantage of the following Windows
vulnerabilities:

Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability
RPC Locator Vulnerability

For more information about these Windows vulnerabilities, please refer to the
following Microsoft Web pages:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007

It attempts to log on to systems using a list of user names and passwords.
This worm then drops a copy of itself in accessed machines.

This worm steals CD keys of certain game applications, then sends gathered
data to a remote user via mIRC, a chat application. It also has backdoor
capabilities and may execute remote commands in the host machine. 

This worm is written using Visual C++ and runs on Windows NT, 2000 and XP.
Technical details are at this Trend Micro page.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.JS&VSect=T
--Compiled by Esther Shein 


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member



