From: eSecurity Planet
http://www.esecurityplanet.com/alerts/article.php/3342171

Worm Ends Antivirus Programs, Firewall Processes

Zafi.A is a new worm that ends processes belonging to antivirus programs and firewalls, among others, according to various security vendors that issued alerts Monday. This leaves the affected computer vulnerable to attack by other malware. More specifically, according to Panda Software, it ends the following processes: dfw.exe, fsav32.exe, fsbwsys.exe, fsgk32.exe, fsm32.exe, fssm32.exe, fvprotect.exe, mcagent.exe, navapw32.exe, navdx.exe, navstub.exe, navw32.exe, nc2000.exe, ndd32.exe, netarmor.exe, netinfo.exe, netmon.exe, nmain.exe, nprotect.exe, ntvdm.exe, ostronet.exe, outpost.exe, pccguide.exe, pcciomon.exe, regedit.exe, regedit32.exe, taskmgr.exe, tnbutil.exe, vbcons.exe, vbsntw.exe, vbust.exe, vsmain.exe, vsmon.exe, vsstat.exe, winlogon.exe and zonalarm.exe.

Zafi.A spreads via e-mail. It follows the routine below:

- It reaches the computer in an e-mail message with variable characteristics, written in Hungarian. The message includes an attachment with a variable file name, but which always has a ZIP extension.
- The computer is affected when the attached file is run.
- Zafi.A searches for e-mail addresses in files with the following extensions: ADB, ASP, DBX, EML, HTM, MBX, PHP, PMR, SHT, TBB, TXT and WAB.
- The worm sends itself out to all the addresses it has gathered, using its own SMTP engine. However, Zafi.A does not send itself to e-mail addresses that contain any of the following text strings: anti, avp, f-prot, gov, hotmail, microsoft, norton, panda, trendmicro and vir.

For more information visit Panda Software here.
http://www.pandasoftware.com/virus_info/encyclopedia/results.aspx

Trojan, Worm Targets Systems With Weak Passwords to Spread

W32/Sdbot-CP is an IRC backdoor Trojan and network worm. It spreads to other computers on the local network that are protected only by weak passwords.
When first run, W32/Sdbot-CP copies itself to the Windows System folder as csrs32.exe and creates the following registry entries, so that csrs32.exe is run automatically each time Windows is started:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
        System32-Driver = csrs32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
        System32-Driver = csrs32.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
        System32-Driver = csrs32.exe

The Trojan sets the following registry entry in order to disable the use of certain system programs such as Regedit.exe:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
        DisableRegistryTools = 1

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32sdbotcp.html

Trojan, Worm Tries to Connect to IRC Server

W32/Agobot-GP is an IRC backdoor Trojan and network worm. It is capable of spreading to computers on the local network that are protected only by weak passwords. When first run, W32/Agobot-GP copies itself to the Windows system folder as csrss32.exe and creates the following registry entries to run itself on startup:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
        Updater Service Process = csrss32.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
        Updater Service Process = csrss32.exe

Each time W32/Agobot-GP is run it attempts to connect to a remote IRC server and join a specific channel. W32/Agobot-GP then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

Find out more at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32agobotgp.html

Mass-Mailing Worm Looks for Email Addresses

W32.Erkez.A@mm is a mass-mailing worm that sends itself to email addresses found on the infected computer. Technical details are at this Symantec page.
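The two Sophos descriptions above give the exact Run/RunServices value names and the DisableRegistryTools policy flag that W32/Sdbot-CP and W32/Agobot-GP set. The script below is an added example (not from eSecurity Planet, Sophos, or the newsletter author) that parses a registry export in the standard .reg text format and flags those entries; the SAMPLE_REG text is a constructed sample, not data from a real machine.

```python
import re

# Constructed sample of a registry export (.reg format); not taken from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System32-Driver"="csrs32.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Updater Service Process"="csrss32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

# Value name -> executable, exactly as the Sophos descriptions give them.
PERSISTENCE_IOCS = {
    "system32-driver": "csrs32.exe",           # W32/Sdbot-CP
    "updater service process": "csrss32.exe",  # W32/Agobot-GP
}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|(\S+))$')

def parse_reg(text):
    """Yield (key, value_name, data) for each value line in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, m.group(1), m.group(2) if m.group(2) is not None else m.group(3)

def find_indicators(text):
    """Return human-readable hits for the persistence entries and the policy flag."""
    hits = []
    for key, name, data in parse_reg(text):
        lkey, lname, ldata = key.lower(), name.lower(), data.lower()
        exe = ldata.replace("\\\\", "\\").rsplit("\\", 1)[-1]  # basename of the command
        if lkey.endswith(RUN_KEYS) and PERSISTENCE_IOCS.get(lname) == exe:
            hits.append(f"{key}\\{name} = {data}")
        elif lkey.endswith("\\policies\\system") and lname == "disableregistrytools" \
                and ldata == "dword:00000001":
            hits.append(f"{key}\\{name} = 1 (Registry Editor disabled)")
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG):
        print("SUSPICIOUS:", hit)
```

On a real host, export the Run, RunServices and Policies\System keys with reg.exe and feed the file to find_indicators; a hit on DisableRegistryTools alone is also worth checking, since the alert notes the Trojan uses it to block Regedit.exe.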
http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.a@xxxxxxx#technicaldetails

Worm Exploits Network Vulnerabilities to Spread

Worm_Sdbot.JS is a worm that exploits certain vulnerabilities to propagate across networks. It takes advantage of the following Windows vulnerabilities:

- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
- IIS5/WEBDAV Buffer Overflow vulnerability
- RPC Locator Vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

- Microsoft Security Bulletin MS03-026
- Microsoft Security Bulletin MS03-001
- Microsoft Security Bulletin MS03-007

It attempts to log on to systems using a list of user names and passwords. This worm then drops a copy of itself on the machines it accesses. This worm steals CD keys of certain game applications, then sends the gathered data to a remote user via mIRC, a chat application. It also has backdoor capabilities and may execute remote commands on the host machine. This worm is written using Visual C++ and runs on Windows NT, 2000 and XP.

Technical details are at this Trend Micro page.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.JS&VSect=T

--Compiled by Esther Shein

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member