[virusinfo] Panda Software's weekly report on viruses and intruders - 4/17/05

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sat, 16 Apr 2005 18:53:23 -0700

From: Panda Software's weekly report on viruses and intruders -
     Virus Alerts, by Panda Software (http://www.pandasoftware.es)

MADRID, April 17 2005 - This week's report on viruses and intruders
includes five vulnerabilities in different Microsoft products and new
variants of the Mytob, Gaobot and Kelvir worms.

The five vulnerabilities have been rated 'critical' and affect not only
Windows operating systems, but also other applications like Internet
Explorer, Exchange Server, MSN Messenger, Word, Works and Office. If the
patches that fix these flaws are not applied, an attacker could gain remote
control of affected systems. 

As far as malicious code is concerned, we can highlight the gradual
increase in the number of Mytob worms emerging. The Mytob worms connect to
an IRC server and wait for remote control commands to carry out on the
affected computer, such as deleting, downloading or running files. Some
variants prevent the user from accessing the websites belonging to certain
antivirus and IT security companies. What's more, they spread via email,
through the Internet (by exploiting the LSASS vulnerability) and across
networks protected with weak passwords. However, the proactive TruPrevent(TM)
detection technologies blocked all these variants of the Mytob worm without
needing to be able to identify them first. Therefore, users that have these
technologies installed on their systems have been protected from the very
start. 

The appearance of Gaobot.EYP can also be highlighted. This is a worm that
also opens a backdoor, allowing a remote attacker to gain control of
affected computers. The attacker would be able to carry out multiple
actions including running commands, downloading and executing files,
capturing keystrokes, obtaining the characteristics of the computer,
launching distributed denial of service attacks (DDoS), etc.

Gaobot.EYP ends the processes belonging to different security tools, such
as antivirus programs and firewalls, leaving the computer vulnerable to
attack from other malware. What's more, it ends the processes belonging to
other worms.

Gaobot.EYP uses a number of methods to spread:

- It copies itself to the shared network resources it manages to access.

- It exploits the following vulnerabilities to spread via the Internet:
LSASS, RPC DCOM, WINS buffer overflow in the workstation service.

- It can get into computers with SQL Server, whose SA (System
Administrator) account has a blank password.

Finally, we will look at Kelvir.L.worm. This worm spreads via MSN Messenger
by sending a message to all the contacts with the text "its you!", which
points to a URL belonging to the hydr0.net domain.

If the user clicks on this link, a compressed, autoexecutable file,
detected as Trj/MultiDropper.ZL, is downloaded and run. This file contains
files called "uncanny.exe" and "advbot.exe", which are copies of
Kelvir.L.worm and Gaobot.EYX.worm, respectively.

More information about these and other threats is available from Panda
Software's encyclopedia at:
http://www.pandasoftware.es/virus_info/enciclopedia/

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If
this happens, just use the 'cut' and 'paste' options to join the pieces of
the URL.

------------------------------------------------------------
To contact with Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
