From; Panda Oxygen3: "Wisdom lies neither in fixity nor in change, but in the dialectic between the two." Octavio Paz (1914); Mexican writer. - Weekly report on viruses and intruders - Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com) Madrid, March 13, 2005 - Four worms -the B and C variants of Kelvir, Fatso.A and Sober.O-, and two Trojans -Ruzes.A and Downloader.BBN- will be described in this week's report on viruses and intruders. The first three worms -Kelvir.B, Kelvir.C and Fatso.A- in today's report are designed to spread rapidly via the application MSN Messenger. These worms reach computers in a message that includes a link to an Internet address. If the user access this link, files containing the code of these worms will be downloaded and installed on the computer. Kelvir.B and Kelvir.C carry out various actions in the computers that they infect, including the following: - Send messages to the entries in the contacts in MSN Messenger. - Download several variants of the Gaobot or Sdbot Trojans from a web page, which allow a hacker to gain remote control of the affected computer through IRC chat channels. Fatso.A spreads through the instant messaging application MSN Messenger and via peer-to-peer (P2P) file sharing programs. When it infects a computer, it ends the processes belonging to various security tools, such as antivirus programs and firewalls, leaving the computer vulnerable to other malware. Fatso.A also modifies the system configuration so that it is automatically copied to all the CD-ROMs recorded on the computer. A curious detail about Fatso.A is that it continues the cyber-war between virus authors that started with the appearance of the Assiral.A worm, and which displayed a text attacking the Bropia worms. In response, Fatso.A creates a file called "Message to n00b LARISSA.txt" on affected systems, which contains an unfriendly message for the author of Assiral, signed by someone called Skydevil. The fourth worm in today's report is Sober.O, which spreads via email in a message that can be written in German -if the extension of the mail domain is one of the following: de (German), ch (Switzerland), at (Austria) or li (Liechtenstein)-, or in English. When it infects a computer, Sober.O looks for email addresses in files with certain extensions. Then, Sober.O sends itself out using its own SMTP engine. What's more, when it is run, Sober.O opens Notepad and displays a text on screen. The first of the two Trojans in today's report is Ruzes.A, which collects email address from the files it finds on the affected computer with certain extensions. Then, it sends these addresses to an Internet address. Ruzes.A is being downloaded by Downloader.BBN, another Trojan that appeared recently, which is very similar to the other variants in the family it belongs to. For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/ NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL. ------------------------------------------------------------ To contact with Panda Software, please visit: http://www.pandasoftware.com/about/contact/ ------------------------------------------------------------ *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member