[virusinfo] Panda Weekly report on viruses and intruders - 03/13/ 05
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Sun, 13 Mar 2005 20:19:50 -0800
From; Panda Oxygen3:
"Wisdom lies neither in fixity nor in change,
but in the dialectic between the two."
Octavio Paz (1914); Mexican writer.
- Weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, March 13, 2005 - Four worms -the B and C variants of Kelvir, Fatso.A
and Sober.O-, and two Trojans -Ruzes.A and Downloader.BBN- will be described
in this week's report on viruses and intruders.
The first three worms -Kelvir.B, Kelvir.C and Fatso.A- in today's report are
designed to spread rapidly via the application MSN Messenger. These worms
reach computers in a message that includes a link to an Internet address. If
the user access this link, files containing the code of these worms will be
downloaded and installed on the computer.
Kelvir.B and Kelvir.C carry out various actions in the computers that they
infect, including the following:
- Send messages to the entries in the contacts in MSN Messenger.
- Download several variants of the Gaobot or Sdbot Trojans from a web page,
which allow a hacker to gain remote control of the affected computer through
IRC chat channels.
Fatso.A spreads through the instant messaging application MSN Messenger and
via peer-to-peer (P2P) file sharing programs. When it infects a computer, it
ends the processes belonging to various security tools, such as antivirus
programs and firewalls, leaving the computer vulnerable to other malware.
Fatso.A also modifies the system configuration so that it is automatically
copied to all the CD-ROMs recorded on the computer.
A curious detail about Fatso.A is that it continues the cyber-war between
virus authors that started with the appearance of the Assiral.A worm, and
which displayed a text attacking the Bropia worms. In response, Fatso.A
creates a file called "Message to n00b LARISSA.txt" on affected systems,
which contains an unfriendly message for the author of Assiral, signed by
someone called Skydevil.
The fourth worm in today's report is Sober.O, which spreads via email in a
message that can be written in German -if the extension of the mail domain
is one of the following: de (German), ch (Switzerland), at (Austria) or li
(Liechtenstein)-, or in English.
When it infects a computer, Sober.O looks for email addresses in files with
certain extensions. Then, Sober.O sends itself out using its own SMTP
engine. What's more, when it is run, Sober.O opens Notepad and displays a
text on screen.
The first of the two Trojans in today's report is Ruzes.A, which collects
email address from the files it finds on the affected computer with certain
extensions. Then, it sends these addresses to an Internet address.
Ruzes.A is being downloaded by Downloader.BBN, another Trojan that appeared
recently, which is very similar to the other variants in the family it
belongs to.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
------------------------------------------------------------
To contact with Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] Panda Weekly report on viruses and intruders - 03/13/ 05
