[virusinfo] Panda Weekly report on viruses and intruders - 3/27/05

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sun, 27 Mar 2005 18:23:41 -0800


From: Panda Oxygen3:

"Only one passion could drive me away from my habits of study;
                        but was it not also study?"
               Honoré de Balzac (1799-1850), French author.

               - Weekly report on viruses and intruders -
         Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, March 27th, 2005 - This week's report on viruses and intruders
looks at two worms (Mydoom.BH and Crowt.B) and a Trojan, Downloader.BHV.

Mydoom.BH is an email worm which can also spread through the KaZaA P2P file
sharing program. Once it has entered a computer and is run, it downloads a
page from a website with code, which is saved to the Windows system
directory as an executable file called TEMP1.EXE. It also displays a screen
referring to an antivirus in order to distract users' attention.

To spread via email it sends itself to all contacts in the Outlook address
book, using its own SMTP engine. The name that appears as the sender of the
email is false and the message includes an attachment with malicious code.

In addition to using email, Mydoom.BH also creates a copy of itself in the
shared KaZaA directory, which it obtains from the Windows registry. This
copy has random file and extension names, selected from a list of names
designed to attract KaZaA users.

Other users of this program could remotely access this shared directory
and voluntarily download to their computers files created by Mydoom.BH,
thinking that they were actually interesting programs, etc. They would, in
fact, be downloading copies of the worm to their computers. When they run
the downloaded file, these other computers would become infected by
Mydoom.BH.

The second worm in this report, Crowt.B, has backdoor functionalities and
sends itself by email using its own SMTP engine. It gets the addresses to
which it sends itself from a list of contacts stored on the user's computer.

It allows remote commands to be executed on the compromised computer and
information to be extracted from it. It also carries an additional danger,
as it acts as a keylogger, recording keystrokes and stealing passwords
entered. In order to conceal itself, Crowt.B injects its code into other
programs.

Finally, we will look at the Downloader.BHV Trojan. This malicious code
downloads and installs adware programs on the infected computer. 

Downloader.BHV needs the intervention of an attacker in order to propagate
and cannot spread by itself automatically. Various propagation channels are
used, including floppy disks, CDs, e-mail messages with attachments,
Internet downloads, FTP file transfers, IRC channels, P2P file-sharing
networks, etc.

When it is run, it downloads from a range of websites 5 executable files
disguised as GIF files, which it runs on the infected system. To prevent
detection, it uses some very basic techniques (some text strings are
composed while the code is running).

For further information about these and other computer threats, visit Panda
Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------
To contact with Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
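Two of the tricks in the Panda report above lend themselves to a simple content check: Downloader.BHV fetches executables "disguised as GIF files", and Mydoom.BH drops a file named TEMP1.EXE into the Windows system directory (and seeds the KaZaA shared folder with executables under attractive names). The following script is an added example, not Panda's or Mike's code, that scans a folder and flags files whose bytes do not match the type their name claims, plus any file whose name matches the dropped name quoted in the report. The sample folder it builds is constructed here with harmless dummy bytes; the "MZ" and "GIF8xa" signatures are the real PE and GIF file headers, the extension list and the case-insensitive name match are assumptions of this example.

```python
"""Flag files whose content does not match the type their name claims.

Added example (not the report's code): checks for an executable saved under
an image name (the report's "GIF" files) and for a known dropped file name
(the report's TEMP1.EXE). Sample files are constructed below with dummy bytes.
"""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Windows executables (PE files) start with the DOS stub signature "MZ".
PE_MAGIC = b"MZ"
# Genuine GIF files start with one of these two signatures.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
# Extensions that should never carry PE content (assumed list for this example).
DATA_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".mp3"}
# File name quoted in the report for Mydoom.BH; matched case-insensitively here.
KNOWN_DROPPED_NAMES = {"temp1.exe"}


def read_header(path: Path, length: int = 8) -> bytes:
    """Read the first few bytes of a file; that is all a signature check needs."""
    with path.open("rb") as fh:
        return fh.read(length)


def classify(path: Path) -> Optional[str]:
    """Return a reason string if the file looks suspicious, otherwise None."""
    name = path.name.lower()
    ext = path.suffix.lower()
    head = read_header(path)

    if name in KNOWN_DROPPED_NAMES:
        return "file name matches a known dropped executable"
    if ext in DATA_EXTENSIONS and head.startswith(PE_MAGIC):
        return f"PE executable disguised as {ext} file"
    if ext == ".gif" and not head.startswith(GIF_MAGICS):
        return "claims to be GIF but lacks a GIF signature"
    return None


def scan_directory(root: Path) -> List[Tuple[str, str]]:
    """Walk a folder and collect (file name, reason) pairs for suspicious files."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reason = classify(path)
            if reason:
                findings.append((path.name, reason))
    return findings


def build_sample_dir() -> Path:
    """Create a constructed download folder mixing benign and suspicious files."""
    root = Path(tempfile.mkdtemp(prefix="scan_demo_"))
    samples = {
        "holiday.gif": b"GIF89a" + b"\x00" * 10,   # genuine GIF header, benign
        "notes.txt": b"just some text\n",            # plain text, benign
        "funny.gif": PE_MAGIC + b"\x90" * 14,        # PE bytes under a GIF name
        "TEMP1.EXE": PE_MAGIC + b"\x90" * 14,        # name quoted in the report
        "broken.gif": b"\x00\x01\x02\x03",           # neither GIF nor PE
    }
    for name, content in samples.items():
        (root / name).write_bytes(content)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, reason in scan_directory(sample):
        print(f"{name}: {reason}")
```

Point it at a real download or shared folder by passing that path to scan_directory(); the signature check is what catches the renamed executable, and the name check is only a convenience for the one indicator the report names, so extend DATA_EXTENSIONS and KNOWN_DROPPED_NAMES to suit your own environment.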


