Tuesday, April 27, 2004


Here's another state-of-the-net virus attack status report:

This week's report on viruses and intrusions
focuses on four variants of Netsky (W, X, Y and Z), two variants of Mydoom
(I and J), the Zafi.A worm, Blaster.H, and a spam message designed to
download a Trojan to the computer.

The four new variants of Netsky are very similar to one another. They are
all designed to spread in files attached to e-mail messages with variable

The actions carried out by Netsky.W include deleting entries from the
Windows Registry that are generated when some variants of the Mydoom, Mimail
and Bagle worms attack computers. The X, Y and Z variants try to launch
denial of service attacks against certain web pages.

The I variant of the Mydoom worm spreads via e-mail in a message with
variable characteristics. This worm also launches Distributed Denial of
Service (DDoS) attacks against a web page.

As well as e-mail, Mydoom.J also spreads through the peer-to-peer file
sharing program KaZaA. One notable characteristic of this worm is that it
uses a dynamic link library (DLL) that was also used by the Bugbear.B worm
and is detected by Panda Antivirus as Trj/PSW.Bugbear.B.

It is easy to know whether a computer has been infected by either of these
variants of Mydoom, as when they are run, they open Windows Notepad and
display junk data.

Zafi.A is a worm that spreads via e-mail in a message written in Hungarian,
which always has the subject 'kepeslap erkezett!'. This worm ends the
processes belonging to antivirus and firewall programs, among others,
leaving the computer vulnerable to attack from other types of malware.

Zafi.A stops spreading on May 1, 2004 and from this date on, it displays a
window on screen with a political message.

Like its predecessors, Blaster.H exploits a Windows vulnerability known as
'Buffer Overrun In RPC Interface' discovered last July. This worm can get
into computers that have not been correctly patched directly through the

When Blaster.H reaches a computer, it creates a backdoor in one of the
communications ports, which it uses to carry out a large number of actions.

Finally, this week a spam message has been detected which tries to get
recipients to visit an advertising page and which also downloads a Trojan to
users' computers.

The characteristics of the message are:

Sender: the name of the sender is variable, although it tries to make
recipients think it has been sent by the BBC or CNN.

Subject: "Osama Bin Laden Captured"

Message text: "Hey, Just got this from CNN, Osama Bin Laden has been
captured! Goto the link below to view the pics and to download the video if
you so wish: (Internet address) "Murderous coward he is". God bless

The address indicated in the message takes users to what appears to be an
advertising page. However, the page actually contains code that exploits a
vulnerability (detected by Panda Antivirus as Exploit/MIE.CHM). This code
downloads and runs a file (detected as VBS/Psyme.C). Finally, a file called
EXPLOIT.EXE, which contains the Trojan Trj/Small.B, is downloaded from the
Internet to users' computers.
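Both the Zafi.A worm and this spam campaign arrive as e-mail with a fixed, recognisable subject line, so a mail gateway can flag them on headers alone before anyone clicks the link. The following is an added example (my own code, not part of the Panda report) that checks messages against the indicators quoted above: the exact subject lines, a sender display name posing as the BBC or CNN, and a link in the body. The three sample messages and all addresses are constructed for the example and are not real captures.

```python
import email
import re
from email import policy

# Constructed sample messages modelled on the indicators in the report.
# Addresses use the reserved .invalid TLD; nothing here is a real capture.
SAMPLE_SPAM = """From: "CNN Breaking News" <news@example.invalid>
To: victim@example.invalid
Subject: Osama Bin Laden Captured

Hey, Just got this from CNN, Osama Bin Laden has been captured!
Goto the link below to view the pics and to download the video:
http://advertising.example.invalid/page.htm
"""

SAMPLE_ZAFI = """From: barat@example.invalid
To: victim@example.invalid
Subject: kepeslap erkezett!

(body text constructed for the example)
"""

SAMPLE_CLEAN = """From: colleague@example.invalid
To: victim@example.invalid
Subject: Meeting notes

See you tomorrow.
"""

# Subject-line indicators taken from the report. Matching is case-insensitive
# and ignores surrounding whitespace so trivial variations still trigger.
SUBJECT_RULES = [
    ("spam-bin-laden-trojan", re.compile(r"^\s*osama bin laden captured\s*$", re.I)),
    ("zafi-a", re.compile(r"^\s*kepeslap erkezett!\s*$", re.I)),
]

# The spam's sender varies but poses as a news outlet; flag that separately.
NEWS_SENDER = re.compile(r"\b(bbc|cnn)\b", re.I)
URL = re.compile(r"https?://", re.I)


def classify(raw: str) -> list[str]:
    """Return the list of indicator names that fire on one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))
    body = msg.get_content() if not msg.is_multipart() else ""

    hits = [name for name, pattern in SUBJECT_RULES if pattern.search(subject)]
    if hits:
        # Secondary indicators only matter once a known subject matched.
        if NEWS_SENDER.search(sender):
            hits.append("spoofed-news-sender")
        if URL.search(body):
            hits.append("link-in-body")
    return hits


if __name__ == "__main__":
    for label, sample in [("spam", SAMPLE_SPAM), ("zafi", SAMPLE_ZAFI), ("clean", SAMPLE_CLEAN)]:
        print(label, classify(sample))
```

The subject rules are deliberately exact, because the report says both subjects are fixed; the sender and link checks are secondary signals that only add weight once a known subject has matched, which keeps ordinary mail from colleagues out of the quarantine.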

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:


Stay safe out there...
