Saturday, May 08, 2004

Hi there,

Here's a weekly update on viruses in circulation:

- Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 7, 2004 - This week's virus activity has centered on the
epidemic caused by the appearance of four variants of the Sasser worm.
They are not, however, the only malicious code to have emerged this week.
So, as well as describing the Sasser worms, this week's report also looks
at Netsky.AC, three new hacking tools called DSScan, JohnTheRipper and
Brutus.A, and the Briss.A Trojan.

The appearance of the A, B, C and D variants of the Sasser worm has caused
a widespread epidemic affecting users worldwide. These worms exploit a
recently discovered vulnerability in the LSASS service (Local Security
Authority Subsystem Service) of some versions of Windows. Because the
exploit is delivered over the network, to TCP port 445 of unpatched
machines, the worms need no traditional means of transmission such as
e-mail or file sharing: they get into computers directly across the
Internet, without any action by the user. The four variants are very
similar to one another, differing only in the names of the files they
create on the system and the number of scanning threads they run in memory
in order to spread.

The Sasser exploit overflows a buffer in the LSASS process (LSASS.EXE).
When the exploit does not land cleanly the service crashes, and because
Windows treats the loss of LSASS as fatal, the affected system shuts down
and restarts after a 60-second countdown. Disinfecting the computer with
an updated antivirus removes the worm but not the underlying flaw, so it is
essential to also install the patch released by Microsoft to fix the LSASS
vulnerability, which can be downloaded from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

As computers are restarted every minute, users may not have enough time to
eliminate the worm and download the Microsoft patch before the next
restart. One option is to stop the countdown by putting back the system
clock, following the steps below:

- When the window warning that the computer is going to be restarted
appears, double click on the clock that appears in the bottom right corner
of the screen.

- When the date and time settings screen opens, in the textbox in which the
hours and minutes appear, change the time to a few hours earlier than the
time shown.

(On Windows XP, running "shutdown -a" from a command prompt cancels the
pending restart outright; this is an added note, not part of Panda's
instructions.) Either way, the machine should be disconnected from the
network while it is being disinfected and patched, otherwise it will simply
be reinfected by the next scanning worm that reaches it.

Panda Software has made its PQRemove tools available to users. These
applications not only disinfect computers but also restore the system
configuration altered by the worm.

One of the PQRemove tools is specifically designed for networks, and removes
Sasser and all its variants from any network that could have been affected.
This tool can be downloaded from: http://www.pandasoftware.com/support. The
other PQRemove applications disinfect individual computers attacked by any
of the Sasser variants. These can be downloaded from:
http://www.pandasoftware.com/download/utilities.

Netsky.AC is a new variant of the family of mass-mailing worms that has
been circulating on the Internet over the last few months. The most
interesting aspect of this worm is the message hidden in its code, in which
the authors claim that they also created the Sasser worms:

"Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah
thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server
code with the one from Skynet.V!!! LooL! We are the Skynet...
Here is an part of the sasser sourcecode you named so, lol"

Until these authors are caught, users should keep their guard up against
the highly probable appearance of new variants. Judging by how the previous
attacks were carried out, it is likely that the authors of the Sasser and
Netsky worms are putting the final touches to another dangerous malicious
code which, as they have done until now, they will release at the weekend.

"These authors could try to create a virus that spreads via e-mail as well
as exploiting the LSASS vulnerability. By doing this, it could get round the
firewall protection that blocks the Sasser worms. This could be especially
dangerous for companies that, as they have firewall protection installed,
have not applied the Microsoft patches," says Luis Corrons, head of
PandaLabs.

DSScan.A, JohnTheRipper and Brutus.A are three new hacking tools. These are
legitimate tools that, in themselves, are not designed to cause any damage.
However, they can also be used by attackers to carry out malicious actions.

DSScan.A is a network scanner that finds computers still exposed to the
LSASS vulnerability, i.e. hosts that have not yet received the MS04-011
patch; an administrator can use it to locate unpatched machines, and a
worm author can use it to choose targets. JohnTheRipper.A is a password
cracker: given the password hashes from a Unix or Windows system, it
recovers the plaintext passwords, typically by trying words from a
dictionary first and falling back to exhaustive search.

Brutus.A is a program that allows malicious users to guess passwords by
brute force, usually against a remote login service. This technique
involves trying every possible combination until the correct password is
found, so its cost grows with the size of the character set and the length
of the password.
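The two cracking strategies mentioned above, dictionary search and exhaustive brute force, as an added worked example that is not part of Panda's report and not code from JohnTheRipper or Brutus. It uses MD5 and a constructed three-character password purely so that it runs anywhere in seconds; the real tools target LM/NT and Unix crypt hashes, but the search loop is the same. The wordlist and target hash are constructed for the example.

```python
import hashlib
import itertools


def hash_password(candidate: str) -> str:
    """Stand-in for the hash a cracker has to match. MD5 is used only so the
    example is portable; real password hashes (LM/NT, crypt) differ, but the
    attack only needs a way to hash a guess and compare."""
    return hashlib.md5(candidate.encode("ascii")).hexdigest()


# Constructed sample: the hash of a deliberately weak password, as if it
# had been read from a compromised system. Not a real leaked hash.
TARGET_HASH = hash_password("zap")

# Constructed mini wordlist standing in for a real password dictionary.
WORDLIST = ["password", "letmein", "qwerty", "zap"]


def keyspace_size(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over a charset of the given
    size. This is what makes brute force expensive: it is exponential in the
    password length."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def dictionary_attack(target_hash: str, wordlist):
    """Try only the words in a list (the cheap first pass a cracker runs).
    Returns (password, attempts) or (None, attempts) if nothing matched."""
    attempts = 0
    for word in wordlist:
        attempts += 1
        if hash_password(word) == target_hash:
            return word, attempts
    return None, attempts


def brute_force(target_hash: str, charset: str, max_len: int):
    """Try every string over charset of length 1..max_len, shortest first.
    Returns (password, attempts) or (None, attempts) once the keyspace is
    exhausted, so the caller can see how much work a given policy costs."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    lowercase = "abcdefghijklmnopqrstuvwxyz"
    pw, n = dictionary_attack(TARGET_HASH, WORDLIST)
    print(f"dictionary: {pw!r} after {n} of {len(WORDLIST)} candidates")
    pw, n = brute_force(TARGET_HASH, lowercase, 3)
    print(f"brute force: {pw!r} after {n} of {keyspace_size(26, 3)} candidates")
    # Why length and character-set policies matter: an 8-character
    # mixed-case alphanumeric password has this many candidates.
    print("8-char [A-Za-z0-9] keyspace:", keyspace_size(62, 8))
```

The dictionary pass finds the sample password in four guesses; the exhaustive pass needs 17,618 hashes even for a three-letter lowercase password, and keyspace_size(62, 8) shows why length and a mixed character set, rather than secrecy of the hash algorithm, are what defeat Brutus-style guessing.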

Finally, Briss.A is a Trojan that stays memory resident and, every 24
hours, downloads and installs other malware on the computer without the
user noticing. It also carries out other actions, such as capturing certain
key combinations typed by the user.

Like many other Trojans, Briss.A cannot spread by itself; it has to be
delivered by a malicious user. The means of transmission it uses include
floppy disks, e-mail messages with attachments, Internet downloads, etc.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Trojan: Strictly speaking, a Trojan is not a virus, although it is often
thought of as one. Trojans are programs that enter a computer posing as
harmless software, install themselves, and then carry out actions that
compromise the user's confidentiality.

- Vulnerability: A flaw or security hole in a program or IT system, often
used by viruses and worms as a means of infection.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx