Friday, May 14, 2004

Sasser.F Makes its Appearance

- Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 14, 2004 - This week's report on viruses and intrusions will
deal with five worms (Sasser.F, Cycle.A, Bagle.AC, Sober.G and Wallon.A)
and Qhost.gen.

Sasser.F spreads via the Internet by exploiting the LSASS vulnerability. In
the computers it infects, this worm causes a buffer overflow in the
LSASS.EXE program, restarts the computer and displays a message on screen.
Like previous variants of Sasser, variant F spreads automatically across
Windows XP/2000 computers. It can also run on the other Windows operating
systems if the file carrying the worm is executed by a malicious user.

Like the malicious code mentioned above, Cycle.A also spreads via the
Internet by exploiting the LSASS vulnerability and causes affected computers
to restart. It also ends the processes of the Blaster, Sasser.A, Sasser.B,
Sasser.C and Sasser.D worms and launches Denial of Service (DoS) attacks
against several websites when the system date falls outside May 1 to 18,
inclusive.

The third worm in today's report is Bagle.AC, which ends the processes of
several IT security applications, such as antivirus and firewall programs,
and of several worms. It also tries to connect, through port 14441, to
various websites that house a PHP script in order to notify the virus author
that the computer has been infected.

Sober.G is a worm that spreads via e-mail. The message it sends can be
written in English or German, depending on the domain of the recipient's
e-mail address. It looks for e-mail addresses in files with certain
extensions on the affected computer, and sends itself out to the addresses
it finds using its own SMTP engine.

The fifth worm is Wallon.A, which installs itself on computers by exploiting
the Exploit/MIE.CHM vulnerability. To do this, it uses the following
propagation routine: the user receives an e-mail containing a link to a
certain website; if the user visits that web page, Wallon.A is downloaded
to the computer.

Wallon.A collects all of the addresses in the Windows Address Book and sends
them to an e-mail address. This worm also changes the home page of Internet
Explorer and if the Windows Address Book does not contain any addresses, it
displays an error message on screen.

We are going to finish this week's report with Qhost.gen, a generic
detection routine for HOSTS files that have been modified by several
malicious codes, including variants of the Gaobot worm. The HOSTS file
contains a series of name-to-IP-address mappings that Windows consults
first when translating names to IP addresses, before other services such as
WINS or DNS.

This malware modifies the HOSTS file so that a list of web addresses is
mapped to the IP address 127.0.0.1, making the sites on that list
inaccessible. These are usually the websites of security software
manufacturers, such as vendors of anti-malware solutions. As a result,
users of computers affected by Qhost.gen cannot reach these pages to obtain
information, update their solution, etc.
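The following script is an added example, not part of the Panda report, that shows how the HOSTS tampering described above can be audited: it parses a HOSTS file in the standard format (an IP address followed by one or more hostnames, with `#` comments) and reports every hostname that has been mapped to a loopback or unspecified address other than the names that legitimately resolve there. Entries that match a watch list of security vendor domains are marked separately. Only pandasoftware.com is taken from the report; the other watch-list domains and the sample HOSTS content are constructed for this example.

```python
# Added example (not from the Panda report): audit a Windows HOSTS file for
# hostnames redirected to loopback, the modification attributed to Qhost.gen.
import ipaddress

# Names that legitimately map to a loopback address in a default HOSTS file.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains whose redirection to loopback is a strong indicator of tampering.
# pandasoftware.com is named in the report; the others are constructed.
WATCHED_DOMAINS = ("pandasoftware.com", "example-av-vendor.test", "update.example.test")

# Constructed sample HOSTS file: lines 4-6 imitate the Qhost.gen modification.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.pandasoftware.com
127.0.0.1       www.example-av-vendor.test  # vendor site sinkholed
0.0.0.0         update.example.test
192.0.2.10      intranet.example.test
"""


def parse_hosts(text):
    """Return a list of (line_no, ip_address, [hostnames]) for each data line.

    Comments (everything after '#') and blank lines are ignored; lines whose
    first field is not a valid IP address are skipped.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a HOSTS data line
        entries.append((line_no, ip, [h.lower() for h in fields[1:]]))
    return entries


def is_watched(hostname, watched):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_sinkholed_entries(text, watched=WATCHED_DOMAINS):
    """Return findings for hostnames mapped to loopback/unspecified addresses.

    Each finding is a dict with the line number, the address, the hostname and
    whether the hostname is on the watch list. 0.0.0.0 is treated like
    127.0.0.1 because both make the name unreachable.
    """
    findings = []
    for line_no, ip, hostnames in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for host in hostnames:
            if host in LEGITIMATE_LOOPBACK_NAMES:
                continue
            findings.append({
                "line": line_no,
                "ip": str(ip),
                "host": host,
                "watched": is_watched(host, watched),
            })
    return findings


if __name__ == "__main__":
    # On a real system the file to audit would be
    # C:\Windows\System32\drivers\etc\hosts; here the constructed sample is used.
    for f in find_sinkholed_entries(SAMPLE_HOSTS):
        flag = "WATCHED" if f["watched"] else "review"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{flag}]")
```

Restoring the file is only half the remedy: the report's point is that such entries are a symptom of an active infection, so a positive finding should trigger a scan with an updated solution rather than just an edit of the HOSTS file.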

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/