Thursday, June 17, 2004

New Virus Alerts from Panda Software

In this week's report we are going to look at six
worms (Plexus.A, Cult.J and four variants of Korgo), and at Protoride.gen.

Plexus.A spreads via the Internet by exploiting the RPC DCOM and LSASS
vulnerabilities (on computers that have not been patched) and by sending
itself out to the addresses it finds on the local machine and in mapped
drives.

Plexus.A overwrites the hosts file, preventing the computer from connecting
to certain web addresses of an antivirus company; as a result, the PC will
not be able to update the protection installed. Plexus.A locates the KaZaA
shared directory and copies itself to it, and also creates copies of
itself in shared folders on the network.
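A hosts-file tampering check of the kind described above, added here as an illustration and not taken from Panda Software or from the worm itself. It parses a hosts file the way the resolver does (address first, then one or more names, `#` comments stripped) and reports any protected update hostname that has been pinned to a sinkhole address such as 127.0.0.1 or 0.0.0.0. The sample hosts content and the list of protected names are constructed; only www.pandasoftware.com comes from this report, and www.example-av-vendor.com is a placeholder.

```python
from typing import Dict, List

# Constructed sample of a tampered Windows hosts file (not a real capture).
# It mirrors the behaviour described for Plexus.A: the legitimate localhost
# entry survives, but the antivirus vendor's addresses are pinned to
# loopback or 0.0.0.0 so signature updates silently fail.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com
127.0.0.1       updates.pandasoftware.com       # constructed name
0.0.0.0         www.example-av-vendor.com       # placeholder vendor domain
192.168.1.10    fileserver.corp.example         # benign internal entry
"""

# Assumption: the set of hostnames the installed antivirus must reach is
# organisation-specific; these are illustrative placeholders.
PROTECTED_HOSTS = {
    "www.pandasoftware.com",
    "updates.pandasoftware.com",
    "www.example-av-vendor.com",
}

# Addresses that can never be a real update server.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} for every active mapping in a hosts file."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def find_blocked_update_hosts(text: str, protected=PROTECTED_HOSTS) -> List[str]:
    """Protected names that the hosts file resolves to a sinkhole address.

    Returned sorted so the result is stable for reporting and testing.
    """
    mapping = parse_hosts(text)
    blocked = []
    for name in sorted(protected):
        address = mapping.get(name.lower())
        if address is not None and address in SINKHOLE_ADDRESSES:
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    for host in find_blocked_update_hosts(SAMPLE_HOSTS):
        print(f"update host blocked by hosts file: {host}")
```

On a live system the text would come from `%SystemRoot%\System32\drivers\etc\hosts`; any protected name present in the file at all, even with a routable address, is worth a look, since a legitimate hosts file normally carries no entries for a vendor's update servers.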

Cult.J spreads via e-mail in a message with the subject: 'Hello, I sent you
a beautiful love card. ^_*' and an attached file called:
'BEAUTIFULLOVE.PIF'. When this file is run, the worm sends a copy of itself
to a series of addresses using its own SMTP engine.

Cult.J goes memory resident and tries to connect to an IRC channel. If it
manages to establish a connection, this malicious code will give an attacker
remote access to the affected computer, allowing the attacker to carry out
the following actions, among others:

- Attacks through IRC.

- Send out confidential and system information.

- Download and run files.

- Send worms to other IRC channels.

Protoride.gen is a generic detection routine for variants of the
Protoride worm, including ones that could emerge in the future. The malicious
code in this family has the following characteristics:

- They spread across computer networks by copying themselves to the network
resources they manage to access.

- They connect to an IRC channel through port 6667 and wait for a hacker to
send remote control commands (to download and run files, hide active
processes, uninstall themselves, etc.).

- They modify a Windows Registry entry, preventing EXE files from running.
As a result, certain applications will not work.

The next worms in today's report are the C, D, E and F variants of Korgo,
which spread via the Internet by exploiting the LSASS vulnerability. All
four variants open port 3067 and listen on it. They also try to connect
to IRC servers and are designed to prevent the computer from shutting down.
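A host-side check for the two network indicators this report names, added as an illustration and not code from Panda Software: a listener on TCP port 3067 (the Korgo C, D, E and F variants) and an established session to a remote port 6667 (the IRC channel used by the Protoride family and by Korgo's IRC connections). It parses constructed `netstat -an` style output; the addresses in the sample are made up, and the port-to-description table is assumed from the text above. A match on 6667 is a triage lead rather than a verdict, because that is also the port legitimate IRC clients use.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of Windows `netstat -an` output (not a real capture).
# It mixes the two indicators from the advisory with ordinary noise.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.5:1040       203.0.113.8:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Port numbers come from the advisory; the descriptions are our own labels.
SUSPICIOUS_LISTEN_PORTS = {3067: "Korgo.C/D/E/F backdoor listener"}
SUSPICIOUS_REMOTE_PORTS = {6667: "IRC command channel (Protoride / Korgo)"}


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn netstat -an lines into rows; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({
            "proto": parts[0],
            "local": parts[1],
            "foreign": parts[2],
            "state": parts[3] if len(parts) > 3 else "",  # UDP has no state
        })
    return rows


def port_of(endpoint: str) -> Optional[int]:
    """Port of an 'addr:port' endpoint; None for '*:*' style wildcards."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def find_ioc_matches(text: str) -> List[Tuple[str, str]]:
    """(endpoint, reason) for each TCP socket matching a known indicator."""
    hits = []
    for row in parse_netstat(text):
        if row["proto"] != "TCP":
            continue
        lport, fport = port_of(row["local"]), port_of(row["foreign"])
        if row["state"] == "LISTENING" and lport in SUSPICIOUS_LISTEN_PORTS:
            hits.append((row["local"], SUSPICIOUS_LISTEN_PORTS[lport]))
        elif row["state"] == "ESTABLISHED" and fport in SUSPICIOUS_REMOTE_PORTS:
            hits.append((row["foreign"], SUSPICIOUS_REMOTE_PORTS[fport]))
    return hits


if __name__ == "__main__":
    for endpoint, reason in find_ioc_matches(SAMPLE_NETSTAT):
        print(f"{endpoint}: {reason}")
```

Feeding real output in is a matter of replacing the constant with the captured text of `netstat -an`; the same row structure also lets you add the owning process if you capture `netstat -ano` and extend the parser with the PID column.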

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- IRC (Internet Relay Chat): written conversations over the Internet, in
which files can also be transferred.

- Resident / Resident virus: A program or file is referred to as resident
when it is stored in the computer's memory, continuously monitoring
operations carried out on the system.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx