Friday, July 30, 2004

Lovgate.AT, Mydoom.N, Zindos.A and Mabutu.B Viruses

- Weekly report on viruses and intrusions -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, July 30 2004 - This week's report on viruses and intruders looks at four worms (Lovgate.AT, Mydoom.N, Zindos.A and Mabutu.B), a Trojan (Dropper.O), a spy program (Ndrv) and an exploit (MhtRedir.N).

Lovgate.AT is a worm that uses a wide range of propagation techniques, such as email messages, the KaZaA file sharing program, shared network resources, etc. It also opens a backdoor on the computer, and sends a message by email to a remote user letting them know that the system has been infected and is accessible through a backdoor.

The most significant event this week has been the appearance of Mydoom.N. This worm is designed to spread rapidly via email to addresses that it finds in infected computers. However, it also uses the four main Internet search engines to search for all these addresses, thereby trying to saturate them with traffic.

One of them, Google, suffered serious problems for some hours at the beginning of the week. Mydoom.N also uses a communication port to create a backdoor on the infected computer. This backdoor is exploited by the Zindos.A worm in order to spread.

The worm appeared one day after Mydoom.N, which makes it seem likely that both pieces of malicious code are the work of the same person. In addition, Zindos.A launches DDoS (Distributed Denial of Service) attacks against Microsoft's website.

Mabutu.B is a worm that connects to different IRC servers to notify its creator that the computer has been affected and to receive messages from remote users. The email messages that it uses to spread have variable characteristics.

Dropper.O is a Trojan that downloads the Adware/Nsearch application onto the computers it infects. Dropper.O spreads via web pages previously infected by the MhtRedir.N exploit, which was also detected for the first time this week. MhtRedir.N has been designed to exploit a vulnerability in Microsoft Outlook Express, which it uses to install Dropper.O on computers.

Finally, Ndrv is a spyware program offering use of a program in exchange for viewing a series of advertising messages. Ndrv is made up of a DLL which loads along with Internet Explorer, so that every time the browser is opened, the spyware is activated.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

Adware: A program that can be installed for free in exchange for viewing advertising banners while using it.

Exploit: This can be a technique or a program that takes advantage of a vulnerability or security hole in a certain communication protocol, operating system, or other IT utility or application.

More technical definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.