Friday, August 27, 2004

Shruggle Virus, Sasser Virus, Gaobot Worm and Other Viruses

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, August 27, 2004 - This week's report will focus on five malicious codes: a virus, Shruggle.1318; two worms, Sasser.G and Gaobot.AIR; and two Trojans, MhtRedir.S and StartPage.JL.

Shruggle.1318 cannot spread automatically by its own means, but it infects other files. It reaches other computers when previously infected files are distributed through the channels viruses normally use (floppy disks, email messages with attached files, Internet downloads, file transfers via FTP, IRC channels, P2P (peer-to-peer) file sharing networks, etc.).

Shruggle.1318 infects PE (Portable Executable) files, including DLLs (Dynamic Link Libraries), on 64-bit Windows operating systems for AMD64 processors.

The first worm in today's report is Sasser.G, which spreads via the Internet by attacking remote computers through the LSASS vulnerability. To find victims it sends ICMP queries to random IP addresses and then attacks the hosts that respond on TCP port 445. Sasser.G only spreads automatically between computers running Windows XP/2000; on the other Windows operating systems it runs only if the file carrying the worm is executed by a malicious user.

Finally, it is worth highlighting that the buffer overflow Sasser.G triggers in the LSASS.EXE program crashes that process, and Windows restarts the computer as a result.

Gaobot.AIR is a worm that creates a backdoor and uses a range of means of propagation, such as those mentioned below.

- It exploits the LSASS, RPC DCOM and WebDAV vulnerabilities to spread via the Internet.

- It copies itself to the network shares it manages to access.

- It can get into computers running SQL Server with a blank System Administrator (SA) password.

- It can get into computers with the DameWare Mini Remote Control program installed and into computers affected by the following backdoor Trojans: Optix, NetDevil, Kuang and SubSeven.

Gaobot.AIR allows remote control of the computers it affects, enabling an attacker to carry out actions like the following: run commands, download and run files, and capture keystrokes.
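As an added example, not part of the Panda report, the following Python script shows how the propagation traffic of Sasser.G and Gaobot.AIR described above could be spotted in firewall logs. Both worms probe many random hosts on TCP port 445 (LSASS), and Gaobot.AIR also attacks 135 (RPC DCOM) and 1433 (SQL Server with a blank SA password), so the useful signal is fan-out: one source reaching many distinct destinations on one of those ports within a short window, which ordinary file-server or domain traffic (many connections to the same few hosts) does not produce. The log format, the thresholds and the sample lines are constructed assumptions, not real firewall output.

```python
from collections import defaultdict
from datetime import datetime

# Ports attacked by the worms in the report (assumed mapping for the alert text):
# 445 LSASS (Sasser.G, Gaobot.AIR), 135 RPC DCOM (Gaobot.AIR), 1433 SQL Server (Gaobot.AIR).
WORM_PORTS = {445: "LSASS", 135: "RPC DCOM", 1433: "SQL Server"}

# Constructed sample log in an assumed "timestamp src dst dport" format.
# 10.0.0.5 fans out to 8 hosts on 445 in 8 seconds (worm-like).
# 10.0.0.9 hits the same host on 445 six times (normal SMB client).
# 10.0.0.7 touches only 3 hosts on 1433 (below the default threshold).
# 10.0.0.3 reaches 6 hosts on 135 but 3 minutes apart (slow scan).
# One port-80 line is present to show that unrelated ports are ignored.
SAMPLE_LOG = """\
2004-08-27T10:00:00 10.0.0.5 10.0.1.1 445
2004-08-27T10:00:01 10.0.0.5 10.0.1.2 445
2004-08-27T10:00:02 10.0.0.5 10.0.1.3 445
2004-08-27T10:00:03 10.0.0.5 10.0.1.4 445
2004-08-27T10:00:04 10.0.0.5 10.0.1.5 445
2004-08-27T10:00:05 10.0.0.5 10.0.1.6 445
2004-08-27T10:00:06 10.0.0.5 10.0.1.7 445
2004-08-27T10:00:07 10.0.0.5 10.0.1.8 445
2004-08-27T10:00:10 10.0.0.9 10.0.1.1 445
2004-08-27T10:00:11 10.0.0.9 10.0.1.1 445
2004-08-27T10:00:12 10.0.0.9 10.0.1.1 445
2004-08-27T10:00:13 10.0.0.9 10.0.1.1 445
2004-08-27T10:00:14 10.0.0.9 10.0.1.1 445
2004-08-27T10:00:15 10.0.0.9 10.0.1.1 445
2004-08-27T10:01:00 10.0.0.7 10.0.2.1 1433
2004-08-27T10:01:01 10.0.0.7 10.0.2.2 1433
2004-08-27T10:01:02 10.0.0.7 10.0.2.3 1433
2004-08-27T10:02:00 10.0.0.5 10.0.4.1 80
2004-08-27T10:05:00 10.0.0.3 10.0.3.1 135
2004-08-27T10:08:00 10.0.0.3 10.0.3.2 135
2004-08-27T10:11:00 10.0.0.3 10.0.3.3 135
2004-08-27T10:14:00 10.0.0.3 10.0.3.4 135
2004-08-27T10:17:00 10.0.0.3 10.0.3.5 135
2004-08-27T10:20:00 10.0.0.3 10.0.3.6 135
"""


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scanners(log_text, window_seconds=60, min_targets=5):
    """Return {src: {dport: distinct_targets}} for every source that reached
    at least min_targets distinct hosts on one worm port within any
    window_seconds-long sliding window. Repeated hits on the same host do
    not count, which keeps ordinary clients out of the alert list."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    hits = defaultdict(list)  # (src, dport) -> [(ts, dst), ...] in time order
    for ts, src, dst, dport in events:
        if dport in WORM_PORTS:
            hits[(src, dport)].append((ts, dst))

    alerts = {}
    for (src, dport), seq in hits.items():
        best, start = 0, 0
        for end in range(len(seq)):
            # Advance the window start until it spans at most window_seconds.
            while (seq[end][0] - seq[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {dst for _, dst in seq[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_targets:
            alerts.setdefault(src, {})[dport] = best
    return alerts


if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        for dport, n in ports.items():
            print(f"{src}: {n} distinct hosts on tcp/{dport} ({WORM_PORTS[dport]}) "
                  f"within 60 s - possible worm propagation")
```

With the defaults only 10.0.0.5 is reported. Widening the window to 30 minutes also catches the slow 135 scanner, and lowering min_targets to 3 picks up the small SQL Server sweep; the right values depend on how chatty the monitored segment normally is, so tune them against a baseline before alerting on them.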

We are going to finish today's report with MhtRedir.S, a Trojan that exploits the vulnerability described in Microsoft bulletin MS04-013 to run on the affected computer when the user visits a web page with malicious content.

When it is run, MhtRedir.S connects to a certain web page and downloads a file called HELP.CHM. This file contains a Trojan called StartPage.JL, which changes the home page of Internet Explorer and the default search options.

For further information about these and other computer threats, visit Panda Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/