Saturday, May 01, 2004

Howdy,

There's a new scanning virus (remember Blaster?) known as Sasser that's
ripping up the Net.

Here's Panda's alert message:

- Panda Software reports the appearance of Sasser.A -


PandaLabs has detected the appearance of W32/Sasser.A. This worm exploits
the LSASS vulnerability to access remote systems. This is one of the
vulnerabilities published by Microsoft which affects LSASS (published in
bulletin MS04-011 and available at the following address:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx).

Panda Software has received reports of numerous incidents due to this new
worm. Its propagation is on the increase, and right now it is one of the
viruses most frequently detected by Panda ActiveScan.

Its behaviour is similar to Blaster. The worm scans random IP addresses until
it finds systems with this vulnerability. Once found, it copies itself to the
Windows directory with the name AVSERVE.EXE and creates the following
registry entry, to ensure it is launched when the system is booted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

avserve.exe = %windir%\avserve.exe

In addition, exploiting the vulnerability causes a buffer overflow that makes
the LSASS.EXE application crash. Because of this, the system can fail.
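An added defender-side check, not part of Panda's alert: given the text of a `reg export` of the Run key (the .reg file format), it parses the exported values and flags any entry whose data launches avserve.exe, the file name and registry location the alert above describes. The sample export below is constructed for illustration.

```python
import re

# Persistence indicator from the Sasser.A alert above:
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
#   avserve.exe = %windir%\avserve.exe
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INDICATOR_EXE = "avserve.exe"

# One REG_SZ value line of a .reg export:  "name"="data"  (backslashes doubled)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse a Windows .reg export into {key_path: {value_name: data}}.
    Only REG_SZ values are kept; hex/dword values are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def launched_exe(data: str) -> str:
    """Lower-cased basename of the program a Run value launches
    (a quoted path with spaces, or the first token of an unquoted command)."""
    s = data.strip()
    target = s[1:].split('"', 1)[0] if s.startswith('"') else (s.split()[0] if s else "")
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_sasser_persistence(reg_text: str) -> list:
    """Return (value_name, data) pairs under the HKLM Run key that start avserve.exe."""
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    return [(n, d) for n, d in run_values.items() if launched_exe(d) == INDICATOR_EXE]


# Constructed sample: a Run-key export from an infected host, next to a benign entry.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SoundMAX"="C:\\\\Program Files\\\\Analog Devices\\\\SoundMAX\\\\SMTray.exe"
"avserve.exe"="%windir%\\\\avserve.exe"
"""

if __name__ == "__main__":
    for name, data in find_sasser_persistence(SAMPLE_EXPORT):
        print(f"Sasser.A persistence entry found: {name} = {data}")
```

A hit only shows the registry value exists; confirming an infection still means checking for the file in the Windows directory and updating the antivirus as the alert recommends.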

To prevent incidents with Sasser.A, Panda Software advises users to update
their antivirus software. The company has already made the updates to its
products available to users to ensure their solutions can detect and
eliminate this worm. Similarly, users can also detect and disinfect this and
other malicious code using the free, online antivirus, Panda ActiveScan,
which is also available on the company's website at
http://www.pandasoftware.com.

More information on Sasser.A is available in Panda Software's Virus
Encyclopedia, available on the company's website at:
http://www.pandasoftware.com/virus_info/encyclopedia.

Additional information:
- Vulnerability: A flaw or security hole in a program or IT system, often
used by viruses as a means of infection.

- Worm: This is similar to a virus, but it differs in that all it does is
make copies of itself (or part of itself).

More technical terms available on:
http://www.pandasoftware.com/virus_info/glossary

Later gator...

Friday, April 30, 2004

Hi everyone,

The virus war continues unabated across the Net with new viruses being released relentlessly. Any system without a multi-layered defense is at serious risk.

Don't lose your personal information or have your data corrupted. Take precautions!

This week's report on viruses and intrusions focuses on three variants of
Bagle (Z, AA and AB), two variants of Netsky (AA and AB), and the Gimared.A
and Gaobot.PX worms.

Even though they are all variants of the same malicious code, the three new
members of the Bagle worm family have some significant differences. For
example, in order to spread, Bagle.AA uses e-mail messages with variable
characteristics that contain images in the form of attached files with a
JPEG extension. Bagle.AB spreads via P2P file sharing programs as well as
e-mail.

Unlike the two variants above, Bagle.Z does not spread automatically. This
worm needs a malicious user's intervention to reach the affected computer.
The means of transmission it can use include floppy disks, CD-ROMs, e-mail
messages with attached files, Internet downloads, FTP, IRC channels,
peer-to-peer (P2P) file sharing networks, etc.

The three Bagle variants can connect to several web pages that host a
certain PHP script. By doing this, these worms notify their author when a
computer has been affected. They also end processes belonging to antivirus
and firewalls programs, as well as those corresponding to many worms.

Netsky.AA and Netsky.AB are two very similar variants. Both of them spread
via e-mail in a message with variable characteristics and an attached file
with a PIF extension. However, they have different effects: when run,
Netsky.AA displays a fake error message on screen, whereas Netsky.AB deletes
the entries that other worms, like Bagle, insert in the Windows Registry.

Gimared.A is a malicious code that spreads via e-mail. When run on a Windows
NT computer, it displays a message on the screen about the social and
political situation in Cuba, the country where the worm was created.

Gimared.A also notifies the affected user of its presence by sending a
message to the user's mail account.

Gaobot.PX is a dangerous worm that can carry out several actions on affected
computers, as it has been designed to exploit several Windows
vulnerabilities and use backdoors opened by the worms Bagle.A and Mydoom.A
on infected computers.

Gaobot.PX also ends the processes belonging to antivirus programs and
firewalls, leaving infected computers vulnerable to virus attacks. It also
prevents many antiviruses from connecting to the web pages that allow them
to update.

Gaobot.PX connects to specific IRC servers and waits for instructions from
malicious users. In this way, it can download files, run commands or update
itself. It can also steal confidential data, obtain system information and
launch distributed denial of service (DDoS) attacks.

For further information about these and other computer threats, visit Spam Virus Help

Additional information

- Script: The term script refers to files or sections of code written in
programming languages like Visual Basic Script (VBScript), JavaScript, etc.

- IRC (Internet Relay Chat): System that allows users to have written
conversations over the Internet in real time. It is based on a client-server
technology, that is, in order to use it, it is necessary to have a program
(client) that establishes a connection with the computer (server) that
offers the service.

Thursday, April 29, 2004

More on the continuing wave of Netsky virus variations:

PandaLabs has detected the appearance of the W32/Netsky.X worm. This is
another new variant of Netsky, which so far in 2004 has caused numerous
incidents to computers around the world. Its propagation is on the increase,
although it has yet to reach alarming proportions.

Netsky.X is designed to spread, using its own SMTP engine, to as many
computers as possible. It searches for e-mail addresses to send itself to in
files with the following extensions: .eml, .txt, .php, .cfg, .mbx, .mdx,
.asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx,
.pl, .htm, .html, .sht, .oft, .msg, .ods, .stm, .xls, .jsp, .wsh, .xml,
.mht, .mmf, .nch and .ppt.

The X variant of Netsky is transmitted in a message with the following
characteristics:

- The e-mail address of the sender is faked to confuse the recipient.

- The message carrying the virus can appear in various languages depending
on the country indicated in the domain of the recipient's e-mail address.
So, if the domain is .de, .fi, .fr, .it, .no, .pl, .pt or .se, the message
will be in German, Finnish, French, Italian, Norwegian, Polish, Portuguese
or Swedish respectively. If there is a generic domain, the message is in
English. Curiously, if the domain is .tc (Turks and Caicos Islands), the
message includes the text "mutlu etmek okumak belgili tanimlik belge".

- It includes a file with a .pif extension which contains the worm's code.
The file size is 26,112 bytes and it is packed with "tElock".

- Whatever the language, the text encourages the user to open the
attachment.

Netsky.X is programmed to carry out a denial of service attack between April
28 and 30 2004, against www.nibis.de, www.medinfo.ufl.edu and www.educa.ch.

To prevent incidents with Netsky.X, Panda Software advises users to treat
e-mails received with caution and to update their antivirus software. The
company has already made the updates to its products available to users to
ensure their solutions can detect and eliminate this worm. Similarly, users
can also detect and disinfect this and other malicious code using the free,
online antivirus, Panda ActiveScan, which is also available on the company's
website at http://www.pandasoftware.com.

Stay safe...

Tuesday, April 27, 2004

Howdy,

Here's another state-of-the-net virus attack status report:

This week's report on viruses and intrusions focuses on four variants of
Netsky (W, X, Y and Z), two variants of Mydoom (I and J), the Zafi.A worm,
Blaster.H, and a spam message designed to download a Trojan to the computer.

The four new variants of Netsky are very similar to one another. They are
all designed to spread in files attached to e-mail messages with variable
characteristics.

The actions carried out by Netsky.W include deleting entries from the
Windows Registry that are generated when some variants of the Mydoom, Mimail
and Bagle worms attack computers. The X, Y and Z variants try to launch
denial of service attacks against certain web pages.

The I variant of the Mydoom worm spreads via e-mail in a message with
variable characteristics. This worm also launches Distributed Denial of
Service (DDoS) attacks against a web page.

As well as e-mail, Mydoom.J also spreads through the peer-to-peer file
sharing program KaZaA. A characteristic of this worm that can be highlighted
is that it uses a dynamic link library (DLL) which was also used by the
Bugbear.B worm and is detected by Panda Antivirus as Trj/PSW.Bugbear.B.

It is easy to know whether a computer has been infected by either of these
variants of Mydoom, as when they are run, they open Windows Notepad and
display junk data.

Zafi.A is a worm that spreads via e-mail in a message written in Hungarian,
which always has the subject 'kepeslap erkezett!'. This worm ends the
processes belonging to antivirus and firewall programs, among others,
leaving the computer vulnerable to attack from other types of malware.

Zafi.A stops spreading on May 1, 2004 and from this date on, it displays a
window on screen with a political message.

Like its predecessors, Blaster.H exploits a Windows vulnerability known as
'Buffer Overrun In RPC Interface' discovered last July. This worm can get
into computers that have not been correctly patched directly through the
Internet.

When Blaster.H reaches a computer, it creates a backdoor in one of the
communications ports, which it uses to carry out a large number of actions.

Finally, this week a spam message has been detected which tries to get
recipients to visit an advertising page and which also downloads a Trojan to
users' computers.

The characteristics of the message are:

Sender: the name of the sender is variable, although it tries to make
recipients think it has been sent by the BBC or CNN.

Subject: "Osama Bin Laden Captured",

Message text: "Hey, Just got this from CNN, Osama Bin Laden has been
captured! Goto the link below to view the pics and to download the video if
you so wish: (Internet address) "Murderous coward he is". God bless
America!".

The address indicated in the message takes users to what appears to be an
advertising page. However, the page actually contains code that exploits a
vulnerability (detected by Panda antivirus as Exploit/MIE.CHM). This code
downloads and runs a file (detected as VBS/Psyme.C). Finally, a file called
EXPLOIT.EXE, which contains the Trojan Trj/Small.B, is downloaded from the
Internet to users' computers.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:

http://www.pandasoftware.com/virus_info/encyclopedia/

Stay safe out there...

Monday, April 26, 2004


Hi there,

The latest variant of W32/Bagle@MM, W32/Bagle.z@MM is a Medium Risk mass-mailing worm that:

- Attempts to open a backdoor on an infected user's PC

- Spreads by sending itself to email addresses collected from an infected machine

- Attempts to spread using popular file-sharing applications such as KaZaa, Bearshare and Limewire

- Attempts to terminate processes belonging to several anti-virus and firewall applications

Be sure your anti-virus definitions are up-to-date!

Ciao...

Sunday, April 25, 2004

Howdy,

A little info on the Osama virus:

PandaLabs has detected a spam message currently being sent to users which tries to get recipients to visit an advertising page and which also downloads a Trojan to users' computers.

The characteristics of the message are:

From: the name of the sender is variable, although it tries to make recipients think it has been sent by the BBC or CNN.

Subject: "Osama Bin Laden Captured",

Message text: "Hey, Just got this from CNN, Osama Bin Laden has been captured! Goto the link below to view the pics and to download the video if you so wish: (Internet address) "Murderous coward he is". God bless America!".

The address indicated in the message takes users to what appears to be an advertising page.

However, the page contains code that exploits a vulnerability (detected by Panda antivirus as Exploit/MIE.CHM).

The code also downloads and runs a file (detected as VBS/Psyme.C).

Finally, a file called EXPLOIT.EXE, which contains the Trojan Trj/Small.B, is downloaded from the Internet onto users' machines.

Panda Software advises users to treat e-mails received with caution and to update their antivirus software. The company has already made the updates to its products available to users to ensure their solutions can deal with this threat.

Similarly, users can also detect and disinfect malicious code using the free, online antivirus, Panda ActiveScan, which is also available on the company's website at http://www.pandasoftware.com

Later