Thursday, June 17, 2004

New Virus Alerts from panda Software

In this week's report we are going to look at six
worms (Plexus.A, Cult.J and four variants of Korgo), and at Protoride.gen.

Plexus.A spreads via the Internet by exploiting the RPC DCOM and LSASS
vulnerabilities (on computers that have not been patched) and by sending
itself out to the addresses it finds on the local machine and in mapped

Plexus.A overwrites the hosts file, preventing the computer from connecting
to certain web addresses of an antivirus company; as a result, the PC will
not be able to update the protection installed. Plexus.A locates the KaZaA
shared directory and copies itself there, and also creates copies of
itself in the shared folders on the network.

Cult.J spreads via e-mail in a message with the subject: 'Hello, I sent you
a beautiful love card. ^_*' and an attached file called:
'BEAUTIFULLOVE.PIF'. When this file is run, the worm sends a copy of itself
to a series of addresses using its own SMTP engine.

Cult.J goes memory resident and tries to connect to an IRC channel. If it
manages to establish a connection, this malicious code will give an attacker
remote access to the affected computer, allowing the attacker to carry out
the following actions, among others:

- Attacks through IRC.

- Send out confidential and system information.

- Download and run files.

- Send worms to other IRC channels.

Protoride.gen is a generic detection routine for variants of the
Protoride worm, including those that could emerge in the future. The
malicious code in this family has the following characteristics:

- They spread across computer networks by copying themselves to the network
resources they manage to access.

- They connect to an IRC channel through port 6667 and wait for a hacker to
send remote control commands (to download and run files, hide active
processes, uninstall themselves, etc.).

- They modify a Windows Registry entry, preventing EXE files from running.
As a result, certain applications will not work.

The next worms in today's report are the C, D, E and F variants of Korgo,
which spread via the Internet by exploiting the LSASS vulnerability. All
four variants open port 3067 and listen on it. They also try to connect
to IRC servers and are designed to prevent the computer from shutting down.
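As an added, defender-side illustration (not part of Panda's report), the following Python checks constructed sample data for the host-level indicators the report describes: a hosts file that pins antivirus addresses to loopback (Plexus.A), outbound connections to IRC port 6667 (Protoride) and a listener on port 3067 (Korgo.C-F). The hosts-file entries, netstat-style lines, domain names and IP addresses are all constructed placeholders.

```python
"""Added example: flag host-level indicators from the report on constructed
sample data. Antivirus domains and IPs below are placeholders, not real."""

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed hosts file: vendor-style names pinned to loopback (Plexus.A behaviour).
SAMPLE_HOSTS = """# Hosts file
127.0.0.1       localhost
127.0.0.1       update.example-av.test
0.0.0.0         liveupdate.example-av.test   # blackholed
"""

# Constructed netstat-style lines: proto, local address, foreign address, state.
SAMPLE_NETSTAT = """TCP  0.0.0.0:135       0.0.0.0:0          LISTENING
TCP  0.0.0.0:3067      0.0.0.0:0          LISTENING
TCP  192.0.2.10:1045   198.51.100.7:6667  ESTABLISHED
TCP  192.0.2.10:1046   203.0.113.5:80     ESTABLISHED
"""

def hosts_redirects(text):
    """Hostnames pinned to loopback or 0.0.0.0, ignoring the legitimate
    localhost entries; such entries block antivirus update traffic."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINKHOLE_ADDRS:
            hits.extend(n for n in names if n.lower() not in LOCAL_NAMES)
    return hits

def suspicious_sockets(text, listen_ports=(3067,), remote_ports=(6667,)):
    """(kind, port, peer) tuples for listeners on listen_ports (Korgo backdoor
    port) and established connections to remote_ports (IRC control channel)."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 4:
            continue  # header or malformed line
        _proto, local, remote, state = parts
        lport = int(local.rsplit(":", 1)[1])
        rhost, rport = remote.rsplit(":", 1)
        if state == "LISTENING" and lport in listen_ports:
            findings.append(("listener", lport, None))
        elif state == "ESTABLISHED" and int(rport) in remote_ports:
            findings.append(("irc-outbound", int(rport), rhost))
    return findings
```

A port listener or an IRC connection on its own is not proof of infection; the two checks are meant to be combined with the other behaviours the report lists (KaZaA share copies, registry changes) before acting.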

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:

Additional information

- IRC (Chat IRC): These are written conversations over the Internet in which
files can also be transferred.

- Resident / Resident virus: A program or file is referred to as resident
when it is stored in the computer's memory, continuously monitoring
operations carried out on the system.

More definitions of virus and antivirus terminology at:

Wednesday, June 16, 2004

New virus warning - Zafi.B - Panda Labs Alert

- Panda Software warns of the propagation of Zafi.B -
Virus Alerts, by Panda Software

Madrid, June 14 2004 - According to data from PandaLabs, the Zafi.B worm
(first detected last weekend) is now spreading widely around the world.
Although the number of incidents caused by this malicious code is not
alarming, the extent to which it has spread geographically has increased the
risk of computers being infected by Zafi.B.

Zafi.B spreads, using its own SMTP engine, via e-mail to addresses that it
finds in infected computers in files with the following extensions: htm,
wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml and pmr.

Messages carrying Zafi.B have variable characteristics and can be written in
various languages including: English, French, Spanish, German or Italian.
For more details on the e-mails carrying Zafi.B, go to Panda Software's
Virus Encyclopedia at:

If users run the file attached to the message, an Internet Explorer window
opens and tries to connect to or It also
enters several keys in the Windows Registry.

Zafi.B copies itself to the infected computer in two files with random
names. It also creates infected files called "Total Commander 7.0
full_install.exe" or "winamp 7.0 full_install.exe" in directories with
names including the words "share" or "upload".

The worm continually searches for running processes whose names contain the
strings "regedit", "task" or "msconfig" and, on finding them, terminates
them. It also looks for directories that could contain antivirus programs in
order to overwrite all executable files in them with its own code.

To prevent incidents involving Zafi.B, Panda Software advises users to take
precautions and update their antivirus software. Panda Software has made the
corresponding updates available to its clients to detect and disinfect this
new malicious code.

For further information about Zafi.B and other computer threats, visit Panda
Software's Virus Encyclopedia at:

In addition, users can scan their computers online for free with the
ActiveScan solution, available on the company's web page at:

Tuesday, June 15, 2004

PC Security Secrets Mini-Course Day 7 - Secure Clean


The 7 PC Security Secrets Hackers DON'T Want
You To Know But I'm Going To Tell You Anyway.

A 7 Day Mini Course

Greg Reynolds

You or someone else has subscribed to my 7 day mini
course. If this is an error or you would like to
un-subscribe just go to the bottom of this message
for instructions.


Day 7

How to Securely Clean Your PC

Remember back on Day One of this course when I told
you that a large amount of your personal data gets stored
in unerasable files on your PC?

That's right. Ordinary file deletion doesn't actually
remove files permanently.

In addition, all your online activity since day one is
stored in your index.dat file.

Every website you've ever visited is there. Every image
file you've ever downloaded is still on your computer even if
you've "deleted" it.

Any information you've ever entered in an online form is
still stored on your computer. All of this data is just
sitting there on your hard drive waiting for someone to
access it.

You can delete temporary files in your browser, you can
clear history, you can think you've deleted information, but
it's all still there.

When you think about it, this is a big problem for
companies when they dispose of their old PCs. Hackers love
hitting the disposal auctions and scarfing up tons of
valuable data left behind.

It's all easily accessible with simple tools. It's also
easily accessible to anyone who hacks into the system
remotely or even just accesses your keyboard.

The only way to securely clean your PC is to run special
utility software periodically that wipes all traces of things
you don't want left behind.

Secure PC Cleaning Solution

There are two programs I recommend for anyone who wants
to really protect all the information they've accessed or
entered on their computer.

The first is History Kill:

The second is CyberScrub:

Of the two, CyberScrub is the stronger product. It's
Department of Defense certified for use on military equipment
while it's deployed and mandatory for use when those computers
are retired from service.

Both offer no-charge looks at how they perform. They're
both highly recommended to close the final hole in your PC.

I hope you've enjoyed this mini-course. If you have, please
recommend us to your friends and associates.

Take care and stay safe.

Greg Reynolds

Next up:

Net Sense Monthly Newsletter

Monday, June 14, 2004

PC Secrets Mini-Course Day 6: Personal Firewalls


Day 6

Personal Firewalls Keep Evil At Bay

Firewalls are an essential protective measure. Every
corporation has them in place and for good reason.

Hackers can probe your ports and easily access those
that aren't locked down. And it's not hard to find systems
to probe.

Remember those hacking tools I told you about that are
offered for sale cheap on eBay? Well they're also offered
in stronger versions on underground sites frequented by
low lifes and criminals.

A good scanner can search 10,000 systems in one night.
That's right. One kid can search 10,000 systems automatically
in a single night.

Think you've got your PC locked up tight? Head on over
to Steve Gibson's website and test your system with his
famous Shields UP tool.

You'll find that most of your 65,000 ports are wide open
to anyone scanning your IP address. And don't think that
hiding behind a DSL router or a cable modem is any great
protection either.

Once a hacker gets a confirmed ping from an open port,
they simply use another automated tool to execute a buffer
overflow on your system to gain control.

Buffer overflows are the Achilles' heel of all Windows
PCs. By simply feeding your system more data than a particular
procedure call can handle, an attacker gains "root" access.

Hackers take great pride in their "Got Root?" conquests
because root access means full system admin privileges. They
can take any data they want and send it anywhere they want.

The good ones know how to erase their tracks afterward
so you never know they've even been there.

How do you protect yourself?

Your Personal Firewall Solution

The only firewall software that passes Steve Gibson's
rigorous testing with flying colors is also the top-selling
firewall program.

That's Zone Alarm Pro from Zone Labs.

You can read our review here:

Or you can jump on over to Zone Alarm HQ:

That's all for today. See you tomorrow with more good stuff.

Greg Reynolds