Friday, June 25, 2004

Six New Korgo Virus Variants Spotted

Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, June 25 2004 - This week's report will focus on six Korgo variants,
the Downloader.JH Trojan and a hacking tool called IPScanner.A.

Like their predecessors, the Korgo variants covered in this report (T, S, R,
Q, P, O and N) exploit the Windows LSASS vulnerability to spread
automatically to other computers over the Internet. Although these malicious
codes affect all Windows platforms, they can only spread automatically to
Windows XP/2000 computers.

Korgo variants S, R, Q, P and O connect to several websites in an attempt to
download files from them, and also report to those websites the country in
which the affected computer is located. Korgo.T opens port 3067 and listens
on it, waiting to receive a file, which it then runs on the affected
computer. It also tries to connect to several IRC servers so that remote
control commands can be run on the computer.

To go unnoticed by users, and unlike other malicious code that exploits the
LSASS vulnerability, these Korgo variants do not display an error message
with a countdown clock and do not restart the affected computer.
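A defender-side check for the network behaviour described above. The following Python is added here as an example and is not part of Panda Software's report or products: it parses netstat-style output (a constructed sample) and flags a TCP listener on port 3067 as well as established sessions to common IRC ports (the IRC port list is an assumption; the report names no IRC port).

```python
"""Flag the Korgo.T network indicators described in the report (added example):
a TCP listener on port 3067 and established connections to IRC ports."""
import re
from dataclasses import dataclass

KORGO_LISTEN_PORT = 3067               # port named in the report
IRC_PORTS = {6667, 6668, 6669, 7000}   # assumption: common IRC ports, not from the report

# Matches Windows "netstat -an" rows; the state column is absent for UDP rows.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\w+))?", re.IGNORECASE)


@dataclass
class Finding:
    kind: str     # "listener_3067" or "irc_connection"
    local: str    # local address:port
    remote: str   # remote address:port


def parse_netstat(text):
    """Yield (proto, local_host, local_port, remote_host, remote_port, state) per row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, lhost, lport, rhost, rport, state = m.groups()
        rport = None if rport == "*" else int(rport)
        yield proto.upper(), lhost, int(lport), rhost, rport, (state or "").upper()


def find_korgo_indicators(netstat_text):
    """Return the rows that match the report's description of Korgo.T."""
    findings = []
    for proto, lhost, lport, rhost, rport, state in parse_netstat(netstat_text):
        if proto != "TCP":
            continue
        if lport == KORGO_LISTEN_PORT and state == "LISTENING":
            findings.append(Finding("listener_3067", f"{lhost}:{lport}", f"{rhost}:{rport}"))
        elif state == "ESTABLISHED" and rport in IRC_PORTS:
            findings.append(Finding("irc_connection", f"{lhost}:{lport}", f"{rhost}:{rport}"))
    return findings


# Constructed sample output, not captured from a real infected host.
SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1052      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1060      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:3067           *:*
"""

if __name__ == "__main__":
    for f in find_korgo_indicators(SAMPLE):
        print(f"{f.kind}: {f.local} -> {f.remote}")
```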

The Trojan in today's report is Downloader.JH, which obtains information
from the affected computer and downloads a dialer onto it (detected by Panda
Software as Dialer.DA). It also creates the following files on the target
computer: D1K.EXE, OLE32WS.DLL and CAX.CAB.

Downloader.JH is difficult to recognize, as it displays no messages or
warnings indicating that it has reached the computer. The Trojan cannot
spread automatically by its own means; it needs the attacker's intervention
to reach affected computers through various means of transmission (floppy
disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP,
IRC channels, peer-to-peer (P2P) file-sharing networks, etc.).

We are going to finish this week's report with IPScanner.A, a tool designed
to monitor computers within Microsoft networks. IPScanner.A does not show
any messages or warnings that reveal its presence on the affected computer.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Dialer: this is a program that is often used to maliciously redirect
Internet connections. When used in this way, it disconnects the legitimate
telephone connection used to hook up to the Internet and re-connects via a
premium rate number. Often, the first indication a user has of this activity
is an extremely expensive phone bill.

- Hacking tool: a program that a hacker can use to carry out actions that
cause problems for the user of the affected computer (controlling the
affected computer remotely, stealing confidential information, scanning
communication ports, etc.).

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

Tuesday, June 22, 2004

McAfee VirusScan Detects 98.9% of Dialer Trojans

Dialers Ring Up Hijacked Phone Charges
Also known as "drive-by downloads", Web Dialers (often sporting garish names like XXXDial or CashDialer) prey on dial-up account users running unpatched Windows operating systems, older versions of Internet Explorer, or PCs without good anti-virus software.

The scam is devilishly simple: simply by visiting a site, you can be targeted and have your online session redirected to an expensive ISP, in the blink of an eye and without your immediate knowledge.

Some pages are more brazen, asking unsuspecting surfers to "Click here to see adult content" or "Play a game", which trigger the download of nefarious payloads in the background.

"Most Web Dialers don't ask permission before they drop a piece of executable code", explained Bryson Gordon, senior product manager for McAfee VirusScan. "Regardless, they all instantly disconnect your session, then reconnect you to another service. You notice nothing, until a month later when your phone bill arrives with unexpected charges."

The threat is huge. "We've detected about 250,000 different Web Dialers, many spawned by organized crime in Eastern Europe," Gordon added. "And since August 2003, we've noted 4 million computers affected. It's not uncommon to have victims report $5,000 charges on their phone bill. Some Dialers redirect to services charging up to $500 per minute."

The Best Way to Hang Up on Web Dialers

- Follow a key anti-virus best practice: always update your OS with the latest patches from Microsoft.

- Install spyware detection. For example, McAfee VirusScan detects and then deletes a range of intrusive spyware, from Web Dialers and adware to key loggers, which secretly steal passwords, log-ins and credit card numbers.

"A recent German study comparing spyware detection by 15 anti-virus products put VirusScan at No. 1, with the highest Web Dialer detection rate, 98.9%," said Gordon, "far ahead of Symantec at just 65%."

- Regularly run on-demand spyware scans, especially if you frequent online adult or gaming destinations.

Monday, June 21, 2004

New Cabir Virus Hits Cellphones - First To Do So!

Madrid, June 18, 2004 - This week's report will focus on Cabir, the first
worm capable of spreading through mobile phones, two Trojans (StartPage.FH
and Downloader.HC) and a joke called Argen.

Cabir starts a new era in IT security, as it is the first worm capable of
spreading through mobile phones. It affects devices running under the
Symbian operating system used in many phones manufactured by companies like
Nokia, Siemens and Sony Ericsson.

Cabir spreads in a file called Caribe.sis, which is installed on the system
automatically once the user accepts the transfer. When it is launched, it
displays the message "Caribe" on screen. It then starts a constant search
for other phones that also have Bluetooth enabled, and this process
significantly reduces the phone's battery operating time.

The two Trojans in today's report are StartPage.FH and Downloader.HC. In
order to reach the affected computer, they need the attacker's intervention.
They can spread through many different means of transmission (floppy disks,
CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC
channels, peer-to-peer (P2P) file sharing networks, etc.).

StartPage.FH changes the home page of Internet Explorer. It also shows false
messages on screen warning the user that the computer is infected by
different spyware and adware programs. It does this to trick the user into
accessing certain web pages. When these pages are accessed, messages are
displayed on screen asking for permission to install other malware or
programs like eAcceleration and eAnthology. As long as the computer is
affected by StartPage.FH, the original home page cannot be restored.

Downloader.HC downloads onto the affected computer the adware detected by
Panda Software as Lop, which adds a toolbar to Internet Explorer.
Downloader.HC also modifies the home page and several search options of
Internet Explorer and adds several links to the Favorites folder.
Occasionally, when the user closes the browser window, it displays
advertisements.

We are going to finish this week's report with Argen, a joke that displays
several windows on screen as it opens the CD-ROM drive. When the user clicks
on the 'OK' button, the CD-ROM drive closes. Once Argen is run, the user
will not be able to use the computer until its actions have finished.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Joke: a program that displays false messages on screen warning the user
that destructive actions will be carried out on the computer, pretends to
carry out these actions, or modifies the settings of the screen, mouse, etc.

- Spyware: a program that is automatically installed along with another
(usually without the user's permission and often without the user noticing)
and which collects personal data (Internet access details, actions carried
out while browsing, pages visited, programs installed on the computer, etc.).

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx