Friday, July 30, 2004

Lovgate.AT, Mydoom.N, Zindos.A and Mabutu.B Viruses

- Weekly report on viruses and intrusions -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, July 30 2004 - This week's report on viruses and intruders looks at four worms (Lovgate.AT, Mydoom.N, Zindos.A and Mabutu.B), a Trojan (Dropper.O), a spy program (Ndrv) and an exploit (MhtRedir.N).

Lovgate.AT is a worm that uses a wide range of propagation techniques, such as email messages, the KaZaA file sharing program, shared network resources, etc. It also opens a backdoor on the computer, and sends a message by email to a remote user letting them know that the system has been infected and is accessible through a backdoor.

The most significant event this week has been the appearance of Mydoom.N. This worm is designed to spread rapidly via email to addresses that it finds on infected computers. However, it also queries the four main Internet search engines to look for more of these addresses, thereby attempting to saturate them with traffic.

One of them, Google, suffered serious problems for some hours at the beginning of the week. Mydoom.N also uses a communication port to create a backdoor on the infected computer. This backdoor is exploited by the Zindos.A worm in order to spread.

Zindos.A appeared one day after Mydoom.N, which makes it seem likely that both malicious codes are the work of the same person. In addition, Zindos.A launches DDoS (Distributed Denial of Service) attacks against Microsoft's website.

Mabutu.B is a worm that connects to different IRC servers to notify its creator that the computer has been affected and to receive messages from remote users. The email messages that it uses to spread have variable characteristics.

Dropper.O is a Trojan that downloads the Adware/Nsearch application onto the computers it infects. Dropper.O spreads via web pages previously infected by the MhtRedir.N exploit, which was also detected for the first time this week. MhtRedir.N has been designed to exploit a vulnerability in Microsoft Outlook Express, which it uses to install Dropper.O on computers.

Finally, Ndrv is a spyware program offering use of a program in exchange for viewing a series of advertising messages. Ndrv is made up of a DLL which loads along with Internet Explorer, so that every time the browser is opened, the spyware is activated.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

Adware: A program that can be installed for free in exchange for viewing advertising banners while using it.

Exploit: This can be a technique or a program that takes advantage of a vulnerability or security hole in a certain communication protocol, operating system, or other IT utility or application.

More technical definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

Tuesday, July 27, 2004

New MyDoom virus variant strikes the Net:

What is it?

W32/Mydoom.o@MM is a Medium-On-Watch mass-mailing worm that tries to open a hacker backdoor on your PC. Often pretending to be a bounced email alert, the worm arrives inside an attachment then spreads by sending itself to stolen contacts and via peer-to-peer programs.
Up-to-date McAfee VirusScan users with DAT 4381 are protected from this threat.

Note: To fortify anti-virus defense against viruses that carry backdoor payloads, we recommend installing McAfee Personal Firewall Plus.

What should I look for?

FROM: Varies. Examples: "Bounced mail," "MAILER-DAEMON," "Mail Administrator". Often spoofed.

SUBJECT: Varies. Examples: delivery failed, Message could not be delivered, Mail System Error - Returned Mail

BODY: Example: We have received reports that your account was used to send a large amount of junk email messages during the last week.

ATTACHMENT: Examples: README, INSTRUCTION, TRANSCRIPT

How do I know if I've been infected?
The worm installs itself as JAVA.EXE in an infected computer's Windows directory and leaves TCP port 1034 open.
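As an added illustration (not part of the McAfee alert, and not McAfee code), a small Python triage routine that checks a raw message against the From, Subject, body and attachment characteristics listed above, plus a second function that checks `netstat -an` style lines and a Windows-directory listing for the two infection signs. The sample message, the indicator tuples and the helper names are constructed for this example.

```python
import email
from email import policy
# Indicators quoted from the alert above (illustrative); SAMPLE_MESSAGE is constructed, not a real capture
FROM_HINTS = ("bounced mail", "mailer-daemon", "mail administrator")
SUBJECT_HINTS = ("delivery failed", "message could not be delivered", "mail system error - returned mail")
ATTACHMENT_STEMS = ("readme", "instruction", "transcript")
BODY_HINT = "your account was used to send a large amount of junk email"

SAMPLE_MESSAGE = """\
From: MAILER-DAEMON <postmaster@example.invalid>
Subject: Mail System Error - Returned Mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We have received reports that your account was used to send a large
amount of junk email messages during the last week.
--b1
Content-Type: application/octet-stream; name="README.zip"
Content-Disposition: attachment; filename="README.zip"

--b1--
"""

def triage_message(raw: str) -> list[str]:
    """Return which of the alert's mail indicators a raw RFC 822 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for label, header, hints in (("from", "From", FROM_HINTS), ("subject", "Subject", SUBJECT_HINTS)):
        if any(h in str(msg.get(header, "")).lower() for h in hints):
            hits.append(label)
    body = msg.get_body(preferencelist=("plain",))  # attachment parts are skipped
    if body is not None and BODY_HINT in " ".join(body.get_content().split()).lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.split(".", 1)[0] in ATTACHMENT_STEMS:  # README.zip, TRANSCRIPT.exe, ...
            hits.append("attachment:" + name)
    return hits

def host_indicators(netstat_lines, windows_dir):
    # Host-side signs from the alert: a listener on TCP 1034 and JAVA.EXE in the Windows directory
    hits = []
    for fields in (line.split() for line in netstat_lines):
        if len(fields) >= 4 and fields[0] == "TCP" and fields[1].endswith(":1034") and fields[3] == "LISTENING":
            hits.append("tcp-1034-listening")
    if any(name.lower() == "java.exe" for name in windows_dir):
        hits.append("java.exe-in-windows-dir")
    return hits
```

Matching on these strings alone is a triage aid, not proof of infection; a match should be confirmed with an up-to-date scanner.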

Why am I receiving so many alerts?
It's our policy to notify McAfee customers or those who have opted-in to receive alerts of new viruses or serious variants (e.g., W32/Mydoom.o@MM), which often come in waves.

How do I find out more?
View details about W32/Mydoom.o@MM here.