- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, November 19 2004 - This week's virus report looks at five worms-Sober.I, Bagle.BG, Yanz.A, Drew.A and Aler.A-, and a Trojan called Msnsoug.A.
Sober.I is sent by email using its own SMTP engine, in a message either inGerman or English depending on the recipient. It gets email addresses from the infected computer and stores them in files. In order to ensure it is run whenever the computer is started up, it creates several entries in theWindows registry.
Bagle.BG sends itself out in emails with variable characteristics. The action it takes includes opening and listening on TCP port 2002. It acts as a backdoor allowing access to the infected computer. Bagle.BG also terminates processes belonging to certain applications that update antivirus solutions, leaving the computer vulnerable to future attack.
Yanz.A is an email worm that spreads in messages with highly variable characteristics and which displays false sender addresses. It can also useP2P file-sharing programs to spread creating files, with variable names, with copies of itself in folders whose name contains the letters 'shar'.
Both the messages and the shared files it creates, make reference to theChinese singer Sun Yan Zi. Should the file containing the worm be executed, Yanz.A displays a small window with the text "Kernel Hatasi". It also opens and listens on TCP port67. Through this port it will try to download all shorts of malware whichYanz.A will immediately execute.
Drew.A spreads both via email and P2P applications. In the first case ituses its own SMTP engine to send messages with a highly variable format. Both the message subject and text, along with the name of the attachment are chosen at random from a list of options. To spread via P2P applications, Drew.A searches all folders with the text 'share' and copies itself to these folders using names aimed at enticing users such as "Cameron Dias.scr","Delphi 8 keygen.com" and "DrWeb 4.32 Key.com".
If a user runs one of the attachments with Drew.A, this worm creates two files on the affected computer with copies of itself. At the same time, itsends itself to all entries in the users address book and deletes all fileswith HTM or TXT extension that it finds on the computer.
The last worm we'll look at today is Aler.A which, although it first appeared a few days ago, has been distributed massively over the last week in email messages.
The messages have the subject "Latest News about Arafat!!!", and include two attachments. One of them is an image file with a picture of the funeral of the Palestinian politician.
The other however, contains code designed to exploit a vulnerability in Internet Explorer. Through this flaw, it automatically installs the Aler.A worm which is designed to spread across inadequately protected networks.
Today's report ends with Msnsoug.A, a Trojan that does not spread under its own steam. Once it has infected a computer, it waits for a user to start a MSN Messenger session and sends -to all contacts active at that moment- a text message in Portuguese.
