Monday, January 17, 2005

Lasco.A Mobile Phone Virus and WmvDownloader Update

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, January 14 2005 - This week's virus report looks at three vulnerabilities, two Trojans (WmvDownloader.A and WmvDownloader.B) and two worms (Lasco.A and Gaobot.CKP).

We start this report by looking at three security problems, for which Microsoft has this week published the corresponding patches.

- A vulnerability in Windows HTML Help that could allow hackers to take control of a computer with the same privileges as the user that started the session. It could be exploited by the creation of a specially designed web page and affects computers with Windows 2003/XP/2000/NT/Me/98.

- A security problem in the format of Windows icons and cursors. A user could exploit it to take control of a vulnerable computer by hosting a specially created icon or cursor on a malicious web page or HTML email. It affects computers with Windows 2003/XP/2000/NT/Me/98.

- A vulnerability in the Index Server service, which allows remote code execution and privilege escalation. It affects computers with Windows XP (without Service Pack 2) and Windows 2003.

WmvDownloader.A and WmvDownloader.B are two Trojans that spread across P2P networks in the form of video files with the extension ".wmv".

In order to spread, WmvDownloader.A and WmvDownloader.B use Windows Media Digital Rights Management (DRM), a technology that demands a valid license number when a protected Windows Media file is run.

If a user runs a video file infected with WmvDownloader.A or WmvDownloader.B, the Trojans simulate the download of the corresponding license from certain web pages.

However, what they really do is redirect users to other addresses from which malicious applications like adware, dialers or spyware are downloaded.


The first worm we'll look at today is Lasco.A, which spreads to cell phones using the Symbian operating system.

Although at first it targeted Nokia 60 series phones, it can also target other devices using the same software.

Lasco.A uses the following means of propagation:

1.- Via Bluetooth (technology that allows wireless connection between devices over short distances). When executed, Lasco.A starts a search for other devices connected using Bluetooth and if it finds any, it sends a copy of itself in a file called VELASCO.SIS.

When the device to which it has sent a file is out of range of Bluetooth, Lasco.A searches for others to infect.

2.- Inserting its code in all SIS files on the affected device. When these files are distributed and run on new devices, these are then infected by Lasco.A.

In order to be able to spread, Lasco.A requires intervention from users, as they receive a message announcing the fact that it has been received. If the users accept this message, the worm installs itself on the device.

We end today's report with Gaobot.CKP, a worm that spreads by making copies of itself in shared resources on the network and exploits the LSASS, RPC DCOM and WebDAV vulnerabilities.

It can also enter computers running SQL Server whose System Administrator account password is blank, and computers running DameWare Mini Remote Control. Finally, Gaobot.CKP also accesses computers affected by the following malware: Bagle.A, Mydoom.A, Optix, NetDevil, Kuang and SubSeven.

Gaobot.CKP lets attackers take remote control of the computer it affects, allowing them to execute commands, download and execute files, log keystrokes and carry out Distributed Denial of Service (DDoS) attacks.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/