Saturday, January 29, 2005

Report on worms Crowt.A, Mydoom.AG, Cisum.A, Bagle.BK and Bagle.BL.

Crowt.A is a worm that spreads via email in messages that contain texts made up of the headlines on CNN's website. This malicious code is designed to create a backdoor in affected computers in order to receive commands from remote attackers.

What's more, Crowt.A installs a keylogger that can be used to steal personal or confidential data, such as passwords entered by the user to access online banking services. Crowt.A also deletes the cookies stored on the computer and opens the Internet browser at a certain website.

Mydoom.AG is a new variant of a worm that, almost a year ago, caused a worldwide epidemic. This malicious code modifies the HOSTS file so that the affected user cannot access the websites of certain antivirus manufacturers, which prevents the computer from downloading signature updates or cleanup tools. It also ends the processes belonging to different antivirus programs and spreads via email and peer-to-peer (P2P) file sharing programs.
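The HOSTS-file trick described above is easy to check for, because the worm has to leave its changes in a plain text file. The following script is an added example, not code from the report or from any vendor; it parses HOSTS-format text and reports every security-vendor hostname that has been pointed at a loopback or null address. The vendor watch-list, the sample HOSTS content and the Windows path are assumptions for illustration (the watch-list should be extended to the vendors actually used in your environment).

```python
"""Audit a Windows HOSTS file for entries that black-hole security-vendor sites.

Worms in the Mydoom family append lines such as '127.0.0.1 www.symantec.com'
so the infected computer can no longer reach antivirus update servers.  This
script parses HOSTS-format text and reports any hostname on a watch-list of
vendor domains that resolves to a loopback or null address.
"""
import ipaddress
import os
import sys

# Constructed watch-list (assumption): domains a worm would typically block.
SECURITY_VENDOR_DOMAINS = {
    "symantec.com", "mcafee.com", "pandasoftware.com", "sophos.com",
    "trendmicro.com", "kaspersky.com", "f-secure.com", "windowsupdate.com",
}

# Addresses that make a name unreachable rather than redirecting it.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample file (assumption), mimicking a worm's appended lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# lines below appended by a Mydoom-style worm
127.0.0.1 www.symantec.com symantec.com
0.0.0.0   liveupdate.symantec.com
127.0.0.1 www.pandasoftware.com
10.0.0.5  intranet.example.com   # legitimate local override, must not be flagged
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in HOSTS-format text.

    Handles full-line and trailing '#' comments, blank lines, malformed lines
    and several hostnames on one line, all of which the HOSTS format permits.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed; skip rather than crash on attacker-written input
        address, hostnames = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an IP literal, cannot be a valid mapping
        for host in hostnames:
            yield address, host.lower().rstrip("."), line_no


def _matches_vendor(hostname):
    """True if hostname is a watch-listed domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in SECURITY_VENDOR_DOMAINS)


def find_blocked_vendors(text):
    """Return sorted (line_no, address, hostname) tuples for sink-holed vendor hosts."""
    hits = []
    for address, host, line_no in parse_hosts(text):
        if address in SINKHOLE_ADDRESSES and _matches_vendor(host):
            hits.append((line_no, address, host))
    return sorted(hits)


def audit_hosts_file(path):
    """Read a HOSTS file from disk and return the findings for it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_blocked_vendors(fh.read())


if __name__ == "__main__":
    # Default location of the Windows HOSTS file; pass another path as argv[1].
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    findings = audit_hosts_file(target) if os.path.exists(target) \
        else find_blocked_vendors(SAMPLE_HOSTS)
    for line_no, address, host in findings:
        print(f"line {line_no}: {host} -> {address}")
```

Matching on the final address rather than on the hostname alone matters: a legitimate entry that maps a vendor name to a real internal mirror should not be reported, while a mapping to 127.0.0.1 or 0.0.0.0 has no honest purpose for a vendor's update host.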

Cisum.A is a worm whose most distinguishing action is that it insults the user by displaying a screen with the text 'YOU ARE AN IDIOT' while playing an MP3 audio file that repeats the same sentence.

Unlike the other worms in this report, Cisum.A does not spread by email; it can only spread automatically across computer networks. If a network user runs the file carrying Cisum.A, it copies itself under the name ProjectX.exe to the root directory of the shared network drives on the computer.

Cisum.A also ends the processes belonging to antivirus programs and other IT security applications, leaving the computer vulnerable to possible attacks from other viruses and hackers. What's more, it creates several entries in the Windows Registry in order to ensure that it is run whenever the affected computer is started up.

Finally, the BK and BL variants of the notorious Bagle worm reach computers in email messages in which the address of the sender of the message has been spoofed, and with a subject selected at random from a list of options. Some examples of these subjects are: 'Delivery by mail' or 'Delivery service mail'.

The message body contains texts like: 'Before use read the help' or 'Thanks for use of our software'. The names of the files attached to these messages, which actually contain the code of these worms, are variable but always have a COM, CPL, EXE or SCR extension.

In order to spread via P2P applications like KaZaA or Morpheus, these worms create copies of themselves under names like ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero7.exe, to name a few.

If a file carrying any of these worms is run, they automatically send themselves out to all the email addresses they find in files with certain extensions stored on the affected computer, using their own SMTP engine. What's more, these variants of Bagle end the processes running in memory belonging to various antivirus programs and other security applications.
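Because the worm mails itself with its own SMTP engine and a spoofed sender, the sending address is worthless as a filter; the traits that survive are the ones listed above: a canned subject or body phrase and an attachment whose final extension is COM, CPL, EXE or SCR. The following mail-gateway triage routine is an added example, not code from the report or from any vendor. It parses a raw RFC 822 message with Python's standard library and returns the reasons it should be quarantined. The phrase lists are only the examples quoted in the report, and the sample messages are constructed for illustration.

```python
"""Triage an e-mail for the Bagle.BK/BL traits: an executable attachment
(COM, CPL, EXE or SCR) and a subject or body taken from the worm's phrase list.
Standard library only; parses the message as RFC 822 text.
"""
import email
import os
from email import policy

# Final extensions the report says the attachment always carries.
RISKY_EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}

# Phrases quoted in the report (assumption: the worm's full table is larger).
KNOWN_SUBJECTS = {"delivery by mail", "delivery service mail"}
KNOWN_BODY_PHRASES = ("before use read the help", "thanks for use of our software")

# Constructed sample (assumption): spoofed sender, canned subject and body,
# double-extension attachment.  The base64 payload is a harmless stub, not a worm.
SAMPLE_MESSAGE = """\
From: "Delivery Service" <spoofed@example.com>
To: victim@example.org
Subject: Delivery service mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Thanks for use of our software.
--b1
Content-Type: application/octet-stream; name="info.doc.scr"
Content-Disposition: attachment; filename="info.doc.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""

# Constructed benign message (assumption) for the negative case.
BENIGN_MESSAGE = """\
From: alice@example.com
To: bob@example.org
Subject: Lunch

See you at noon.
"""


def attachment_names(msg):
    """Return the filenames of all non-container parts that declare a name."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def has_executable_extension(filename):
    """Check only the final extension: 'info.doc.scr' is still a screensaver."""
    return os.path.splitext(filename.lower())[1] in RISKY_EXTENSIONS


def triage(raw_message):
    """Return a list of reasons to quarantine; an empty list means no match."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches Bagle phrase list")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(phrase in body for phrase in KNOWN_BODY_PHRASES):
        reasons.append("body matches Bagle phrase list")

    for name in attachment_names(msg):
        if has_executable_extension(name):
            reasons.append(f"executable attachment: {name}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, triage(raw) or "clean")
```

The attachment check is the durable part of this: subjects and body phrases change with every Bagle variant, whereas a COM, CPL, EXE or SCR file arriving by email is worth stopping whatever the text around it says. Checking only the last extension also defeats the double-extension trick (a name like photo.jpg.scr), which hides the real type from users whose mail client truncates long filenames.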