Friday, January 07, 2005

Virus Alert: Winxor.A, Breacuk.E and Asan.A.

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, January 7, 2005 - This week's report will focus on Winxor.A, Breacuk.E and Asan.A.

Winxor.A is the first malicious code designed to exploit a vulnerability in the WINS service, which allows arbitrary code to be run on Windows 2003/XP/2000/NT/Me/98/95 servers.

Winxor.A can also affect computers running Windows 2003/XP/2000/NT/Me/98/95.

Winxor.A connects to an IRC server and waits for control commands (such as downloading files or running programs).

When the author of this malicious code gives the order, Winxor.A scans IP addresses in order to find open ports. If these belong to servers that are affected by this security flaw, it installs an FTP server on port 36010 and uses it to transfer itself to these computers.

When it has reached a computer, Winxor.A carries out the following actions:

- It creates two files: CCEVTMNGR.EXE, which is a copy of itself, and CCSETMNGR.EXE, which is a component that looks for remote computers affected by the vulnerability in the WINS service in order to try to exploit it.

- It generates several entries in the Windows Registry in order to ensure that it is run whenever the computer is started and thereby registers as a Windows service.

Breacuk.E is a worm that spreads via the P2P (peer-to-peer) file sharing program KaZaA. To do this, it follows the routine below:

- It creates a directory called SOFTWARE KINGS AND QUEENS in the Windows directory and shares it through KaZaA.

- In this directory it creates multiple copies of itself under attractive names, so that other users download them, thinking that they are games or other applications.

However, when the downloaded file is run, the computer will be infected by Breacuk.E.

Breacuk.E deletes files with certain extensions, including: EXE, DLL, OCX and BMP, preventing certain applications from working correctly.

What's more, this malicious code causes problems when the affected computer is switched on.
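The indicators this report gives for Winxor.A (the two file names and the FTP listener on port 36010) and for Breacuk.E (the shared directory name) can be checked against a host snapshot. The following is an added example, not code from Panda Software: the function name, the sample file listing and the `netstat -an` rows are constructed for illustration, and the `system32` location is an assumption, since the report does not say where the files are written.

```python
import ntpath
import re

# Indicators taken from the report text above.
WINXOR_FILES = {"ccevtmngr.exe", "ccsetmngr.exe"}
WINXOR_FTP_PORT = 36010
BREACUK_DIR = "software kings and queens"

# A listening TCP row in Windows `netstat -an` output.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.I)


def triage(file_paths, netstat_lines):
    """Map each family to the sorted evidence found in a host snapshot."""
    hits = {"Winxor.A": set(), "Breacuk.E": set()}
    for raw in file_paths:
        path = raw.strip()
        # Windows file names are case-insensitive, so compare in lower case.
        if ntpath.basename(path).lower() in WINXOR_FILES:
            hits["Winxor.A"].add("file " + path)
        parts = path.split("\\")
        for i, part in enumerate(parts):
            if part.lower() == BREACUK_DIR:
                # Report the directory once, however many copies it holds.
                hits["Breacuk.E"].add("dir " + "\\".join(parts[: i + 1]))
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        # Only a local listener counts; outbound connections are ignored.
        if m and int(m.group(1)) == WINXOR_FTP_PORT:
            hits["Winxor.A"].add("listener on TCP %d" % WINXOR_FTP_PORT)
    return {family: sorted(ev) for family, ev in hits.items() if ev}


# Constructed sample input (not captured from a real host).
SAMPLE_FILES = r"""
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\CCEVTMNGR.EXE
C:\WINDOWS\Software Kings and Queens\game_setup.exe
C:\WINDOWS\Software Kings and Queens\player_full.exe
""".splitlines()

SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36010          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:36010         ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    for family, evidence in triage(SAMPLE_FILES, SAMPLE_NETSTAT).items():
        print(family, "->", "; ".join(evidence))
```

A listener on port 36010 alone is weak evidence and is best read together with the file-name matches.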

We are going to finish this week's report with Asan.A, a worm that affects servers with a vulnerable version of the program phpBB installed, and that have already been attacked by a worm detected by Panda Software as PHP/Santy.A.worm.

In this case, it removes the vulnerability from the server, although this could lead to loss of certain functionalities.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/