Saturday, January 22, 2005

- Weekly report on viruses and intruders - Virus Alerts, by Panda Software

Madrid, January 21, 2005 - This week's virus report looks at three worms (Bropia.A, Zar.A and Mydoom.AE) and at Gaobot.batch.

Bropia.A spreads via MSN Messenger. It does this by searching for a window of the class 'IMWindowClass' (an MSN Messenger conversation window) and, if it finds one, sending itself out under one of the following names: Drunk_lol.pif, Webcam_004.pif, sexy_bedroom.pif, naked_party.pif and love_me.pif.

Once run, Bropia.A searches %systemdir% for files with the following names: adaware.exe, VB6.EXE, lexplore.exe and Win32.exe.

If they don't exist, it creates a file containing a copy of a Gaobot variant. Bropia.A also creates several empty files in %systemdir% and holds them open in order to prevent the taskmgr.exe and cmd.exe processes from executing.

Bropia.A also disables the CTRL+ALT+DEL key combination, and can disable the right mouse button as well.

Zar.A spreads via email in a message that refers to the tsunamis that struck Asia in December 2004. Both the subject and the message text make an appeal for help for the victims, and the attachment is called TSUNAMI.EXE.

When the file is run, the computer is infected by Zar.A, which uses MAPI to send a copy of itself to all addresses in the Outlook address book.

Zar.A creates three files and adds a Windows registry entry to ensure that it is run every time the computer starts up. This worm also tries to launch Denial of Service (DoS) attacks against the website www.hacksector.de.

The next worm we'll be looking at today is Mydoom.AE, which spreads in an email with variable characteristics and through P2P file sharing programs.

Once it infects a computer, Mydoom.AE takes the following actions:

- It opens Notepad and displays a text made up of random characters.

- It alters the HOSTS file to prevent users from accessing the web pages of certain antivirus companies. It also terminates processes belonging to certain antivirus programs, leaving the computer vulnerable to attack from other malware.

- It terminates processes belonging to other malware.

- It tries to download a file from the Internet.
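The HOSTS-file tampering described above is easy to check for on a suspect machine: any line that pins a security vendor's domain to a loopback, unspecified or otherwise wrong address is a sign of this kind of infection. The script below is an added example, not code from the Panda Software report. The vendor domain list and the sample HOSTS contents are constructed assumptions for illustration; the report does not name the sites Mydoom.AE blocks.

```python
"""Scan a HOSTS file for entries that hijack security-vendor domains.

Added example; it is not code from the Panda Software report. The vendor
domain list and the sample HOSTS contents below are constructed assumptions:
the report does not name the sites Mydoom.AE blocks.
"""
import ipaddress
from typing import List, Tuple

# Assumed watch list: domains that a legitimate HOSTS file has no reason to pin.
WATCHED_DOMAINS = (
    "pandasoftware.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "windowsupdate.com",
)

# Constructed sample of a tampered HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com
0.0.0.0         liveupdate.symantec.com   # sinkholed to the unspecified address
203.0.113.5     downloads.mcafee.com
::1             updates.kaspersky.com
192.168.1.10    intranet.example.local
"""

Entry = Tuple[int, str, List[str]]  # (line number, address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Parse HOSTS syntax: '<address> <name> [<alias>...]'; '#' starts a comment."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name: Windows ignores it, so do we
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def is_watched(host: str) -> bool:
    """True for a watched domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(address: str) -> str:
    """'sinkhole' if the name can never reach a real host, else 'redirect'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    return "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"


def find_hijacks(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, hostname, address, kind) for each watched name pinned in HOSTS."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        for name in names:
            if is_watched(name):
                findings.append((line_no, name.lower(), address, classify(address)))
    return findings


if __name__ == "__main__":
    for line_no, host, address, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address} ({kind})")
```

On a live Windows system, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacks. A "sinkhole" entry blocks the vendor site outright, as Mydoom.AE does; a "redirect" to a routable address deserves the same attention, since it can point update traffic at an attacker-controlled server.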

We end today's report with a mention of Gaobot.batch, a batch file that deletes the original Gaobot file once Gaobot has been installed on the computer.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information:

- Batch files / BAT files: Files with a BAT extension that allow operations to be automated.

- MAPI (Messaging Application Program Interface): A system used to enable programs to send and receive e-mail via a certain messaging system.

More technical definitions at: http://www.pandasoftware.es/virus_info/glosario/default.aspx