Saturday, January 22, 2005

- Weekly report on viruses and intruders - Virus Alerts, by Panda Software

Madrid, January 21 2005 - This week's virus report looks at three worms (Bropia.A, Zar.A and Mydoom.AE) and Gaobot.batch.

Bropia.A spreads via MSN Messenger. It does this by searching the application for an instance of the class 'IMWindowClass' and, if it finds one, it sends itself out with one of the following names: Drunk_lol.pif, Webcam_004.pif, sexy_bedroom.pif, naked_party.pif and love_me.pif.

After it is run, Bropia.A searches %systemdir% for files with the following names: adaware.exe, VB6.EXE, lexplore.exe and Win32.exe.

If they don't exist, it creates a file that contains a copy of a variant of Gaobot. Bropia.A also generates several empty files in the path %systemdir% and opens them to prevent the taskmgr.exe and cmd.exe processes from executing.

Similarly, Bropia.A disables the CTRL+ALT+Del key combination, and can also disable the right button on the mouse.

Zar.A spreads via email in a message that refers to the tsunamis that struck Asia in December 2004. Both the subject and the message text make an appeal for help for the victims, and the attachment is called TSUNAMI.EXE.

When the file is run, the computer is infected by Zar.A, which, using MAPI, sends a copy of itself to all addresses in the Outlook address book.

Zar.A creates three files and generates a Windows registry entry to ensure that it is run every time the computer is started up. This worm also tries to launch Denial of Service (DoS) attacks against the w w w.hacksector.de website.

The next worm we'll be looking at today is Mydoom.AE, which spreads in an email with variable characteristics, and through P2P file sharing programs.

Once it infects a computer, Mydoom.AE takes the following action:

- It opens Notepad and displays a text made up of random characters.

- It alters the HOSTS file to prevent users from accessing the web pages of certain antivirus companies. It also terminates processes belonging to certain antivirus programs, leaving the computer vulnerable to attack from other malware.

- It terminates processes belonging to malware.

- It tries to download a file from the Internet.
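The HOSTS-file tampering described for Mydoom.AE is easy to audit from the defender's side. The following is an added example, not code from the original report or from Panda Software: it parses a HOSTS file and flags any entry that pins a security-vendor domain to a loopback or unspecified address (sinkholed) or to any other address (redirected). The vendor domain list and the sample HOSTS content are constructed for illustration and are not the names Mydoom.AE actually blocks.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed sample of a HOSTS file after tampering of the kind described above.
# The hostnames are placeholders, not the real list used by Mydoom.AE.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test
127.0.0.1       update.example-av-vendor.test   # added by malware
0.0.0.0         downloads.example-av-vendor.test
192.0.2.10      support.example-av-vendor.test
10.0.0.5        intranet.corp.test
"""

# Domains a defender expects to resolve normally (assumed vendor list).
PROTECTED_DOMAINS = {
    "www.example-av-vendor.test",
    "update.example-av-vendor.test",
    "downloads.example-av-vendor.test",
    "support.example-av-vendor.test",
}

def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping, ignoring comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or malformed line
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address, so not a mapping
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries

def audit_hosts(text: str, protected: Set[str]) -> List[Tuple[int, str, str, str]]:
    """Flag protected domains that the HOSTS file overrides, with a reason."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name not in protected:
            continue
        addr = ipaddress.ip_address(ip)
        reason = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((line_no, name, ip, reason))
    return findings
```

On a live system the same function can be pointed at the contents of %systemdir%\drivers\etc\hosts; any finding is worth treating as a sign of the kind of tampering described above.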

We end today's report with a mention of Gaobot.batch, which is a batch process file that deletes the original Gaobot file when this has been installed on the computer.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information:

- Batch files / BAT files: Files with a BAT extension that allow operations to be automated.

- MAPI (Messaging Application Program Interface): A system used to enable programs to send and receive e-mail via a certain messaging system.

More technical definitions at: http://www.pandasoftware.es/virus_info/glosario/default.aspx

Monday, January 17, 2005

Removing about:blank (aka Cool Web Search)

The best tools are here:

http://www.spywareinfo.com/~merijn/downloads.html

Start with CWShredder to remove its anti-spyware-tool capabilities.

Then use Spybot Search & Destroy or any of the other free utilities listed here to remove all traces of this annoying pest from your system.

Cheers!

Lasco.A Mobile Phone Virus and WmvDownloader Update

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, January 14 2005 - This week's virus report looks at three vulnerabilities, two Trojans (WmvDownloader.A and WmvDownloader.B), and two worms (Lasco.A and Gaobot.CKP).

We start this report by looking at three security problems, for which Microsoft has this week published the corresponding patches.

- Vulnerability in Windows HTML Help that could allow hackers to take control of a computer with the same privileges as the user that started the session. It could be exploited through a specially designed web page and affects computers with Windows 2003/XP/2000/NT/Me/98.

- A security problem in the format of Windows icons and cursors. A user could exploit it to take control of a vulnerable computer by hosting a specially created icon or cursor on a malicious web page or HTML email. It affects computers with Windows 2003/XP/2000/NT/Me/98.

- Vulnerability in the Index Server service, which allows remote code to be executed and privilege escalation. It affects computers with Windows XP (without Service Pack 2) and Windows 2003.

WmvDownloader.A and WmvDownloader.B are two Trojans that spread across P2P networks in the form of video files with the extension ".wmv".

In order to spread, WmvDownloader.A and WmvDownloader.B use Windows Media Digital Rights Management (DRM), a technology that demands a valid license number when a protected Windows Media file is run.

If a user were to execute a video file infected with WmvDownloader.A or WmvDownloader.B, these Trojans simulate the download of the corresponding license from certain web pages.

However, what they really do is redirect users to other addresses from which malicious applications like adware, dialers or spyware are downloaded.

The first worm we'll look at today is Lasco.A, which spreads to cell phones using the Symbian operating system.

Although at first it targeted Nokia Series 60 phones, it can also target other devices using the same software.

Lasco.A uses the following means of propagation:

1.- Via Bluetooth (technology that allows wireless connection between devices over short distances). When executed, Lasco.A starts a search for other devices connected using Bluetooth and if it finds any, it sends a copy of itself in a file called VELASCO.SIS.

When the device to which it has sent a file is out of Bluetooth range, Lasco.A searches for others to infect.

2.- Inserting its code in all SIS files on the affected device. When these files are distributed and run on new devices, these are then infected by Lasco.A.

In order to be able to spread, Lasco.A requires intervention from users, as they receive a message announcing the fact that it has been received. If the users accept this message, the worm installs itself on the device.

We end today's report with Gaobot.CKP, a worm that spreads by making copies of itself in shared resources on the network and exploits the LSASS, RPC DCOM and WebDAV vulnerabilities.

It can also enter computers running SQL Server whose System Administrator account's password is blank, and computers running DameWare Mini Remote Control. Finally, Gaobot.CKP also accesses computers affected by the following malware: Bagle.A, Mydoom.A, Optix, NetDevil, Kuang and SubSeven.

Gaobot.CKP lets attackers take remote control of the computer it affects, allowing them to execute commands, download and execute files, log keystrokes and carry out Distributed Denial of Service (DDoS) attacks.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/