Friday, February 04, 2005

Are You Sharing Your files With the Entire Internet?

Over the last few years, we have all become accustomed to Microsoft’s steady stream of security vulnerabilities and corresponding patches. Most of the time these security vulnerabilities are unchecked buffers, which could theoretically be used for remote code execution.

Every once in a while though, a security vulnerability comes along that is so scary that it defies belief. This article is about just such a vulnerability. If this story doesn’t convince you that you should enable automatic updates for Windows, then nothing will.

The problem has to do with the way that the Windows firewall interacts with Windows file sharing. The reason that the problem exists is that whenever a user enables file and print sharing, Windows automatically opens a port in the firewall, which makes the shared resource available across the local network. This in and of itself is not a problem.

The problem comes into play with the definition of the local network. Some Internet Service Providers require their clients to run a configuration in which the Internet essentially becomes the computer’s “local network”.

This means that if someone were using one of these Internet Service Providers and enabled file sharing, then anyone on the Internet would be able to access the shared files.
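To make the "definition of the local network" problem concrete, here is an added example (not code from the article) that works out what a firewall exception scoped to the interface's own subnet would actually reach for a few constructed interface configurations; the interface names, addresses and masks are made up for illustration.

```python
import ipaddress

# RFC 1918 ranges: a 'local subnet' inside these cannot be reached from the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed interface configurations for illustration (not taken from the article).
SAMPLE_INTERFACES = {
    "home-lan": "192.168.1.10/24",           # private address behind a NAT router
    "isp-flat": "203.0.113.45/8",            # public address with a very wide mask
    "isp-whole-internet": "203.0.113.45/0",  # mask 0.0.0.0: every address counts as local
}

def local_subnet_scope(cidr: str) -> dict:
    """Describe what a firewall exception scoped to the interface's own subnet
    would reach for an interface configured with this address and mask."""
    net = ipaddress.ip_interface(cidr).network
    private = any(net.subnet_of(rfc) for rfc in RFC1918)
    return {
        "network": str(net),
        "addresses_in_scope": net.num_addresses,
        "private": private,
        # A public 'local subnet' means hosts outside the user's own LAN can reach the shares.
        "verdict": "ok" if private else "EXPOSED",
    }

def audit(interfaces: dict) -> dict:
    """Run local_subnet_scope over every configured interface."""
    return {name: local_subnet_scope(cidr) for name, cidr in interfaces.items()}

if __name__ == "__main__":
    for name, r in audit(SAMPLE_INTERFACES).items():
        print(f"{name:20s} {r['network']:18s} {r['addresses_in_scope']:>11d} addresses  {r['verdict']}")
```

The last configuration is the case the article describes: with a zero-length mask every address on the Internet falls inside the "local network", so a share opened for the local subnet is open to everyone.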

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, February 4, 2005 - This week's report on viruses and intruders will focus on the worms Sober.J, Bropia.E and Gaobot.CTX, and the Trojans Locknut.A and Downloader.ALQ.

Sober.J is a new variant of the Sober family of worms that is very similar to its predecessors. It spreads via email, in an attachment to a message that could be written in English or German, depending on the domain of the recipient's address.

What's more, the address of the sender of the message is spoofed. If the user runs the attachment, Sober.J looks for email addresses in files with certain extensions on the affected computer and sends itself out to them using its own SMTP engine.

This worm also tries to carry out other actions, such as accessing the POP3 mail accounts of a well-known German Internet service provider, downloading malware updates from the Internet or restoring Windows Registry entries modified by other malicious code.

Bropia.E and Gaobot.CTX are two worms that spread together. Bropia.E sends itself out using the instant messaging program MSN Messenger, disguised as an image file with a variable name taken from a long list of options and a .pif or .scr extension.

Some examples of the name of this file are: bedroom-thongs.pif, LMAO.pif or LOL.scr. If the user runs the file, it displays a curious image of a roast chicken on screen. However, this image is just a cover-up to hide the real actions carried out by the worm.

This malicious code sends itself out to all the contacts in MSN Messenger and creates various files on the computer, including a file called winhost.exe, which actually contains the Gaobot.CTX worm.

Gaobot.CTX carries out the actions that pose the biggest threat to the integrity of the computer, as it connects to IRC channels and waits for commands from a remote user. This allows a hacker to download all kinds of files to the affected computer: spyware, adware, other viruses, etc.

Locknut.A is a Trojan that only affects cellular phones that use the operating system Symbian 7.0S or later.

This malicious code tries to trick the user into running it by passing itself off as a patch for the cell phone. Once it is run, Locknut.A replaces operating system components, which prevents some applications from being run and blocks the phone.

Some variants of Locknut.A also install a copy of Cabir.A, another worm targeting mobile devices that appeared last year.

Finally, Downloader.ALQ is a new member of the huge family of Downloader Trojans. Like the rest of the variants, this malicious code is designed to download and run all types of malicious code on the system, mainly spyware.

Windows Messenger Chicken In A Bikini Virus

If your Messenger displays a chicken with a bikini, your PC has been infected by the new Bropia.E and Gaobot.CTX worms.

PandaLabs has detected Bropia.E and Gaobot.CTX, two pieces of malicious code that spread together. Bropia.E sends itself out using the instant messaging program MSN Messenger, disguised as an image file with a variable name taken from a long list of options and a .pif or .scr extension.

Some examples of the name of this file are: bedroom-thongs.pif, LMAO.pif or LOL.scr. If the user runs the file, it displays a curious image - a roast chicken with a bikini - on screen.

However, this image is just a cover-up to hide the real actions carried out by the worm. This malicious code sends itself out to all the contacts in MSN Messenger and creates various files on the computer, including a file called winhost.exe, which actually contains the Gaobot.CTX worm.

Gaobot.CTX carries out the actions that pose the biggest threat to the computer, as it connects to IRC channels and waits for commands from a remote user.

This allows a hacker to download all kinds of files to the affected computer: spyware, adware, other viruses, etc.

"As a rule of thumb, you should never open a file you receive through instant messaging systems without scanning it first with an updated antivirus. A growing number of viruses are using these applications to spread, and their biggest danger lies in the recipient running executable files without thinking twice, as they are sent from a known address.

This also implies that there is risk of them spreading rapidly via instant messaging, leaving poorly protected networks vulnerable to becoming infected in a matter of seconds," warns Luis Corrons, head of Panda Labs.

As Panda Software's international tech support network has already detected incidents caused by this worm, Panda Software advises users to take precautions and update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Monday, January 31, 2005

Sober.K Virus Strikes Unprotected Users

The 11th variant of the Sober virus, W32/Sober.k@MM, is a Medium Risk mass-mailing worm hiding inside an email attachment. When run, the worm displays a fake error message in Notepad, infects the host computer and sends itself to stolen email addresses. Outgoing messages may be in German or English, depending on the recipient's domain.

Note: To fortify your anti-virus defense against threats like W32/Sober.k@MM that need Internet access to spread, we recommend installing McAfee Personal Firewall Plus.

What should I look for?
FROM: Varies (forged addresses taken from infected system)
SUBJECT: English: I've got YOUR email on my account!! German: Ey du DOOF Nase, warum beantw...
BODY: English: First, Sorry for my very bad English! German: Warum beantwortest Du meine E-Mails nicht?
ATTACHMENT: EMAIL_TEXT.ZIP or TEXT.ZIP

How do I know if I've been infected?
Fake error message displayed. Outgoing messages as noted above. Increased network traffic on TCP port 37. Alerts from a desktop firewall (if installed) that a new application is trying to access the Internet.