- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, February 18, 2005 - Two variants of Mydoom -AO and AM-, two variants
of Gaobot -DAC and CYK-, and Bropia.J are the subjects of this week's
report.
Mydoom.AO appeared midweek and has the capacity to spread much more rapidly
and widely than the majority of computer viruses. The reason for this is
that it uses Google, Altavista, Yahoo and Lycos to search for email
addresses to which to send itself. In order to trick users, it sends out
emails that that pass themselves off as mail delivery error messages.
The email messages carrying Mydoom.AO include and attachment -which contains
the worm's code- with one of the following extensions: ZIP, COM, SCR, EXE,
PIF, BAT or CMD. If the user runs the attached file, the worm will create
several copies of itself on the affected computer under the name JAVA.EXE,
and look for email address in the Windows address book, in temporary
Internet files and in files with the certain extensions. Then it selects the
domain names of the addresses it has collected and enters them as a search
term in Google, Altavista, Yahoo and Lycos. Then Mydoom.AO sends itself out
to all the addresses found. This worm also creates several entries in the
Windows Registry in order to ensure that it is run whenever the affected
computer is started up.
The second variant of Mydoom in today's report is AM, which spreads in email
messages with variable characteristics and through the peer-to-peer (P2P)
file sharing programs KaZaA, Morpheus, eDonkey2000, iMesh and LimeWare.
In the computers it infects, Mydoom.AM ends the processes belonging to
certain security tools, such as several antivirus programs and firewalls,
leaving the affected computer vulnerable to the attack of other malware.
This worm also modifies the HOSTS file, in order to prevent access to the
websites of several antivirus companies and ends the processes belonging to
other worms, such as Netsky, Bagle, Sobig and Blaster.
Gaobot.DAC and Gaobot.CYX are two worms that use several means of
propagation, including the follow:
- They make copies of themselves in the shared network resources they manage
to accesses.
- To spread across the Internet, they exploit security flaws, like the LSASS
and RPC DCOM vulnerabilities, for which Microsoft has already released the
patches that fix them.
The DAC and CYX variants of Gaobot have backdoor characteristics that allows
hackers to gain remote control over the affected computer and carry out
actions such as executing commands, downloading and running files, logging
keystrokes, stealing different information from the computer, launching
Distributed Denial of Service (DDoS) attacks, etc.
We are going to finish this week's report with Bropia.J, a worm that spreads
via MSN Messenger. When it is run, this malicious code tries to display an
HTML page that contains a link to a certain web page in order to display an
image. Bropia.J also prevents the user from accessing the Task Manager and
the Windows Registry Editor (REGEDIT.EXE file).