Saturday, February 19, 2005

MSN Messenger Worm - Bropia W32

What is it?
W32/Bropia.worm.p is a Medium Risk Internet worm carried by an MSN Messenger attachment. When run, the worm tries to display a .jpg image from a remote site and prevent users from manually using Windows Task Manager to remove the threat.

What should I look for?
The worm copies itself into the C:\ directory using filenames like:

Beautiful A**.pif

John Kerry as Super Chicken.scr


Me & you pic!.pif

How do I find out more?

View details about W32/Bropia.worm.p here.

Update: Mydoom Returns

Two more serious Mydoom mass-mailing worms, W32/Mydoom.bc@MM and W32/, are now Medium Risk threats. They carry the BackDoor-CEB.f Trojan, which tries to disable anti-virus updating and also help a remote user hijack an infected machine.

Watch out for attachments inside messages posing as bounces from Postmaster or Mail Administrator.

Find out more about W32/Mydoom.bc@MM here.
Find out more about W32/ here.

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (

Madrid, February 18, 2005 - Two variants of Mydoom -AO and AM-, two variants
of Gaobot -DAC and CYK-, and Bropia.J are the subjects of this week's

Mydoom.AO appeared midweek and has the capacity to spread much more rapidly
and widely than the majority of computer viruses. The reason for this is
that it uses Google, Altavista, Yahoo and Lycos to search for email
addresses to which to send itself. In order to trick users, it sends out
emails that that pass themselves off as mail delivery error messages.

The email messages carrying Mydoom.AO include and attachment -which contains
the worm's code- with one of the following extensions: ZIP, COM, SCR, EXE,
PIF, BAT or CMD. If the user runs the attached file, the worm will create
several copies of itself on the affected computer under the name JAVA.EXE,
and look for email address in the Windows address book, in temporary
Internet files and in files with the certain extensions. Then it selects the
domain names of the addresses it has collected and enters them as a search
term in Google, Altavista, Yahoo and Lycos. Then Mydoom.AO sends itself out
to all the addresses found. This worm also creates several entries in the
Windows Registry in order to ensure that it is run whenever the affected
computer is started up.

The second variant of Mydoom in today's report is AM, which spreads in email
messages with variable characteristics and through the peer-to-peer (P2P)
file sharing programs KaZaA, Morpheus, eDonkey2000, iMesh and LimeWare.

In the computers it infects, Mydoom.AM ends the processes belonging to
certain security tools, such as several antivirus programs and firewalls,
leaving the affected computer vulnerable to the attack of other malware.
This worm also modifies the HOSTS file, in order to prevent access to the
websites of several antivirus companies and ends the processes belonging to
other worms, such as Netsky, Bagle, Sobig and Blaster.

Gaobot.DAC and Gaobot.CYX are two worms that use several means of
propagation, including the follow:

- They make copies of themselves in the shared network resources they manage
to accesses.

- To spread across the Internet, they exploit security flaws, like the LSASS
and RPC DCOM vulnerabilities, for which Microsoft has already released the
patches that fix them.

The DAC and CYX variants of Gaobot have backdoor characteristics that allows
hackers to gain remote control over the affected computer and carry out
actions such as executing commands, downloading and running files, logging
keystrokes, stealing different information from the computer, launching
Distributed Denial of Service (DDoS) attacks, etc.

We are going to finish this week's report with Bropia.J, a worm that spreads
via MSN Messenger. When it is run, this malicious code tries to display an
HTML page that contains a link to a certain web page in order to display an
image. Bropia.J also prevents the user from accessing the Task Manager and
the Windows Registry Editor (REGEDIT.EXE file).

Friday, February 18, 2005

Mydoom.AO Virus - Targets search engines for email addresses

Virus Alerts, by Panda Software (

Madrid, February 17, 2005 - PandaLabs has detected the appearance of a new
worm that uses Internet search engines to spread rapidly: Mydoom.AO. This
worm uses Google, Altavista, Yahoo and Lycos to search for email addresses
to which to send itself. In this way, a single infected computer can
distribute thousands of copies of the worm in just a few minutes. This means
that probability of a computer becoming infected by the Mydoom.AO worm is

Panda Software clients that already have TruPrevent(TM) Technologies to
protect against unknown viruses and intruders, have had preventive
protection against Mydoom.AO from the moment it first appeared as they are
able to detect and block this threat without needing to have identified it
previously (more information about the new TruPrevent(TM) Technologies at

Mydoom.AO uses so-called 'social engineering' to try to trick users, as the
email messages it spreads in appear to be mail delivery error messages,
these include: Message could not be delivered, Mail System Error - Returned
Mail, or Delivery reports about your e-mail.

The message text itself is also variable. One example is:

Your message (was not|could not be) delivered because the destination
(computer|server) was (not|un)reachable within the allowed queue period. The
amount of time a message is queued before it is returned depends on local
configura-tion parameters (the text in brackets is variable).

The name of the attached file that actually contains the worm is chosen at
random and has one of the following extensions: ZIP, COM, SCR, EXE, PIF, BAT
or CMD.

If a user becomes infected by the worm, it creates a copy of itself under
the name JAVA.EXE and searches for email addresses in the Windows address
book, Internet temporary files, and in files on the computer with certain
extensions. Once it has done this, it selects domain names from the
addresses it has collected and uses them as search words in Google,
Altavista, Yahoo and Lycos. Finally, Mydoom.AO sends itself out to all
addresses it finds.

The worm also creates several Windows registry entries to ensure it is run
on every system start up.

According to Luis Corrons, director of PandaLabs: "Virus creators are
finding Internet search engines a powerful tool for rapidly spreading
malicious code. Mydoom.N was the first to use this strategy, and this new
worm is following in its footsteps. This tactic effectively multiplies the
propagation capacity of a malicious code, and it is therefore likely that we
will see more of the same".

Given the likelihood of incidents involving Mydoom.AO, Panda Software
advises users to act with caution and update their antivirus software. Panda
Software clients already have the corresponding updates to detect and
disinfect this new malicious code.

Thursday, February 17, 2005 Makes It's Presence Felt

What is it?

W32/ is a Medium Risk mass-mailing worm that carries the dangerous BackDoor-CEB.f Trojan, which tries to disable regular anti-virus updating and also help a remote user hijack an infected machine.

The worm spreads using stolen email addresses harvested from the victim PC and search engine queries. Watch out for messages pretending to be fake bounces from Postmaster or Mail Administrator.

Note: To fortify your anti-virus defense against threats like W32/ that need Internet access to spread, we recommend installing McAfee Personal Firewall Plus.

What should I look for?

FROM: Spoofed.

SUBJECT: Examples: delivery failed, Message could not be Delivered, Mail System Error - Returned Mail

BODY: Example: We have received reports that your account was used to send a large amount of junk email messages during the week.


How do I know if I've been infected?

When run, the worm installs itself as JAVA.EXE in the Windows directory:

How do I find out more?

View details about W32/ here.

Wednesday, February 16, 2005

Google Hacking Exposes Sensitive Material

By Andy Sullivan
WASHINGTON (Reuters) - Hackers have found a handy tool to take control of bank accounts, tap into corporate computer networks and dig up sensitive government documents.
It's called Google.

The Internet's most popular search engine can find everything from goldfish-care tips to old classmates in the blink of an eye, but it's equally adept at finding caches of credit-card numbers and back doors into protected databases.

"If you don't want the world to see it, keep it off the Web," said Johnny Long, a Computer Sciences Corp. (CSC.N: Quote, Profile, Research) researcher and author of "Google Hacking for Penetration Testers."

Unlike other intrusion techniques, Google hacking doesn't require special software or an extensive knowledge of computer code.

At a recent hackers' conference in Washington, Long demonstrated the eye-opening results of dozens of well-crafted Google searches.

Using Google, identity thieves can easily find credit-card and bank-account numbers, tax returns, and other personal information buried in court documents, expense reports and school Web sites that contain such information.

Google hackers can download Department of Homeland Security threat assessments marked "For Official Use Only."

They can gain control of office printers, Internet phones and other devices controlled through a Web interface -- including electrical power systems.

"One Google query, a couple of buttons, you can actually turn off power to their house," Long said.

Corporate spies can uncover passwords and user names needed to log on to a corporate network, or find poorly configured computers that still use default passwords.

A search for error messages can provide important clues for intruders as well.

One particular Google feature allows users to pull up older versions of a Web page. Such "cached" pages can turn up security holes even after they've been fixed, or allow an intruder to scan a network without leaving a footprint.

It's impossible to tell how often malevolent hackers use Google. But the recent emergence of computer worms that spread using the search engine suggests that Google hacking has been common practice for years, Long said.

"As soon as something gets to the worm phase, it's been in the manual phase for quite some time," he said in an interview with Reuters.

Long said Google should not be blamed for the effectiveness of its search engine, though he said the company could raise the alarm when it notices suspicious activity.

"Google removes content from search results under very limited circumstances," Google spokesman Steve Langdon said in an e-mail message, citing pages that contain child pornography, credit-card numbers and other personal information, or copyrighted material that is used without permission.

As awareness of Google hacking grows, security experts are boning up on search techniques to make sure their systems aren't vulnerable.

Long's Web site ( has collected more than 1,000 Google searches that can uncover flaws, and free software programs by Foundstone Inc. (MFE.N: Quote, Profile, Research) and SensePost can run those searches automatically.

Anybody with a Web site should Google themselves using a "site:" query that lists every Web site they have available online, Long said.

"The most practical thing I can tell people is to be fully aware of what their Google presence is. Companies and even individuals should be aware of what they look like through Google," he said.