Friday, February 25, 2005

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, February 25, 2005 - This week's report on viruses and intruders will
focus on four worms: the A and B variants of Stang, Assiral.A and Sober.M.

Stang.A and Stang.B spread through MSN Messenger in messages containing
texts like 'Look At This Hot Naked Girl' and an attached file with names
like 'Hey look at my moms dildo!!.pif'. If this file is run, these worms
send themselves out to all of the contacts in this instant messaging
application and turn off security programs that may be installed on the
computer, such as the Windows personal firewall.

What's more, Stang.A and Stang.B block the Task Manager and Registry Editor
in this operating system. They also try to end the SVCHOST.EXE and LSASS.EXE
processes, which could cause the computer to automatically shut down.

The third worm in today's report is Assiral.A, which spreads via email in a
message with the text 'Re: LOV YA !' in the subject and an attached file
called 'LOVE_LETTER.TXT.EXE'. When this file is run, the computer will be
infected by Assiral.A, which will then look for email addresses to send
itself to.

Assiral.A carries out many different actions on the computer it infects,
including the following:

- Prevents access to the Windows Registry Editor.

- Hides the Run option in the Start menu.

- Disables the command line.

- Modifies the home page in Internet Explorer.

- Tries to end the processes belonging to different antivirus and firewall
applications.

- When it is run, displays a message on screen announcing its mission to
rid the Internet of the actions of the Bropia worms.

We are going to finish this week's report with Sober.M, a worm that spreads
via email in a message that can be written in English or German. If the mail
domain ends in .de, .ch, .at or .li, both the subject and message will be
written in German.

After infecting a computer, Sober.M opens Notepad and displays a text and
then an error message.

Wednesday, February 23, 2005

MyDoom.be Debuts On The Net

What is it?
The latest in a wave of Medium Risk mass-mailing worms, W32/Mydoom.be@MM carries the dangerous BackDoor-CEB.f Trojan, which tries to disable anti-virus updating and help a remote user hijack an infected machine.

Like earlier variants, the worm spreads using stolen email addresses harvested from the victim PC and from search engine queries. Watch out for messages pretending to be bounces from Postmaster or Mail Administrator.

Note: To fortify your anti-virus defense against threats like W32/Mydoom.be@MM that need Internet access to spread, we recommend installing McAfee Personal Firewall Plus.


What should I look for?

FROM: Spoofed.

SUBJECT: Examples: delivery failed, Message could not be Delivered, Mail System Error - Returned Mail

BODY: Example: We have received reports that your account was used to send a large amount of junk email messages during the week.

ATTACHMENT: Examples: README, INSTRUCTION, TRANSCRIPT
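The indicators listed above (spoofed bounce sender, bounce-style subject, the "junk email" body text, and an executable attachment named README, INSTRUCTION or TRANSCRIPT), together with the double-extension trick used by Assiral.A's 'LOVE_LETTER.TXT.EXE', can be turned into a simple mail-gateway check. The following Python is an added example and not McAfee's or Panda's own code; the executable-extension list, the flag names and the sample messages it builds are this example's own assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator strings are quoted from the advisory text above; the executable
# extension list and the flag names are this example's own assumptions.
BOUNCE_SUBJECT = re.compile(r"delivery failed|could not be delivered|returned mail", re.I)
BOUNCE_SENDER = re.compile(r"postmaster|mail administrator", re.I)
JUNK_BODY = re.compile(r"used to send a large amount of junk email", re.I)
MYDOOM_NAMES = {"readme", "instruction", "transcript"}
EXEC_EXT = {"exe", "pif", "scr", "com"}   # common Windows executable extensions


def attachment_flags(filename: str) -> list[str]:
    """Flags for one attachment name: executable, double extension, MyDoom-style name."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return []                                   # not an executable, nothing to flag
    flags = ["executable-attachment"]
    if len(parts) >= 3:                             # e.g. LOVE_LETTER.TXT.EXE (Assiral.A)
        flags.append("double-extension")
    if parts[0] in MYDOOM_NAMES:                    # e.g. README.EXE (Mydoom.be)
        flags.append("mydoom-style-name")
    return flags


def classify(raw: bytes) -> list[str]:
    """Return the advisory indicators matched by one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    if BOUNCE_SUBJECT.search(msg.get("Subject", "")):
        flags.append("fake-bounce-subject")
    if BOUNCE_SENDER.search(msg.get("From", "")):
        flags.append("fake-bounce-sender")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and JUNK_BODY.search(body.get_content()):
        flags.append("junk-report-body")
    for part in msg.iter_attachments():             # skips the text body part
        flags += attachment_flags(part.get_filename() or "")
    return flags


def build_sample(subject: str, sender: str, body: str, filename: str) -> bytes:
    """Build a constructed test message offline; the attachment bytes are a stub."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed stub, not a real binary",
                     maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message that trips several flags at once (bounce-style subject plus an executable attachment, or any double extension) is a far stronger signal than any single flag, so a gateway policy should quarantine on the combination rather than on one hit.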


How do I find out more?

When run, the worm installs itself as JAVA.EXE in the Windows directory: C:\WINDOWS\JAVA.EXE.


Why am I receiving so many alerts?

By policy, when new viruses or variants (e.g., the current Mydoom string) reach Medium Risk threat status, McAfee immediately notifies customers who have opted to receive advisories, even if the latest variant mimics the last.