Tuesday, May 03, 2005

- New worm Sober.V offers free tickets for the FIFA World Cup 2006 in Germany
to cheat users with social engineering techniques -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, May 3, 2005 - The new V variant of the Sober worm (Sober.V) has begun spreading and has infected several computers in the US, Germany, Austria and Switzerland. The message purports to come from FIFA, the soccer governing body, and offers users free tickets for the FIFA World Cup 2006 in Germany. The worm distributes itself using its own SMTP engine, in English or in German, choosing the language according to the domain and country of the address it is sent to. Sober.V sends itself to all the addresses it has harvested from the infected computer.

This new worm, which uses social engineering to cheat users, arrives from a spoofed sender address chosen at random from the following: Admin, Hostmaster, Info, Postmaster, Register, Service or Webmaster. Furthermore, Sober.V avoids sending messages to addresses whose domain contains certain strings. The subject can be one of the following (in German or in English, depending on the language chosen):

German subjects:
Glueckwunsch: Ihr WM Ticket
Ich bin's, was zum lachen ;)
Ihr Passwort
WM Ticket Verlosung
WM-Ticket-Auslosung

English subjects:
mailing error
Re:
Registration Confirmation
Your email was blocked
Your Password

- Panda Software weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, April 29, 2005 - This week's report on viruses and intruders looks at the Kedebe.B and Nopir.A worms, as well as the Bancos.NL Trojan.

Kedebe.A is an email worm whose main danger is that it leaves systems defenseless against attacks from other malware. It spreads as an attachment to emails with variable characteristics, as both the subject and the message text are selected from a predefined list of options.

If a user were to run a file containing Kedebe.A, this would generate two files on the system. One of these contains a copy of the worm, while the other is a text file that reads: "Properly infected. Kill those fools, Mydoom-er and Bagle-r!! They're DEAD!! EthioLove.X!!".

Kedebe.A terminates the processes of security and antivirus applications running in memory. It also modifies the HOSTS file to block access to several IT-security web pages, and creates a Windows registry entry to ensure it is run on every system start-up.

Nopir.A is designed to spread across P2P networks, deleting files with COM and MP3 extensions that it finds on the computer. For this reason, some media sources have dubbed it an "anti-pirate" worm, but it is really a dangerous type of malware that can cause serious damage to systems. It prevents systems running Windows 2003/XP/2000/NT from starting up, as it deletes the NTDETECT.COM file.

If a user were to run a file containing Nopir.A, an 'anti-pirate' image is displayed on screen. At the same time, it disables the Windows registry editor, the Task Manager and the Control Panel. To spread, Nopir.A uses the eMule file-sharing program: it creates a file called ANYDVD 5.1.0.1 CRACK+KEYGEN BY RAZOR.EXE in that program's folder, which other users can download to their computers without realizing that it really contains a copy of Nopir.A.

Finally, the Bancos.NL Trojan is designed to intercept confidential data from clients of more than 2,500 bank portals. This Trojan cannot spread under its own steam and needs third parties to intervene manually, using traditional propagation methods such as floppies or CDs, or through Internet downloads, email, FTP transfers, P2P networks, etc.

Once a user runs a file containing the Trojan, it is installed on the system as MSCVC.EXE, and starts to monitor the user's Internet activity, waiting for it to connect to one of the 2,500 Internet addresses listed in its code. When this happens, it logs the information entered by the user related to credit cards, account numbers, passwords, etc. This information is sent to a server where it can be collected by cyber-crooks.

- A Trojan threatens the confidential data of the clients
of thousands of banks worldwide -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, April 28, 2005 - PandaLabs reports the appearance of the NL variant of the Bancos Trojan, programmed to intercept the confidential data of the clients of over 2,500 banking portals. Panda Software has already informed law enforcement authorities of the appearance of this malicious code.

This Trojan cannot spread by itself, but needs to be distributed manually by third parties. Bancos.NL can therefore be distributed through traditional channels (floppy disks, CD-ROM), or via email messages, Internet downloads, FTP transfers, P2P networks, etc.

In the event that a user executes the file containing Bancos.NL, the Trojan will be installed on the system under the name MSCVC.EXE. It then starts monitoring the user's Internet activity, waiting for a connection to be established with one of the 2,500 Internet addresses listed in its code. When this happens, it registers all the information about bank account numbers, credit cards, passwords or any other information entered by the user. This information is sent to an Internet server where it can be collected by cyber criminals.

"Although this malicious code does not have any technical characteristics that make it stand out from other Trojans programmed to steal banking details, its danger lies in the large number of users that could be affected by Bancos.NL. In fact, the addresses of the banking portals listed in the Trojan's code belong to financial entities in 120 countries worldwide. These countries include Germany and Switzerland with over 200 addresses each," explains Luis Corrons, director of PandaLabs.

To prevent Bancos.NL or any other malicious code entering computers, Panda Software advises users to take precautions and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

- Panda Software's weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, April 22, 2005 - This week's report on viruses and intruders covers several new threats that have emerged this week: two variants of the Mytob worm, a variant of the Mitglieder Trojan and a new version of the Bancos Trojan.

The new variants of Mytob -Mytob.BC and Mytob.BD- open backdoors in affected computers. This action allows the BC variant to connect to a web server and the BD variant to connect to an IRC server, where they wait for commands from a malicious user. What's more, they modify the system HOSTS file so that the user cannot access the websites of certain antivirus companies. These worms spread via email, across networks protected with weak passwords and by exploiting the LSASS vulnerability. They also download other malware, such as the Faribot.A worm.

The Bancos.FC Trojan has also appeared this week. This malicious code goes memory resident and has keylogger functions. Bancos.FC waits for a dialup modem connection to be established (it only affects this type of connection). When this happens, it checks whether the websites visited coincide with the address of any of the banking entities included in its code. If it finds a match, it collects the information entered through the keyboard and sends it to an Internet server. Bancos.FC cannot spread on its own; it needs external intervention to do so.

Finally, Mitglieder.CG is a Trojan that aims to disable certain security tools (antivirus and firewalls), which could be installed on the computers it affects. To do this, it can delete files and Registry entries or end the processes running in memory. What's more, it modifies the system HOSTS file so that the user cannot access the websites of certain antivirus companies.

Mitglieder.CG seems to have been mass-mailed, either manually or through zombie computers, and tries to download other malware from different websites.