Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, May 20 2005 - This week's report on viruses and intruders will focus on
the worms Gaobot.GLV and Oscarbot.F, and the Trojan, Sober.W.

Sober.W is a Trojan whose only purpose would seem to be mass-mailing messages
with content related to the extreme right-wing movement in Germany, alluding to
the Second World War and its 60th anniversary. As is usual with this type of
malware, it cannot spread by itself but needs to be distributed manually
through other channels. Once installed, Sober.W starts collecting email
addresses from the affected computer and sends them one of the 30 mails it
includes in its code, at random. The Trojan also edits several registry keys to
ensure it is executed on every system startup. It has been designed to stop
sending spam at May 23rd, and then start trying to download files from a series
of URLs it has embedded on its code.

Oscarbot.F is a worm with backdoor characteristics, designed to spread through
AOL Instant Messenger (AIM), a popular instant messaging application, by
sending messages to all the addresses in the Contact List. These messages
include an URL which, on accessing it, downloads a copy of this worm or other
kind of malware to the affected computer. As is usual with bots, once installed
on the targeted system, Oscarbot.F connects to an IRC server, waiting for
orders from a remote user to download and run files, spread via AIM, etc.
Finally, the worm edits certain registry keys to ensure that it is run every
time the system starts up.

The main purpose of Gaobot.GLV is to end processes belonging to several
security tools, such as antivirus programs and firewalls, prevent users from
accessing several web pages, mainly belonging to antivirus and computer
security companies (by modifying the HOSTS file in the affected computer), and
install a TFTP server. It also has a tool designed to hide its actions on the
affected computer, which, however, does not function properly on Window XP
systems.

Gaobot.GLV spreads both across the Internet and shared network resources. In
the first case, it tries to exploit the LSASS, RPC DCOM, WINS, Workstation
Service Buffer Overrun and Buffer Overrun in SQL Server 2000 Resolution Service
vulnerabilities as well as trying to access computers with SQL Server installed
and blank passwords. In the case of shared network resources, Gaobot.GLV
attempts to take advantage of weak passwords or user names (passwords that are
typical or easy to guess). If successful, Gaobot.GLV makes copies of itself to
the shared resources.