Friday, June 16, 2006

Virus Report

This week's virus report focuses on the BlackAngel.B worm, the Trojans Banker.DJH and Xorpix.O, the Detnat.A virus and twelve security bulletins published by Microsoft: MS06-21, MS06-22, MS06-23, MS06-24, MS06-25, MS06-26, MS06-27, MS06-28, MS06-29, MS06-30, MS06-31 and MS06-32.

BlackAngel.B is a worm that spreads through the instant messaging program MSN Messenger. To do this, it sends a message with the text "jaja look a that" and a link to a file called '', which passes itself off as a Windows Media Player file. The file has a double extension: the final, executable extension is hidden from users if the option to hide the extension of known file types is enabled, so only the harmless-looking media extension is displayed.

When this file is run, the worm ends a series of processes related to antivirus and firewall tools, leaving the computer vulnerable to other attacks. It also disables access to operating system administration tools, such as Control Panel, Registry Editor, Task Manager and System Restore. Finally, BlackAngel.B shuts down the affected computer, resulting in the loss of any information that had not been saved.

Banker.DJH is a Trojan that steals confidential information from affected computers. To do this, it monitors the web pages accessed by users and if it detects that they access web pages of certain banking entities, it collects the data entered. What's more, it steals information about the email accounts on the computer.

In order to hide its actions, this Trojan disables the Windows file protection feature and modifies the files userinit.exe and sfc_os.dll. Banker.DJH cannot spread through its own means, but requires the user to open an infected file received via email, downloaded from a web page, or through instant messaging programs or P2P networks.

Xorpix.O is a Trojan that converts the affected computer into a proxy server. What's more, it opens a random port to notify the attacker that the computer is available. It cannot spread through its own means, but requires the user to carry out an action in order to spread, such as opening a file attached to an email or running infected files downloaded from the Internet, FTP servers or P2P networks.

When it is run, Xorpix.O injects itself into the system process winlogon.exe and creates a process called iexplore.exe to pass itself off as an instance of Internet Explorer. Similarly, it creates a series of entries in the Registry to ensure it is run whenever the operating system starts up.

Detnat.A is a virus that infects PE (Portable Executable) files that are not compressed. It uses a packing algorithm so that the infected file keeps its original size, and a polymorphic routine to encrypt its data differently in each infection. Detnat.A spreads across the shared network resources to which it gains access. Similarly, it requires user intervention to infect computers, such as opening files attached to email messages or downloaded from the Internet or by other means.

This week, Microsoft has published 12 security bulletins about a series of vulnerabilities, of which 8 are classified as critical, detected in different applications and components of its operating system: MS06-21, MS06-22, MS06-23, MS06-24, MS06-25, MS06-26, MS06-27, MS06-28, MS06-29, MS06-30, MS06-31 and MS06-32.

The affected programs include Internet Explorer, Windows Media Player and several versions of Microsoft Word and PowerPoint. If these vulnerabilities are exploited successfully, a remote attacker could gain total control of the affected computer.

For this reason, it is advisable to download the security patches that fix these vulnerabilities from Microsoft's website.

Wednesday, June 14, 2006

12 Microsoft Security Patches Released

Yesterday, as on the second Tuesday of every month, Microsoft published a set of security bulletins and patches which it has rated as "Critical", "Important", and "Moderate".

The critical bulletins are those from MS06-021 to MS06-028. The content of these bulletins is the following:

- Cumulative security update for Internet Explorer, which resolves eight newly discovered vulnerabilities in the Microsoft browser.
- Fixed a vulnerability in ART Image Rendering for Windows Server 2003, XP, 98 and Millennium Edition.
- Fixed a vulnerability in Microsoft JScript, affecting Windows 2000, Server 2003, XP, 98 and ME.
- Security update for Microsoft Windows Media Player. For Windows Media Player 9, 10 and Windows Media Player for Windows XP.
- Fixed two vulnerabilities in the Routing and Remote Access service in Windows 2000, Server 2003 and XP.
- Security update for the graphics rendering engine in Windows 2000, Server 2003 and XP.
- Fixed a vulnerability regarding remote code execution in Microsoft Word versions 2000, 2002 and 2003.
- Fixed a vulnerability regarding remote code execution in PowerPoint versions 2000, 2002 and 2003.

Microsoft rates as "Important" bulletins MS06-029, MS06-030 and

- Security update for Microsoft Exchange Server running Outlook Web Access for Exchange 2000 and Server 2003.
- Fixed two vulnerabilities in Server Message Block (SMB) for Windows 2000, Server 2003 and XP.
- Security update for a vulnerability in TCP/IP in Windows 2000, Server 2003 and XP.

Finally, bulletin MS06-031 is categorized as "Moderate":

- Fixed a vulnerability in the Windows 2000 RPC service that could allow

We cannot stress enough the seriousness of these problems, and remind users that they should install the updates as soon as possible. In this case it is particularly important, because by allowing programs to be installed, these vulnerabilities are the perfect scenario for falling victim to new malware dedicated to cyber-crime.

You can find all the information about these bulletins at:

Tuesday, June 13, 2006

Black Angel Worm - New MSN Virus Variant

PandaLabs reports about the new BlackAngel.B worm variant.

It's a worm that spreads via Microsoft MSN Messenger, and has been detected today, 6/13/2006. Its main features are:

- File name: fantasma.avi.exe.
- Icon: uses the same icon as Windows Media Player.
- Size: 385,024 bytes.
- Programmed with Visual Basic.
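The double-extension trick described in both BlackAngel.B write-ups above (the executable 'fantasma.avi.exe' is shown as 'fantasma.avi' when Windows hides known extensions) can be caught at a mail or IM gateway with a simple name check. The following is an added example written for this page, not PandaLabs code; the extension sets are a representative subset chosen here, not an exhaustive list.

```python
# Assumption: a representative subset of extensions Windows runs directly; not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Assumption: a representative subset of extensions a user expects for media or documents.
DECOY_EXTS = {"avi", "mpg", "mpeg", "wmv", "mp3", "jpg", "jpeg", "gif", "doc", "pdf", "txt"}


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file types' on:
    only the final, registered extension is stripped, so 'fantasma.avi.exe' reads 'fantasma.avi'."""
    if not hide_known_ext:
        return filename
    stem, sep, ext = filename.rpartition(".")
    if sep and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return filename


def is_double_extension_masquerade(filename: str) -> bool:
    """True when the real (final) extension is executable but the name, once that
    extension is hidden, looks like a media or document file."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    real_ext, decoy_ext = parts[-1], parts[-2]
    return real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS


def flag_attachments(names):
    """Return (real name, name as the user would see it) for every masquerading file,
    so the alert can explain why an apparently harmless video was blocked."""
    return [(n, displayed_name(n)) for n in names if is_double_extension_masquerade(n)]


# Constructed sample filenames; 'fantasma.avi.exe' is the name from the PandaLabs alert.
SAMPLE_NAMES = [
    "fantasma.avi.exe", "holiday.jpg", "report.doc",
    "clip.mpg.scr", "setup.exe", "notes.txt.vbs",
]

if __name__ == "__main__":
    for real, shown in flag_attachments(SAMPLE_NAMES):
        print(f"blocked: {real!r} (would have been displayed as {shown!r})")
```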

It sends one of the following messages to all Messenger contacts:

"jaja look a that http://<>/"
"mira este video http://<>/ jaja"

PandaLabs has already detected some incidents caused by BlackAngel.B and warns about the danger of this worm.

Apart from sending copies, it stops security programs and deletes certain files from the operating system.
