News archive about antivirus software, virus threats, trojans
October 2002
Opasoft is Back and More Dangerous Than Ever -- Posted by Igor_Donchenko on Wednesday, October 23 2002
Kaspersky Labs, an international data-security software developer, announces the detection of a new modification of the network worm "Opasoft" (also known as "Opaserv" and "Brasil"). Kaspersky Labs has already recorded numerous confirmed infections by this dangerous program.
The main distinctions of this new "Opasoft" modification are that it is compressed with the UPX file-packing utility and encrypted with the PCPEC utility. The result is a shorter file bearing the worm and an altered external appearance; the worm's functionality, however, has not changed, and the new modification's actions almost fully correspond to those of the original version. Thanks to its unique file-unpacking technology, Kaspersky Anti-Virus is the only anti-virus program that protects computers from the new Opasoft modification without requiring an update of the anti-virus signature database. All Kaspersky Anti-Virus products correctly identify the type of compression used, extract the real content of the files and dig out the malicious program. Kaspersky Anti-Virus users were therefore protected against this Opasoft modification even before it appeared.
Archive and compression utilities present a considerable problem for modern computer virology: to make malicious code unrecognizable to anti-virus programs, it is enough to pack it with a compression utility, without making any actual alterations to the code. Anti-virus developers must then add detection of the compressed version to their virus databases, a procedure that can take several days, and that delay gives a malicious program plenty of time to penetrate computers and cause irreparable harm.
Source: http://www.avp.ru/
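As an added illustration of the packing problem described above (not Kaspersky's code and not part of the original article): a byte signature taken from an unpacked sample fails to match the same code once it is compressed, while a packer-aware scanner that unpacks first still detects it without a new signature. zlib stands in for the UPX and PCPEC packers named in the article, and the sample bytes and the signature are constructed for this demonstration.

```python
"""Why a signature written for an unpacked sample misses the packed copy,
and how an unpack-before-scan step restores detection. zlib is a stand-in
for the UPX/PCPEC packers; sample bytes and signature are constructed."""
import zlib

# Constructed stand-in for a known-malicious file body and the signature
# an analyst would extract from it (not a real malware signature).
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"OPASOFT-WORM-BODY:" + b"\x41" * 200
SIGNATURE = b"OPASOFT-WORM-BODY:"

# A zlib stream starts with the CMF byte 0x78; a real engine identifies UPX
# by its own header/section markers in the same way.
ZLIB_MAGIC = b"\x78"


def pack(data: bytes) -> bytes:
    """Stand-in for UPX/PCPEC: compress the file so its raw bytes change."""
    return zlib.compress(data, level=9)


def signature_scan(data: bytes) -> bool:
    """Naive signature engine: match the raw bytes only."""
    return SIGNATURE in data


def looks_packed(data: bytes) -> bool:
    """Recognise the packer by its header before trying to unpack."""
    return data[:1] == ZLIB_MAGIC


def unpacking_scan(data: bytes) -> bool:
    """Packer-aware engine: identify the packer, unpack, then scan."""
    if looks_packed(data):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return False  # corrupt stream: report clean rather than crash
    return signature_scan(data)


def compare_engines() -> dict:
    """Run both engines over the original and the packed sample."""
    packed = pack(ORIGINAL_SAMPLE)
    return {
        "packed_is_shorter": len(packed) < len(ORIGINAL_SAMPLE),
        "naive_on_original": signature_scan(ORIGINAL_SAMPLE),
        "naive_on_packed": signature_scan(packed),
        "unpacking_on_packed": unpacking_scan(packed),
    }
```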
Save Your "Virtual Machine"! -- Posted by Igor_Donchenko on Wednesday, October 23 2002
Kaspersky Labs, an international data-security software developer, reports the detection of the Trojan horse "Netdex", which exploits a vulnerability in the security system of the Microsoft Virtual Machine. This allows the Trojan to clandestinely infect computers with malicious code and run it.
An analysis of the program shows that it is most likely of Russian origin: in particular, the program contains text written in Russian and a link to a domain in a Russian zone. At this time, Kaspersky Labs has received only a few confirmed infections by "Netdex" and has already undertaken the necessary measures to prevent it from spreading into a global outbreak.
"Netdex" is a complex multi-component malicious program that penetrates the computers of users who visit an infected Web site. Using a vulnerability in the Microsoft Virtual Machine security system (the "Microsoft VM ActiveX Component" vulnerability), the Web site infects victim computers with a malicious script that drops the main "Netdex" components. These components, in turn, install on the victim computer a backdoor Trojan program (a utility designed for unauthorized remote administration), which permits an ill-intentioned intruder to control infected systems imperceptibly and perform such functions as creating, deleting and copying files, sending emails, displaying system messages on the screen and so on. The specific backdoor commands that "Netdex" executes are loaded from the same Web site.
Kaspersky Labs has taken the necessary steps to close the malicious Web site and, in doing so, has eliminated "Netdex's" main breeding ground for infection. However, this does not mean that computers lacking the patch for the Microsoft Virtual Machine vulnerability face no threat. "Firstly, the malefactors behind 'Netdex' can simply open another similar site or sites, thanks to the many locations for hosting anonymously authored Web pages. Secondly, the damaging script program from the infected Web site may be sent out via email. Finally, 'Netdex' has the ability to update itself, therefore the author of the Trojan program can redirect already infected computers by executing commands from a different Web site", commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs.
Source: http://www.avp.ru/
A Worm with a "Trojan" In Its Pocket -- Posted by Igor_Donchenko on Monday, October 7 2002
Kaspersky Labs, an international data-security software developer, announces the detection of a new Internet worm called Tanatos (also known as "BugBear"), which is currently spreading via email and local area networks and is stealing confidential information from infected computers.
Kaspersky Labs has already received confirmation of Tanatos infections in the UK and other countries.
Tanatos is a Windows program about 50 KB in size (packed with the UPX compression utility) and written in Microsoft Visual C++. The worm spreads via email attachments with differing subject lines, body texts, attachment names and even formats, all of which make it harder to identify infected messages by their external properties. Infected messages arrive in either plain-text or HTML format. With the plain-text version, users must actively open the attached file, thereby letting the worm loose. With the HTML version, once the message has arrived in a potential victim's inbox, Tanatos waits for it to be read (for example, in the preview window); when this occurs, it exploits the "IFRAME" vulnerability in the Windows Explorer security system to launch itself secretly and infect the machine.
To spread over local area networks, the Tanatos worm goes through all accessible network resources and searches for the Windows auto-run (startup) directory, where it copies itself so that it executes the next time the infected computer is booted. This only works if the directory has general write permission enabled.
After activation, "Tanatos" registers itself in the system registry auto-run key so that its malicious code runs each time Windows is booted. Tanatos also contains a Trojan horse function that makes it an exceptionally dangerous program: it creates a breach in the system and exposes confidential data. In particular, Tanatos installs a keyboard "bug" that records all keystrokes, including system passwords, to a specified file (KEYLOGGER.DLL) in the Windows system directory. Another notable particularity of this worm is that it attempts to terminate active processes, especially anti-virus programs and personal firewalls.
Full control over infected computers: those who control the Tanatos worm can dictate file downloading, transferring, copying, deleting and executing on infected machines, and can also force processes to abort. To carry out these operations Tanatos secretly opens an HTTP server and presents its "master(s)" with a Web interface for controlling the infected system.
Potential victims of Tanatos are computers hosting the Klez worm, as both worms exploit the "IFRAME" vulnerability in the Windows Explorer security system. "When taking into account the fact that Klez, to this day, still maintains first place in the list of the most widespread virus programs, it is possible to expect Tanatos to do its share of damage as well", commented Dennis Zenkin, Head of Corporate Communications for Kaspersky Labs.
Source: http://www.avp.ru
"Opasoft" Causes The Second Virus Epidemic This Week -- Posted by Igor_Donchenko on Monday, October 7 2002
Kaspersky Labs, an international data-security software developer, announces the second virus epidemic this week. This time the multi-component program Opasoft combines the characteristics of a network worm and a Trojan program designed to gain unauthorized remote control of infected computers. At this time the Kaspersky Labs round-the-clock technical support service has received confirmed reports of "Opasoft" infections in Russia, France, Germany, the UK and Korea, among other countries, with the number of incidents on the increase.
"Opasoft" spreads through and between local area networks. After penetrating a computer, the worm copies itself to the Windows system directory under the name "SCRSVR.EXE". In order to launch itself when the operating system restarts, "Opasoft" registers this file in the Windows registry auto-run key and additionally modifies the WIN.INI initialization file.
"Opasoft's" Trojan component is designed to accomplish unauthorized remote control of infected machines. Specifically, the "Opasoft" worm connects to the www.opasoft.com Web site, from which it downloads updated versions of itself (if there are any) and launches malicious script programs on the infected computer. The indicated Web site is already closed, so the described Trojan functions are no longer operative.
Source: http://www.avp.ru
Virus Top Twenty from Kaspersky Labs -- Posted by Igor_Donchenko on Monday, October 7 2002
Kaspersky Labs presents the Virus Top 20 for the month of September.
| Position | Virus | Percentage by occurrence |
|---|---|---|
| 1 | I-Worm.Klez | 72.93% |
| 2 | I-Worm.Lentin | 23.62% |
| 3 | Win95.CIH | 0.27% |
| 4 | Trojan.Win32.Filecoder | 0.17% |
| 5 | Macro.Word97.Thus | 0.13% |
| 6 | I-Worm.Sircam | 0.13% |
| 7 | I-Worm.Magistr | 0.11% |
| 8 | Macro.Word97.Flop | 0.04% |
| 9 | I-Worm.Cervivec | 0.04% |
| 10 | I-Worm.Hybris | 0.03% |
| 11 | Backdoor.Death | 0.03% |
| 12 | Macro.Word97.Ethan | 0.03% |
| 13 | Win32.FunLove | 0.02% |
| 14 | Macro.Win97.Marker | 0.02% |
| 15 | Macro.Word97.TheSecond | 0.02% |
| 16 | Trojan.PSW.M2 | 0.01% |
| 17 | Backdoor.Antilam | 0.01% |
| 18 | Worm.Linux.Slapper | 0.01% |
| 19 | Palm.Phage | 0.01% |
| 20 | Nuker.Win32.Nabber | 0.01% |