News archive about antivirus software, virus threats, trojans
November 2002
Kaspersky Labs presents the Virus Top 20 for the month of October. -- Posted by Igor_Donchenko on Friday, November 8 2002
The percentage shown for each virus is its share of registered incidents.

| Position | Virus | Percentage by occurrence |
|---|---|---|
| 1 | I-Worm.Tanatos | 44.9% |
| 2 | I-Worm.Lentin | 21.6% |
| 3 | I-Worm.Klez | 14.0% |
| 4 | Macro.Word97.Thus | 3.1% |
| 5 | I-Worm.Hybris | 1.1% |
| 6 | I-Worm.Magistr | 1.0% |
| 7 | Macro.Win97.Marker | 1.0% |
| 8 | I-Worm.Sircam | 0.7% |
| 9 | Macro.Word97.Flop | 0.7% |
| 10 | Macro.Word97.Ethan | 0.5% |
| 11 | Macro.Word97.TheSecond | 0.5% |
| 12 | Macro.Word97.Onex | 0.4% |
| 13 | Macro.Word97.Story | 0.3% |
| 14 | I-Worm.Cervivec | 0.3% |
| 15 | Joke.Win32.Train | 0.3% |
| 16 | Backdoor.Death | 0.3% |
| 17 | Macro.Word97.Dig | 0.3% |
| 18 | Macro.Word97.Melissa | 0.3% |
| 19 | Trojan.PSW.Gip.113 | 0.2% |
| 20 | Trojan.Win32.Erase2002 | 0.2% |

Your Mobile Phone Is Safe - Don't believe virus hoaxes -- Posted by Igor_Donchenko on Friday, November 8 2002
Kaspersky Labs brings attention to the spread of a rumor among Internet users regarding a new computer virus that infects mobile telephones and renders them junk. The message being sent around looks as follows:
If you receive a phone call and your mobile phone displays ACE-? on the screen DON'T ANSWER THIS CALL - END THE CALL IMMEDIATELY. IF YOU ANSWER THE CALL, YOUR PHONE WILL BE INFECTED BY THIS VIRUS.
This virus will erase all IMEI and IMSI information from both your phone and your SIM card, which will make your phone unable to connect with the telephone network.
You will have to buy a new phone. This information has been confirmed by both Motorola and Nokia. There are over 3 million mobile phones being infected by this virus in USA now. You can also check this news in the CNN web site.
Please forward this piece of information to all your friends.
Kaspersky Labs reports that this virus does not exist, and therefore classifies "Ace-?" with other such virus rumors as a hoax. We recommend that users refrain from further spreading this unfounded virus rumor and in turn inform colleagues and friends that this is actually a "non-existent" or "hoax" virus.
Source: http://www.avp.ru
Network Worm "Roron" - Red Alert! -- Posted by Igor_Donchenko on Friday, November 8 2002
Kaspersky Labs, an international data security software developer, reports the appearance of a new network worm named "Roron", constructed in Bulgaria. Presently six variations of the worm have already been detected and have been credited with infecting computers in many regions including the U.S.A., Russia and a slew of European countries.
Destructive functions and features include a built-in back-door intended for unsanctioned remote control of victim computers and the ability to spread via many communication channels - all of which places this worm in an especially high danger category.
"Roron" spreads using several data transfer channels: via email as an attached file, via local area networks and via the KaZaA file-sharing network. Systems become infected only if a user manually launches (opens) the file containing the worm that was received via one of the aforementioned sources. When penetrating a computer, "Roron" creates a copy of itself in the Windows system directory and in Program Files and then registers one of these files in the system registry's auto-run key. In this way the worm ensures its activation each time the system is booted. Sometimes, when infecting, the worm displays a false warning:
WinZip Self-Extractor License Confirmation Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted. Please contact the program vendor or the web site (www.WinZip.com) for additional information.
After the infection routine is complete, "Roron" activates its spreading routines:
- To spread via e-mail it clandestinely creates a message that may have different subjects, texts and attached file names. Then it sends this message to the recipients whose addresses it found in the InBox folder of the infected computer.
- To spread via local area networks the worm searches available network resources, locates those having file-sharing resources and copies itself there under a random name. In this way "Roron" may place copies of itself on public file servers, which may lead other network users to download these files and infect their own machines.
- To spread via the KaZaA network the worm searches for KaZaA file-sharing folders where it inserts its copy, thus making it available for download by other KaZaA users.
"Roron" carries a very impressive armory of extremely dangerous payload and backdoor functions. If the infected computer has a mIRC client installed (software used to access Internet Relay Chat (IRC) channels), the worm infects it with a backdoor component. This allows a malicious person to gain unauthorized remote control over the infected computer: unnoticed, a malefactor can download, upload and execute files, send out e-mail messages on behalf of the user, etc. The backdoor component also carries a feature for performing DoS (Denial of Service) attacks from the infected computer against other computers specified by the hacker. Therefore, if "Roron" causes a global outbreak infecting as high a number of systems as Tanatos (BugBear) or Lentin (Yaha), it may enable hackers to perform massive distributed DoS attacks even more powerful than the huge attack that occurred two weeks ago, when 13 Internet "backbone" servers were attacked, ultimately bringing nine of them temporarily down.
"Roron" also destroys data stored on hard drives. This payload is activated when at least one of the following conditions is fulfilled:
- the current system date is the 9th or 19th (regardless of the current month)
- one of the worm's core components is deleted (WINFILE.DLL)
- the worm's Windows system registry keys are deleted
- randomly, depending on the worm's internal counter

"Roron" also searches for some anti-virus software programs in the operating memory and deactivates them. In addition the worm tries to delete this anti-virus software from the hard drive.
Search: http://www.avp.ru/
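
As an added illustration (not Kaspersky Labs' code), the Python below turns the behaviour described above into a triage check over a host file inventory: identical content in both the Windows system directory and Program Files with one copy set to auto-run, plus which of the listed non-random payload conditions a planned cleanup step would meet. The directory prefixes, the KaZaA share path, the function names and the sample inventory are assumptions made for the example.

```python
from collections import defaultdict

SYSTEM_DIRS = ("c:/windows/system/", "c:/windows/system32/")  # assumed; adjust per host
PROGRAM_FILES = "c:/program files/"
P2P_SHARE = "c:/program files/kazaa/my shared folder/"  # assumed share path

def norm(path):
    return path.replace("\\", "/").lower()

def zone(path):
    p = norm(path)
    if p.startswith(P2P_SHARE):  # checked first: the share lives under Program Files
        return "p2p_share"
    if p.startswith(SYSTEM_DIRS):
        return "system"
    return "program_files" if p.startswith(PROGRAM_FILES) else "other"

def roron_like(files, autoruns):
    """files: [(path, digest)], autoruns: [path] -> {digest: details} worth review."""
    by_hash = defaultdict(lambda: defaultdict(list))
    for path, digest in files:
        by_hash[digest][zone(path)].append(path)
    run = {norm(p) for p in autoruns}
    findings = {}
    for digest, zones in by_hash.items():
        copies = zones["system"] + zones["program_files"]
        # Same content in both directories, with one of the copies set to auto-run.
        if zones["system"] and zones["program_files"] and any(norm(p) in run for p in copies):
            findings[digest] = {"copies": sorted(copies), "shared": sorted(zones["p2p_share"])}
    return findings

def payload_triggers(today, planned_deletions, removes_registry_keys):
    """today: datetime.date. Lists the non-random payload conditions a cleanup plan meets."""
    hits = ["date"] if today.day in (9, 19) else []
    names = {norm(p).rsplit("/", 1)[-1] for p in planned_deletions}
    if "winfile.dll" in names:
        hits.append("core_component_deleted")
    if removes_registry_keys:
        hits.append("registry_keys_deleted")
    return hits

# Constructed inventory: paths, file names and digests are made up for illustration.
SAMPLE_FILES = [
    ("C:\\WINDOWS\\SYSTEM\\qwerty.exe", "aa11"),
    ("C:\\Program Files\\qwerty2.exe", "aa11"),
    ("C:\\Program Files\\KaZaA\\My Shared Folder\\setup.exe", "aa11"),
    ("C:\\Program Files\\Editor\\editor.exe", "bb22"),
]
SAMPLE_AUTORUNS = ["C:\\WINDOWS\\SYSTEM\\qwerty.exe", "C:\\Program Files\\Editor\\editor.exe"]
```

A non-empty result from `payload_triggers` means the planned step matches one of the conditions under which the text says the data-destroying payload activates; the random counter condition cannot be checked this way.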