News archive about antivirus software, virus threats, trojans

December 2002
Panda Software reports the appearance of the Lagel.A worm -- Posted by Igor_Donchenko on Monday, December 9 2002
Panda Software’s Virus Laboratory has been receiving reports of incidents caused by Lagel.A (W32/Lagel.A), a new worm that spreads via e-mail. The antivirus software developer advises users to treat all messages received with caution.
Lagel.A sends itself out in an e-mail with the attached file "iLLeGal.exe". If this file is run, the worm carries out the following actions on the affected computer:
- It displays several messages on the screen.
- It inserts entries in the Windows Registry in order to ensure it is run every time Windows is started up.
- It creates the following files:
  - %sysdir%\Mplayer.exe. This is run on every Windows start-up.
  - %sysdir%\iLLeGal.exe, which contains the worm’s code.
  - %sysdir%\Mmails.dll, which contains the e-mail addresses the worm obtains from the system.
  - %sysdir%\SMTP.ocx. This file is used by Lagel.A to send out the messages that carry it.
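
The file list above can be turned into a quick triage check of a system directory listing. The following is an added example, not code from Panda Software or from this archive; the function names, the sample listings and the scoring rule (a single generic name is weak, iLLeGal.exe or two or more artifacts together warrant investigation) are assumptions made for illustration.

```python
import os

# File names the article lists under %sysdir% for Lagel.A, with the role it gives each.
LAGEL_ARTIFACTS = {
    "mplayer.exe": "run on every Windows start-up",
    "illegal.exe": "contains the worm's code",
    "mmails.dll": "e-mail addresses obtained from the system",
    "smtp.ocx": "used to send out the messages that carry the worm",
}

def _key(name):
    """Bare file name, lower-cased: Windows file names are case-insensitive."""
    return os.path.basename(name.replace("\\", "/")).lower()

def match_artifacts(names):
    """Return {listing_entry: role} for entries whose file name matches the list."""
    return {n: LAGEL_ARTIFACTS[_key(n)] for n in names if _key(n) in LAGEL_ARTIFACTS}

def assess(names):
    """Assumed triage rule (not from the article): one name that other software
    could also use is weak evidence; iLLeGal.exe, or two or more artifacts in
    the same directory, is worth investigating."""
    hits = match_artifacts(names)
    matched = {_key(n) for n in hits}
    if "illegal.exe" in matched or len(matched) >= 2:
        verdict = "investigate"
    elif matched:
        verdict = "weak"
    else:
        verdict = "clean"
    return verdict, hits

def scan_sysdir(path):
    """Assess a real directory, e.g. the Windows system directory of a host under triage."""
    return assess(os.listdir(path))

# Constructed sample listings, not taken from a real host.
SAMPLE_INFECTED = ["kernel32.dll", "MPLAYER.EXE", "Mmails.dll", "SMTP.ocx", "iLLeGal.exe"]
SAMPLE_BENIGN = ["kernel32.dll", "mplayer.exe", "notepad.exe"]

if __name__ == "__main__":
    for label, listing in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        verdict, hits = assess(listing)
        print(label, verdict, sorted(hits))
```

A file-name match is only a lead: confirm it against the registry start-up entries the article mentions and with an antivirus scan before acting on it.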
The Virus Top Twenty for November 2002 -- Posted by Igor_Donchenko on Thursday, December 5 2002
Kaspersky Labs presents the Virus Top 20 for the month of November.
The percentage shown is each virus's share of registered incidents.

| Position | Virus | Percentage by occurrence |
|---|---|---|
| 1 | I-Worm.Lentin | 27.7% |
| 2 | I-Worm.Klez | 23.4% |
| 3 | I-Worm.Tanatos | 3.2% |
| 4 | Macro.Word97.Thus | 2.5% |
| 5 | I-Worm.Bridex | 1.4% |
| 6 | Worm.Win32.Opasoft | 1.3% |
| 7 | Macro.Win97.Marker | 1.3% |
| 8 | I-Worm.Hybris | 1.3% |
| 9 | Macro.Word.Cap | 1.0% |
| 10 | Win32.Elkern | 0.8% |
| 11 | Macro.Word97.VMPC | 0.8% |
| 12 | Macro.Word97.Flop | 0.8% |
| 13 | Win32.FunLove | 0.6% |
| 14 | I-Worm.Magistr | 0.6% |
| 15 | Macro.Word97.Saver | 0.6% |
| 16 | Win95.Spaces | 0.6% |
| 17 | Macro.Word97.TheSecond | 0.5% |
| 18 | I-Worm.KakWorm | 0.5% |
| 19 | I-Worm.Winevar | 0.5% |
| 20 | Macro.Word97.Claud | 0.5% |

"Korean" Worm getting faster in spreading -- Posted by Igor_Donchenko on Thursday, December 5 2002
Kaspersky Labs is warning all users against the new Internet worm "Winevar" (also known as "Korean Worm"). This malicious program was detected last week.
Winevar spreads through e-mail. An infected message can have different subjects, bodies and names of attached files. For instance:

When the worm gets into a potential victim's e-mail box, it tries to penetrate the computer unnoticed, using the following vulnerabilities in the MS Internet Explorer security system:
- Microsoft VM ActiveX Component
- IFRAME Vulnerability

These allow the computer to be infected immediately upon reading the message. Having penetrated a system, the worm modifies the Windows start-up files so that it is activated upon system restart and begins to spread. To do so, it scans all HTM and DBX files found on the computer and extracts e-mail addresses. The worm then sends copies of itself to these addresses using a direct connection to the default SMTP e-mail server.
Winevar has several extremely dangerous payloads, which can lead to the irrecoverable loss of data. Firstly, the worm removes anti-virus programs, debuggers and firewalls from memory and from the disks. In some cases Winevar can also delete all other files on the computer. Secondly, the worm infects the computer with the virus Win32.Funlove. Thirdly, Winevar carries out DoS attacks on Symantec's Web site by launching an endless loop of HTTP requests sent to it.
Source: http://www.kaspersky.com