Antivirus World
News archive about antivirus software, virus threats, trojans

December 2004

U.S. Judge Refuses to Accept Guilty Plea on Spam -- Posted by Igor_Donchenko on Friday, December 24 2004
NEW YORK (Reuters) - A federal judge on Tuesday refused to accept a guilty plea from a former America Online employee accused of selling the Internet provider's customer list to a "spammer," saying he was unsure a crime had been committed.

U.S. District Judge Alvin Hellerstein stopped a hearing at which Jason Smathers was to plead guilty to conspiracy and interstate trafficking of stolen property, saying he had a "technical question" about the alleged crime.

At issue, the judge said, is whether the actions rose to the level required by a new antispam law, which states that spam must be not only annoying but deceptive. Spam is the term widely used for unsolicited commercial e-mails, often hawking products to combat sexual dysfunction or promote weight loss.

"Everybody has spamsters, but mine is a technical question," the judge said. "I don't think it's deceptive or misleading to the recipient."

The judge, who said he once used AOL but quit the provider because of the amount of spam he received, asked prosecutors to submit a legal brief by Jan. 12 with more information.

The judge also set a hearing for Jan. 28 at which time he could decide to accept the plea.

"I need to be independently satisfied that a crime has been committed," he said.

The case by federal prosecutors charges that Smathers, of Harpers Ferry, West Virginia, stole a list of 92 million customer screen names from AOL, a Time Warner Inc. unit, and sold it to an Internet marketer.

The marketer then allegedly used the list to promote his online gambling operation and sold the names to other spammers, according to prosecutors.

Smathers, 24, faces up to 15 years in prison on charges of conspiracy and interstate trafficking of stolen property, but was expected to receive a sentence closer to 18 to 24 months.

After the hearing was unexpectedly cut short, an attorney for Smathers said "everything has been thrown open now" by the judge's refusal to accept his client's plea.

"This is a new statute," the attorney, Jay Goldberg, said. "He is questioning whether the conduct here met the standard of deception."

Source: Reuters

Virus Top Twenty for November 2004 from Kaspersky Labs -- Posted by Igor_Donchenko on Thursday, December 9 2004
Ranking  Change  Virus Name          Percentage
1        +6      I-Worm.Bagle.at     21.39%
2        +12     I-Worm.Mydoom.ab    11.52%
3        -2      I-Worm.Netsky.q      8.70%
4        +4      I-Worm.Zafi.b        7.83%
5        -3      I-Worm.Netsky.aa     7.33%
6        +6      I-Worm.LovGate.w     5.69%
7        -4      I-Worm.Netsky.b      5.39%
8        new     I-Worm.Bagle.au      4.89%
9        -4      I-Worm.Bagle.z       2.90%
10       -4      I-Worm.Mydoom.m      2.60%
11       +6      I-Worm.Mydoom.r      2.17%
12       -1      I-Worm.NetSky.y      1.65%
13       new     I-Worm.Bofra.b       1.58%
14       new     I-Worm.Sober.i       1.37%
15       -5      I-Worm.NetSky.d      1.33%
16       -3      I-Worm.Mydoom.l      1.33%
17       -8      I-Worm.NetSky.t      1.21%
18       new     I-Worm.LovGate.ad    0.82%
19       -4      I-Worm.NetSky.r      0.82%
20       -4      I-Worm.Bagle.gen     0.57%
Other malicious programs (not in the Top 20)  8.89%

Bagle.at has finally made it to the top of the ratings this November. Bagle.at and Mydoom.ab appeared at the tail end of October (numbers 14 and 7 respectively), but both worms really gained ground only in November, heading the list as a result. Moreover, Mydoom.ab joins the 2004 record holders by jumping 12 places.

On the whole, November marks the end of the NetSky monopoly, with 4 new worms making their first appearance to push NetSky variants aside. Bofra.b and Sober.i are undoubtedly two of the more interesting examples.

Bofra.b is based on Mydoom source code, but the alterations are significant enough to create a separate family. The naming of Bofra was a joint effort among antivirus vendors; for a long time many vendors thought that the worm was simply a new version of Mydoom. However, it was eventually agreed that the worm was a new malicious program which deserved its own name. This decision was reached because Bofra penetrates computers in a different way from Mydoom. It launches an HTTP server on the victim machine, and a specially constructed HTML page is placed on this server. The HTML page is coded to exploit the IFrame buffer overflow vulnerability in Internet Explorer. The emails that Bofra sends don't have a copy of the worm attached; instead the message contains a link to an already infected machine. If the user clicks on this link, their machine will call the infected page, and Bofra will penetrate the computer.

Sober.i is another interesting novelty in this month's top twenty. Millions of users (mainly in Germany and Austria, but also in other European countries) were spammed with this latest variant of the worm, which caused a brief epidemic. The outbreak was short-lived due to errors in the worm's coding; these errors were present even when Sober first appeared at the end of 2003. They cause the worm to send meaningless data by email instead of its own body.

Zafi.c, which was first detected in October, didn't make it into the Top Twenty. One of its forerunners, though, climbed four places and narrowly missed a place in the top three - shades of summer 2004, when it led the ratings.

The Korean worm LovGate.w has been resident in the Top Twenty for a long time. However, this month it also appeared in a new form - LovGate.ad. This variant was detected in July 2004, but up until now hadn't made the ratings. In contrast to all the other worms in this month's top twenty, it wasn't spammed, but uses a more classic propagation method: spreading initially from a small number of infected computers, then gradually picking up momentum. The fact that LovGate has taken 6th and 18th place this month is evidence that such propagation methods are still effective.

This month's top twenty is made up exclusively of email worms. However, November was a month which saw more than 40 phishing attacks, with the phishing emails being spammed widely. In terms of volume, many of these emails are almost candidates for the top twenty. This is disturbing, as such emails are sent once, in contrast to a worm which sends out millions of copies of itself - we can therefore conclude that phishing attacks are now almost comparable in scale to worm epidemics. Because of this, the next top twenty may well include some of the malicious programs used in phishing attacks.

Other malicious programs not listed here made up 8.89% of all the virus traffic. Overall, more than 200 distinct malicious programs were detected in mail traffic over the last month.

Source: http://www.kaspersky.com

Top Ten viruses most frequently detected by Panda ActiveScan in November -- Posted by Igor_Donchenko on Thursday, December 9 2004
November has been an erratic month in terms of virus activity. Although in general it has been relatively quiet, there has been some cause for concern, such as the appearance of Sober.I and the Tasin family of worms. However, Downloader.GK was once again the most active malicious code.

According to November's Top Ten, based on the data gathered by Panda ActiveScan, the free online scanner, the Downloader.GK Trojan was, for the sixth month running, the malicious code responsible for most attacks. A long way off in second place came Mhtredir.gen, the generic detection for a family of Trojans that allows attackers to take malicious action on affected systems.

Netsky.P, first detected in March of this year and which exploits an old vulnerability in Microsoft Internet Explorer, and Mabutu.A, the email worm that acts as a backdoor Trojan, were third and fourth respectively in the Top Ten.

In fifth place came Citifraud.A, a Trojan detected for the first time at the beginning of November and designed to carry out phishing attacks. As with most Trojans, and despite the fact that there has not been an epidemic as such, its activity has been intense.

Sasser.ftp, a script created by the Sasser worms to install themselves on computers via FTP, and Gaobot.gen, the generic detection for a family of worms that steal confidential data from the systems they affect, were in sixth and seventh place respectively in the ranking.

StartPage.FH, a Trojan designed to install malware on the computers it affects, and the Bagle.BC worm were eighth and ninth in the list. Finally, Qhost.gen, a generic detection for the modifications made to the HOSTS file by various Trojans, closes this edition of the Top Ten.

Virus Name               Percentage
Trj/Downloader.GK        19.47%
Exploit/Mhtredir.gen      6.86%
W32/Netsky.P.worm         4.70%
W32/Mabutu.A.worm         4.62%
Trj/Citifraud.A           4.34%
W32/Sasser.ftp            3.54%
W32/Gaobot.gen.worm       3.27%
Trj/StartPage.FH          3.05%
W32/Bagle.BC.worm         2.98%
Trj/Qhost.gen             2.93%

The following conclusions can be drawn from the data collected by Panda ActiveScan in November:

- Use of malicious code for financial gain. Of the ten viruses in the ranking, seven could be used directly or indirectly for financial gain. This could be through selling personal data, phishing-type fraud, stealing of confidential data, or by taking remote control of users' computers.

- Significant activity of Trojans and worm/Trojans. In relation to the previous point, in November the trend that started some months ago has continued, with the prevalence of Trojans or worm/Trojans such as Mabutu.A. Both these types of malware are widely used by cyber-crooks to carry out fraud.

- Software vulnerabilities still represent a major threat. Five of the malicious programs in this month's Top Ten exploit vulnerabilities in software installed on computers in order to carry out their malicious action. Nevertheless, the fact that none of these vulnerabilities was discovered recently, and that there has been plenty of time to apply the patches needed to fix them, indicates that many users are not updating their systems frequently enough. This is why software vulnerabilities continue to be a serious threat: they allow the propagation of a wide variety of malicious code, regardless of whether the flaw has recently been discovered or has been known for some time.

Source: http://www.pandasoftware.com

© AntivirusWorld.com