News archive about antivirus software, virus threats, trojans
February 2002
W32.Fully.3424 -- Posted by Igor_Donchenko on Thursday, February 28 2002
W32.Fully.3424 is a Windows 32-bit virus that appears to have been written in assembly language. It contains several bugs and is unlikely to spread.
When W32.Fully.3424 is executed, it locates the base address of Kernel32.dll in memory and then parses that module's export table to find the functions it wants to use.
The virus carries several encrypted strings. These are encrypted copies of the names of the APIs it needs; keeping them encrypted hides the names from a plain string scan of the viral body, the same idea as the API-name hashing used by later Win32 malware. The export search proceeds as follows:
1. Walk the list of function names that Kernel32.dll exports.
2. Apply the same encryption to each exported name.
3. Compare the result with the encrypted strings carried inside the virus.
4. On a match, store the address of that function in a table for later use.
Once it has the addresses it needs, the virus searches the hard drive for executable files, starting at C:\ and looking for files with the .exe extension. It tries to infect only the first two files it finds. The infection routine contains several bugs, so the virus is unlikely to replicate. The routine is as follows:
1. Attempt to open the file.
2. Confirm that it is a Windows Portable Executable file by looking for the PE signature within the file.
3. Check several fields in the PE header and the section headers to decide whether the file can be infected.
4. If it can, copy the viral body to the end of the file and modify several header fields, including the entry point, so that the virus rather than the original program runs first when the infected file is executed.
After the virus has tried to infect the two files that it found, it displays the following message:
You will delete anything ? This future are not avaible !
Finally, after displaying the message, the virus jumps to a "random" location in memory. The jump appears to be an attempt to return control to the original host, but because of a bug in the viral code it generally causes Windows to stop responding.
Source: http://www.norton.com
W32.HLLP.Sharpei@mm -- Posted by Igor_Donchenko on Thursday, February 28 2002
W32.HLLP.Sharpei@mm is a virus that targets .exe files built for the Microsoft .NET Framework. Its replication code is written in C# and compiled to MSIL. A VBS component mass-mails the virus to every contact in the Microsoft Outlook address book; the attachment is named MS02-010.exe.
The virus arrives as an email message that has the following characteristics:
Subject : Important: Windows update
Message: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
Attachment: Ms02-010.exe
When the attachment is executed, the virus does the following:
It makes a copy of itself as C:\Ms02-010.exe.
It drops the file Sharp.vbs, which then performs the mass-mailing routine, sending the previously described message. Sharp.vbs then deletes itself.
NOTE: Even if you have not updated to the virus definition set that includes detection for W32.HLLP.Sharpei@mm, the Sharp.vbs file will be detected heuristically by Norton AntiVirus as Bloodhound.VBS.Worm. Once you have updated to this definition set, it will be detected as W32.HLLP.Sharpei@mm.
After the messages are successfully sent, they are deleted from the Outlook Sent folder. As a result, you will not see the messages in Outlook. This is an attempt to hide its activity.
If Mscoree.dll is found in the \System folder, the virus creates Cs.exe in the \Windows folder and then executes it. The virus assumes that this library is present only when the Microsoft .NET Framework is installed. Cs.exe is a .NET executable written in C# and runs only under the .NET Framework.
Finally Ms02-010.exe creates the following key in the registry:
HKLM\Software\Sharp
with a string value set to the path of the .exe that was run. This will be used later as a reference from Cs.exe to the executed application. This portion of the virus code is Intel assembly, which can run on all Intel-based Win32 systems.
Cs.exe runs in the .NET Framework and looks for the "Sharp" key in the registry to get a path to the application that executed it. This portion of the code is a complete prepending virus logic written in C#. The virus copies the complete contents of Ms02-010.exe to the front of .NET executables in the \Program Files and \Windows folders.
When an infected executable is run, it attempts to mail the virus again and looks for other files to infect, then runs the original host program after itself whenever possible. During this process the virus uses temporary file names such as Hostcopy.exe and Temp.exe, which it then deletes.
The virus portion also creates another Sharp.vbs file that only contains code to display a message. This file is created in the \Windows Startup folder, so that it appears when you start Windows.
Cs.exe attempts to handle some exceptions, but in our test environment it produced .NET Framework error messages. However, the virus was able to infect .NET files on the system.
Source: http://www.norton.com
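The two infection styles in this post and the W32.Fully.3424 post above (an appender that adds its body to the end of the host and redirects the entry point, and a prepender that writes itself in front of the host) leave traces in the PE headers that a static check can pick up. The following is an added example, not code from Symantec or from either virus. It parses the PE headers itself and runs on constructed, header-only PE32 images built in memory; the sample files, their section layouts, the 3424-byte growth and the heuristics' thresholds are assumptions made for the illustration.

```python
import struct

# Constants from the PE file format (winnt.h).
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data, base=0):
    """Parse the PE image starting at file offset `base`: returns (AddressOfEntryPoint, sections,
    file offset just past the last raw section).  Raises ValueError or struct.error otherwise."""
    if struct.unpack_from("<H", data, base)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header at offset %#x" % base)
    nt = base + struct.unpack_from("<I", data, base + 0x3C)[0]      # e_lfanew
    if struct.unpack_from("<I", data, nt)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    coff = nt + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, end = [], 0
    for i in range(num_sections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
        end = max(end, rawptr + rawsize)
    return entry_rva, sections, base + end


def entry_point_findings(data):
    """Appender heuristics (W32.Fully style): the body is added to the end of the file and the
    entry point redirected into it, so the entry point lands where a compiler would not put it."""
    entry_rva, sections, _ = parse_pe(data)
    home = next((i for i, s in enumerate(sections)
                 if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        return ["entry point %#x lies outside every section" % entry_rva]
    s, findings = sections[home], []
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("entry point is in the last section (%s)" % s["name"])
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % s["name"])
    if not s["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %s is not marked as code" % s["name"])
    return findings


def find_prepended_host(data):
    """Prepender heuristic (W32.HLLP.Sharpei style): the virus image comes first and the untouched
    host follows, so a second valid PE image sits at or after the end of the first.  Returns its offset."""
    _, _, end = parse_pe(data)
    pos = data.find(b"MZ", end)
    while pos != -1:
        try:
            parse_pe(data, pos)
            return pos
        except (ValueError, struct.error):
            pos = data.find(b"MZ", pos + 1)
    return None


def build_pe(sections, entry_rva):
    """Constructed, header-only PE32 image for testing; each section is
    (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)  # i386, PE32
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, va, vs, rp, rs, ch in sections)
    image = bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + hdrs
    return image.ljust(max(rp + rs for _, _, _, rp, rs, _ in sections), b"\0")  # pad to raw end


# Constructed samples: a clean two-section file, the same file after an appender grew .data by a
# 3424-byte body and moved the entry point into it, and a prepended copy (virus image, then host).
TEXT = (b".text", 0x1000, 0x200, 0x400, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (b".data", 0x2000, 0x100, 0x600, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN_PE = build_pe([TEXT, DATA], 0x1010)
GROWN_DATA = (b".data", 0x2000, 0x100 + 3424, 0x600, 0x200 + 3424, DATA[5] | IMAGE_SCN_MEM_EXECUTE)
APPENDED_PE = build_pe([TEXT, GROWN_DATA], 0x2100)
PREPENDED_PE = build_pe([TEXT, DATA], 0x1010) + CLEAN_PE

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("appended", APPENDED_PE), ("prepended", PREPENDED_PE)):
        print(label, entry_point_findings(blob), find_prepended_host(blob))
```

These are heuristics, not signatures: packers and some linkers also leave the entry point in a writable last section, and installers legitimately carry a second PE image as overlay data, so a finding is a reason to look closer rather than a verdict.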
Another record year for Panda Software in 2001 -- Posted by Igor_Donchenko on Tuesday, February 26 2002
In 2001, Panda Software grew at a spectacular rate. This growth was to a large extent fueled by the global expansion of the company, with the opening of offices in 13 new countries: Bulgaria, Yugoslavia, Hungary, Poland, Russia, Malaysia, Puerto Rico, Dominican Republic, Slovenia, Malta, Uruguay, Venezuela and Ecuador.
Since the beginning of this year, Panda Software also has representatives in the UAE, Turkey, Costa Rica and the Czech Republic. These new offices bring the total number of countries in which the European multinational is present to forty-five. In addition to the countries mentioned, Panda also has offices in: Germany, Belgium, Bolivia, Canada, Chile, China, Colombia, Denmark, USA, Slovakia, Spain, Finland, France, Greece, Holland, Iran, Italy, Lithuania, Mexico, Norway, Nigeria, Peru, Portugal, UK, South Africa, Sweden and Switzerland.
This rapid development and expansion process has led to a 44 percent increase in Panda Software’s sales compared with 2000, achieving more than 35 million euros. Similarly, the sales of the company’s solutions by Internet also rose dramatically, multiplying six-fold compared to last year.
The US subsidiary of Panda Software is also expanding, with an outstanding 110 percent increase in sales in 2001. This rise was aided in part by the tough comparative review carried out by PC World USA, one of the most widely-read magazines in the world, proclaiming Panda Antivirus Platinum "Undisputed Champ" over rival antivirus products.
Between 1995 and 2000 Panda Software was one of Europe's fastest-growing and most job-creating companies (number 57, to be precise), and was nominated for the "Europe's 500" list compiled by GrowthPlus, the international non-profit entrepreneurs' group. In addition, 53 percent of executive posts are held by women, and the average age of the Panda Software team is twenty-seven.
Source: http://www.pandasoftware.com
Mown.Demo -- Posted by Igor_Donchenko on Sunday, February 24 2002
Mown.Demo is a concept virus that demonstrates how to exploit users' natural interest in Internet sites together with the fact that Windows treats any file with a .com extension as an executable and runs it when it is opened.
In this case the demo virus was distributed as a DOS executable named www.cnn.com. It could, of course, be distributed under any file name with a .com extension chosen to look like the address of an Internet site.
The only functionality of Mown.Demo is to print the following message:
If this had been a malicious program, I would have 0wnZ3D Y00! It seems that any line starting with 'begin' in the body of the message is automatically decoded as uuencoded data by MicroShaft Outlook. Give the filename a .com ending and people think it is a web page link and not an executable file. So be careful! Greetings, Michael. Press a key to continue.
Source: http://www.norton.com
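One mail-gateway check for the trick described above, added here as an example (it is not code from the page's source or from the demo's author): flag attachment names that read like a web address but end in an extension Windows will execute, including names carried in uuencode "begin" lines that Outlook decoded out of the message body. The extension list, the host-name heuristic and the sample message are assumptions constructed for the example.

```python
import re

# Extensions Windows runs directly when the file is opened (constructed, non-exhaustive list).
EXECUTABLE_EXTENSIONS = {"com", "exe", "bat", "cmd", "pif", "scr", "vbs"}

# uuencode header line: "begin <octal mode> <filename>".  Outlook decoded such lines found in a
# message body as an attachment, so the file name appears in the body itself.
UUENCODE_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(?P<name>\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def executable_disguised_as_site(filename):
    """True when `filename` reads like a host name (www.cnn.com) but ends in an extension Windows executes.

    Heuristic assumed for this example: the last label is an executable extension, and the name
    either has at least three labels or starts with a label users associate with web sites.
    """
    labels = filename.strip().lower().split(".")
    if len(labels) < 2 or labels[-1] not in EXECUTABLE_EXTENSIONS:
        return False
    return len(labels) >= 3 or labels[0] in ("www", "ftp")


def suspicious_uuencoded_names(body):
    """File names of uuencoded attachments in `body` that are executables disguised as site names."""
    return [m.group("name") for m in UUENCODE_BEGIN.finditer(body)
            if executable_disguised_as_site(m.group("name"))]


# Constructed sample message body; the encoded line is a placeholder, not a real program.
SAMPLE_BODY = """Hi, have a look at today's front page:

begin 644 www.cnn.com
M...placeholder uuencoded data line...
`
end
"""

if __name__ == "__main__":
    print(suspicious_uuencoded_names(SAMPLE_BODY))   # ['www.cnn.com']
```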
Yarner: Not Every Anti-Virus Is the Real McCoy -- Posted by Igor_Donchenko on Thursday, February 21 2002
Kaspersky Labs, an international data-security software developer, announces the detection of a new, highly dangerous Internet worm, "Yarner", that disguises itself as the anti-virus program YAW. Mass infections caused by this malicious program have been reported in Germany.
Yarner hides under the guise of an official newsletter from a popular German web site that deals with anti-virus security problems.
Yarner spreads via e-mail in attached files. An infected e-mail has the following characteristics:
The sender's address is chosen at random from the following:
- Trojaner-Info [the actual e-mail address of the infected computer]
or
- Trojaner-Info [webmaster@trojaner-info.de]
Attachment: YAWSETUP.EXE
Subject: Trojaner-Info Newsletter [infected computer's current date]
Body:
Hello!
Welcome to the latest newsletter issue of the web site Trojaner-Info.de. Here are the topics at a glance:
1. YAW 2.0 - Our dialer warner in a new version
************************************
1. YAW 2.0 - Our dialer warner in a new version
Many have it and many like it: our dialer warner YAW. YAW is now available in a brand-new and greatly extended version. All our newsletter readers get it free of charge together with this newsletter. So just run the attached file and install YAW 2.0. If you have questions, the programmer of this so far unique program, Andreas Haak, is available at andreas@ants-online.de. Have fun with YAW!
************************************
That was today's issue with the latest Trojaner-Info news. We thank you for your attention and wish all readers a pleasant week.
Kind regards
Thomas Tietz & Andreas Ebert ************************************ Number of subscribers: 5,966. Average visits per day: 4,488. This mail is not spam! You received this newsletter because you were added to our distribution list. If you did not subscribe to our newsletter yourself, but another person did so without your knowledge, you can unsubscribe on our pages. Or simply send us a corresponding e-mail. ************************************
If a user opens the attached YAWSETUP.EXE file without caution, and no active anti-virus is in use, the worm launches its infection procedure on the victim computer and begins spreading.
Firstly, Yarner creates an additional file in the Windows directory with a random name (up to 100 characters) and registers the file in the Windows registry auto-run key. In this way the worm is activated on each system restart.
To send itself via e-mail, Yarner reads the MS Outlook address book and scans all .PHP, .HTM, .SHTM, .CGI and .PL files in the Windows directory for e-mail addresses. The harvested addresses are written to the files KERNEI32.DAA and KERNEI32.DAS.
Following this, the worm connects to a remote SMTP server, through which the worm sends its copies.
Yarner has exceptionally dangerous and destructive features. In one case out of ten, after sending its e-mail copies, the worm destroys all data on the infected computer.
"Trojaner-Info, in whose name the infected messages are supposedly sent, is a popular German resource for solving anti-virus security problems. This service has no relationship whatsoever to the current epidemic. What is occurring now simply confirms once again that an e-mail address and a message text can be easily falsified, and with the use of this trick a user has a malicious program thrust upon him or herself," commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs.
In connection with the latest epidemic, Kaspersky Labs once again recommends that users be absolutely careful when dealing with attached files, even if they have purportedly arrived from an anti-virus developer.
Defense procedures thwarting the Yarner Internet worm have already been added to the Kaspersky Anti-Virus database.
Source: http://www.avp.ru