 News archive about antivirus software, virus threats, trojans 

February 2004

Three-in-one! Shampoo? No, just computer viruses... -- Posted by Igor_Donchenko on Sunday, February 29 2004
BitDefender developers today launched warnings about three new versions of the Bagle computer virus, a strain that made the rounds of the computer world during the last week.

“We can see a clear evolution in the virus’ development,” says Daniel Ionita, Virus Researcher at BitDefender. “The virus writer seems to have a lot of time today, especially for giving a hard time to antivirus producers. Still, as our analysis squad got all the versions today, we were able to produce quick antidotes for all BitDefender users,” Daniel concluded.

BitDefender researchers revealed some technical differences from the first virus strains:

- The date when the virus is scheduled to stop all activity is now March 24, 2004.
- The attachments of the sent messages are one of the following:
  “Subj”
  “Request”
  “Empty”
  “Response”
  “Everything inside the attach”
  “Look it through”
- The names of the dropped files have changed:
  doc.exe is now called ii455nj4.exe
  readme.exe is now called i1ru74n4.exe
  readme.exeopen is now called i1ru74n4.exeopen
  ondo.exe is now called godo.exe
  Note that the size of the file "i1ru74n4.exe" now varies: the virus adds random bytes as an overlay to the file.
- The mutex name is the same as that of the C@mm variant: "imain_mutex".
- The user used to connect to the same pages is now named "oclivity".
- The registry keys have changed:
  HKCU\Software\DateTime4, with the only subkey "frun = 1"
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with the subkey "rate.exe = C:\Windows\System\i1ru74n4.exe"

Source: http://www.bitdefender.com

'Bizex' worm attacks ICQ users -- Posted by Igor_Donchenko on Tuesday, February 24 2004
Kaspersky Labs has issued a warning that Bizex, a new network worm, has been detected; it has caused the first global epidemic among users of ICQ, the Internet instant messaging system.

The ICQ message is sent to victim computers issuing an invitation to visit the hacker web-site 'jokeworld'. If the user visits this site, cartoons from the popular series 'Joecartoon' are shown to disguise the true nature of the site. At the same time, a Java virus imperceptibly penetrates the victim system; this virus uses a loophole in ICQ to secretly send a link to the site named above to all contacts in the computer owner's ICQ, as from the owner.

Kaspersky Labs recommends that users who receive a link to the 'jokeworld' site delete it immediately. Users should under no circumstances visit the site.

Description:

This worm uses the Internet instant messaging system ICQ to spread via the Internet.

The worm sends ICQ users a message with a URL, which is linked to a file which contains procedures to automatically download and execute the malicious component of the worm on the victim computer.

On connecting to the site http://www.jokeworld.xxx/xxx.html (x here is used to replace certain characters), the CHM-exploit-a is used. The result of this is that a specially constructed CHM file is automatically executed on the victim computer. This file contains another file named 'iefucker.html', which in turn contains TrojanDropper, a type of Trojan written in a script language. This Trojan extracts a file named WinUpdate.exe from itself to a range of system directories.

In Windows 2000 and Windows XP:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe

In Windows 98:
c:\windows\Start Menu\Programs\Startup\WinUpdate.exe

WinUpdate.exe is a Trojan program of the TrojanDownloader group, which downloads the main component of the worm from a remote site and writes it to the temporary directory under the name aptgetupd.exe.

This file gains access to the ICQ contact list and sends the above link to all addresses found. Additionally, this component of the worm has a theft function which enables it to steal a range of financial information. More detailed information on this function will be available in the near future.

Source: http://www.kaspersky.com

Virus Hackers in Competition -- Posted by Igor_Donchenko on Thursday, February 19 2004
Today Global Hauri, publisher of antivirus software solutions, announced another version of Win32/Netsky.worm.22016, also known as Netsky.b. It is a destructive worm with its own SMTP engine and spreads via e-mail by mailing itself to addresses found on the victim's machine. The worm manipulates the registry so that it restarts when the computer reboots, and it aims to disable antivirus applications. Oddly enough, this virus tries to remove the Mydoom and Mydoom.b worms from the registry to clean out “My Doom” registry information...

“This is not just another virus, that’s an open competition between hackers. We are going to see more B and C versions of existing viruses and worms. It’s like a new product release, the hackers add new sophisticated features,” explained Eric Kwon, CEO of Global Hauri.

This virus creates ‘serices.exe’ and ’40.zip’ under the “Windows” folder to confuse users of ‘SERVICES.EXE’. This worm spreads through P2P, e-mail and shared folders, taking e-mail addresses out of the PC's mail lists.

- Subject (one of):
Hello
hi
fake
information
read it immediately
something for you
stolen
unknown
warning

- Message:
anything ok?
do you?
what does it mean?
ok
i'm waiting
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
read the details.
here is the document.
read it immediately
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that's funny
reply
take it easy
why?
thats wrong
misc
something is going wrong
something is fool
you earn money
you feel the same
you try to steal
you are bad

Source: http://www.globalhauri.com

New mass-mailer is upon us -- Posted by Igor_Donchenko on Tuesday, February 17 2004
Bagle.B - a mass mailer worm - is now cruising at some speed along the information highways and back roads of our planet. The virus is in the wild and probably spreading. BitDefender Labs have detected infections in France and Germany, but there will likely be more to follow.

"Just like Bagle.A, this nasty has a lot of potential. Exactly as much as the original, actually, since few changes appear to have been made. Even the e-mail text has changed little. This minimalist approach to social engineering has worked once before. I wouldn't be surprised if it works again" declared Patrick Vicol, virus researcher for BitDefender Labs. Initial analysis shows that it was probably authored by the same person or group that coded Bagle.A.

There are some interesting details of this virus that might help to point out who the author may be. It sends notifications to various German bulletin boards, which may be an indication that the author or authors are German, as was the case with the author(s) of Sober.C. One other interesting fact is that this version was issued one month to the day after the first one made the rounds, which may suggest an orderly release cycle, an indication of an organized production process, or just a penchant for a particular date on the part of the author.

Source: http://www.bitdefender.com

Bagle.B - with Greetings from Holland -- Posted by Igor_Donchenko on Tuesday, February 17 2004
Today, Global Hauri assigned a medium to high risk to a new, fast-spreading variant of the Bagle I-worm, a.k.a. W32/Bagle.b@MM and W32.Alua@mm. This worm generates e-mails using addresses found in .WAB, .TXT, .HTM or .HTML files. Bagle.B spoofs the sender address, easily misleading recipients into believing the infected message came from a reliable source.

Symptoms of infection / virus briefing:

  1. Opens the sound recorder (sndrec32.exe).
  2. Creates au.exe in the Windows system folder.
  3. Opens TCP port 8866 and keeps it listening, so the machine can be remotely controlled.
  4. Sends HTTP requests over TCP port 80 to several, mainly German, websites:
     www.strato.de/1.php
     www.strato.de/2.php
     www.47df.de/wbboard/1.php
     www.intern.games-ring.de/2.php
  5. Modifies the registry to restart on booting:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     File name: au.exe
  6. It stops spreading on 2/25/04.

“There are many e-mail viruses rushing into the cyber world; the problem is that variants of different worms are generated. If you run an updated antivirus engine, Bagle.B should not be a problem. However, just putting it in quarantine is not enough, it needs to be destroyed to prevent re-infection,” said Global Hauri's CEO, Mr. Eric Kwon. “Global Hauri has already updated its definition for this virus to detect and destroy the virus, however please don’t open suspicious e-mail.”

Source: http://www.globalhauri.com

MailFrontier Introduces the First Integrated Anti-Spam, Anti-Fraud, Anti-Virus and Policy Management Suite -- Posted by Igor_Donchenko on Monday, February 16 2004
MailFrontier introduced today at DEMO 2004 MailFrontier Enterprise Gateway 3.0, the first integrated anti-spam, anti-fraud, anti-virus and policy management enterprise software suite, providing a comprehensive messaging security solution. MailFrontier Enterprise Gateway 3.0 is also the only enterprise-scale solution with a distributed architecture enabling IT departments to filter email at the perimeter of the corporation, while keeping management, settings, quarantine, and all user access within the secure corporate network.

"New and emerging threats to business email communication continue to cripple enterprise productivity, increase corporate liability, and raise costs," said Pavni Diwanji, CEO and co-founder of MailFrontier. "Our enterprise customers have asked for comprehensive and integrated threat protection from spam, fraud and viruses, as well as consistent policy management. MailFrontier Enterprise Gateway 3.0 meets the needs of even the most demanding enterprise environment, offering the industry's most complete, and tightly integrated messaging security system available today."

MailFrontier Enterprise Gateway 3.0 Platform
Building upon MailFrontier's best-of-breed anti-spam solution, and Directory Harvest Attack and Dictionary Attack protection, MailFrontier Enterprise Gateway 3.0 now offers virus and fraud protection, as well as advanced policy management capabilities. Available by the end of this quarter, key new features in MailFrontier Enterprise Gateway 3.0 include:

  • Anti-spam – MailFrontier has upgraded its best-of-breed anti-spam engine to address evolving spammer tricks. The newest of these techniques has been dubbed "ScrabbleSpam" by MailFrontier. By keeping the first and last letters of a word in place while scrambling some of the in-between letters randomly, spammers can write messages that the human mind reads and understands but that devastate spam filters. MailFrontier has pioneered the use of Lexigraphical Distancing™ to identify and filter out "ScrabbleSpam."
  • Anti-fraud – Fraudsters use email messages to steal highly sensitive corporate information and are exceedingly difficult to discern. MailFrontier Enterprise Gateway 3.0 is the only product that identifies and quarantines fraudulent emails. In addition, the suite contains a rich feature set that includes the ability to copy IT and security organizations on fraudulent emails entering the enterprise and to provide proactive fraud notifications to educate users and inform IT when a new type of fraud has appeared in the world at large but perhaps not yet in their corporate enterprise.
  • Anti-virus – MailFrontier provides the only solution that couples a top-tier anti-virus engine with live user community input to instantly capture new virus outbreaks. As seen with Sobig, tremendous volumes of bounced emails can be a secondary, and often more harmful, result of viruses. MailFrontier Enterprise Gateway leverages its community-based dynamic signatures to automatically capture these bounce floods.
  • Policy management – MailFrontier provides a robust and flexible, web-based, interface for the rapid creation of email rules – whether to prevent large file attachments, copy human resources on offensive language, or any other enterprise policy requirement. Users can be auto-notified of quarantined email and given the option to view and retrieve these messages.
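How a filter can undo the "ScrabbleSpam" trick described in the anti-spam bullet, as an added example (this is not MailFrontier's Lexigraphical Distancing and not code from the page): a word's first letter, its interior letters in sorted order and its last letter form a key that a scrambled word shares with its plain form, so a scrambled token can still be matched against a term list. The term list and the sample sentence are constructed.

```python
import re

# Constructed list of terms the filter wants to catch even when their interior
# letters are scrambled (assumption: a real deployment would use a far larger list).
FLAGGED_TERMS = ["viagra", "mortgage", "unsubscribe", "refinance"]


def scramble_key(word):
    """Key that is invariant under 'ScrabbleSpam' scrambling: first letter, the
    interior letters in sorted order, last letter. Case is ignored."""
    w = word.lower()
    if len(w) < 2:
        return w
    return w[0] + "".join(sorted(w[1:-1])) + w[-1]


# Precompute keys once so each token is a single dictionary lookup.
FLAGGED_KEYS = {scramble_key(term): term for term in FLAGGED_TERMS}


def interior_displacement(token, term):
    """Number of positions where the token's letters differ from the canonical
    term; 0 means the word was not scrambled at all."""
    return sum(1 for a, b in zip(token.lower(), term) if a != b)


def find_scrambled_terms(text):
    """Return (token, canonical term, displacement) for every word in the text
    whose scramble key matches a flagged term."""
    hits = []
    for token in re.findall(r"[A-Za-z]+", text):
        term = FLAGGED_KEYS.get(scramble_key(token))
        if term is not None:
            hits.append((token, term, interior_displacement(token, term)))
    return hits


if __name__ == "__main__":
    sample = "Unsbuscrbie here if vgiara or mrotgage offers bother you"  # constructed
    for token, term, moved in find_scrambled_terms(sample):
        print(f"{token!r} -> {term} ({moved} letters out of place)")
```

Because the key discards interior order, genuine words that share first and last letters and the same interior multiset (for example "salt" and "slat") collide, so a term list built this way should be checked for such pairs before it is used to reject mail.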
The MailFrontier Enterprise Gateway solution is architected to be flexible down to the user level. Filter settings, access rights, delegates, message management, and language blocking are just some of the options that can be configured to a set of defaults for the corporation and then customized for an individual or, now in version 3.0, for a group of users. An IT director can choose to offer end users, or groups of end users, particular options that empower users and eliminate help desk inquiries, while retaining administrative control at the IT level.

A critical requirement to eliminating system management, MailFrontier Enterprise Gateway 3.0 seamlessly integrates with enterprise customers' directory (LDAP) server. As users are added to the directory server, new user accounts are automatically created in MailFrontier Enterprise Gateway 3.0 with the same user names and passwords, email aliases are mapped, and user and group policies are transferred.

MailFrontier is focused on restoring trust in email and eliminating email forgery through strong domain authentication. The company is extending its leadership in email protection by leveraging its reputation database, which includes more than 20 million domains, and adding support for SPF and other domain authentication methods.

"We continue to see enterprise email hygiene purchase decisions driven largely by an immediate requirement to block spam, virus-infected messages and fraudulent email," said Matt Cain, senior vice president at META Group. "But increasingly we believe organizations will look for tightly integrated solutions that meet a broad range of email hygiene needs and create overall operational efficiencies and low ownership costs for ensuring a hygienic message system."

Source: http://www.mailfrontier.com

Updated anti-spam solution from Cirrus Techvue -- Posted by Igor_Donchenko on Friday, February 13 2004
Cirrus Techvue has released version 3.1 of Spam Sleuth that incorporates several new analysers and an enhanced Web interface. Spam Sleuth's extensible architecture allows for simply plugging in additional analysers as the nature of spam changes, making for rapid reaction to fresh spam-filter evasion techniques from the spammers. However, even the best spam filters run the risk of blocking legitimate mail, which could have consequences ranging from minor annoyance to a serious problem if the mail was truly important. Spam Sleuth can safeguard against this with an analyser it has had from the first release: the Turing Test.

The Turing Test consists of an immediate challenge that is sent to an unrecognised sender if the mail looks suspect. The sender immediately gets a polite request to click on a link and fill in a simple edit box with a few characters. Once they have done this, their mail is released, and, optionally, they can be added to the Friends list so as not to be challenged in future. The entire process completes in seconds, and effectively ensures that legitimate mail from a human sender is not quarantined.
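The challenge-response flow described above, as an added example that is not Spam Sleuth's code: mail from a known sender is delivered, suspect mail from an unknown sender is held behind a one-time token, a correct reply releases it and optionally adds the sender to the friends list, and challenges nobody answers (the usual outcome for spam sent from bogus addresses) expire. The three-day lifetime, the in-memory store and the injectable clock are assumptions; the characters the sender must type would in practice be rendered so that a machine cannot read them, which this example does not do.

```python
import secrets
import time

CHALLENGE_TTL = 3 * 24 * 3600   # assumed: unanswered challenges expire after 3 days


class ChallengeGate:
    def __init__(self, friends=(), now=time.time):
        self.friends = set(friends)
        self.pending = {}      # token -> (sender, message, expected answer, expiry)
        self.released = []     # messages delivered to the inbox
        self.now = now         # clock, injectable for testing

    def receive(self, sender, message, looks_suspect):
        """Deliver mail from friends (or mail that does not look suspect) directly;
        otherwise hold it and return the challenge to send back to the sender."""
        if sender in self.friends or not looks_suspect:
            self.released.append((sender, message))
            return None
        token = secrets.token_urlsafe(16)     # one-time link the sender clicks
        answer = secrets.token_hex(3)         # the 'few characters' for the edit box
        self.pending[token] = (sender, message, answer, self.now() + CHALLENGE_TTL)
        return {"token": token, "answer": answer}

    def respond(self, token, typed, add_friend=True):
        """Release the held message if the reply matches and the challenge has not
        expired; optionally remember the sender so they are not challenged again."""
        entry = self.pending.get(token)
        if entry is None:
            return False
        sender, message, answer, expires_at = entry
        if self.now() > expires_at or not secrets.compare_digest(typed, answer):
            return False
        del self.pending[token]
        self.released.append((sender, message))
        if add_friend:
            self.friends.add(sender)
        return True

    def expire(self):
        """Drop challenges nobody answered in time; returns how many were dropped."""
        now = self.now()
        dead = [t for t, e in self.pending.items() if e[3] < now]
        for t in dead:
            del self.pending[t]
        return len(dead)
```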

Colyn Dee, director of Cirrus Techvue, explained: "Virtually all spam comes from automated systems that spit out literally millions of e-mails a day, and usually from bogus e-mail addresses. In most cases, the challenges sent to spam will not reach a valid address, and the message will in due course be deleted without ever wasting the intended recipient's time. Even if the return address is valid, the spammers will not take the time to respond to the Turing Test - it's just not worth their while to do it manually, and it cannot be automated."

"The recent spate of e-mail-borne attacks, such as MyDoom, would have fizzled out if decent anti-spam software were widely deployed," he continued. "Spam filtering does not replace virus filtering, but adds to it and can make it several times more efficient - an important consideration for the larger businesses where anti-virus servers are often the bottleneck in the e-mail system."

Source: http://www.cirrus.co.za

Website promising "do not e-mail registry" is spam scam: US agency -- Posted by Igor_Donchenko on Friday, February 13 2004
WASHINGTON (AFP) - A website promoting a purported registry to stop unsolicited e-mail, or spam, is in fact a sham that probably harvests e-mail addresses for more spam, US regulators said.

"There is no 'National Do Not E-mail Registry'," the Federal Trade Commission said, warning that a website at unsub.us tricks Internet users into providing their addresses.

The site "mimics the language, look, and navigation of the website for the National Do Not Call Registry," which is aimed at stopping telemarketing calls.

"The FTC is concerned that the unsub.us site could be part of a high-tech scam that uses a deceptive website to trick consumers into disclosing their e-mail address or other sensitive personal information," the agency said.

"This site may be a ruse to collect valid e-mail addresses to sell to spammers. The result could be even more spam for consumers who sign up for this 'registry.' Or it may be even worse -- some scammers have collected information through bogus web sites like this one that mimic those of legitimate organizations, and then used the information to commit identity theft."

Watch out for amorous viruses and Mydoom backdoors -- Posted by Igor_Donchenko on Friday, February 13 2004
Every year, as Valentine's Day approaches, there is a marked increase in the amount of e-mails containing graphic applications or romantic messages. "This situation is often exploited by virus writers to create malicious code designed to trick users into running the file containing the virus," says Luis Corrons, head of PandaLabs.

Worms that have recently appeared using this technique include Mimail.S, which is sent in a message with the text: "my dear", "my dearest", or "my darling". Others include the veteran Klez.I worm, which varies the subject of the message it is sent in. This characteristic, which makes it particularly difficult for users to identify infected messages, generates the subject phrase from words that it gleans from files on the computer it has infected. "Around this time of year, users often have files stored on their computers with some kind of romantic reference, which could mean that Klez.I could appear disguised in some kind of romantic message," says Corrons.

To prevent unwanted encounters with 'amorous' viruses, Panda Software advises users to take precautions, especially at a time when new malicious code could take advantage of the holes created in computers infected by Mydoom. According to Corrons, "The A and B variants of Doomjuice, DoomHunter.A and Mitglieder.A, which have appeared this week and use the ports opened by Mydoom.A and Mydoom.B in infected computers, will probably not be isolated cases, and are likely to be followed by a string of copycats taking advantage of the lack of awareness among users to infect as many computers as possible."

Source: http://www.pandasoftware.com

Doomjuice Saga Continues -- Posted by Igor_Donchenko on Friday, February 13 2004
Kaspersky Labs, an information security software developer, has detected a second version of the Internet worm Doomjuice - Doomjuice.b. It propagates using the same methods as the original Doomjuice: both worms scan the Internet for computers infected either by Mydoom.a or Mydoom.b. Doomjuice uses port 3127, breached earlier by Mydoom, to install copies of itself, which the Trojan component of Mydoom then launches.

However, Doomjuice.b differs from the previous version in that Doomjuice.b has been created solely to conduct a DoS attack on the Microsoft site. The worm first copies itself into the Windows directory under the name regedit.exe and then registers this file in the system registry auto-run key. Once installation is complete Doomjuice checks the system date. The DoS attack will be launched in any month of any year except January, excluding dates between the 8th and 12th of the month. If the system date meets these requirements, Doomjuice sends multiple GET requests to port 80 on www.microsoft.com.

The author of Doomjuice.b uses a server request technique previously unknown for Internet worms: the worm's request mimics the Internet Explorer request text. As a result, requests from infected computers may not be blocked, as this technique makes it more difficult to distinguish between valid requests and ones generated by Doomjuice.b. This feature potentially increases the destructive capabilities of the worm. If Doomjuice.b becomes widespread, Microsoft may need to implement some of the security measures intended for such eventualities.

Source: http://www.kaspersky.com

Author of Mydoom produces a new worm threatening Microsoft -- Posted by Igor_Donchenko on Friday, February 13 2004
Kaspersky Labs has detected Doomjuice, a potentially dangerous new Internet worm. Doomjuice was first detected on 9th February; it has already infected more than 100,000 computers across the world and is continuing to spread rapidly. According to Kaspersky Labs analysts, Doomjuice was written by the same person as Mydoom, possibly the most destructive virus ever, to cover the virus writer's tracks. Furthermore, this new Internet worm uses computers infected by Mydoom.a to organize a DDoS attack on the Microsoft website.

The propagation method used by Doomjuice explains the rapid spread of the worm. It uses computers already infected by Mydoom.a and Mydoom.b to spread via the Internet. The worm penetrates computers via TCP port 3127, opened by the Trojan component of Mydoom in order to receive remote commands. If the infected computer answers the request sent by the worm, Doomjuice connects and sends a copy of itself to the victim machine. The Trojan installed by Mydoom then executes the file.

Once launched, the worm copies itself to the Windows system directory under the name Intrenat.exe and registers this file in the system registry auto-run key. This ensures that the malicious program is launched every time the computer is restarted. Doomjuice then executes its prime function: it extracts a file named 'sync-src-1.00.tbz' and copies this file to the root directory, the Windows directory, the Windows system directory and to user directories in Documents and Settings. This file is a TAR archive which contains the complete source code of Mydoom.a. The goal seems to be to spread Mydoom even further, thus making it increasingly difficult to identify the original author.

Doomjuice is also programmed to carry out a DoS attack on the Microsoft site. Prior to 12th February, this will be a modified attack; the worm sends a single GET request to port 80, and repeats this at random intervals. However, after 12th February, the worm will launch a full-scale attack on the site. Given the number of computers originally infected by Mydoom, if Doomjuice continues to spread successfully, it could present a potential threat to Microsoft.

"The author of Doomjuice is not only making it difficult to trace the creator of Mydoom, but also making the source code of Mydoom.a available for everyone whose machine is infected by Doomjuice. Anyone with basic programming skills can use the Mydoom.a source code to create a clone," comments Eugene Kaspersky, Kaspersky Labs' Head of Anti-virus Research, "In fact, I think that we may be seeing a large number of Mydoom clones in the wild very soon".

Source: http://www.kaspersky.com
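As an added example (not Kaspersky's or Global Hauri's code), the following Python triages constructed firewall log lines for the behaviour the two Doomjuice items and the Bagle.B symptom list describe: accepted inbound connections on Mydoom's TCP 3127 backdoor (the path Doomjuice uses to push itself in), an accepted connection to a Bagle.B listener on TCP 8866, and bursts of GET requests to www.microsoft.com port 80, annotated with whether the date falls inside the Doomjuice.b attack window. The log format, the per-minute burst threshold and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Ports and target named in the articles above; the burst threshold is an assumption.
MYDOOM_BACKDOOR_PORT = 3127     # opened by Mydoom, used by Doomjuice to push itself in
BAGLE_B_BACKDOOR_PORT = 8866    # Bagle.B remote-control listener
DOS_TARGET_HOST = "www.microsoft.com"
DOS_BURST_THRESHOLD = 5         # GETs from one host to the target within one minute

# Constructed sample log, one record per line:
# "<ISO timestamp> <in|out> <source> <destination> <dest port> <detail>"
SAMPLE_LOG = """\
2004-02-13T10:00:01 in 203.0.113.7 192.0.2.10 3127 ACCEPT
2004-02-13T10:00:03 in 203.0.113.7 192.0.2.10 3127 DATA
2004-02-13T10:01:10 out 192.0.2.10 www.microsoft.com 80 GET /
2004-02-13T10:01:11 out 192.0.2.10 www.microsoft.com 80 GET /
2004-02-13T10:01:12 out 192.0.2.10 www.microsoft.com 80 GET /
2004-02-13T10:01:13 out 192.0.2.10 www.microsoft.com 80 GET /
2004-02-13T10:01:14 out 192.0.2.10 www.microsoft.com 80 GET /
2004-02-13T10:01:15 out 192.0.2.10 www.microsoft.com 80 GET /
2004-02-13T10:02:00 in 198.51.100.4 192.0.2.11 8866 ACCEPT
2004-02-13T10:02:30 out 192.0.2.12 www.example.net 80 GET /
2004-02-13T10:03:00 out 192.0.2.12 www.microsoft.com 80 GET /
"""


def doomjuice_b_attack_window(when):
    """Date gate the Doomjuice.b article states: the DoS runs in any month except
    January, and never on the 8th through 12th of a month. Accepts a datetime
    or an ISO date string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return when.month != 1 and not 8 <= when.day <= 12


def parse_line(line):
    ts, direction, src, dst, dport, detail = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "dir": direction, "src": src,
            "dst": dst, "dport": int(dport), "detail": detail}


def triage(log_text):
    """Return a list of (host, reason) findings for the log text."""
    findings = []
    gets = defaultdict(int)   # (source host, minute) -> GETs sent to the DoS target
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dir"] == "in" and rec["detail"] == "ACCEPT":
            if rec["dport"] == MYDOOM_BACKDOOR_PORT:
                findings.append((rec["dst"], "accepted inbound connection on TCP 3127: "
                                 "Mydoom backdoor reachable, Doomjuice can push a copy of itself"))
            elif rec["dport"] == BAGLE_B_BACKDOOR_PORT:
                findings.append((rec["dst"], "accepted inbound connection on TCP 8866: "
                                 "Bagle.B remote-control backdoor"))
        if (rec["dir"] == "out" and rec["dst"] == DOS_TARGET_HOST
                and rec["dport"] == 80 and rec["detail"].startswith("GET")):
            gets[(rec["src"], rec["ts"].replace(second=0))] += 1
    # A single GET at random intervals (the pre-12 February Doomjuice.a behaviour)
    # stays below the threshold; only a burst is reported.
    for (src, minute), count in gets.items():
        if count >= DOS_BURST_THRESHOLD:
            gate = "inside" if doomjuice_b_attack_window(minute) else "outside"
            findings.append((src, f"{count} GETs to {DOS_TARGET_HOST}:80 within one minute "
                                  f"({gate} the Doomjuice.b attack window)"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_LOG):
        print(host, "-", reason)
```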

Global Hauri issues warning for new functions of Welchia.B -- Posted by Igor_Donchenko on Friday, February 13 2004
Today Global Hauri, publisher of antivirus software solutions, announced another Welchia worm, W32/Nachi.worm.b or W32.Welchia.B. Last year's Welchia attempted to resolve the Blaster problem by exploiting the same vulnerabilities.

"Despite the fact that this new Welchia variant is not as harmful as My.Doom, the increased traffic on the web is harmful for everyone whose business depends on the Internet. The Welchia worms results in decreased network speed and it destroys files," explained Eric Kwon, CEO of Global Hauri. "Virus writers seem to play good cop – bad cop, however."

Once it has infected a machine with an English, Chinese or Korean version of Windows, the worm tries to download and install a patch from Microsoft's Windows Update Web site. The worm also attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms. W32.Welchia.B.Worm exploits multiple vulnerabilities, including the DCOM RPC vulnerability over TCP port 135; the worm specifically targets Windows XP machines using this exploit. The worm also targets machines running Microsoft IIS 5.0 using the WebDAV vulnerability on TCP port 80. The worm's use of this exploit will impact Windows 2000 systems and may affect Windows NT/XP systems.

Source: http://www.globalhauri.com

Viruses and TCP/IP ports: a dangerous combination -- Posted by Igor_Donchenko on Wednesday, February 4 2004
More and more virus writers are creating viruses that use communications ports. Examples of this kind of malicious code are the recent Mydoom.A, Mydoom.B, Bagle.A, or other viruses like Blaster, Nachi.A or Bugbear.B.

This strategy is one of the most versatile and beneficial to achieving the aims of hackers. It can be used to drop viruses into computers directly through the Internet, without needing to use e-mail or any of the other means of transmission normally used. Similarly, it can be used to steal confidential information from the computer and send it directly to the virus author, to launch denial of service attacks against other servers, or even to gain remote control of computers.

This tactic doesn't represent a problem for antivirus programs, as they can detect the malicious code in question, even those that enter computers via the Internet. However, the difference is that the latter are not detected as they enter the computer, but when they are actually installed, i.e., when they create or modify a file, when they launch a process in memory, etc.

The biggest danger with these viruses is that a new malicious code could appear and get into computers before users had the chance to update their antivirus protection. In this case, computers would be unprotected against the malicious use of communication ports.

Even in these situations, a virus that attacks TCP/IP ports is a problem whose solution is easily available to all users: firewalls. These devices analyze the traffic transferred through communication ports and if suspicious or unsolicited data is transferred, the firewall closes the corresponding ports.

In computer networks over a certain size, a computer dedicated to this task is generally used. For small and medium-sized businesses or home users, a good solution is a personal firewall, which is a small program that controls TCP/IP ports.

For this reason, in order to protect computers against the actions carried out by malicious code, something more than just antivirus protection is needed. The best solution is a product that combines antivirus protection with a firewall, or even better, a security suite that also protects against other Internet threats, such as spam or dialers.

Source: http://www.pandasoftware.com

© AntivirusWorld.com