Antivirus World

News archive about antivirus software, virus threats, trojans

March 2002

MyLife: starting your system in the morning may turn into a nightmare… -- Posted by Igor_Donchenko on Friday, March 29 2002
In the second half of last week there were reports about one more mail worm spreading over the Internet, "MyLife". Doctor Web antivirus was able to detect it with its heuristic analyser, and on Friday morning (March 22) the respective record was added to Doctor Web's virus database.

According to our sources, the virus began spreading from Australia. It is still difficult to tell whether the worm will spread widely: so far there are only a few cases of infection. The method the worm uses to spread has much in common with its "brothers-in-arms": having infected the computer, it dispatches itself to all the addresses found in the MS Outlook address book. But there is one destructive property of the virus which may result in great trouble for careless users.

Having infected the computer (this happens only if the user launches the malicious application by double-clicking the attachment icon in the mail), the worm saves a copy of itself in the %WINDOWS%\System directory (%WINDOWS% is the directory where Windows is installed) under the name cari.scr. This extension is generally used by screen savers, which are executable and can therefore be started by the system. At the same time, the virus adds the following item to the Windows registry autorun section HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: win="%SYSTEM%\cari.scr". Thus, at the next system start-up, the virus is reactivated and queries the system clock: "What time is it now?" But as a matter of fact, the question is: "What hour is it now?" If the current hour equals 8, i.e. if the system was started between 8:00 and 8:59 AM, the virus starts deleting files using the following masks:

  • C:\*.*
  • D:\*.*
  • E:\*.*
  • F:\*.*
Besides, the virus removes the following files in various Windows system directories: *.SYS, *.VXD, *.OCX, *.NLS. It is easy to guess that such actions, if successful, result in empty root directories on the corresponding disks and in the loss of a number of system files. Too high a price for carelessness, isn't it?

What to do?
To check whether your computer has been infected, look in the Windows system directory for a file named "cari.scr". If you find it, delete the file. After that, remove any reference to it in the Windows registry: run regedit.exe and go to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Find the record win=C:\WINDOWS\SYSTEM\cari.scr in the right-hand panel and remove it.
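The check just described, extended to the other Run-key autorun entries reported in this archive (the stmgr value from the W32.MyLife@mm post and the Shellh32 value from the W32.Alerta.Trojan post), as an added PowerShell example that is not part of the original post or of Doctor Web's tools. The value names, file names and registry key come from the posts; the function names and the layout of the indicator list are my own assumptions. It only reports what it finds; deleting the file and the registry value remains the manual step the post describes.

```powershell
# Added example (not from the original post or from Doctor Web). It reports the
# autorun entries and dropped files described on this page; the hash-table
# layout and the function names are assumptions of this example.
$indicators = @(
    @{ Hive = 'HKCU:'; Name = 'win';      File = 'cari.scr'    }   # MyLife, as described above
    @{ Hive = 'HKCU:'; Name = 'stmgr';    File = 'My Life.scr' }   # W32.MyLife@mm (Norton post)
    @{ Hive = 'HKLM:'; Name = 'Shellh32'; File = 'alerta.exe'  }   # W32.Alerta.Trojan (Norton post)
)
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Test-RunKeyIndicators {
    # Emits one record per matching Run value; no output means nothing was found.
    foreach ($i in $indicators) {
        $key = Join-Path $i.Hive $runSubKey
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }                 # key missing or not readable
        $value = $props.PSObject.Properties[$i.Name]
        if ($null -eq $value) { continue }                 # value name not present
        $path = ([string]$value.Value).Trim('"')
        [pscustomobject]@{
            Key        = $key
            Name       = $i.Name
            Value      = $path
            NameMatch  = $path -like "*\$($i.File)"        # points at the advisory's file name?
            FileExists = Test-Path -LiteralPath $path
        }
    }
}

function Test-DroppedFiles {
    # Looks for the dropped files in the Windows directory and its System subdirectory,
    # the two locations the posts name (C:\WINDOWS and C:\WINDOWS\SYSTEM on those systems).
    $dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System'))
    foreach ($i in $indicators) {
        foreach ($dir in $dirs) {
            $p = Join-Path $dir $i.File
            if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p }
        }
    }
}

Test-RunKeyIndicators | Format-Table -AutoSize
Test-DroppedFiles | Select-Object FullName, Length, LastWriteTime
```

A value whose name matches but whose NameMatch column is False points somewhere else and deserves a look before it is removed, since legitimate software can reuse short value names.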

Source: http://www.dialognauka.ru

Panda Software jointly sponsor the 7th Annual Computer Virus Prevalence Survey produced by ICSA Labs -- Posted by Igor_Donchenko on Wednesday, March 27 2002
The newly released ICSA Labs 7th Annual Computer Virus Prevalence Survey, jointly sponsored by Panda Software, has revealed that more than 80% of viruses use e-mail as the principal means of propagation.

The survey, carried out between January 2000 and August 2001, includes data on the overall frequency of incidents, the most commonly detected viruses and the extent to which users are now protecting themselves against these types of threats.

The report recorded nearly 1.2 million virus incidents and noted a monthly increase of 20 cases per 1000 in the number of computers affected by malicious code.

E-mail is still by far the most common means of propagation used by viruses, although there has been an increase in the use of more sophisticated infection techniques. Web servers have now become a favorite target for virus writers, as demonstrated by Nimda and Code Red. Nimda alone was responsible for 68 percent of the total incidents recorded by the survey, largely due to its ability to spread through multiple infection channels.

The ICSA Labs report also observed that of the companies taking part in the survey, 28 percent suffered attacks involving more than 25 servers or PCs. These figures represent a drop with respect to those of earlier surveys.

Finally, the report looked at how companies are dealing with the threat of malicious code. In comparison with previous surveys, the results were also encouraging. Some 90 percent of participating companies claimed to have all of their computers protected with some kind of antivirus software, whilst 84 percent had protection for mail servers. However, only just over half the companies had protection for firewalls and just 45 percent had implemented antivirus protection in proxy servers.

Source: http://www.pandasoftware.com

DrWeb update -- Posted by Igor_Donchenko on Friday, March 22 2002
A patched version (4.27c) of the DrWeb32 family of antivirus products, including programs for Windows 95/98/Me/NT/2000/XP, DOS/386, OS/2 and Novell NetWare, was released on March 19, 2002.

The following major improvements were made over the previous version:

  • Errors while parsing mail files corrected.
  • Heuristic analyzer for finding BACKDOOR.Trojan, written in Visual Basic, was implemented.

W32.Delalot.B.Trojan -- Posted by Igor_Donchenko on Wednesday, March 20 2002
W32.Delalot.B.Trojan is a Trojan horse that attempts to delete all files on all hard drives.

If W32.Delalot.B.Trojan is executed, it first attempts to delete all files in all folders and subfolders on all hard drives. Then it drops the text file Piracy.txt into the root folder and displays the message:

Source: http://www.norton.com

I-Worm.Zircon: New Virus is rapidly spreading on the Internet -- Posted by Igor_Donchenko on Thursday, March 14 2002
Kaspersky Labs reports the detection of the Internet worm known as I-Worm.Zircon.c. At this time it is known that infections by this dangerous virus have occurred in several countries.

Zircon.c spreads via e-mail in the form of an e-mail message with the attachment "patch.exe". The message subject field may contain in English the word "Important" or one of seventeen variations in Japanese. Which subject one receives depends on the recipient's e-mail address. If an address ends with ".jp" the worm uses a subject written in Japanese, while all others receive the line "Important".

The body of the message is blank but carries an attachment, the executable file "patch.exe", which contains the damaging code.

The worm is activated only if a user launches this program file. Zircon.c is a worm that activates only once - it does not install itself into the system and does not repeatedly launch itself (except in cases where a user repeatedly opens the infected attachment).

If the worm is launched, it sends itself to all the users in the Outlook address book through an SMTP server, to which it connects and which it drives on its own.

Source: http://www.avp.ru

Top Ten viruses detected by Panda ActiveScan in February -- Posted by Igor_Donchenko on Wednesday, March 13 2002
Despite February being a relatively quiet month in terms of new viruses, users around the world have still suffered the effects of attacks by malicious code. Panda Software has produced a list of the top ten infectors during the last month, based on data from the company's online virus scanner, Panda ActiveScan.

Position  Virus               Percentage by occurrence
1         W32/Badtrans.b      21.31%
2         W32/Klez.f          19.29%
3         W32/Sircam          6.19%
4         W32/Nimda           5.37%
5         W32/Disemboweler    4.55%
6         W32/MY PARTY        4.11%
7         W32/Hybris          3.83%
8         W32/Hai             2.52%
9         Magistr.B           2.30%
10        VBS/Help            1.81%

W32.MyLife@mm -- Posted by Igor_Donchenko on Monday, March 11 2002
W32.MyLife@mm is a simple mass-mailer that sends itself to all contacts in the Microsoft Outlook address book. The worm is a compiled Visual Basic executable that has been compressed. It attempts to delete files that have the extensions .com, .sys, .ini, .exe, .vxd, or .dll. (This could not be reproduced in a controlled test environment.)

If W32.MyLife@mm is executed, it does the following:

It sends itself to all contacts in the Microsoft Outlook address book. The email has the following characteristics:

Subject: my life ohhhhhhhhhhhhh
Message:
Hiiiii
How are youuuuuuuu? look to the digital picture it's my love
vvvery verrrry ffffunny :-)
my life = my car
my car = my house

Attachment: My Life.scr

It copies itself to C:\Windows\System\My Life.scr.

It adds the value

stmgr C:\WINDOWS\SYSTEM\My Life.scr

to the registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Upon execution it also displays the following picture:

Finally, it attempts to delete files that have the extensions .com, .sys, .ini, .exe, .vxd, or .dll. (This could not be reproduced in a controlled test environment.)

Source: http://www.norton.com

DrWeb32 update -- Posted by Igor_Donchenko on Wednesday, March 6 2002
A patched version (4.27b) of the DrWeb32 family of antivirus products, including programs for Windows 95/98/Me/NT/2000/XP, DOS/386, OS/2 and Novell NetWare, was released on March 4, 2002.

Please note that users of version 4.27a must install this patch package to be protected against the Klez worm, which has been one of the most dangerous and widespread worms lately.

The following major improvements were made to the previous version:

  • errors while scanning archive files when running short of memory, while scanning corrupted RAR archives, and while scanning files with extremely long pathnames corrected;
  • in the GUI version for Windows (both DrWeb and Spider Guard), the repeated scanning of deleted (removed) files corrected;
  • in the GUI version, some errors in curing files while Spider is active corrected;
  • in the console versions (Windows, DOS/386, OS/2), virus neutralization reporting errors corrected.
Source: http://www.dialognauka.ru

W32.Alerta.Trojan -- Posted by Igor_Donchenko on Tuesday, March 5 2002
W32.Alerta.Trojan is a Trojan that displays messages in Spanish. The messages have a pink background that covers the entire Windows desktop.

When W32.Alerta.Trojan is executed, it does the following:

  1. It copies itself as \Windows\Alerta.exe.
  2. Next, it adds the value Shellh32 C:\windows\alerta.exe to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it runs when you start Windows.
  3. Then the Trojan creates these files:
    • \Windows\SPFC.bmp. Its size is about 1407 KB. It is a bitmap that the Trojan uses to set the background of the Windows desktop.
    • \Windows\Shellh32.dll. Its size is about 11 bytes. It is a text file that contains dots (....).
  4. Next, it modifies Win.ini by changing the following line in the [Desktop] section: Wallpaper=C:\Windows\SPFC.bmp
  5. Next, the Trojan displays the graphical message

    Alerta

    on a flashing red background.

    Spanish messages are then displayed over a pink background that covers the Windows desktop.
  6. Finally, the Trojan locks the keyboard and moves the cursor from left to right.
Source: http://www.norton.com

The Virus Top Twenty for February 2002 from Kaspersky Lab -- Posted by Igor_Donchenko on Monday, March 4 2002
Kaspersky Lab presents the Virus Top Twenty for February 2002.

Position  Virus                      Percentage by occurrence
1         I-Worm.Klez                61.5%
2         I-Worm.BadtransII          28.5%
3         I-Worm.Sircam              1.5%
4         I-Worm.Hybris              1.4%
5         I-Worm.Aliz                1.2%
6         I-Worm.Magistr             0.7%
7         CodeRed                    0.6%
8         Macro.Word97.Thus          0.4%
9         I-Worm.Petik               0.4%
10        Backdoor.Death             0.3%
11        I-Worm.Nimda               0.2%
12        I-Worm.Anset               0.1%
13        I-Worm.Myparty             0.1%
14        I-Worm.GOPworm             0.1%
15        Trojan.PSW.Phreaker        0.1%
16        Trojan.PSW.Hooker          0.1%
17        Win32.FunLove              0.1%
18        Win32.HLLW.Bezilom         0.1%
19        JS.Trojan.Seeker           0.1%
20        Macro.Word97.TheSecond     0.1%

W32.Palco.A -- Posted by Igor_Donchenko on Friday, March 1 2002
W32.Palco.A is a virus that attempts to disguise itself as an "anti-malicious macro" macro. When it is executed, the virus inserts a macro module into the Normal.dot file. This macro module inserts two components into Microsoft Word documents as they are closed: an executable component of the virus and a macro component that runs the executable component. The executable component of the virus is detected as W32.Palco.A. Both macro modules are detected as W97M.Palco.A.

This method of spreading has previously been used by viruses such as W32.Beast.56230.

W32.Palco.A is a simple virus that is written in Visual Basic. The virus has been packed with a runtime compression program. The unpacked size of the virus is approximately 27 KB.

When this virus is executed, it performs the following actions:

1. It finds the Microsoft Word global template file, Normal.dot.
2. It inserts a macro module into the Normal.dot file. This macro module executes when documents are closed.
3. It displays the message:

anti-malicious macros version 1.0 installed

When the macro module inside Normal.dot is executed, it performs the following actions:

1. It creates the file Xploit.txt on the root of drive C.
2. It copies the viral macro module from the Xploit.txt file into the active document.
3. It inserts the executable component of the virus into the active document. The viral macro module that was inserted in step 2 will automatically cause this executable component to run when an infected document is opened in Microsoft Word.

Source: http://www.norton.com

© AntivirusWorld.com