Antivirus World
 News archive about antivirus software, virus threats, trojans 

March 2004

The threat of Netsky still looms large -- Posted by Igor_Donchenko on Wednesday, March 24 2004
The Netsky worm, along with Mydoom and Bagle, is one of the leading players in the bizarre cyber-war that has caused a wave of viruses and their variants to plague the Internet for more than a month now.

The weapons in this particular battle have been a series of malicious codes and their variants, in which the creators have included offensive messages to one another in the source code of the viruses.

However, just when it seemed that the 'conflict' was cooling down, a new message has heralded the intentions of Netsky, at least, to continue infecting as many computers as possible. This is apparent from a message hidden in part of the code of the N variant of Netsky:

<*>NetDy: Thanks to the S*k*y*N*e*t alias *N*e*t*S*k*y* crew for the sourcecode.
<*>NetDy: We have rewritten *N*e*t*S*k*y.
<*>NetDy: Thats a good tactic to detroy the bagle and mydoom worms.
<*>NetDy: Our group will continue the war.
<*>NetDy: Malware writers'End'comes true.
<*>NetDy: Our Social Engineering is the best *lol* (You have no virus symantec says!).

For this reason, even though there are already 16 different variants of Netsky, it is still likely that more will appear and that some will have new and more dangerous functions.

According to Luis Corrons, head of PandaLabs, "It is still necessary to keep your guard up against the new variants that could continue to appear. Just because they are variants, doesn’t mean that they are any less dangerous than the originals. In fact the opposite is often true, as each worm tries to improve upon its predecessor by wreaking greater havoc on infected computers."

Source: http://www.pandasoftware.com

Viruses and newsgroups: a growing danger -- Posted by Igor_Donchenko on Thursday, March 18 2004
One of the most useful and well-known Internet services is turning into a growing threat. This service is newsgroups, or Internet forums. Through newsgroups users can discuss a wide range of issues by posting their questions, problems or replies, which can then be read by the rest of the members of the newsgroup.

Therefore, it is easy to see why newsgroups are one of the most popular Internet services. However, some users have found another 'use' for this service: as a means of spreading viruses. Some viruses have been launched hidden in messages posted to newsgroups and from there have been distributed to users' computers.

An example of a virus that used this means of propagation is the notorious Sobig.F, which emerged in the summer of 2003 and was one of the fastest spreading viruses ever. This worm was included in messages posted in several newsgroups disguised as an erotic image. As a result, many users downloaded it and executed the file, immediately infecting their computers.

Apart from the viruses that have used newsgroups as a specific means of spreading rapidly, it is important to bear in mind that any virus can be attached to a message placed in a newsgroup. For this reason, users of this communication system should take precautions whenever they use this service.

According to Luis Corrons: "Newsgroups must be treated as another means of virus propagation. Maybe because not all users use this service, it is not given the attention that it deserves, but our experience shows that many malicious code reach computers through this means."

The types of viruses that spread most effectively through newsgroups are Trojans, as they don't usually have obvious effects and can easily install themselves on computers without the user realizing. However, this does not mean that other Internet threats cannot use this means. Dialers and spyware, for example, have found in newsgroups an excellent means of spreading rapidly and widely.

Newsgroups use a different communications protocol from that used to browse the Internet or to send and receive mail. This protocol is NNTP and it has been especially designed to allow the different messages in each group to be saved on a single host (or computer that provides information), allowing subscribers to read the new messages that are posted.

This means that users who regularly participate in newsgroups need an antivirus program that is capable of scanning NNTP; otherwise a virus would be able to get into their computers when they read a message. Similarly, if the antivirus can protect NNTP traffic, it is important to make sure that it is configured to scan it. By doing this, users can access newsgroups without any risks.

Source: http://www.pandasoftware.com

New intelligent Bagle.N and O worm is spreading fast -- Posted by Igor_Donchenko on Monday, March 15 2004
Today, Global Hauri assigned a medium to high risk to a new, fast spreading and intelligent variant of Bagle I-worm, 'Bagle.N and O'. The new worm is spreading with a new password protected zip file tactic, and passes undiscovered through most existing antivirus engines.

Symptoms:
Bagle.O affects all 32-bit Windows systems and has polymorphic encryption. This is the 15th Bagle worm (I-Worm.Win32.Bagle.O) that has popped up, following I-Worm.Win32.Bagle.N, which made its debut during the weekend. The Bagle.O variants seem to be created by the same person, to compete with the 'Netsky variants' permutations. Previous Bagle variants contained a warning message to the authors of NetSky, but the new I-Worm.Win32.Bagle.O actually kills NetSky variants. The basic function of this variant is similar to I-Worm.Win32.Bagle.N: it is bundled with its own SMTP engine to create and send mass virus e-mails with various subject lines, messages and attachment names (see below). Bagle.O tries to delete the registry information of earlier NetSky variants and to incapacitate a number of common antivirus and firewall applications.

Causes:
An interesting feature of this new variant is an additional 'package': the worm's unique code is hidden inside a password-protected archive in order to avoid detection by antivirus software. Instead of sending the password as a text string in the e-mail body, the worm supplies it as an image file (BMP, JPEG or GIF). Most antivirus engines cannot open an archive whose compressed contents are protected with a password, and the worm uses the RAR format as well as .zip. It is very hard to block this mechanism or to detect the contents of a password-protected archive. Antivirus companies have therefore identified specific contents and strings (indicators) of the password-protected archive and detect those instead of opening the archive with the Zip algorithm; in other words, they treat these archive files as virus samples in their own right instead of "looking inside". The new package is an encrypted ZIP or RAR archive whose password is given in an image, which is hard for an antivirus engine to open. Bagle.N and O also use the receiver's domain name inside the message, for example:

Dear user of 'Domain Name of receiver' mailing system,
Our main mailing server will be temporary unavailable for next two days,
To continue receiving mail in these days you have to configure our free
auto-forwarding service.
For details see the attached file.
In order to read the attach you have to use the following password:
(Password in image)
Kind regards,

The "Receiver's Domain Name" Team http://www."Receiver's Domain Name".com

The sender address of the received mail starts with one of the following:
- administration@
- management@
- noreply@
- staff@
- support@

* Various subjects:
- Account notify
- E-mail account disabling warning.
- E-mail account security warning.
- E-mail technical support message.
- E-mail technical support warning.
- E-mail warning
- Email account utilization warning.
- Email report
- Encrypted document
- Fax Message Received
- Forum notify
- Hidden message
- Important notify
- Important notify about your e-mail account.
- Incoming message
- Notify about using the e-mail account.
- Notify about your e-mail account utilization.
- Notify from e-mail technical support.
- Protected message
- RE: Protected message
- RE: Text message
- Re: Document
- Re: Document
- Re: Hello
- Re: Hi
- Re: Incoming Fax
- Re: Incoming Message
- Re: Msg reply
- Re: Thank you!
- Re: Thanks :)
- Re: Yahoo!
- Request response
- Site changes
- Warning about your e-mail account.

* Content (Beginning) : %s is receiver's domain

- Dear user of %s,
- Dear user of "%s" mailing system,
- Dear user of e-mail server "%s",
- Dear user of %s e-mail server gateway,
- Hello user of %s e-mail server,

* Content (Body) :

- Our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

- Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.

- We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.

- Our antivirus software has detected a large amount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.

- Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.

* Additional Contents :

- Find the white rabbit.
- Follow the wabbit.
- Here is the file.
- Message is in attach
- More info in attach
- Please, have a look at the attached file.
- Read the attach.
- See attach.
- See the attached file for details.
- Your file is attached.

* Contents (Password): the RAR or ZIP password is shown in an image file

- Archive password: Image file
- Attached file is protected with the password for security reasons. Password is: Image file
- For security purposes the attached file is password protected. Password -- Image file
- For security reasons attached file is password protected. The password is Image file
- In order to read the attach you have to use the following password: Image file
- Note: Use password “Image” file to open archive.
- Password - Image file
- Password: Image file

* Contents (Ending-a) :
- The Management,
- Sincerely,
- Best wishes,
- Yours,
- Have a good day,
- Cheers,
- Kind regards,

* Contents (Ending-b) : %s is Domain name of receiver
- The %s team http://www.%s

* Attachment : EXE, PIF, RAR or ZIP, with one of these names:

- Attach
- Information
- Details
- Encrypted
- first_part
- Readme
- Document
- Info
- TextDocument
- Text
- details
- Gift
- text_document

Precaution:
"Despite the recent wave of viruses, email users still like to trust emails they apparently receive from a friend or colleague. We recommend that users get into the habit of writing very precise subject lines. That makes it easier to distinguish between virus mails and real mails and also avoids deleting good email," said Global Hauri's CEO, Mr. Eric Kwon.

Remedy:
Editing registry:

HKEY_CURRENT_USER
   \Software
      \Microsoft
         \Windows
            \CurrentVersion
               \Run
Inserting "winipd.exe" as c:\winnt\system32\winupd.exe or c:\windows\system\winupd.exe

E-mail addresses are extracted from files with the following extensions:

- .adb
- .asp
- .cfg
- .cgi
- .dbx
- .dhtm
- .eml
- .htm
- .jsp
- .mbx
- .mdx
- .mht
- .mmf
- .msg
- .nch
- .ods
- .oft
- .php
- .pl
- .sht
- .shtm
- .stm
- .tbb
- .txt
- .uin
- .wab
- .wsh
- .xls
- .xml

Source: http://www.globalhauri.com

The virus password is in the image -- Posted by Igor_Donchenko on Sunday, March 14 2004
BitDefender developers today warn against a new version of the Bagle virus - Bagle.M. The new version, the same as the prior two, is using a ZIP encrypted archive, but also brings in the RAR archive. The main difference from the preceding versions consists in hiding the archive password in a GIF, BMP or JPG image.

"The author seems to have noticed some antivirus producers' strategy to read the password from the e-mail body text. BitDefender was the first to detect this version as it scans not only the e-mail body, but it also tries to find the password of the zip files using heuristics methods", says Mircea Ciubotariu, Virus Researcher at BitDefender. "I believe the use of images in social-engineering tricks could become a trend in virus writing." Mircea concluded.

The virus is still spreading through e-mail, using a very clever social-engineering mechanism. It's a mass-mailer, file-infector, polymorphic worm that is already spreading in the wild.

Source: http://www.bitdefender.com

AV-VX arms race toughens -- Posted by Igor_Donchenko on Wednesday, March 3 2004
A new virus from a successful family employs techniques never seen before. Win32.Bagle.[H-K] is the first virus in the wild ever to send itself compressed in a password-protected zip archive. This makes it almost impossible for antivirus software to uncompress the archive and check it for viruses.

Sophisticated social engineering techniques are used to persuade the receiver into opening the attachment. The user is required to first click the attachment and then input the password, which is found in the mail text. The password is randomly generated and stored in the body of the e-mail.

"To counter this new strategy, BitDefender Labs have developed an engine tasked with finding the zip password in the email text", says Viorel Canja, Head of BitDefender Labs. "To our knowledge, BitDefender clients are the only ones to enjoy this kind of protection. Most AV products could only offer protection after the archive is extracted; that could be a little too late for inexperienced users", Viorel concluded.

The worm also threatens file sharing networks, by copying itself under various attractive names into all directories whose names contain the string "shar".

After infecting a system, the virus mails itself to all the addresses it can find and opens a backdoor on port 2745. It is set to expire on the 25th of March 2005.

Source: http://www.bitdefender.com
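
The three advisories above (NNTP scanning on March 18, the Bagle.N/O lure format on March 15, and the zip-password-in-the-mail-text strategy on March 3) describe the same detection problem: a message arrives carrying a password-protected archive and a social-engineering text telling the reader how to open it. The following Python script is an added example written for this page, not code from Panda, Global Hauri or BitDefender. It shows the "detect the indicators without opening the archive" approach the Global Hauri text describes: it parses a raw RFC 822 message (the format is the same whether the message came over NNTP or SMTP), matches the subject against a few of the lure subjects listed above, checks the body for a password instruction, and walks the attached ZIP's local file headers, where the encryption flag and each entry's filename are readable in clear text even when the entry's contents are encrypted. The sample messages, the header builder, the example.com addresses and the scoring threshold are constructed for the example; the lure subjects are taken from the list above.

```python
import email
import re
import struct
from email import policy
from email.message import EmailMessage

# A few of the lure subjects listed in the Global Hauri advisory above.
LURE_SUBJECTS = {
    "account notify",
    "e-mail account disabling warning.",
    "e-mail account security warning.",
    "encrypted document",
    "hidden message",
    "protected message",
    "re: protected message",
    "warning about your e-mail account.",
}
# Executable extensions that appear inside the archive or as a bare attachment.
EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat")
ZIP_LOCAL_SIG = b"PK\x03\x04"


def zip_entries(blob):
    """Walk a ZIP blob's local file headers without decompressing anything.

    Yields (filename, encrypted) pairs. Bit 0 of the general-purpose flag marks
    an encrypted entry; the filename is stored in clear text regardless, so the
    entry can be judged without the password. Entries using a data descriptor
    (flag bit 3) or ZIP64 are not handled; the walk stops at the first of them.
    """
    pos = 0
    while blob.startswith(ZIP_LOCAL_SIG, pos) and pos + 30 <= len(blob):
        # Layout after the signature: version, flags, method, time, date,
        # crc32, compressed size, uncompressed size, name length, extra length.
        flag, _m, _t, _d, _crc, csize, _usize, fnlen, extralen = struct.unpack_from(
            "<HHHHIIIHH", blob, pos + 6)
        if flag & 0x8:
            return
        name = blob[pos + 30:pos + 30 + fnlen].decode("cp437", "replace")
        yield name, bool(flag & 0x1)
        pos += 30 + fnlen + extralen + csize


def make_local_entry(name, payload, encrypted):
    """Constructed ZIP local header plus a stored payload (sample data only)."""
    flag = 0x1 if encrypted else 0x0
    name_b = name.encode("ascii")
    header = ZIP_LOCAL_SIG + struct.pack(
        "<HHHHHIIIHH", 20, flag, 0, 0, 0, 0, len(payload), len(payload), len(name_b), 0)
    return header + name_b + payload


def scan_message(raw):
    """Score one raw RFC 822 message; returns ("quarantine"|"deliver", reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches a known lure: {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if re.search(r"password", text, re.I) and re.search(r"attach", text, re.I):
        reasons.append("body asks the reader to open an attachment with a password")
    has_image = False
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if part.get_content_type().startswith("image/"):
            has_image = True
        if data.startswith(ZIP_LOCAL_SIG):
            for name, encrypted in zip_entries(data):
                if encrypted and name.lower().endswith(EXEC_EXT):
                    reasons.append(f"encrypted ZIP entry with an executable name: {name}")
        elif fname.endswith(EXEC_EXT):
            reasons.append(f"bare executable attachment: {fname}")
    if has_image and any("password" in r for r in reasons):
        reasons.append("password hint accompanied by an image (password not readable from text)")
    return ("quarantine" if len(reasons) >= 2 else "deliver"), reasons


def build_sample_message(lure=True):
    """Constructed message in the shape the advisory describes (not a capture)."""
    msg = EmailMessage()
    msg["From"] = "support@example.com"
    msg["To"] = "user@example.com"
    if not lure:
        msg["Subject"] = "Re: meeting notes"
        msg.set_content("See you on Tuesday.\n")
        msg.add_attachment("agenda", subtype="plain", filename="notes.txt")
        return msg.as_bytes()
    msg["Subject"] = "Protected message"
    msg.set_content(
        'Dear user of "example.com" mailing system,\n'
        "For details see the attached file.\n"
        "In order to read the attach you have to use the following password:\n")
    # A bare GIF header stands in for the password image.
    msg.add_attachment(b"GIF89a" + bytes(10), maintype="image", subtype="gif",
                       filename="password.gif")
    archive = make_local_entry("Document.exe", b"MZ" + bytes(14), encrypted=True)
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for lure in (True, False):
        verdict, why = scan_message(build_sample_message(lure))
        print(verdict, why)
```

The design point is the one the advisories make: the archive never has to be opened. An encrypted entry named like an executable, sitting in a message that also explains where the password is, is enough to quarantine, whether the password is in the text or in a picture. A production scanner would read the central directory rather than the local headers, handle data descriptors and ZIP64, and cover RAR as well; RAR headers are not parsed here.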

Virus Top Twenty for February 2004 from Kaspersky Labs -- Posted by Igor_Donchenko on Wednesday, March 3 2004
Ranking  Change    Virus Name              Percentage
1        -         I-Worm.Mydoom.a         69.21%
2        new       I-Worm.Moodown.b        18.68%
3        -1        I-Worm.Swen             3.20%
4        new       I-Worm.Mydoom.e         2.15%
5        -1        I-Worm.Sober.c          1.92%
6        +3        I-Worm.Sobig.f          0.82%
7        -2        I-Worm.Mimail.a         0.47%
8        -1        I-Worm.Klez.h           0.44%
9        +11       I-Worm.Mimail.j         0.30%
10       new       I-Worm.Mimail.c         0.27%
11       +8        I-Worm.Lentin.j         0.24%
12       -9        I-Worm.Lentin.g         0.22%
13       +2        I-Worm.Dumaru.a         0.19%
14       -         I-Worm.Lentin.m         0.17%
15       new       I-Worm.Netsky.c         0.11%
16       new       I-Worm.Bagle.b          0.10%
17       new       I-Worm.Mydoom.b         0.10%
18       re-entry  Win32.Funlove4070       0.10%
19       -5        Macro.Word97.Swatch.b   0.08%
20       -10       I-Worm.Tanatos.b        0.07%

History was made in February 2004, which turned out to be the most active month in computer virology for the past several years. There has never been such a large number of email worms active at the same time.

First we had January's leader, Mydoom.a which stayed in first place. Even though the worm stopped propagating as of February 12, Mydoom.a retained its leading position due to the huge number of copies mailed before February 12 as well as the large number of infected machines with incorrect dates.

Next we have some new entrants that will undoubtedly play a key role in March. There are six newcomers, which is very unusual, and they belong to four different categories.

The most important newcomer is I-Worm.Moodown.b (NetSky.b) which the creator coded to disinfect machines infected by Mydoom.a, but also to interfere with antivirus programs.

The second significant newcomer is Mydoom.e. Unlike Mydoom.a, this version deletes random MS Office documents. It is highly likely that this version was based on the original Mydoom.

Our old 'friend' Mimail is now polymorphic and spreads as a polymorphic dropper. Mimail.q was the first version with this new feature and it immediately climbed to 10th position in the top twenty.

The creator of Moodown (NetSky) seems to have been encouraged by the havoc wreaked by the second version; he or she made some minor changes and released a third version. Moodown.c is only 15th in the ratings, but should aggravate users for quite some time to come.

One of January's leaders, Bagle.a has left the ratings, but we do have Bagle.b to take its place. However, at the very tail end of February we also saw a slew of new Bagles: versions c through f. These versions did not make the top twenty, but we can be sure that they will cause trouble in March.

The last newcomer in the top twenty is yet another version of Mydoom - Mydoom.b. It appeared at the end of January and needed all of February to make its presence felt.

The other stars of the monthly ratings are old friends who move up and down the scale without leaving the top twenty. Swen and Sober.c refuse to yield to newer viruses and continue to hold their positions.

Win32.FunLove.4070 has returned to the top twenty. The return of this file virus is easy to explain: it mostly arrives with email worms having infected the carrier files first.

Source: http://www.kaspersky.com

Top Ten viruses most frequently detected by Panda ActiveScan in February -- Posted by Igor_Donchenko on Wednesday, March 3 2004
February was the worst month for viruses in the history of computing. During this month, many new viruses emerged, causing havoc in users' computers worldwide. Mydoom, Nachi, Doomjuice, Netsky, Bagle and their variants haven't given users a minute's break from trying to keep their computers out of harm's way.
Panda Software has published its ranking of the Top Ten viruses most frequently detected in February, compiled using data collected by its free, online antivirus solution, Panda ActiveScan.

The Mydoom.A worm, which hit at the end of January and caused the biggest epidemic ever seen, was by far the most damaging virus worldwide. This worm was responsible for 14.04 percent of infections.

Despite the host of new malicious code on the scene, the second most frequently detected virus was a relative old-timer, Downloader.L (5.99%), which has been around for a few months now.

Third in the ranking, however, was Netsky.B (5.98%), which first appeared during February. This worm's capacity to spread rapidly is demonstrated by the fact that even though it was first detected in the middle of the month, it still managed to reach a rate of more than five percent of total infections.

Another new malicious code took fourth place, the Nachi.B worm, designed to eliminate Mydoom from affected computers but at the same time exploit a Windows vulnerability to spread to as many computers as possible. This virus was detected by Panda ActiveScan in 4.53 percent of all positive cases.

The malicious code occupying fifth to tenth place were all less recent examples, but ones which nonetheless continue to damage users' computers. These include the polymorphic Parite.B (3.52%), the veterans Bugbear.B (3.39%) and Klez.I (2.65%), as well as the worms Blaster.E (2.07%), Sober.C (1.96%) and Blaster (1.94%).

The following conclusions can be drawn from the data collected by Panda ActiveScan last month:

  • Mydoom.A continues to demonstrate why it was capable of causing the biggest virus epidemic ever. Despite the many new viruses that appeared in February, it is still causing more damage to users’ computers than any other.
  • Over half the viruses in this ranking, like Klez.I, first appeared months or even years ago. This suggests that there are still many computers that do not have effective antivirus protection installed or if they do, it is not correctly updated.
  • Some of the viruses listed, such as Blaster, Blaster.E and Nachi, exploit software application vulnerabilities which their respective manufacturers fixed a few months back. The fact that they keep on appearing in this ranking indicates that users are not installing the patches that fix security flaws as often as they should.
Ranking  Virus Name             Percentage
1        W32/Mydoom.A.worm      14.04%
2        Trj/Downloader.L       5.99%
3        W32/Netsky.B.worm      5.98%
4        W32/Nachi.B.worm       4.53%
5        W32/Parite.B           3.52%
6        W32/Bugbear.B          3.39%
7        W32/Klez.I             2.65%
8        W32/Blaster.E          2.07%
9        W32/Sober.C.worm       1.96%
10       W32/Blaster            1.94%

Source: http://www.pandasoftware.com



© AntivirusWorld.com