News archive about antivirus software, virus threats, trojans
April 2002
New Virus Hoax Terrorizes Users -- Posted by Igor_Donchenko on Tuesday, April 30 2002
Kaspersky Labs reports on the recent rumors regarding a new and dangerous virus that is purportedly carried in the file JDBGMGR.EXE - a Windows operating system file. At this time the Kaspersky Labs technical support service is receiving numerous calls regarding this supposed virus from users located in many different countries.
Actually, JDBGMGR.EXE is a standard utility (used to debug Java applications) included in most versions of Windows operating systems, including Windows 95, Windows 98, Windows NT, Windows ME, Windows 2000 and Windows XP. Deleting or modifying this program may lead to functional changes in the operating system and in some instances have negative after-effects.
The file JDBGMGR.EXE itself is not a virus, but as with any exe-file it can be infected. The infamous virus Magistr is known for its "interest" in this program and often infects it. Such is the case behind the spreading of this virus hoax - the initiator of this virus hoax detected Magistr on his computer and concluded that the infected file JDBGMGR.EXE is the actual virus and he rushed to inform all his friends about it. Previously, in this very way a rumor regarding the standard Windows utility SULFNBK.EXE was spread.
Source: http://www.avp.ru
Kaspersky Labs presents the beta-version of Kaspersky Anti-Virus for MS Exchange Server 5.5/2000 -- Posted by Igor_Donchenko on Saturday, April 27 2002
Kaspersky Labs, an international data-security software developer, presents Kaspersky Anti-Virus for MS Exchange Server - a cross-platform solution for MS Exchange Server 5.5/2000 - and invites you to take part in its beta testing program.
Kaspersky Anti-Virus is one of the most reliable solutions for mail servers, combining cutting edge technology for detecting and eliminating viruses with excellent customer service - 24-hour technical support and daily virus database updates. Kaspersky Labs' technology leadership is constantly confirmed by independent tests and a full collection of certificates presented by prestigious testing organizations.
A distinguishing feature of Kaspersky Anti-Virus for MS Exchange Server version 4.2 is its transparent support of MS Exchange 5.5/2000. Its cross-platform properties save clients time and effort when integrating this solution with most popular email systems. Kaspersky Anti-Virus for MS Exchange 5.5/2000 provides a complete check of both incoming and outgoing mail traffic. If infected messages are detected, the program is able to delete them, block them, move them to a secure "quarantine" folder or cure the infections - guaranteeing that end users receive only "clean" mail.
Special features of Kaspersky Anti-Virus for MS Exchange permit control over workstation message distribution - blocking messages from an infected machine and informing administrators about the problem. The interface is fully integrated into Microsoft Management as well as into the Kaspersky Network Control Center and the Kaspersky Control Center, thus allowing Kaspersky Anti-Virus to be controlled from any, even remotely located, computer - from where it is possible to centrally change anti-virus settings, compile a component task list, assign and set user rights to access programs and to automatically update the anti-virus database via the Internet. In addition to these capabilities other functions have been enhanced.
Source: http://www.avp.ru
Klez.H is Capable of Revealing Confidential Information -- Posted by Igor_Donchenko on Monday, April 22 2002
Kaspersky Labs reports the beginning of a large-scale epidemic, first exposed on April 17, attributed to the Internet-worm Klez.H. This dangerous virus currently accounts for over 70% of all infections from malicious programs and this number continues to rise. Presently the spread of this epidemic has affected practically all countries.
Klez.H poses a special threat: the worm scans the disks of an infected computer and depending on a set of conditions attaches a file to each infected email it distributes. Klez.H selects this file from the infected computer's disk storage and looks for files with the following extensions:
The result is the possible leakage of important confidential information, the consequences of which cannot be foretold. In a similar fashion, near the end of 2001, the Internet-worm SirCam made public classified documents from a score of government institutions representing different countries from around the world. "In contrast to earlier versions, Klez.H does not have the ability to destroy stored data. Instead Klez.H maintains its threat from its ability to, unsanctioned, mail out files from the infected computer," commented Eugene Kaspersky, Kaspersky Labs Head of Anti-Virus Research. "Under these conditions Klez.H poses a greater threat to corporate clients for which an information leak can have unpredictable consequences."
The speed at which Klez.H has spread demonstrates that the majority of users have ignored the advice to install the Internet Explorer security patch that will protect a computer from any version of Klez as well as from future modifications of it. In addition, users do not regularly update anti-virus program databases. The consequence of this lax behavior is that Klez.H has a good chance to achieve a large-scale epidemic just like another infamous version of this worm - Klez.E, which already for several months has confidently taken first place in the list of most wide-spread viruses.
Source: http://www.avp.ru
Warning! A new version of the I-worm "KLEZ" is spreading across the Internet -- Posted by Igor_Donchenko on Wednesday, April 17 2002
Kaspersky Labs announces the exposure of a new modified version of the "Klez" Internet-worm - Klez.h, already resulting in numerous computer infections in many countries including Japan, China, Austria and the Czech Republic.
To gain entry to a computer the worm exploits a vulnerability in the Internet Explorer security system (the IFRAME vulnerability). Due to this Klez is able to imperceptibly infect computers immediately after the infected message is read. This special feature practically discounts the human factor and many times over raises the effectiveness of Klez.h to infect and to spread.
Source: http://www.kaspersky.com
Kaspersky Labs and Ritlabs introduce anti-virus protection for The Bat! e-mail program -- Posted by Igor_Donchenko on Tuesday, April 16 2002
Kaspersky Labs, an international data-security software developer and Ritlabs (www.ritlabs.com), a developer of mail systems and software enabling full control over transmitted data, announce the introduction of anti-virus filtration for the popular email program The Bat! Thanks to the joint effort users of The Bat! now have automatic virus checking for all incoming and outgoing messages at the moment they are received or sent.
Nowadays e-mail is the main source for virus threats - 90% of all registered incidents occur using electronic mail. This fact makes mandatory the development of adequate protection. The integration of Kaspersky Anti-Virus with The Bat! represents an important step by giving the users of one of the world's most popular e-mail clients (The Bat! has over five million users world-wide) the ability to automatically check all their electronic correspondence. Kaspersky Anti-Virus automatically checks all the components of incoming and outgoing messages, including attachments (archived or compressed), messages contained on any nesting level, OLE objects and the e-mail body text itself. Thus, all the e-mail on a user's computer will be already checked for viruses.
Kaspersky Anti-Virus ensures protection from over 60,000 malicious programs of all types, including computer viruses, network worms and trojan horses. The anti-virus database is updated daily allowing protection against even the latest information security threats.
The Bat! offers users a full set of functions necessary to conveniently, quickly and safely process electronic mail. The program is known for its high level of automation for creating messages, multi-lingual support, compatibility with all the most widely used protocols and a wide array of options for the dependable defense against unauthorized access to transmitted data. "The integration of Kaspersky Anti-Virus is an important addition to the unique features of The Bat! - this allows users to easily work with e-mail, while helping to maximize workplace virus protection", said Sergey Demchenko, Ritlabs General Director.
For compatibility between The Bat! and Kaspersky Anti-Virus one must use Kaspersky Anti-Virus Personal Pro 4.0 or Anti-Virus Business Optimal and The Bat! or The Bat! Pro version 1.60 or higher.
Source: http://www.kaspersky.com
Top Ten viruses detected in March by Panda ActiveScan -- Posted by Igor_Donchenko on Monday, April 15 2002
Klez.F, Fbound.C and Badtrans.B were the viruses causing most infections last month
Computer virus activity in March was characterized by the persistence of existing malicious code rather than the appearance of new epidemics, according to a list drawn up by Panda Software of the ten viruses most frequently detected by the company’s free, on-line antivirus, Panda ActiveScan.
Klez.F, a worm that runs automatically when the message carrying it is viewed in the preview pane, was responsible for more than 23 percent of infections and topped the March ranking.
The dynamic Fbound.C worm, capable of adapting the subject field to the O/S language, also figured highly in the list. The effectiveness of this malicious code stems from its ability to send itself to other users by connecting directly to the mail server.
The now infamous Badtrans.B was less prevalent than in previous months, but still held third place in the ranking with more than eight percent of cases. Like Klez.F, this is a worm that runs automatically when the message is viewed in the preview pane. This is no doubt why it has always figured among the most virulent code in Panda’s rankings.
SirCam, another notorious infector that uses large doses of cunning to trick users into running its code, was also found to be the culprit in around eight percent of cases.
Nimda and Magistr.B are still out and about. Despite a notable reduction in the activity of these two viruses, their frequent appearance in the Panda Top Ten is an indication of the effectiveness with which these viruses spread.
The March monthly ranking was completed by Hai, Help, Mylife.B and the highly destructive Disemboweler.
Position  Virus              Frequency (%)
1         W32/Klez.F         23.33
2         W32/Fbound.C       10.18
3         W32/Badtrans.B     8.48
4         W32/Sircam         7.89
5         Nimda              4.62
6         W32/Magistr.B@mm   4.03
7         W32/Hai            3.56
8         VBS/Help           3.48
9         W32/MyLife.B       2.71
10        W32/Disemboweler   2.54
Panda Software reports the appearance of the new worm, W32/Explorer. -- Posted by Igor_Donchenko on Wednesday, April 10 2002
Panda Software has released information on the new virus W32/Explorer. This is a worm written in Borland Delphi that not only spreads via e-mail, but can also spread to other machines via a web server and web page created on the affected computer.
The worm comes in a file called psecure20x-cgi-install.version6.01.bin.hx.com, attached to an e-mail message with the following subject: ".".
If the user clicks on this file, the worm creates a file of 0 bytes called IPHIST.DAT in the same directory that it runs from. At the same time, it generates EXPLORER.EXE, which is really a copy of W32/Explorer, in the Windows/System directory. Once this is done, the worm deletes the file from the folder it was run from and goes memory resident, installing its own web server on the victim's computer.
W32/Explorer also sends messages through IRC with the text FREE PORN: http://free:porn@x.x.x.x:8180 ( x.x.x.x is the IP address of the computer affected by the worm).
This too is an attempt to trick users into downloading the worm onto their machines. Finally, it creates an entry in the Windows registry in order to run on every system startup.
W32.Maldal.J -- Posted by Igor_Donchenko on Monday, April 8 2002
W32.Maldal.J is a mass-mailing worm that also logs keystrokes. It sends an email message to all addresses that it finds in the Microsoft Outlook address book, the MSN Messenger list, and in .html files on the infected computer. The email message contains an HTML link to a file named FixerData.exe. FixerData.exe then downloads the file Data.exe from a particular Web site and then runs it. Data.exe is the mass-mailing component of W32.Maldal.J.
If W32.Maldal.J is executed, it does the following:
It displays the following message:
It copies itself to the \%Windows%\System folder and then overwrites the original file with a text file that contains the full path and file name of the worm. The worm then tracks open windows and stores keystrokes in the file \%Windows%\system\.txt.
For example, if the original worm file name is C:\Temp\Test.exe, the worm copies itself to C:\%Windows%\System\Test.exe and then overwrites the file C:\Temp\Test.exe with a text file that contains the string "C:\Temp\Test.exe". The log file for the keystrokes is C:\%Windows%\System\Test.txt.
NOTE: %Windows% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.
The worm emails this text file to the virus writer.
Next, it searches the computer for email addresses contained in the Microsoft Outlook address book, the MSN Messenger list, and in .html files, and sends email to those that it finds. This email has the following characteristics:
Message: The message is one of the following: I've got this surprise for you ;) I know what you need at this **** time.
Have fun and don't forget :P YOU KNOW WHAT I MEAN ! bye
or Dear User, McAfee.com has recieved an alert from you. We believe that you are infected with W32/ZaCker.Trojan@MM. This High Risk virus allows hackers to control your PC. To clean and protect your PC from the virus :
For more information about the virus :
Sincerely, McAfee.com Copyright 2002 McAfee.com Corporation / All Rights Reserved.
NOTE: The actions described in the email message could not be reproduced in the Symantec Security Response lab environment.
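A host check for the file artefacts described above (the original .exe overwritten with a text file holding its own path, the same-named copy in the System folder, and the matching .txt keystroke log), given as an added example that is not part of the original write-up. The names find_maldal_j_artifacts, build_constructed_sample and MAX_STUB are hypothetical, and the sample tree is constructed to mirror the C:\Temp\Test.exe illustration.

```python
import ntpath
import os
import tempfile

MAX_STUB = 520  # assumption: a bare Windows path fits well inside this many bytes


def find_maldal_j_artifacts(scan_root, system_dir):
    """Flag .exe files replaced by a text stub holding a Windows path to themselves."""
    findings = []
    sys_names = {n.lower() for n in os.listdir(system_dir)}
    for folder, _dirs, files in os.walk(scan_root):
        for name in files:
            path = os.path.join(folder, name)
            if not name.lower().endswith(".exe") or os.path.getsize(path) > MAX_STUB:
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1").strip().strip('"')
            # A real executable starts with the "MZ" header, so it fails this path test.
            if not ntpath.isabs(text) or ntpath.basename(text).lower() != name.lower():
                continue
            findings.append({
                "stub": path,
                "recorded_path": text,
                "copy_in_system": name.lower() in sys_names,  # worm copy, same name
                "keystroke_log": name[:-4].lower() + ".txt" in sys_names,
            })
    return findings


def build_constructed_sample(base):
    """Constructed tree mirroring the C:\\Temp\\Test.exe example; no real malware."""
    system = os.path.join(base, "Windows", "System")
    samples = {
        os.path.join(base, "Temp", "Test.exe"): b"C:\\Temp\\Test.exe",  # overwritten original
        os.path.join(base, "Temp", "Clean.exe"): b"MZ" + bytes(62),     # ordinary executable
        os.path.join(system, "Test.exe"): b"MZ" + bytes(62),            # stand-in for the copy
        os.path.join(system, "Test.txt"): b"constructed log",           # stand-in keystroke log
    }
    for path, content in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base, system


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_maldal_j_artifacts(*build_constructed_sample(tmp)))
```

A stub with neither corroborating artefact present is a weaker signal and is reported with both flags set to False rather than dropped.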
ICSA Extends Kaspersky Labs' Certification -- Posted by Igor_Donchenko on Friday, April 5 2002
Kaspersky Labs, a leading international data-security software developer, announces the prolongation of its prestigious International Computer Security Association (ICSA) certification for its Windows 2000 anti-virus solutions.
The results of vigorous tests conducted by ICSA confirm Kaspersky Anti-Virus software's compliance with the very highest world-class standards and have earned Kaspersky Labs the renewal of its certification.
ICSA is a respected authority in the field of information security software testing and certification. The association works to help computer users navigate the diverse offerings available in information security software by ensuring the highest quality in the products it selects to certify.
Kaspersky Labs' products have successfully met the standards of ICSA certification starting from the company's inception in 1997. Kaspersky Anti-Virus for Windows 2000 offers solutions for all user categories including: home, small and middle size business and corporate.
The Virus Top Twenty for March 2002 from Kaspersky Lab -- Posted by Igor_Donchenko on Monday, April 1 2002
Kaspersky Lab presents the Virus Top Twenty for March 2002.