Antivirus World
 News archive about antivirus software, virus threats, trojans 

May 2002

Antivirus program Doctor Web for The Bat! -- Posted by Igor_Donchenko on Tuesday, May 28 2002
This program is an antivirus module (plug-in), which can be hooked to the popular e-mail client The Bat!. To maintain additional e-mail antivirus protection with this module it is necessary to have Doctor Web for Windows version 4.27 or 4.28 and The Bat! version 1.60 or later installed on the computer.
This software plug-in is a release candidate version, designed to be run and tested by experienced users only. At present only an English-language interface is supported.

Source: http://www.dialognauka.ru

The international antivirus developer has now opened offices in Thailand and Latvia -- Posted by Igor_Donchenko on Friday, May 24 2002
Panda Software has now opened offices in Thailand and Latvia, reinforcing its presence in the fast developing markets of Southeast Asia and Eastern Europe.

Both countries are witnessing rapid growth in the use of new technologies, with the inherent increase in the threat from malicious code that this entails. By reinforcing its infrastructure in these regions, Panda Software aims to provide the most advanced antivirus protection to as many users as possible.

Since the beginning of the year, Panda Software has also opened new offices in Turkey, United Arab Emirates, Romania, Costa Rica and the Czech Republic.

With these latest additions, Panda Software is now represented in more than 45 countries around the world with offices in: Belgium, Bolivia, Bulgaria, Canada, Chile, China, Colombia, Denmark, Dominican Republic, Ecuador, Finland, France, Germany, Ghana, Greece, Guatemala, Holland, Hungary, Iran, Israel, Italy, Jordan, Lithuania, Malaysia, Malta, Mexico, Norway, Nigeria, Peru, Poland, Portugal, Puerto Rico, Slovakia, Slovenia, Spain, South Africa, Sweden, Switzerland, UK, United States, Uruguay and Venezuela.

Source: http://www.pandasoftware.com

"Spida" Worm Threatens MS SQL Servers -- Posted by Igor_Donchenko on Friday, May 24 2002
SQLSpida.A is a computer worm that replicates between systems running Microsoft SQL Server software. The worm works by exploiting a weak password that is the default installation choice for the "sa" (system administrator) SQL account. It begins by scanning the Internet for machines running the MS SQL service on TCP port 1433 and then tries to initiate a connection with the server, logging into the "sa" account. If this succeeds, the worm adds a new Windows NT user named sqlagentcmdexec on the remote machine, sets a random password for the account and adds it to the Administrators and Domain Admins groups.

Next, the worm maps the administrative share from the remote machine and attempts to copy itself into the system32 subdirectory of the Windows installation folder. SQLSpida takes care to close the vulnerability that allowed it to infect the system by setting a non-empty password for the "sa" account, then it simply launches itself on the remote machine.

The following comments can be seen inside the worm code:

"SQL Access v2.0" "Created 2001-2002 by Digital Spider"

Technical Details
To attack remote servers, SQLSpida uses an exploit tool originally known as sqlpoke, which claims to be written by someone going by the handle Xaphan.

The main entry point for the worm is a JavaScript file that generates random IP address classes and then searches them for vulnerable machines with the modified sqlpoke tool. When a potentially vulnerable system is found, a batch file is run which connects to the remote machine and copies the worm code.

It's also interesting to note that the worm attempts to collect both login passwords and list the databases from the SQL server, then mail them to one of the three possible addresses presumably belonging to the author.

Source: http://www.avp.ru

Panda Software reports the appearance of Kazoa, a worm designed for the Kazaa file sharing application -- Posted by Igor_Donchenko on Tuesday, May 21 2002
Panda Software has reported the appearance of Kazoa, a new worm designed to spread using the popular file sharing application Kazaa.

To do this, the worm uses the name of a computer game, film or music file to disguise itself and trick users into downloading the worm to their computers.

When the file containing the worm is run, Kazoa copies itself to the %Windir%\System folder with the name EXPLORER.SCR, and displays an error message.

At the same time, Kazoa generates an entry in the Windows registry to ensure it is run at system startup.

Finally, the worm begins to create copies of itself in the system. In fact, Kazoa generates 3,083 files with names generated from a predetermined list, including:

Age of Empires 2-Spiel-full-downloader.exe

Jurasik Park 3-divx-full-downloader.exe

South Park Vol. 1-divx-full-downloader.exe

Star wars Episode 1-Filme-full-downloader.exe

Although this worm does not appear to be particularly dangerous, Panda Software still advises users to be on their guard and treat all e-mails received with caution.

Source: http://www.pandasoftware.com

Kaspersky Labs Becomes First Anti-Virus Software Developer to Partner with internet.com -- Posted by Igor_Donchenko on Wednesday, May 15 2002
(May 14, 2002 - Cambridge, United Kingdom) -- Kaspersky Labs, an international data-security software developer, and INT Media Group, one of the largest international Internet holdings and owner of the well-known internet.com Network of Web resources, today announced an agreement to jointly promote and sell Kaspersky Labs' products.

Without adequate computer virus defense, in several years' time the Internet may turn into more of a means for spreading dangerous rather than useful information. With this danger in mind, the collaborative effort with internet.com allows both companies to join forces in fighting the virus threat - to more effectively inform users about virus epidemics and to make available appropriate means of protection.

Presently the internet.com Network comprises 150 Web sites of various orientations and nearly 300 themed discussion groups and mailing lists located the world over, including the U.S., Germany, Japan, Australia and more. The internet.com Network's cumulative monthly audience is over 22 million users generating nearly 225 million page views. The online portal of Web sites is divided into 16 channels including Internet News, Ecommerce/Marketing, Linux/Open Source Resources, Windows IT Resources, ASP and ISP Resources, and more. As a result, the widest possible range of user interests is covered and visitors' needs are satisfied to the fullest extent possible.

The agreement provides for the development of a joint advertising and marketing campaign designed to utilize internet.com's resources to promote and sell Kaspersky Labs products.

"We are grateful to internet.com for choosing Kaspersky Labs to be their first anti-virus software partner and are confident that our combined effort will allow us to more effectively battle the growing virus threat", said Vsevolod Ivanov, Kaspersky Labs Sales and Marketing Director.

Source: http://www.avp.ru

Top Ten viruses detected by Panda ActiveScan in April -- Posted by Igor_Donchenko on Tuesday, May 14 2002
The I and F variants of the Klez worm caused more than 60 percent of attacks last month according to data compiled from Panda ActiveScan.

Position  Virus               % frequency
1         W32/Klez.I          43.5%
2         W32/Klez.F          16.7%
3         W32/Sircam          3.8%
4         Nimda               2.9%
5         W32/Badtrans.B      2.5%
6         W32/Magistr.B@mm    1.8%
7         JS/Trojan.Seeker    1.5%
8         VBS/Help            1.4%
9         W32/Disemboweler    1.3%
10        W32/Hai             1.3%

The Virus Top Twenty for April 2002 from Kaspersky Lab -- Posted by Igor_Donchenko on Tuesday, May 14 2002
Kaspersky Lab presents the Virus Top Twenty for April 2002.

Position  Virus                 Percentage by occurrence
1         I-Worm.Klez           94.5%
2         I-Worm.BadtransII     1.5%
3         Win32.Elkern.c        0.6%
4         I-Worm.Sircam         0.6%
5         I-Worm.HappyTime      0.4%
6         I-Worm.LoveLetter     0.3%
7         I-Worm.Hybris         0.2%
8         Win95.CIH             0.2%
9         I-Worm.Cervivec       0.2%
10        Trojan.PSW.Delf       0.1%
11        Trojan.PSW.Gip        0.1%
12        I-Worm.Magistr        0.1%
13        Macro.Word97.Thus     0.1%
14        I-Worm.Gibe           0.1%
15        I-Worm.Nimda          0.1%
16        I-Worm.Stator         0.1%
17        JS.Trojan.Seeker      0.1%
18        Backdoor.Death        0.1%
19        IIS-Worm.CodeRed      0.1%
20        Backdoor.Osirdoor     0.1%

Kaspersky Labs extends its product line for handheld computers. -- Posted by Igor_Donchenko on Wednesday, May 8 2002
Kaspersky Labs, an international data-security software developer, presents the first beta-version of Kaspersky™ Security for the Pocket PC - a new security system for the Pocket PC handheld computers.

Kaspersky™ Security for the Pocket PC allows for the creation of special data repositories that are protected with the cryptographic algorithms RC4 or XOR. The encoding of data stored in a secret folder on the Pocket PC prevents unauthorized access to protected information without the use of a password (for example: information is still protected when a Pocket PC memory chip is placed into another Pocket PC device). For additional protection, data is decoded only when it is accessed by software applications; once access is complete, the data is immediately encoded again in real time. By employing these data protection methods users are able to control unauthorized access to their confidential data and to prevent information loss or leaks.

Kaspersky™ Security for the Pocket PC is compatible with the Pocket PC 2000/2002 (Windows CE 3.0) operating system and may be used on computers with MIPS and StrongARM processors such as the Casio E-125, E-200, EM-500, Compaq iPAQ 36xx, 38xx, HP Jornada 56x etc.

Source: http://www.avp.ru

The fourth of May is the second anniversary of the appearance of the world’s most costly computer virus epidemic -- Posted by Igor_Donchenko on Tuesday, May 7 2002
Two years ago last week, computer users around the world first started receiving e-mails with the now infamous ‘I Love You’ subject title which heralded the arrival of a computer virus that caused financial losses of around 10,000 million euros, according to Computer Economics. Not even Code Red and Sircam together, which last year had a combined impact of over 4,000 million euros, came close to the economic and psychological effect caused by this most virulent worm, alias VBS/LoveLetter.

In a matter of hours, this devastating e-mail worm and its variants had managed to infect more than 3 million computers around the globe. The virulence of this malicious code can be attributed to a series of factors:

  • Its use of what has been dubbed ‘social engineering’. Both the subject of the e-mail and the name of the attached file containing the worm, "LOVE-LETTER-FOR-YOU.TXT.VBS", appealed to users’ curiosity, especially as in many cases the e-mail was apparently sent from friends or colleagues of the victim.
  • The appearance, in rapid succession, of more than 30 variants helped fuel confusion and spread the virus even further. The variants differed from the original in the text of the messages, the names of attached files, the web pages to which they connected, the file extensions affected and in that, with one exception, they didn’t download a Trojan from the Internet.
  • Its enormous capacity to propagate through IRC and e-mail, sending itself out to all users in the victim’s address book.
  • A general lack of awareness among users about the need for effective and up-to-date antivirus protection.

Today, two years on, new, damaging viruses are continually appearing. In addition to the cunning use of social engineering, many of today’s viruses are also designed to exploit vulnerabilities in common applications, and experts believe that in the future, there will be an increase in the use of new and more sophisticated channels for entering victims’ computers. For this reason, users should always be on their guard and take certain basic measures to ensure that these threats are kept at bay.

  • Scan all e-mails received before opening. Using a reliable antivirus, scan all mail received, even if it seemingly comes from a reliable and trusted source.
  • Use a good antivirus, with daily updates and which is capable of detecting and eliminating all the latest viruses. The antivirus should also include permanent tech support services, to resolve virus problems or questions about the functionality of the antivirus itself; rapid response to new viruses and alert services.

Source: http://www.pandasoftware.com

Panda Software reports the appearance of Chick.D, a new e-mail worm -- Posted by Igor_Donchenko on Tuesday, May 7 2002
Panda Software has reported the appearance of Chick.D, a new e-mail worm. This new variant of the Chick virus spreads both via e-mail and IRC.

Chick.D uses what has been dubbed ‘social engineering’ to trick users into running the virus on their computers. In this case, both the message subject and text give the false impression that the attached file contains information about Bill Gates.

The worm is actually in the attached file, called Mocosoft.chm, and the e-mail has the subject title: FWD : The life of bill gates.

If users click on the file, Chick.D displays a dialog box asking for acceptance of ActiveX controls.

If the user accepts, the worm is sent to the third entry in the Windows address book. It also creates the file Mocosoft.chm in the Windows directory. Additionally, if the mIRC application is installed on the machine, the worm also creates the file Script.ini.

Chick.D also creates an entry in the Windows registry to ensure that it is only resent once from each infected computer.

When the worm has finished delivering its payload, it displays a series of screens including one with the nicknames of the authors of the virus.

Source: http://www.pandasoftware.com

VBS.Kagra: porn-star in the "wild"! -- Posted by Igor_Donchenko on Thursday, May 2 2002
The Virus Monitoring Service of DialogueScience, Inc. warns all Internet users of a new dangerous virus, VBS.Kagra (also known as VBS/Horty-A, VBS.Kagra.A@mm, VBS/Horty.A@mm), already spotted in the “wild”. So far no signs of its mass propagation on the Internet have been registered, but its destructive ability deserves close attention. The worm propagates via e-mail as a message with the attached file JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs, which pretends to contain links to web sites of the famous porn star Jenna Jameson, so that careless and curious users fall into the trap.

Virus Description

This new worm is a script program written in Visual Basic that infects computers running Windows. Its copies are propagated by e-mail.

Infection procedure

Having infected the system, the worm e-mails itself to the addresses found in the Microsoft Outlook Address Book. The infected message received by the user carries the following title:
"Jenna Jameson pornostar free superfuck+photo addresses"
The message tricks the user into double-clicking the file attached to the letter. The method used by the virus author is quite trivial: to relax the user’s vigilance, the file name is written in capital letters, including the familiar “.TXT” extension. The file's real extension is the comparatively invisible “.vbs”, the extension of a script program written in Visual Basic. To confuse a curious user, an ordinary Notepad window is opened after a double click on the attached file and a message is displayed. Thus the worm is executed through the user’s negligence.
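
The double-extension disguise described above (and used by LOVE-LETTER-FOR-YOU.TXT.VBS) can be caught at a mail gateway by looking at the file name alone. The following is an added example, not code from DialogueScience or any vendor on this page; the two extension sets and the function names are assumptions made for illustration.

```python
import ntpath

# Extensions Windows runs or interprets on double-click. A subset chosen for
# this example (assumption); extend it to match local mail policy.
ACTIVE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".scr", ".exe",
               ".com", ".bat", ".cmd", ".pif", ".chm", ".hta", ".lnk"}
# Extensions users tend to read as harmless documents or media (assumption).
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".gif", ".mp3",
              ".avi", ".mpg", ".htm", ".html", ".zip"}


def classify_attachment(name):
    """Return 'masquerade', 'active' or 'ok' for an attachment file name."""
    # Windows drops trailing dots and spaces when it resolves a name, so
    # "x.txt.vbs . " still opens as a .vbs file; strip them before parsing.
    base = ntpath.basename(name).rstrip(" .").lower()
    stem, last = ntpath.splitext(base)
    if last not in ACTIVE_EXTS:
        return "ok"
    # Space padding between the decoy and the real extension is the same
    # trick, so strip it before reading the inner extension.
    _, inner = ntpath.splitext(stem.rstrip(" ."))
    if inner in DECOY_EXTS:
        return "masquerade"   # e.g. NAME.TXT.vbs, displayed as NAME.TXT
    return "active"


def triage(names):
    """Group attachment names by verdict so a gateway can block or quarantine."""
    verdicts = {"masquerade": [], "active": [], "ok": []}
    for n in names:
        verdicts[classify_attachment(n)].append(n)
    return verdicts


# Constructed sample: file names quoted in the news items on this page plus
# one benign name.
SAMPLE = ["LOVE-LETTER-FOR-YOU.TXT.VBS", "ALEXIA.TXT.vbs", "Mocosoft.chm",
          "EXPLORER.SCR", "minutes.txt"]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE).items():
        print(verdict, names)
```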

Infection symptoms

Symptoms of infection with VBS.Kagra virus are as follows:

  • The presence of files Kernel32.vbs and JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs in Windows folder (for example C:\Windows)
  • ALEXIA.TXT.vbs file in Windows System directory (for example C:\Windows\System)
  • x-FUCK.TXT.vbs in the root directory (C:\) - this indicates that the worm might have been initially launched from floppy disk A:\ or B:\.
  • The presence of the following key in the registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WUpdate = kernel32.vbs (which allows the virus to run at system restart)
  • The presence of the following key in the registry HKLM\Software\WUpdate = [any number not greater than 5]

The latter registry key is used by the virus to count the number of times it has mailed itself. According to DialogueScience specialists, the worm e-mails itself from the infected computer no more than five times, after which propagation stops. This explains why this virus will not spread across the Internet as widely as Win32.HLLM.Klez.4.
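
The symptom list above can be checked mechanically against a host inventory. This is an added example, not DialogueScience's tooling: it works on a snapshot (a list of file paths and a dictionary of registry values) rather than a live system, and the function names, the snapshot layout and the reading of WUpdate as a value under HKLM\Software are assumptions.

```python
import ntpath

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumption: the mail counter is a value named WUpdate under HKLM\Software.
COUNTER_KEY = r"HKLM\Software"


def _norm(path):
    # Windows paths are case-insensitive; normalise separators and case.
    return ntpath.normcase(ntpath.normpath(path))


def kagra_file_indicators(windir=r"C:\Windows", root="C:\\"):
    """File locations from the symptom list, for a given Windows directory."""
    return [
        ntpath.join(windir, "Kernel32.vbs"),
        ntpath.join(windir, "JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs"),
        ntpath.join(windir, "System", "ALEXIA.TXT.vbs"),
        ntpath.join(root, "x-FUCK.TXT.vbs"),
    ]


def check_snapshot(files, registry, windir=r"C:\Windows"):
    """Return (kind, detail) findings; registry maps (key, value) -> data."""
    present = {_norm(f) for f in files}
    reg = {(k.lower(), v.lower()): d for (k, v), d in registry.items()}
    findings = [("file", p) for p in kagra_file_indicators(windir)
                if _norm(p) in present]

    run = reg.get((RUN_KEY.lower(), "wupdate"))
    if run is not None and ntpath.basename(str(run)).lower() == "kernel32.vbs":
        findings.append(("autorun", str(run)))

    counter = reg.get((COUNTER_KEY.lower(), "wupdate"))
    if counter is not None and str(counter).strip().isdecimal():
        n = int(str(counter).strip())
        if n <= 5:
            # The worm stops mailing after five runs, so 5 means "finished".
            findings.append(("mail-counter", n))
    return findings


# Constructed snapshot of an infected host (not real telemetry).
SNAPSHOT_FILES = [r"c:\windows\kernel32.vbs",
                  "C:/WINDOWS/System/alexia.txt.vbs",
                  r"C:\Windows\notepad.exe"]
SNAPSHOT_REG = {(RUN_KEY, "WUpdate"): "kernel32.vbs",
                (r"hklm\software", "WUpdate"): "3"}

if __name__ == "__main__":
    for kind, detail in check_snapshot(SNAPSHOT_FILES, SNAPSHOT_REG):
        print(kind, detail)
```

A lone mail-counter finding is weak evidence by itself; treat it as a prompt to look for the file and autorun indicators.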

Attention! Danger!

When activated on May 13th, the worm attempts to delete all the files in the Windows folder. If the worm is run on May 12th, the following message box is displayed on the screen: "Your PC has been hacked by KaGra[ATZI virus ver 2.1]".

Source: http://www.dialognauka.ru
