Antivirus World

News archive about antivirus software, virus threats, trojans

May 2004

Panda Software warns of two new variants of the Bobax worm -- Posted by Igor_Donchenko on Thursday, May 20 2004
PandaLabs has detected variants B and C of the Bobax worm, two new malicious codes which join Bobax.A, discovered some days ago. As a result, the probability of computers being infected by one of the Bobax worms has increased considerably.

Like the Sasser family of worms, the three Bobax variants exploit the Windows LSASS vulnerability to spread. They probe a large number of IP addresses to find computers that are still exposed to the LSASS vulnerability.

When one is found, Bobax sends instructions to the affected computer to download a copy of the worm. Exploiting the LSASS vulnerability also triggers a buffer overrun that causes the affected system to restart.

Even though the LSASS vulnerability affects only Windows XP and 2000 systems, Bobax and its variants can also spread to the other Windows platforms. On those platforms, however, the worms cannot spread automatically: the user must run a file containing a Bobax specimen for the system to become infected.

Once installed on a computer, the Bobax worms open several random communication ports, which could allow a remote user to use the affected system as an SMTP server for sending mail. In this way, targeted computers could become ‘zombies’ for sending spam.

PandaLabs has also detected e-mails carrying the new Trojan Ldpinch.W. Even though this is not an extremely dangerous malicious code, it takes advantage of headline news (the Iraq conflict) to trick users into infecting their computers.

The message that carries Ldpinch.W has the following characteristics:

Subject:

Important news about our soldiers in IRAQ!!!

Message:

Seven officers was lost today,
follow the link to get the full story.


[Internet address]

Attached file:

IMPORTANT INFORMATION.ZIP, which in turn contains the file IMPORTANT INFORMATION.SCR.

The Internet address shown in the message includes information on the Iraq war. However, if the user runs the attached file, Ldpinch.W will be installed on the computer.

This Trojan is designed to steal confidential information from the system and send it to a predetermined e-mail address. In this way, the virus creator could use the stolen data in a fraudulent manner.

To prevent your computer from falling victim to any of the Bobax worms or Ldpinch.W, Panda Software advises users to tighten security measures and keep their antivirus software updated.

To avoid attacks from Bobax or its variants, it is necessary to install the Microsoft patch that fixes the LSASS vulnerability.

Source: http://www.pandasoftware.com
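A mail-gateway check for the lure described above: it looks inside ZIP attachments for Windows executables such as the .SCR file Ldpinch.W hides in IMPORTANT INFORMATION.ZIP. This is an added example, not Panda's code; the message it builds is a constructed stand-in with a placeholder payload, and the link is left as the page shows it.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs when double-clicked; a .scr "screensaver" is an
# ordinary executable, which is why Ldpinch.W ships one inside a ZIP.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_lure_message(member="IMPORTANT INFORMATION.SCR") -> bytes:
    """Construct a message shaped like the Ldpinch.W lure (test data only)."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not the real Trojan")
    msg = EmailMessage()
    msg["Subject"] = "Important news about our soldiers in IRAQ!!!"
    msg["From"] = "news@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"     # constructed recipient
    msg.set_content("Seven officers was lost today,\n"
                    "follow the link to get the full story.\n\n[Internet address]\n")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="IMPORTANT INFORMATION.ZIP")
    return msg.as_bytes()


def archived_executables(raw: bytes) -> list:
    """Return 'attachment.zip/member' for each executable inside ZIP attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            hits.append(f"{name}/<unreadable archive>")  # quarantine rather than pass
            continue
        with zf:
            for info in zf.infolist():
                # Member names stay readable even when the archive is
                # password-protected (the Bagle.pwdzip trick), so the check
                # works without being able to open the contents.
                if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                    tag = " [encrypted]" if info.flag_bits & 0x1 else ""
                    hits.append(f"{name}/{info.filename}{tag}")
    return hits
```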

Dabber worm feeds on Sasser-infected computers, Sophos reports -- Posted by Igor_Donchenko on Saturday, May 15 2004
Sophos has advised computer users about a new internet worm which hunts for computers infected by the widespread Sasser worm, and then infects them by exploiting a security vulnerability in Sasser's code.

The W32/Dabber-A worm searches for computers that have already been infected by variants of the Sasser worm. Dabber uploads itself to the infected computers it discovers by exploiting a vulnerability in the FTP server code run by the Sasser worm.

"We're used to hearing about worms exploiting security holes in software code written by operating system and firewall vendors, but in this case it's the Sasser worm's code which contains the bug and can allow Dabber to break in," said Graham Cluley, senior technology consultant for Sophos. "If recently arrested German student Sven Jaschan really did write Sasser he should be sent to the bottom of the class for leaving this bug in his code."

Sophos does not believe Dabber will become as widespread as the Sasser worm family, as users have acted to clean-up their computers and ensure proper firewall and anti-virus protection is in place.

"All home users and businesses should ensure their systems are properly defended with up-to-date anti-virus software, strong firewalls and the latest security patches from Microsoft," continued Cluley.

Source: http://www.sophos.com

Suspected Agobot Trojan author arrested in Germany, Sophos comments -- Posted by Igor_Donchenko on Saturday, May 15 2004
According to media reports, a 21-year-old German man was arrested and charged under the country's computer sabotage law for creating malicious computer code. Admitting responsibility for creating the Agobot Trojan, the suspect was apprehended in the southern town of Waldshut on Friday 7 May.

The suspect's computer hardware and software were also confiscated and will be closely examined by the authorities. Five other Germans were also charged in connection with the distribution of these Trojan programs.

"The Agobot family of Trojans is huge, with variants allowing unauthorised and remote access to an infected computer," said Carole Theriault, security consultant at Sophos. "The first version of this Trojan is almost 20 months old, and we hope that with these arrests, we'll be seeing the last of them."

"However, it is difficult to confirm at this time whether this suspect is the author of all the Agobot variants. The code was reportedly available online, and in that case, anybody could have downloaded it, tweaked it and distributed a version of it," explained Theriault.

German authorities told reporters that there was no link between this arrest and the arrest of Sven Jaschan, the 18-year-old German from Rotenburg in northern Germany, who was charged late last week in connection with the Sasser worm.

Source: http://www.sophos.com

Author caught, worm still at large -- Posted by Igor_Donchenko on Tuesday, May 11 2004
A new variant of Sasser reached BitDefender Labs today. Sasser.F was compiled and released after the author of Sasser.A was arrested, prompting speculation that the author may either have distributed the source code or not been alone in creating the malware.

The new variant has the mutex name changed to "billgate", probably as a reaction to the aid given to German police by Microsoft workers.

"It is definitely a patched version of Sasser.A. Whoever released this had no access to the source code. I think the "VX team" theory is pretty much shot down in flames at this point." declared Sorin Victor Dudea, Head of Virus Research at BitDefender Labs.

Source: http://www.bitdefender.com

Sasser epidemic collateral damage -- Posted by Igor_Donchenko on Friday, May 7 2004
As Sasser continues to spread, the number of organizations affected by the virus continues to rise. These include governmental institutions the world over, such as the European Commission (where 1,200 computers have been affected), the University of Massachusetts, banking IT systems, travel booking services and companies such as British Airways. In addition to the direct damage caused by Sasser in corporate environments, production is also lost while machines are brought up to date and the Microsoft patch is applied to correct the vulnerability that the worm is exploiting.

Other victims include all those who simply can't use their computers as systems infected by variants of Sasser restart every 60 seconds. This means that there is no time to eliminate the virus from the computer and download the Microsoft patch. One way that users can get round this is by first putting the system clock back, as described below:

  • When the window is displayed saying that the system will restart, double-click on the time displayed at the bottom of the screen.
  • Once the time settings window opens, put the clock back a few hours.
With respect to the extent of the epidemic, Luis Corrons, head of PandaLabs explains that, "Many users have been installing the patch released by Microsoft to fix the flaw that this worm exploits, which is an indication of increased awareness among the public and should help contain the spread of Sasser. New variants may appear so users should stay on the alert and make sure they have a good updated antivirus."

Source: http://www.pandasoftware.com

Top ten viruses and hoaxes reported to Sophos in April 2004 -- Posted by Igor_Donchenko on Friday, May 7 2004
Sophos has revealed the top ten viruses and hoaxes causing problems for businesses around the world.

The report, which examines virus and hoax reports in the month of April 2004, shows four new viruses have entered the chart, with Netsky variants taking seven places.

The top ten viruses in April 2004 were as follows:

Ranking  Virus Name     Percentage
1        W32/Netsky-P   23.2%
2        W32/Netsky-B   20.2%
3        W32/Netsky-D   16.8%
4        W32/Netsky-C    5.0%
5        W32/Netsky-Q    2.8%
6        W32/Sober-F     1.1%
7        W32/Netsky-J    0.8%
8        W32/Bagle-Zip   0.6%
9        W32/Gibe-F      0.2%
10       W32/Netsky-T    0.2%

"Several Netsky strains continued to cause serious difficulties for unprotected computer users throughout the month of April. With the author of the original Netsky worm claiming to have shared the viral code, it's possible that copycats might be getting their paws dirty by sending out new Netsky variants," said Carole Theriault, security consultant, Sophos. "Although this flurry of virus activity sounds like a nightmare, with automatically updated anti-virus protection at the gateway and on the desktop, these nasties can be stopped regardless of how they try to infiltrate the network. Not only does this protect individual computers, but it also helps slow down the rate of infection, which is good for all of us."

Source: http://www.sophos.com

Monthly virus top ten from BitDefender -- Posted by Igor_Donchenko on Friday, May 7 2004
This month has been, sadly, far from uneventful, with variant after variant of Netsky and Bagle pouring through mail servers everywhere.

The newer versions of Bagle seem to lack some of the bite of the first few, but Netsky.P seems to be going strong, with the Q variant expected to make a big(-ish) splash over the next few days.

Surprisingly enough, the Blaster virus seems to be fading away, and has dropped sharply to the eleventh spot in our top ten. Its nemesis, Welchia.B, seems to be on the rise, though.

An interesting, if unfortunate, development is the rise to prominence of a host of backdoors, trojans and illegal adware programs. While no single version accounts for a lot of infections, the various iterations of the Agobot.3 theme have chalked up enough infected items to take first place in our monthly top ten.

Ranking  Virus Name              Percentage
1        Backdoor.Agobot.3.Gen   25.02%
2        Win32.Worm.Welchia.B    24.13%
3        Win32.Netsky.P@mm       19.93%
4        Win32.NetSky.D@mm       19.19%
5        Win32.Netsky.B@mm        4.26%
6        Win32.Netsky.C@mm        2.98%
7        Win32.NetSky.Q@mm        2.79%
8        Win32.Bagle.U@mm         0.89%
9        Win32.Mydoom.F@mm        0.38%
10       Win32.Bagle.V@mm         0.38%

Source: http://www.bitdefender.com

Top Ten viruses most frequently detected by Panda ActiveScan in April -- Posted by Igor_Donchenko on Friday, May 7 2004
The effects of the wave of viruses that began in February, and continues to be felt by computer users around the world, can be seen in the data gathered by the Panda ActiveScan free, online scanner. Five variants of Netsky alone were among the most frequently detected viruses in April.

Netsky.P, responsible for 15.29% of infections, topped the April ranking of malicious code. This could largely be due to its ability to spread, not just via e-mail, but also through peer-to-peer file sharing applications. Netsky.P also exploits the Iframe vulnerability in Internet Explorer to run automatically on victims' computers.

Some way behind Netsky.P came the D variant of Netsky followed in turn by the Downloader.L Trojan, which continues to infect a considerable number of computers month after month.

After these came Netsky.B, Nachi.B and Netsky.C, three more viruses associated with the current wave of malicious code. However, the Revop.F Trojan (first detected at the beginning of March) has gradually become more of a menace and was recorded in seventh place in last month's list. This malicious code downloads adware onto the victim's computer.

Bagle.pwdzip (also related to the recent plague) was in eighth place, although this figure represents the detection of all variants of Bagle that could reach computers in password-protected .zip files.

Ninth place was held by the oldest virus in the Top Ten, the polymorphic Parite.B, which, due to its multiple means of infection, has appeared consistently in the list of malicious code detected by Panda ActiveScan. Last month's ranking was completed by Netsky.Q.

Ranking  Virus Name           Percentage
1        W32/Netsky.P.worm    15.29%
2        W32/Netsky.D.worm     8.00%
3        Trj/Downloader.L      6.95%
4        W32/Netsky.B.worm     6.29%
5        W32/Nachi.B.worm      5.91%
6        W32/Netsky.C.worm     3.72%
7        Trj/Revop.F           3.52%
8        W32/Bagle.pwdzip      2.58%
9        W32/Parite.B          2.41%
10       W32/Netsky.Q.worm     2.35%

The following conclusions can be drawn from the data collected by Panda ActiveScan last month:

  • Seven of the viruses in the list are worms that have been unleashed as part of the current 'cyberwar' between various groups of virus creators. Netsky, designed to eliminate the Mydoom, Bagle and Mimail worms from infected computers, is clearly dominating the 'battle'.
  • Many users are still not applying the patches released by vendors to fix common software vulnerabilities. This is highlighted by the presence of Netsky.P at the head of the list, as this worm exploits the Iframe vulnerability, first discovered and resolved more than two years ago.
Source: http://www.pandasoftware.com

BitDefender takes the sass out of Sasser -- Posted by Igor_Donchenko on Wednesday, May 5 2004
PC Welt, the leading German IT and computing magazine, continues its series of articles about reaction times. BitDefender Labs have established a tradition of speed, which was confirmed yet again in the latest outbreak.

How fast antivirus producers can react to new epidemics is, simply put, a measure of how safe their customers are. BitDefender antivirus researchers proved once again that they care about their users by being one of the first four companies in the world to issue a Sasser.A signature, within an hour of the best performance (at 07:30 GMT).

The Sasser.A worm was itself plagued with coding errors, which prevented it from spreading effectively, leading its author to release another variant the very same day. Fortunately, BitDefender Labs were the very first to issue a signature update for the Sasser.B, at 17:35 GMT.

BitDefender released a clean-up tool for Sasser on May 1st 2004. Microsoft issued the first version of its Sasser clean-up tool on May 2nd 2004.

Source: http://www.bitdefender.com

New Virus Epidemic caused by Sasser A and B poses threat this week -- Posted by Igor_Donchenko on Monday, May 3 2004
Four years to the day after the worldwide LoveLetter virus epidemic struck, we are facing another major virus whose effects could reach historic proportions. After the appearance of Sasser.A, Sasser.B has taken the top spot as the worm most detected and disinfected by Panda ActiveScan. Technical support teams from Panda are assisting users worldwide who have been affected by both of these worms. "The most affected groups are the large computer pools which, despite upgrading their antivirus programs daily, will continue to be attacked until the system is installed with the latest patch by Microsoft. In these cases, the task is arduous and those in charge must correct it unit by unit if they want the problem to be fully solved," says Luis Corrons of PandaLabs.

"Compared to other active viruses which have appeared on weekends, when activity is low (doubly so now that May 1st is a holiday in many countries), this one has positioned itself as one of the quickest-spreading and most virulent ones. All these signs make for a dark forecast for the beginning of the week, when it is expected that the number of incidents will soar at the beginning of the work day," adds Luis Corrons.

In addition, new variants are expected to appear in the coming days, just as we have seen occur over the last few months. "It seems that another attack combined with simultaneous different variants is on the way," adds Corrons. "What's more, large companies which have remote users that go on line via virtual networks or which work with laptops without corporate firewall protection may go online on Monday and find themselves affected by the virus even though they have the patch installed and the antivirus upgraded, due to the fact that both variants use the TCP 445 port to spread and this port is the one used to share folders and printers on the Internet."

This circumstance, coupled with the vulnerability which Sasser.A and B take advantage of, means practically all Microsoft systems will be affected, leaving millions of computers exposed to infection by this worm. "Users may be infected without even knowing it, the only symptom being that the computer will restart every time the user tries to go on line. Advanced users will detect the intrusion that Sasser creates in the registry, the file avserve.exe that it creates in the Windows folder, or in some cases it could appear in a Windows menu warning of problems with LSA Shell or errors in lsass.exe," adds Luis Corrons.

Its behavior is similar to Blaster, which appeared on August 10, 2003. In that case, 26 days passed between the date of the alert and someone taking advantage of it. In Sasser's case, only three days have gone by since Microsoft publicly announced the solution. As for Blaster, in the early moments of the attack, that is Monday August 11, it affected 2.5% of the computers analyzed by ActiveScan worldwide. This variant of Sasser is nearing 3% in just 24 hours.

Source: http://www.pandasoftware.com

Worm.Win32.Sasser.b -- Posted by Igor_Donchenko on Sunday, May 2 2004
Kaspersky Labs has detected Worm.Win32.Sasser.b, which attacks computers running Windows. The worm spreads via the Internet, using a vulnerability in Microsoft Windows LSASS Service, described in Microsoft Security Bulletin MS04-011.

The worm is written in C/C++ using Visual C compiler. It is approximately 15KB in size, and packed using ZiPack.

Propagation
When launching, the worm registers itself in the system registry autorun key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avserve2.exe = %WINDIR%\avserve2.exe
The worm scans IP addresses, searching for computers which have the vulnerability described in MS04-011. On a vulnerable computer the exploit launches a command shell (cmd.exe) listening on TCP port 9996, which then accepts commands to download and launch a copy of the worm.

Downloading is carried out via the FTP protocol.

To do this, the worm runs an FTP server on TCP port 5554 and, on request from the victim computer, serves a copy of itself. The copy of the worm is saved under the name "_up.exe", where "_" is a random number.

Source: http://www.viruslist.com

Worm.Win32.Sasser.a -- Posted by Igor_Donchenko on Sunday, May 2 2004
Kaspersky Labs has detected Worm.Win32.Sasser.a, which attacks computers running Windows.

This worm spreads via the Internet using a vulnerability in the Microsoft Windows LSASS service. The vulnerability is described in Microsoft Security Bulletin MS04-011.

The worm is written in C/C++ using Visual C compiler. It is approximately 15KB in size, and packed using ZiPack.

Propagation
When launching, the worm registers itself in the system registry autorun key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avserve.exe = %WINDIR%\avserve.exe
The worm scans IP addresses, searching for computers which have the vulnerability described in MS04-011. On a vulnerable computer the exploit launches a command shell (cmd.exe) listening on TCP port 9996, which then accepts commands to download and launch a copy of the worm.

Downloading is carried out via the FTP protocol.

To do this, the worm runs an FTP server on TCP port 5554 and, on request from the victim computer, serves a copy of itself. The copy of the worm is saved under the name "_up.exe", where "_" is a random number.

Source: http://www.viruslist.com
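A detection pass over connection logs for the propagation pattern the two Sasser entries above describe: one host probing many addresses on TCP/445 (the MS04-011 path), plus traffic to the worm's own ports, 9996 (command shell) and 5554 (the FTP server that Dabber in turn attacks). This is an added example, not Kaspersky's code; the log lines and addresses are constructed, and the scan threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LSASS_PORT = 445
WORM_PORTS = {9996: "Sasser command shell", 5554: "Sasser FTP server"}
SCAN_THRESHOLD = 20             # distinct TCP/445 targets from one source...
WINDOW = timedelta(seconds=60)  # ...within this window (assumed tuning values)


def build_sample_log():
    """Constructed log lines: '<ISO time> <src> <dst> <proto> <dport>'."""
    t0 = datetime(2004, 5, 2, 9, 0, 0)
    lines = []
    # Infected host 10.0.0.7 sweeps 25 addresses on TCP/445, one per second.
    for i in range(1, 26):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.7 10.0.1.{i} TCP 445")
    # Normal SMB use: a workstation talking to three file servers.
    for i, srv in enumerate(("10.0.2.10", "10.0.2.11", "10.0.2.12")):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 {srv} TCP 445")
    # A freshly exploited host pulls the worm copy from 10.0.0.7's FTP server.
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} 10.0.1.9 10.0.0.7 TCP 5554")
    return lines


def parse(lines):
    for line in lines:
        ts, src, dst, proto, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, proto, int(dport)


def detect(lines):
    """Return {host: [finding, ...]} for hosts whose traffic matches the worm."""
    findings = defaultdict(list)
    probes = defaultdict(list)  # src -> [(time, dst)] for TCP/445 attempts
    for ts, src, dst, proto, dport in parse(lines):
        if proto != "TCP":
            continue
        if dport in WORM_PORTS:
            # The listener is the infected host; the connector is its peer
            # (another infected host on 9996, a new victim on 5554).
            findings[dst].append(f"serving {WORM_PORTS[dport]} on {dport} to {src}")
            findings[src].append(f"connected to {dst}:{dport} ({WORM_PORTS[dport]})")
        elif dport == LSASS_PORT:
            probes[src].append((ts, dst))
    for src, attempts in probes.items():
        attempts.sort()
        # Slide a window over the time-ordered attempts, counting distinct targets.
        for i, (start, _) in enumerate(attempts):
            targets = {d for t, d in attempts[i:] if t - start <= WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                findings[src].append(
                    f"{len(targets)} distinct TCP/445 targets in {WINDOW.seconds}s from {start.time()}")
                break
    return dict(findings)


if __name__ == "__main__":
    for host, notes in sorted(detect(build_sample_log()).items()):
        print(host, notes)
```

A workstation using a handful of file servers on 445 stays below the threshold, which is what separates legitimate SMB use from the worm's sweep.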

Sasser internet worm attacks unpatched PCs -- Posted by Igor_Donchenko on Sunday, May 2 2004
Sophos researchers have warned computer users to protect themselves against the W32/Sasser-A worm, which spreads across the internet exploiting a critical security vulnerability in Microsoft's Windows operating system.

The new worm exploits the LSASS vulnerability first reported by Microsoft on 13 April in Microsoft Security Bulletin MS04-011.

"The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for Sophos. "At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."

The security vulnerability, which Microsoft has described as "critical", is said to affect the following Microsoft software:

  • Microsoft Windows NT Workstation 4.0 Service Pack 6a
  • Microsoft Windows NT Server 4.0 Service Pack 6a
  • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP 64-Bit Edition Service Pack 1
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 64-Bit Edition
  • Microsoft NetMeeting
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition (SE)
  • Microsoft Windows Millennium Edition (ME)
However, the Sasser worm is only capable of successfully infecting Windows XP and Windows 2000 systems.

"System administrators should note that Sasser doesn't spread by email - so internet email scanning services will not be able to detect this worm, and an absence of reports at your email gateway does not mean you can rest on your laurels," said Graham Cluley. "Companies should deploy the patch from Microsoft, ensure their firewall is set up correctly and update the anti-virus on their desktop and servers."

"Home users are particularly vulnerable to attacks like this, because they are often not running the latest anti-virus protection, haven't downloaded the latest security patches from Microsoft, and may not be running a personal firewall," continued Cluley. "All computer users should ensure their systems are properly protected from internet attacks like Sasser."

Source: http://www.sophos.com

© AntivirusWorld.com