Antivirus World
 News archive about antivirus software, virus threats, trojans 

June 2002

BAT.Beckow.B@mm -- Posted by Igor_Donchenko on Thursday, June 27 2002
BAT.Beckow.B@mm is a worm that sends itself to all addresses in the Microsoft Outlook Address Book. It also propagates through IRC. It attempts to copy itself to drive A, overwrite .reg, .vbs, .bat, .ifk, .pif, and .lnk files, and delete files that are associated with several antivirus programs.

When BAT.Beckow.Worm runs, it does the following:

It creates these files in the folder that contains the worm:

  • Anderson.reg
  • Denilson.vbs
  • Vx.vbs (the primary worm file)

It also creates the following files:

  • C:\This_Is_Just_A_Simple_Worm_By_Galaxynet_IRC_#VX\Ronaldo.jpg.bat (the primary worm file)
  • C:\Lucio.vbs (the worm component that performs the email routine)
  • C:\Marcos.bat (the primary worm file)
  • \%Windows%\Dida.bat
  • \%Windows%\Kaka.bat
  • \%Windows%\Carlos.vbs
  • \%Windows%\Chmxc.bat
  • \%Windows%\Paulista.bat
  • \%Windows%\Silva.bat
  • \%Windows%\System\Wini.bat (the primary worm file)
  • \%Windows%\Startm~1\Programs\StartUp\Kleberson.bat (the primary worm file)
  • A:\Cafu.bat (the primary worm file)

NOTE: %Windows% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

The worm then sends itself to all contacts in the Outlook Address Book. The email message has the following characteristics:

Subject: (The subject line is empty.)
Message: Trashing Turkey Tactics!! Fresh From Brazil Coach!!
Attachment: Marcos.bat

The worm then renames the C:\Autoexec.bat file to C:\Cafu.bat and overwrites .reg, .vbs, .bat, .ifk, .pif, and .lnk files in various locations on the computer.

This worm is also an IRC worm. It attempts to find an mIRC installation on the computer and replace the Script.ini file with a script that propagates the worm. The name of the attachment that it tries to send to IRC users is C:\This_Is_Just_A_Simple_Worm_By_Galaxynet_IRC_#VX\ronaldo.jpg.bat.

To evade detection, the worm tries to delete the following files from various antivirus software:

  • C:\Prlandgra~1\Kasper~1\Avp32.exe
  • C:\Prlandgra~1\Norton~1\*.exe
  • C:\Prlandgra~1\Trojan~1\Tc.exe
  • C:\Prlandgra\Norton~1\S32integ.dll
  • C:\Progra\F-Prot95\Fpwm32.dll
  • C:\Progra \Mcafee\Scan.dat
  • C:\Prlandgra\Tbav\Tbav.dat
  • C:\Progra\Avpersonal\Antivir.vdf
  • C:\Tbavw95\Tbscan.sig

NOTE: The previous paths are hardcoded into the worm.

Due to bugs in the worm, some functions do not work correctly; however, the mass-mailing function does work.

Finally, this worm displays the following message:

Brazil shall win the World Cup 2002!!

Source: http://www.norton.com

W32.Skren.A@mm -- Posted by Igor_Donchenko on Thursday, June 27 2002
W32.Skren.A@mm is a mass-mailing worm that spreads to all contacts in the Microsoft Outlook Address Book. It arrives as the attachment KellyOsbourne.com.gz.

When W32.Skren.A@mm runs, it does the following:

It sends itself to all contacts in the Microsoft Outlook Address Book. The email has the following characteristics:

Subject: Check Out This Cool Screensaver
Attachment: KellyOsbourne.com.gz

NOTE: The above e-mail characteristics could not be reproduced in the lab environment.

The worm copies itself to C:\KellyOsbourne.com.

It also drops the file C:\Gz.exe, a compression utility that the worm uses to compress itself and create the file C:\KellyOsbourne.com.gz.

Source: http://www.norton.com

W32.Yaha.E@mm -- Posted by Igor_Donchenko on Tuesday, June 18 2002
W32.Yaha.E@mm is a mass-mailing worm that sends itself to all email addresses that exist in the Microsoft Windows Address Book, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files that have extensions that contain the letters ht. The worm randomly chooses the subject and body of the email message. Depending upon the name of the Recycled folder, the worm either copies itself to that folder or to the %Windows% folder.

The name of the file that the worm creates consists of six randomly generated numbers.

If W32.Yaha.E@mm runs, it does the following:

It attempts to send itself to all email addresses that exist in the Windows Address Book file, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files with extensions that contain the letters ht. The email addresses are then stored in the file \%Windows%\.dll

For example, if the six random numbers are 123456, then the file name will be \%Windows%\123456123456.dll.

NOTE: %Windows% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

The worm masks its activity by displaying several strings of text and then making the Windows desktop appear to shake, so that it looks like a screen saver. The displayed text strings are:

  • U r so cute today #!#!
  • True Love never ends
  • I like U very much!!!
  • U r My Best Friend

In addition to the mass-mailing routine, the worm does the following:

It randomly uses the "Incorrect MIME header" exploit, which allows automatic execution of the worm on unpatched systems.

Depending upon the name of the Recycled folder, the worm copies itself to either that folder or to the \%Windows% folder. The file name consists of six random numbers.

The worm configures itself to execute each time that an .exe file is executed by changing the default value of the registry key

HKEY_LOCAL_MACHINE \ Software \ Classes \ exefile \ shell \ open \ command

to

[WormName]" %1 %*

It also creates a randomly named text file in the Windows folder; for example, [Random File Name].txt. The file contains the following text:

w32.yAHa.D
aUThor :H^H,h2h@achayans.com
oRigIN :inDia,kERala(gODs oWn cOUntrY)
kANagaaa ,mANdi pEnnee nJan Ninne sNEhikkunnuu..
oRu sITe kITTiyirunnegggil.. hACk CHEyyyamayirunnuuu..


Source: http://www.norton.com

Backdoor.Crat -- Posted by Igor_Donchenko on Thursday, June 13 2002
Backdoor.Crat allows a hacker to remotely control an infected computer. It is written in the Delphi programming language and compressed with Ezip.

When Backdoor.Crat runs, it does the following:

It copies itself to the %System% folder. The exact file names and port numbers that it uses may vary from version to version, because the hacker who creates this Backdoor Trojan can choose any desired file name. For example, the file name can be Winload.exe.

NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

WinDLL C:\%System%\

to the registry key

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
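The two registry changes described in this archive (W32.Yaha.E@mm rewriting the default value of exefile\shell\open\command so that the worm starts before every .exe, and Backdoor.Crat adding a WinDLL value under the Run key) can be checked offline from a registry export. The Python script below is an added example and is not code from this page, from Symantec or from any vendor. Its .reg sample is constructed for the example: the six-digit file name follows the Yaha.E write-up, Winload.exe is the illustrative name the Crat write-up gives, and the benign command form "%1" %* is the standard Windows value; the allowlist is an assumption the analyst maintains.

```python
import re

# Keys named in the W32.Yaha.E@mm and Backdoor.Crat write-ups above.
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# The standard value of the exefile open command on Windows; anything else
# (for example "[WormName]" %1 %*) starts another program before the .exe.
BENIGN_EXEFILE_COMMANDS = {'"%1" %*'}

# Constructed .reg export for the example (not a real capture). The exefile
# command names a six-digit file in the Windows folder, as Yaha.E does, and
# the Run key carries a WinDLL value pointing at Winload.exe, as in the Crat
# write-up. Real regedit exports are UTF-16LE: open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"C:\\WINDOWS\\123456.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinDLL"="C:\\WINDOWS\\SYSTEM\\Winload.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Parse a .reg export into {key (lower-cased): {value name: data}}.
    The default value is stored under the empty name; only string data is
    unescaped, other types (dword:, hex:) are kept as their raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else _unescape(name.strip('"'))
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_exefile_hijack(keys):
    """Return the exefile open command if it is not the standard one, else None."""
    cmd = keys.get(EXEFILE_KEY.lower(), {}).get("")
    if cmd is None or cmd.strip() in BENIGN_EXEFILE_COMMANDS:
        return None
    return cmd


def suspicious_run_entries(keys, allowlist=frozenset()):
    """Run values whose name is not on the analyst's allowlist (an assumption)."""
    run = keys.get(RUN_KEY.lower(), {})
    return {name: data for name, data in run.items() if name not in allowlist}


def triage(text, allowlist=frozenset()):
    keys = parse_reg(text)
    return {
        "exefile_hijack": check_exefile_hijack(keys),
        "run_entries": suspicious_run_entries(keys, allowlist),
    }


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_REG, allowlist={"ScanRegistry"}).items():
        print(f"{finding}: {detail}")
```

The exefile check is deliberately an exact comparison against the standard value rather than a search for a worm name: Yaha's file name is random, so the only stable signal is that the command no longer equals "%1" %*. Remediation is restoring that value, since deleting the key entirely leaves .exe files unable to launch.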

Possible Trojan functions

When the hacker creates the Backdoor.Crat server file, there are many functions that can be added. For example, it can be programmed to:

  • Choose the ports that are used by the backdoor Trojan to communicate with the hacker. By default, it uses port 956 for direct control and port 9561 for file transfer.
  • Use different notification methods to send information to the hacker about the compromised computer. For example, it attempts to open an HTTP connection to a Web server chosen by the hacker and post the victim's information to a script file at that Web server. The information may include:
    • Notification that the victim is online
    • The connection port
    • The upload/download port
    • The victim computer's system date and time

If Backdoor.Crat is run, it allows the hacker to take remote control of the compromised computer; its capabilities can include:
  • Fully control the file system
  • Upload to and download from the host computer
  • Rename/delete/list/run files of the hacker's choice
  • Display messages
  • View the screen
  • Log keystrokes
  • Clear CMOS
  • Perform annoying actions, such as:
    • Change various desktop settings (wallpaper, icons, hide the clock, and so on)
    • Manipulate the mouse
    • Open and close the CD-ROM drive
    • Turn the monitor on and off
    • Enable/disable CMOS beep

Source: http://www.norton.com

BAT.WCup@mm -- Posted by Igor_Donchenko on Thursday, June 13 2002
BAT.WCup@mm is a batch file that creates a mass-mailing script and drops numerous files. It also deletes program files belonging to several antivirus programs. If BAT.WCup@mm is run, it may affect the startup of the operating system.

It arrives as the following email message:

Subject: WorldCup News!
Message: Read me for more world cup news!
Attachment: Worldcup_score.vbs.

If you receive this email message, delete it without opening the attachment.

Source: http://www.norton.com

Top Ten viruses detected by Panda ActiveScan in May -- Posted by Igor_Donchenko on Sunday, June 9 2002
Panda Software has published the Top Ten viruses detected and eliminated by the free online scanner, Panda ActiveScan, in May.

According to data compiled from ActiveScan, the Klez.I worm was, for the second month running, the most virulent malicious code in May. This worm, which runs automatically when the message carrying it is viewed in the preview pane and has a rapid rate of propagation, has been detected by Panda ActiveScan in 20.3% of cases.

This figure makes the detection rate of the other malicious code a lot lower than in previous months. In second place in the ranking is Elkern.C (closely associated with the Klez worm), which accounted for 5.9% of infections. In third place is Klez.F, which was responsible for 3.4% of attacks.

This leading group is followed by other malicious code that has been detected less frequently by Panda ActiveScan. This group includes the persistent Help virus (3.0%), which has been around for over a year, Sircam (2.7%) and the veteran Hybris (2.5%), which has refused to be dropped from the ranking since October 2000.

Position  Virus              % frequency
1         W32/Klez.I         20.3%
2         W32/Elkern         5.9%
3         W32/Klez.F         3.4%
4         VBS/Help           3.0%
5         W32/Sircam         2.7%
6         W32/Hybris         2.5%
7         W32/Nimda          2.4%
8         W32/Magistr.B      2.1%
9         W32/Disemboweler   2.1%
10        W32/Badtrans.B     1.9%

Kaspersky Virus Top Twenty - May -- Posted by Igor_Donchenko on Sunday, June 9 2002
The latest monthly installment of the Kaspersky Virus Top 20 is here.

Position  Virus                        Percentage by occurrence
1         I-Worm.Klez                  96.49%
2         Win95.CIH                    0.84%
3         I-Worm.BadtransII            0.52%
4         I-Worm.Hybris                0.30%
5         Trojan.PSW.Delf              0.24%
6         I-Worm.Sircam                0.21%
7         Win32.Elkern.c               0.16%
8         Macro.Word.Cap               0.13%
9         Win32.FunLove                0.09%
10        I-Worm.Magistr               0.07%
11        Backdoor.NetBuie             0.06%
12        Macro.Word97.Thus            0.05%
13        Trojan.PSW.Gip               0.04%
14        I-Worm.HappyTime             0.03%
15        I-Worm.Cervivec              0.03%
16        Trojan.Downloader.Web.Down   0.03%
17        I-Worm.Gibe                  0.03%
18        Trojan.PSW.M2                0.02%
19        Macro.Word97.Flop            0.02%
20        Trojan.PSW.Spion             0.02%

Source: http://www.avp.ru

Panda Software reports the appearance of WorldCup, an e-mail worm using the soccer finals in Japan and Korea as bait -- Posted by Igor_Donchenko on Wednesday, June 5 2002
Panda Software has reported the appearance of VBS/Chick.F (alias WorldCup), a new variant of the Chick virus that uses the subject of the soccer World Cup finals to trick users into running an infected file.

WorldCup is designed to spread both via e-mail and also through the popular mIRC chat application.

The e-mail message containing the virus has the subject: "RE:Korea Japan Results", while the text inside reads: "Takes a look at these results... Regards". The attached file that carries the worm is called: Koreajapan.chm.

If the user runs this file, a screen is displayed telling the user that ActiveX controls need to be installed in order to view the content of the file. If the user accepts, the worm launches its payload.

It first sends itself to the first entry in the address book. However, by adding an entry to the Windows registry, it ensures that this is only done once in each infected computer.

WorldCup also searches for the MIRC.INI file, and on finding it creates the file SCRIPT.INI in order to spread via IRC. The worm also copies itself to the Windows directory under the name Koreajapan.chm.

Finally, a screen is displayed purporting to be an application for viewing the World Cup results.

Source: http://www.pandasoftware.com
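Four of the mail-borne worms in this archive (BAT.Beckow.B@mm, W32.Skren.A@mm, BAT.WCup@mm and VBS/Chick.F) are each characterised by a fixed subject, body text and attachment name, which is exactly what a mail-gateway rule can match on; a more durable rule flags any attachment whose name contains an executable extension, which also catches the double-extension names ronaldo.jpg.bat and KellyOsbourne.com.gz. The Python below is an added example, not code from this page, from Symantec or from Panda Software. The signature strings are copied from the write-ups above; the sample messages, sender and recipient addresses and attachment payload are constructed for the example, and the list of executable extensions is the author's assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# One rule per worm, taken from the write-ups above:
# (name, subject or None for "don't care", body substring or None, attachment name).
# An empty subject string means the worm sends an empty subject line.
SIGNATURES = [
    ("BAT.Beckow.B@mm", "", "Trashing Turkey Tactics!! Fresh From Brazil Coach!!", "Marcos.bat"),
    ("W32.Skren.A@mm", "Check Out This Cool Screensaver", None, "KellyOsbourne.com.gz"),
    ("BAT.WCup@mm", "WorldCup News!", "Read me for more world cup news!", "Worldcup_score.vbs"),
    ("VBS/Chick.F (WorldCup)", "RE:Korea Japan Results", "Takes a look at these results", "Koreajapan.chm"),
]

# Extensions Windows executes or interprets when the attachment is opened
# (assumed list). Every dotted component after the first is checked, so
# ronaldo.jpg.bat and KellyOsbourne.com.gz both trip this generic rule.
EXECUTABLE_EXTS = {".bat", ".vbs", ".pif", ".lnk", ".com", ".exe", ".scr", ".chm", ".reg"}


def attachment_names(msg):
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def classify(raw_bytes):
    """Return the names of the rules one RFC 822 message matches (empty list if clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["subject"] or "").strip()   # a missing subject counts as empty
    body = body_text(msg).lower()
    names = attachment_names(msg)
    hits = []
    for name, sig_subject, sig_body, sig_attachment in SIGNATURES:
        if sig_subject is not None and subject.lower() != sig_subject.lower():
            continue
        if sig_body is not None and sig_body.lower() not in body:
            continue
        if any(n.lower() == sig_attachment.lower() for n in names):
            hits.append(name)
    for n in names:
        parts = n.lower().split(".")
        if len(parts) > 1 and any("." + p in EXECUTABLE_EXTS for p in parts[1:]):
            hits.append("executable-attachment:" + n)
    return hits


def build_sample(subject, body, attachment_name, payload=b"@echo off\r\n"):
    """Construct a test message for the example (not a captured worm mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    if subject:   # leave the header out to model an empty subject line
        m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("WorldCup News!", "Read me for more world cup news!", "Worldcup_score.vbs"),
                 ("", "Trashing Turkey Tactics!! Fresh From Brazil Coach!!", "Marcos.bat"),
                 ("Quarterly figures", "Figures attached.", "report.pdf")]:
        print(args[2], "->", classify(build_sample(*args)))
```

The per-worm rules are brittle by design (a one-character change in the subject defeats them), which is why the generic attachment rule is listed separately: on the 2002 mail stream described in this archive it would have stopped Beckow, Skren, WCup and Chick.F alike without knowing any of their names.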

© AntivirusWorld.com