 |
|
|
| News archive about antivirus software, virus threats, trojans |
|
June 2003
Virus work is a family business -- Posted by Igor_Donchenko on Monday, June 30 2003
BitDefender, a provider of security related software and services today released its monthly listing of the top ten viruses reported for June 2003. The report, denominated the "Evil Top Ten", is based on the number of virus occurrences confirmed through BitDefender Response Team tracking.
Last period has certainly been captivating in every aspect related to virus evolution and positioning.
| Ranking | Virus Name | Percentage | | 1. | Win32.BugBear.B@mm | 8.23% | | 2. | Win32.Klez.H@mm | 4.93 | | 3. | Win32.Parite.B | 3.66% | | 4. | Win32.HLLP.Hanta.A | 3.12 | | 5. | Win32.Sobig.B@mm | 2.91% | | 6. | Trojan.KeyLogger.BugBear.B | 2.71% | | 7. | Win32.P2P.Lorrin.A@mm | 1.95% | | 8. | Win32.BugBear.A@mm | 1.26% | | 9. | Win32.SoBig.C@mm | 1.23% | | 10. | Win32.Sobig.A@mm | 1.07% | | 11. | Other Viruses | 68.93% |
Apparently built on the saying "The king is dead, long live the king!", this new trend in virus making went beyond some of the wildest expectations most antivirus analysts would have stated for this period.
This certainly proved to be quite an interesting month due to the outburst of chain-virus, particularly Sobig and BugBear signed malware that did their best to make antivirus solutions worth their pay.
Let's take a look at so far considered the most lashing threat of the year: BugBear.B, belonging to buggy bears family. Incredibly interesting structure for this evil fellow: if specialists regarded the A variant as dangerous, there was and still is a lot to say about BugBear.B. Attacking systems in almost every possible way, stealing passwords and infecting files, this virus has a keen eye for corporate environment, especially financial institutions; thousands of computers are considered to get infected by BugBear.B and that is just a temporary estimation. This is dirty trick indeed, considering that an attack of this magnitude on a bank can cause million dollars damage in very little time.
We all were rather familiar to the idea of virus families, but Sobig series seems to be a more interesting issue. The Sobig saga was beginning on January 11th, with first variant - Sobig.A - high spreading mass mailer that also checked network shares. The silence lasted for only 4 months. On May 18th we assisted to the rise of Sobig.B, in its entire commonly accepted name - Sobig.B, the virus formerly known as Palyh. Still high spreading, a little bit more dangerous than Big Brother Sobig.A. And then the show began: the most interesting feature of last Sobig versions is the payload, that proclaims deactivation of viral activity within a date set by creator, which by the way is not apparently very patient with its offspring development: Sobig.B was put to sleep on May 31st...And then surprise, surprise: : the same May 31st specialists confirmed Sobig.B legacy being passed to its rightful heir, named Sobig.C, even more threatening than its predecessors... Offer available only for about a week... By now we arrived to the E version of this evil worm, but the audience rates have considerably diminished. D and E variants were not included in this evil top because of the short period since their outbreak that did not give time for a "proper" spreading level...
Source: http://www.bitdefender.com
|
A new version of the Tanatos (aka Bugbear) Internet worm has been detected -- Posted by Igor_Donchenko on Sunday, June 22 2003
Kaspersky Labs, an international data security software developer, reports the detection of a new version of the 'Tanatos' Internet worm - Tanatos b (aka Bugbear.b). The new version of this malicious program has an array of dangerous functions. Tanatos.b can infect the executable files of many programs as well as cause the leakage of confidential information. Presently, numerous incidences of infection at the hands of Tanatos.b have been registered.
The Tanatos.b Internet worm spreads via e-mail as a file attachment. The e-mail message itself can have various subjects, message texts, and file attachment names. Infection occurs when the file attachment harboring the malicious code is activated, once this happens the spreading routine is begun. There are several ways to launch the hazardous file: via the IFRAME breech in the Internet Explorer security system (which starts the worm upon message opening), manually when a user opens the infected file attachment or through local area networks.
When installing, Tanatos.b copies itself under random file names into the Windows registry auto-run keys, creates files in the Windows system directory as well as copies itself into the Windows directory and temp files directory.
Next the worm starts its spreading routine using the built-in SMTP engine. To send itself out via e-mail, Tanatos.b looks for e-mail addresses by scanning the available drives for files with the following extensions: *.ODS, .INBOX*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX.
Tanatos.b has several dangerous functions. It infects the executable files in the Windows operation system. In the list of objects infected by Tanatos.b there are executable files from many other popular programs including: Outlook Express, Internet Explorer, WinZip, the KaZaA file sharing system, ICQ and MSN Messenger.
Additionally, the new version of Tanatos has the ability to function as a backdoor program, allowing the virus's creator to control infected machines and gain access to confidential information. To accomplish this, the worm opens port 1080, through which it can do the following: - Transfer hard drive data
- Copy, open, and delete files
- Inform about active applications and to close them
- Load files from remote computers and send keyboard log - reports to the virus author
- Setup an http server
The first version of the Tanatos Internet worm was detected in September 2002. At that time Tanatos caused a huge number of infections the world over. The worm combined the functionality of an Internet worm with that of a Trojan program, making it an exceptionally dangerous program capable of leaking out confidential information.
Tanatos.b is a Windows exe file with an approximate size of 72 kilobytes when packed with the UPX compression utility and additionally encoding. It is written in Microsoft Visual C++.
Source: http://www.kaspersky.com
|
