News archive about antivirus software, virus threats, trojans
July 2003
Virus forecast for the second half of 2003 -- Posted by Igor_Donchenko on Friday, July 25 2003
Despite the obvious perils of predicting how virus authors will act in the near future, one thing is certain: in the second half of 2003 malicious code will continue to appear, and it will be as dangerous if not more so than what has appeared up until now.
The events of the first half of the year are as good a guide as any as to how virus activity over the next few months will shape up, and it is therefore more than likely that e-mail worms and worm/Trojans will be high on the lists of the most widespread viruses. In particular, those using ‘social-engineering’ (tricking users into accepting e-mails or running files) are likely to head the rankings of the most virulent malicious code.
Worm/Trojans represent an extremely high threat, due to the combination of rapid propagation techniques with the dangerous actions of Trojans such as stealing confidential information like passwords, bank details, client databases etc.
We can also expect creators of malicious code to exploit vulnerabilities in widely used software, as this is another tried and tested technique for attacking users’ computers. So it will be no great surprise to see creations similar to Code Red or Slammer making an appearance along with the more traditional worms and viruses that appear every day.
In addition to all the above threats, users should also be on the look out for viruses that spread directly across the Internet, i.e. without using e-mail or any of the other usual means of propagation. This kind of malicious code can be particularly problematic as demonstrated by two of the more well-known examples, Muma and Opaserv.
Luis Corrons, head of Panda Software’s Virus Laboratory explains, "Nowadays unfortunately, security awareness involves more than just knowing about the latest viruses. It is also essential to be aware of vulnerabilities in operating systems and applications which could be exploited by virus creators or hackers. By simply checking to see the latest patches released, users can close off an important avenue of infection."
Source: http://www.pandasoftware.com
Panda Software reports the appearance of Gruel.B, a new and extremely dangerous worm -- Posted by Igor_Donchenko on Friday, July 25 2003
Panda Software’s Virus Laboratory has detected the new Gruel.B (W32/Gruel.B) e-mail worm. This is a highly damaging worm whose actions include the removal of numerous key files from infected computers.
Gruel.B reaches computers in an e-mail which is easily recognized, as the subject includes the phrase “Symantec: New Serious Virus Found” and the message text reads: "Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).".
The attached file, which actually contains the malicious code, is called: “Symantec_Norton_Tool.exe”.
This worm can also spread via the KaZaA file sharing application. To do so, Gruel.B copies itself as “Windows XP KeyGen 2.5.exe” to the shared directories used by the program.
If the file containing Gruel.B is run, a false Windows error message is displayed, with the options “Send error” and “Send and close”. If you click on the latter, Gruel.B sends itself to all contacts in the Address Book and displays a new error screen, which will reappear every time users try to close it.
If you click on “Send and close”, the worm opens several Control Panel windows as well as the CD-ROM tray and displays a message from the virus author.
The worm also changes user passwords, hides the contents of the C: drive, disables the task bar and deletes numerous system files such as autoexec.bat, config.sys or command.com.
Gruel.B also generates a series of Windows Registry keys.
Source: http://www.pandasoftware.com
The "Webber" Trojan Program Turns Computers Into Spam Machines -- Posted by Igor_Donchenko on Friday, July 25 2003
Kaspersky Labs, an international data security software developer, reports the mass mailing of the new trojan program "Webber" (aka "Heloc"). Kaspersky Labs has already logged numerous reports of encounters with this malicious program.
"Webber" does its harm by installing a proxy server through which evildoers can perform distributed mass mailings of any data using the resources of infected machines. This past week Kaspersky Labs has already detected three Trojan programs of this type.
"In essence, we have a situation involving the creation of an illegal, extended network that is being exploited by hackers to mass mail spam using the resources of victim computers," commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs. "What is most troublesome is that this network can also be abused to achieve virtually any goal, including conducting hacker attacks on a global scale and DDoS attacks on the Web resources of large corporations or government institutions."
"Webber" was spread over the Internet via a mass mailing conducted on July 16, 2003. The message containing "Webber" has the subject line "Re: Your credit application", body text in English, and a file attachment named "web.da.us.citi.heloc.pif". This file name resembles a Web address and can therefore confuse users, leading them to execute the infected file. Once run, "Webber" clandestinely downloads its additional components from a remote Web server and installs them on the now infected computer. Collateral damage attributed to this trojan includes sending its "master" (the hacker controlling the trojan) a list of passwords dug out of the victim machine's cache memory.
Source: http://www.avp.ru
Mylife: pretty woman, pretty worm -- Posted by Igor_Donchenko on Thursday, July 10 2003
It is sad to say, but more than once celebrities and Hollywood stars have become objects of special interest to virus writers (the Anna Kurnikova worm, for example). Now the names of Oscar winner Julia Roberts and the popular Colombian singer Shakira are being used in dirty tricks to entice users to open a malicious attachment.
The Virus Alert service of DialogueScience, Inc. reports the emergence of a new modification of a long-known mass mailer from the MyLife family, labeled by the Dr.Web® anti-virus program as Win32.HLLM.Generic.208. The worm is written in Visual Basic 6 and is UPX-packed. Only Windows users are affected by this worm.
The worm mass-mails itself via e-mail, posing as a screen saver with spicy pictures of these stars. It may arrive at a user’s computer in two variations, with the subject “Fw: Julia Roberts” or “Old Shakira”.
To make the message more convincing, the text accompanying the letter is marked as virus-free, as if by McAfee: "========No virus detected======== MCAFEE.COM"
If the curious user opens the attachment, the worm copies itself to the Windows\System folder as a file with a *.mpeg.scr extension (the final extension is not shown in Explorer by default) and starts sending itself to all the recipients in the local MS Outlook address book. If the minutes value of the system time is between 50 and 59, it attempts to delete all the files on the hard drive of the infected computer.
Source: http://www.antivir.ru
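The three worms described above (Gruel.B, Webber and Mylife) share one delivery pattern: a social-engineering subject or body text plus an attachment whose real, final extension is executable, sometimes hidden behind a decoy extension such as .mpeg or a dotted name that looks like a web address. As an added example that is not part of the original posts or any vendor's product, the Python script below screens constructed sample messages for exactly those traits. The phrase list, the extension sets and the sample messages are assumptions built from the descriptions above, not real signatures.

```python
from dataclasses import dataclass

# Added example (not from the original posts): screening inbound mail for the lures
# described above. Extension sets, phrase list and sample messages are constructed.

# Extensions Windows runs as programs. Gruel.B (.exe), Webber (.pif) and Mylife (.scr)
# all arrive with one of these as the real, final extension.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Harmless-looking extensions a worm places in front of the real one ('.mpeg.scr'),
# relying on Explorer hiding the final extension by default.
DECOY_EXTENSIONS = {"mpeg", "mpg", "avi", "jpg", "jpeg", "gif", "doc", "txt", "pdf"}

# Phrases quoted in the posts above, lowercased for matching (constructed list).
LURE_PHRASES = (
    "symantec: new serious virus found",   # Gruel.B subject
    "no virus detected",                   # fake McAfee banner used by Mylife
    "your credit application",             # Webber subject
)


@dataclass
class Message:
    subject: str
    body: str
    attachments: list  # attachment file names as they appear in the MIME headers


def attachment_findings(name: str) -> list:
    """Reasons an attachment name looks like a worm lure; [] when nothing stands out."""
    findings = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return findings                      # no extension at all
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return findings
    findings.append(f"executable attachment (.{final_ext})")
    # 'picture.mpeg.scr': the decoy extension is what the user sees in Explorer
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        findings.append(f"double extension disguised as .{parts[-2]}")
    # 'web.da.us.citi.heloc.pif': several dots make the name read like a host name
    if len(parts) >= 4:
        findings.append("dotted name resembles a web address")
    return findings


def screen_message(msg: Message) -> dict:
    """Quarantine a message carrying a runnable attachment or a known lure text."""
    reasons = []
    text = (msg.subject + "\n" + msg.body).lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            reasons.append(f"known lure text: {phrase!r}")
    for name in msg.attachments:
        reasons.extend(f"{name}: {why}" for why in attachment_findings(name))
    verdict = "quarantine" if reasons else "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages modelled on the three posts above.
SAMPLES = {
    "gruel": Message("Symantec: New Serious Virus Found",
                     "Norton Security Response: has detected a new virus...",
                     ["Symantec_Norton_Tool.exe"]),
    "webber": Message("Re: Your credit application",
                      "Please review the attached decision.",
                      ["web.da.us.citi.heloc.pif"]),
    "mylife": Message("Fw: Julia Roberts",
                      "========No virus detected======== MCAFEE.COM",
                      ["julia_roberts.mpeg.scr"]),
    "benign": Message("Q2 figures", "See attached.", ["report.pdf"]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        result = screen_message(msg)
        print(f"{label:7} -> {result['verdict']}: "
              f"{'; '.join(result['reasons']) or 'clean'}")
```

The attachment check is deliberately independent of the subject check: a worm variant with a new subject line still trips on its executable extension, and a lure text without an attachment is still worth flagging for the mail administrator.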
Weekly virus report from Panda Software -- Posted by Igor_Donchenko on Wednesday, July 9 2003
This report will focus on three worms: Klexe, Scorvan and MyLife.M.
The effects of Klexe are dangerous, as it drops a Trojan that captures confidential information from the affected computer and sends it to an e-mail address. This malicious code follows the infection routine below:
- It sends an e-mail message that contains a link to a web page that passes itself off as a link for downloading an e-messenger card.
- When the user accesses the link included in the message, two files are downloaded to the computer: 'ECMSETUP1.EXE', which is the worm and is used to send out e-mail messages; and 'KL.EXE', which is the Trojan. This last file is copied as 'WINDOWS EXPLORER.EXE' to the Startup directories of the drives it can access (C:, D:, E: and F:). By doing this, Klexe ensures that it is run whenever the computer is started up.
Once it has reached the computer, Klexe displays an error message on screen and sends a copy of the message to all the contacts in the Address Book in Outlook.
The second worm analysed in this report is Scorvan, which spreads through peer-to-peer file sharing programs (P2P), such as KMD, Morpheus, Limewire, Grokster, Bearshare, Edonkey2002 and KaZaA. Once it has reached the computer, Scorvan launches the Windows calculator and when the user closes it, the worm goes memory resident.
Scorvan creates multiple copies of itself in the following directories, among others: 'morpheus\my shared folder\', '\bearshare\shared\' and '\edonkey2002\incoming\'. The names of these files are made up of two parts: It selects one of the options from a list and then adds a space followed by 'calculator.exe' or 'calc.exe'.
We are going to close this report with Mylife.M, which spreads via e-mail in a message with a subject that refers to either the actress Julia Roberts or the singer Shakira. This worm sends a copy of itself to all the contacts in the Windows Address Book. When Mylife.M is run, it simulates the media player being opened.
Source: http://www.pandasoftware.com
Top Ten most frequently detected viruses by Panda ActiveScan in June -- Posted by Igor_Donchenko on Tuesday, July 8 2003
In June the ‘B’ variant of Bugbear topped the ranking of the malicious code most frequently detected by Panda ActiveScan, taking over from Klez.I, which had headed the Top Ten ranking of viruses detected by Panda Software’s free online solution almost continuously since it first appeared in April 2002.
The data compiled by Panda ActiveScan shows that Bugbear.B was responsible for nearly 18 percent of all recorded incidents, followed by Trj/PSW.Bugbear.B (11.19%), Mapson (6.78%), Klez.I (4.33%) and Bugbear (3.9%). The bottom half of the list includes: Parite.B, Fortnight.D, Enerkaz, NoClose and Bugbear.B.Dam.
The most notable development in this month’s ranking is the dominance of the Bugbear family, highlighted by:
- Bugbear.B pushing Klez.I out to fourth place in the ranking. The only other occasion on which Klez.I has been ousted since April 2002 was also by the predecessor of Bugbear.
- The high percentage of machines infected by Bugbear.B and PSW.Bugbear.B (17.78% and 11.19%), which is far greater than the percentages (around 10 percent) that normally correspond to the top places in the list.
- Four of the ten most virulent malicious codes belong to the Bugbear family (including Bugbear.B.Dam, damaged copies of Bugbear.B).
Other recent developments include the prevalence of Mapson, which first appeared in mid-June, and the absence of Nimda from the list.
| Ranking | Virus Name | Percentage, % |
|---|---|---|
| 1 | W32/Bugbear.B | 17.78 |
| 2 | Trj/PSW.Bugbear.B | 11.19 |
| 3 | W32/Mapson | 6.78 |
| 4 | W32/Klez.I | 4.33 |
| 5 | W32/Bugbear | 3.96 |
| 6 | W32/Parite.B | 2.01 |
| 7 | JS/Fortnight.D | 1.86 |
| 8 | W32/Enerkaz | 1.82 |
| 9 | Trj/JS.NoClose | 1.76 |
| 10 | W32/Bugbear.B.Dam | 1.69 |
Source: http://www.pandasoftware.com
The Virus Top Twenty from Kaspersky Labs -- Posted by Igor_Donchenko on Friday, July 4 2003
Kaspersky Labs presents the Virus Top 20 for the month of June 2003. The percentage shown represents the percentage of registered incidences.
| Position | Virus | Percentage by Occurrence |
|---|---|---|
| 1 | I-Worm.Lentin | 32.48% |
| 2 | I-Worm.Klez | 17.69% |
| 3 | I-Worm.Tanatos | 16.91% |
| 4 | I-Worm.Sobig | 12.01% |
| 5 | Macro.Word97.Saver | 1.17% |
| 6 | Macro.Word97.Thus | 1.00% |
| 7 | VBS.Redlof | 0.73% |
| 8 | I-Worm.Ganda | 0.53% |
| 9 | Backdoor.Beastdoor | 0.31% |
| 10 | Win95.CIH | 0.29% |
| 11 | Backdoor.Assasin | 0.28% |
| 12 | Backdoor.Optix | 0.22% |
| 13 | Backdoor.SdBot.gen | 0.21% |
| 14 | I-Worm.Hybris | 0.20% |
| 15 | Win32.Parite | 0.20% |
| 16 | I-Worm.Avron | 0.20% |
| 17 | I-Worm.Hawawi | 0.15% |
| 18 | Backdoor.Death | 0.15% |
| 19 | I-Worm.Mapson | 0.14% |
| 20 | Backdoor.IRC.Zcrew | 0.14% |
| | Other Malicious Programs | 53.35% |
Source: http://www.kaspersky.com