News archive about antivirus software, virus threats, trojans
August 2002
Once Again A Virus Targets The KaZaA Network - Duload -- Posted by Igor_Donchenko on Thursday, August 29 2002
Kaspersky Labs reports the detection of the network worm Duload, which is spreading across the KaZaA file-exchange network. Presently Kaspersky Labs has already received several registered instances of infection in Italy.
The worm itself is a Windows (PE EXE) application written in Visual Basic. Currently two modifications of the Duload worm are known, each having a different file size:
- Worm.P2P.Duload.a - 18432 bytes
- Worm.P2P.Duload.b - 7680 bytes (compressed with the UPX utility)
If the infected attachment is accidentally opened "Duload" copies itself to the Windows system directory under the name "SystemConfig.exe" and modifies the system registry so that this file automatically loads each time Windows is started.
Next, the Duload worm creates a folder in the Windows directory called "Media" and copies itself to this directory under 39 different names, such as:
- Pamela Anderson And Tommy Lee Home Video.exe
- Alicia Silverstone Payboy Nude.exe
- Kama Sutra Tetris.exe
- Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
- The Sims Game Crack.exe
- Warcraft 3 Battle.net Crack.exe
"Duload" then once again modifies the system registry in order to make the "Media" folder accessible to all other KaZaA network users.
One modification of the worm (Worm.P2P.Duload.a) also downloads from an Internet site several Trojan programs designed to establish the unauthorized remote management of victim computers.
The defense against "Duload" has already been added to the Kaspersky Labs Anti-virus database.
Source: http://www.avp.ru
Trojan Horse Masquerades As Kaspersky Anti-Virus -- Posted by Igor_Donchenko on Thursday, August 29 2002
Kaspersky Labs warns computer users of a massive mailing of the Trojan-style malicious program, TrojanDownloader.Win32.Apher. Presently there have already been several registered reports of infection.
The Trojan is sent out by an anonymous evildoer using an anonymous e-mail address from a public access e-mail service. The messages themselves have a spoofed address showing the sender as info@microsoft.com. The infected message has the following attributes:
From: info@microsoft.com
Subject: Protect Your NetWare with Kaspersky Anti-Virus
Attachment: AAprices.exe
Kaspersky Labs, an international data-security software developer, announces the official release of Kaspersky Anti-Virus 4.0. "We are pleased to present the latest version of our anti-virus product. The unique technology, updated design, and perfected administering system integrated into Kaspersky Anti-Virus 4.0 is the result of many years of work dedicated to improving the ease of working with the program and increasing computer defense reliability," said Natalya Kaspersky, Kaspersky Labs CEO. The new Kaspersky Anti-Virus version (Personal Pro, Personal, Lite) fully supports the Microsoft Windows XP operating system. Amongst this versions latest innovations are: a complete user interface upgrade corresponding to Tree Chart technology; perfected system installation that allows for the saving the configuration of previously installed versions, and a quarantine feature for isolating infected and suspicious objects; expanded treatment of infected archived files; an added function for the treatment of Microsoft Outlook Express and objects upon system start up and also a memory scanning of active applications; and simplified operating features for disk recovery.
Best regards, If you have any questions please call +1(866) 7280-290
If the attached file is accidentally opened "Apher" automatically initiates a connection with a remote web site. From this site a utility enabling the control of the virus "Backdoor.Death.25" is loaded on the infected machine. In turn, this program permits the evildoer to clandestinely manage an infected computer, to view and send out confidential information, and create, copy and delete files in addition to much more.
The defense against "Apher" has already been added to the Kaspersky Anti-Virus database.
Source: http://www.avp.ru
Backdoor.Cabro -- Posted by Igor_Donchenko on Tuesday, August 20 2002
Backdoor.Cabro allows unauthorized access to the infected computer.
Backdoor.Cabro is a server that is used for backdoor access to a compromised computer. The port that is used for access is configured upon infection. It gathers configuration information, such as the registered owner, organization, product ID, and serial number. It also launches IRC bots if an IRC program is installed.
When Backdoor.Cabro runs, it copies itself as %windir%\ASDAPI.exe and runs as a service.
NOTE: %windir% is a variable. The worm locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.
The Trojan adds the value
LoadPowerProfile %windir%\ASDAPI.exe
to the registry keys
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunServices
so that the Trojan will run when you start Windows.
It also creates a new registry key or modifies the existing value if the key is already present.
Source: http://www.norton.com
Trojan.Adnap -- Posted by Igor_Donchenko on Tuesday, August 20 2002
Trojan.Adnap tries to spoof another vendor's antivirus program and connect to a Web page at www.geocities.com.
When Trojan.Adnap runs, it uses TCP/IP port 20480 to connect to a Web page that is hosted by www.geocities.com.
It adds the following line to the Autoexec.bat file:
@copy C:\Windows\FPanda.exe
NOTE: The C:\Windows path and the file name are hard-coded in the Trojan.
The Trojan adds these values:
APVXD C:\Windows\FPanda APVXDWin
to the registry key
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
so that it runs when you start Windows.
Source: http://www.norton.com
W32.Mortag -- Posted by Igor_Donchenko on Wednesday, August 14 2002
W32.Mortag is a password-stealing virus that is written in Visual Basic. When W32.Mortag is executed, it displays a fake error message.
It copies itself as %System%\Wind32reg.dll.exe.
It creates %System%\Winsck32.sys.txt. This file is where the virus logs keystrokes. The virus then sends the log file to its author using its own SMTP engine.
The virus copies itself as A:\MortalGame.html.exe.
It also adds the value
Win32reg.dll C:\Windows\System\Wind32reg.dll.exe
to the registry key
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ RunServices
so that the virus runs every time that you start Windows.
Source: http://www.norton.com
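The three Symantec writeups above (Backdoor.Cabro, Trojan.Adnap and W32.Mortag) all persist through the Run or RunServices keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion. The following is an added defender-side example, not code from the page or from either vendor: it parses a registry export (.reg) and flags autorun values that match the file names named in those writeups. The .reg text is constructed sample data, and the indicator list is taken only from the descriptions above.

```python
import re

# Constructed sample of a Windows .reg export (hypothetical host), mixing
# legitimate autorun entries with the three persistence entries described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"APVXD"="C:\\Windows\\FPanda.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="%windir%\\ASDAPI.exe"
"Win32reg.dll"="C:\\Windows\\System\\Wind32reg.dll.exe"
"""

# Family -> (value name, dropped file name) as given in the writeups above.
INDICATORS = {
    "Backdoor.Cabro": ("LoadPowerProfile", "ASDAPI.exe"),
    "Trojan.Adnap": ("APVXD", "FPanda"),
    "W32.Mortag": ("Win32reg.dll", "Wind32reg.dll.exe"),
}

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg escapes backslashes as \\ ; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_autorun_hits(reg_text):
    """List (family, key name, value name, data) for suspicious autorun values.

    Matching is on the file name in the data, not the value name alone:
    'LoadPowerProfile' is also a legitimate Windows 98 Run entry, so a
    name-only rule would flag clean hosts.
    """
    hits = []
    for key, values in parse_reg(reg_text).items():
        if not key.endswith(AUTORUN_KEYS):
            continue
        for name, data in values.items():
            for family, (_, ind_file) in INDICATORS.items():
                if ind_file.lower() in data.lower():
                    hits.append((family, key.rsplit("\\", 1)[1], name, data))
    return hits
```

On a live host the same logic applies to the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and RunServices); the legitimate LoadPowerProfile entry in the sample is deliberately left unflagged.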
The Virus Top Twenty for July 2002 from Kaspersky Labs -- Posted by Igor_Donchenko on Monday, August 12 2002
Kaspersky Labs presents the Virus Top 20 for the month of July.
| Position | Virus | Percentage by occurrence |
|---|---|---|
| 1 | I-Worm.Klez | 84.28% |
| 2 | I-Worm.Lentin | 9.24% |
| 3 | Win95.CIH | 0.93% |
| 4 | I-Worm.Frethem | 0.9% |
| 5 | I-Worm.Desos | 0.28% |
| 6 | Win32.FunLove | 0.15% |
| 7 | I-Worm.Hybris.b | 0.12% |
| 8 | I-Worm.BadtransII | 0.1% |
| 9 | I-Worm.Magistr | 0.09% |
| 10 | Win32.Elkern.c | 0.07% |
| 11 | I-Worm.HappyTime | 0.07% |
| 12 | I-Worm.Kitro | 0.06% |
| 13 | Win32.Kriz | 0.05% |
| 14 | Macro.Word97.Thus | 0.05% |
| 15 | Backdoor.VB | 0.05% |
| 16 | I-Worm.Duni | 0.03% |
| 17 | Backdoor.CyberSpy | 0.03% |
| 18 | Backdoor.Casus | 0.03% |
| 19 | Win95.Tecata | 0.03% |
| 20 | Macro.Word97.Nori | 0.03% |
Source: http://www.avp.ru