Antivirus World
News archive about antivirus software, virus threats, trojans

August 2004

A new virus, Bagle.AM, menaces the Internet -- Posted by Igor_Donchenko on Friday, August 13 2004
Over the last few hours a new variant of the infamous Bagle virus, which first appeared in January this year, has started to spread and infect numerous users. The large number of incidents reported involving Bagle.AM (also known as Bagle.AQ and Bagle.AC) has prompted Panda Software to declare an Amber Alert.

Luis Corrons, head of PandaLabs explains: "Bagle.AM is one of a long line of worms that first emerged seven months ago. In addition to its use of social engineering to trick users into accepting a file supposedly containing prices or passwords, it also combines other infection methods. The number of incidents could increase over the next few hours, and this situation is all the more dangerous as at this time of year, there are many users around the world with free time to enjoy the Internet."

Bagle.AM spreads via e-mail and sends a 6 KB ZIP file including a hidden .EXE file and an HTML file with the same name. If a user runs the HTML file, it will launch the .EXE file.

This .EXE file copies itself to the system and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    win_upd2.exe = %systemdir%\WINdirect.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    win_upd2.exe = %systemdir%\WINdirect.exe

Bagle.AM also creates and executes an 11,776 byte DLL file in %systemdir%\_dll.exe which stops all processes with the following names:

FIREWALL.EXE
ATUPDATER.EXE
winxp.exe
sys_xp.exe
sysxp.exe
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
NUPGRADE.EXE
MCUPDATE.EXE

In addition, it will try to download a fake JPG file from several URLs.

This is in fact another .EXE file including the rest of the Bagle.AM worm, which will spread via e-mail when executed.
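A defender-side check for the persistence indicators quoted above, added here as an example that is not part of the original post or Panda's own tooling: it parses a Windows .reg export of the two Run keys (a constructed sample is embedded) and flags any entry whose value name is win_upd2.exe or whose image is WINdirect.exe.

```python
import re

# Persistence indicators taken from the Bagle.AM write-up above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
BAGLE_VALUE_NAME = "win_upd2.exe"
BAGLE_IMAGE_NAME = "windirect.exe"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"', line)
            if m:
                # .reg files escape backslashes as "\\"; collapse them.
                name = m.group(1).replace("\\\\", "\\")
                data = m.group(2).replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def find_bagle_persistence(text):
    """Return (key, value_name, data) triples in the Run keys matching the indicators."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key not in RUN_KEYS:
            continue
        for name, data in values.items():
            image = data.split("\\")[-1].strip('"').lower()
            if name.lower() == BAGLE_VALUE_NAME or image == BAGLE_IMAGE_NAME:
                hits.append((key, name, data))
    return hits


# Constructed sample export: one benign Run entry plus the entries from the write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win_upd2.exe"="C:\\WINDOWS\\system32\\WINdirect.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_bagle_persistence(SAMPLE_REG):
        print(f"suspicious Run entry: {key} -> {name} = {data}")
```

On a live machine the same export is produced with `reg export` of each Run key; a hit on either indicator is a reason to look for %systemdir%\_dll.exe and the fake JPG download as well.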

Source: http://www.pandasoftware.com

Evolution of computer viruses (part 9) -- Posted by Igor_Donchenko on Friday, August 13 2004
The present edition in the series about the evolution of computer viruses looks at the future. Until very recently, this would have been no easy task, but recent developments, and in particular the latest epidemics, have made quite clear the direction in which the creators of malicious code are heading.

The new threats

"Blended threats" and "Flash threats" are terms that are still not widely known but that perfectly describe the viruses that are sure to start appearing over the next few years.

In fact, blended threats are not new; they are becoming an increasingly common feature among the new viral fauna emerging every day. This can be seen with worms that download Trojans, like Mydoom, or even Trojans that download all types of malware onto the computers they infect.

These kinds of malicious code are likely to continue appearing, especially as they have proven to be a highly useful tool for the growing cyber-delinquent community. A blended threat doesn't just rapidly infect multiple computers; it can also be used to steal confidential information such as bank or credit card details.

Flash threats

However, it is not just blended threats that will make the headlines over the next few years. They will probably be joined by others that won't be limited to causing massive infections, but will also create the need for a general change of strategy for protecting against computer viruses: Flash threats.

For some time now, the creators of computer viruses have been striving to make their creations spread both as rapidly and widely as possible. And unfortunately, on occasions, they have achieved this. By using techniques such as software vulnerability exploits, some malicious code has been able to infect hundreds of thousands of computers in a matter of hours. The global epidemics caused by Red Code, Blaster and Sasser are all prime examples of this kind of threat.

This kind of infection is the virus authors' response to the improved security measures that many users are now implementing. Many email worms or macro viruses would now find it difficult to infect computers with antiviruses installed and updated. For this reason, virus creators now have to work against the clock, that is, prevent users from taking the necessary action to stop infections from new viruses.

Exploiting vulnerabilities has been a particularly successful strategy to this end. In fact, on some occasions, the vulnerability allows the malicious code to enter systems directly, without the need to use traditional propagation channels like email.

It is likely that these types of virus will continue to appear and that their creators will be continually honing their skills, leading to the appearance of viruses even faster than those mentioned above.

Source: http://www.pandasoftware.com

Virus Top Twenty for July 2004 from Kaspersky Labs -- Posted by Igor_Donchenko on Friday, August 13 2004

Ranking  Change     Virus Name                                    Percentage
1        no change  I-Worm.Zafi.b                                 57.41%
2        no change  I-Worm.Netsky.aa                              11.71%
3        no change  I-Worm.Netsky.b                               10.72%
4        no change  I-Worm.Netsky.q                                2.94%
5        no change  I-Worm.Bagle.z                                 2.34%
6        +3         I-Worm.Netsky.t                                2.08%
7        no change  I-Worm.NetSky.y                                1.72%
8        -2         I-Worm.Netsky.d                                1.25%
9        -1         I-Worm.Lovgate.w                               1.18%
10       new        I-Worm.Bagle.gen                               0.75%
11       +4         I-Worm.Netsky.o                                0.40%
12       new        I-Worm.Bagle.ah                                0.35%
13       re-entry   I-Worm.Sobig.f                                 0.31%
14       new        Backdoor.Rbot.gen                              0.28%
15       new        I-Worm.Bagle.ai                                0.27%
16       -2         I-Worm.Mydoom.g                                0.26%
17       +3         I-Worm.Netsky.m                                0.25%
18       -7         I-Worm.Netsky.r                                0.25%
19       re-entry   I-Worm.Mydoom.e                                0.24%
20       -8         I-Worm.Swen                                    0.24%
         Other malicious programs (not in the Top 20)              5.07%

Antivirus professionals have long known that viruses come in waves; June, July and December are usually down times. Maybe it's because virus writers are people too - they too take vacations and if they go away, they may even forget to take their computers along.

July 2004 confirms this theory, with very few changes from the June ratings. The top five viruses are identical to the top five in June; only the percentages have changed. Zafi.b is the absolute leader this summer with 57%, a figure that makes it the second most frequent virus of the year. Only Mydoom.a is ahead of Zafi.b, with a record-breaking almost 80%.

Zafi.b is a paradox - an average worm, with nothing interesting in the code or the social engineering methods used to trick users into opening infected attachments. And yet it has beaten many more technologically advanced viruses. Certainly, changing the language of the incoming email in accordance with the recipient's country is a novel idea. However, this is Zafi.b's only interesting feature. Perhaps Zafi's dominance can be explained by the fact that users have relaxed now that summer is in full swing and are being less cautious about opening attachments.

There are very few new entries to the Top Twenty: Bagle.gen leads the way. Bagle.gen is a catchall for all Bagle variants that propagate as password protected attachments. There are also several new versions of Bagle which were most likely released by copycat coders after Bagle.aa appeared complete with the Bagle source code inside. Bagle.ai and Bagle.ah make a modest first appearance, but we are likely to see more remakes of this particular malicious oldie.

14th place is occupied by Backdoor.Rbot.gen, a catchall for 30 or so similar backdoors. This is worth remarking on as these programs are not the email worms which everyone has become so used to over the past few months. These backdoors use various Windows vulnerabilities to give the sender full control over infected machines. Rbot variants accept commands to send copies of themselves via email, which probably accounts for the appearance of this backdoor in the virus top twenty.

And finally, like the Phoenix rising from the ashes, Sobig.f has not only returned, but even jumped immediately to number 13. This program last made an appearance in the Top Twenty in February this year.

Other malware continued to make up a significant amount of traffic for the third month in a row. In total, over 1000 different viruses were detected in July, over 3 times more than in June.

Source: http://www.kaspersky.com

© AntivirusWorld.com