News archive about antivirus software, virus threats, trojans
September 2002
The Most Virulent Worm in Existence Just Keeps Going -- Posted by Igor_Donchenko on Tuesday, September 17 2002
Panda Software, an antivirus software developer, has just released its list of the most virulent malicious codes active in the month of August. The data was gathered and compiled from Panda ActiveScan, the company's free online antivirus software.
The summer month of August has been comparatively calm in terms of new virus outbreaks. However, this has not prevented already active viruses from wreaking havoc on computer users worldwide, as this summer's victims will attest.
For the fifth month running, the Klez.I worm has topped the list as the most virulent malicious code in existence, having been identified as the culprit in more than 20 percent of positive detections. Its success is no doubt due to its ability to spread rapidly via e-mail and to its exploitation of a MIME-handling vulnerability in Microsoft's Internet Explorer, which lets the infected attachment run automatically as soon as the message is viewed in the Preview Pane of Outlook or Outlook Express, without the user ever opening it.
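The Preview Pane behaviour described above rests on a single MIME trick, so it is also easy to screen for at a mail gateway. The check below is an added example written for this page, not Panda's code or anything from the worm: the Internet Explorer flaw Klez relies on (MS01-020) is that IE 5.x, the rendering engine Outlook and Outlook Express used for HTML mail, trusted an attachment's declared Content-Type over its file name, so a part declared as a type IE plays inline (audio/x-wav, for instance) was opened without a prompt even when the file was an .exe. The media-type list and both sample messages are constructed for this example and are assumptions, not data from the page.

```python
"""Added example (not Panda's or Klez's code): flag attachments whose file
name says 'executable' while the declared Content-Type says 'play inline',
the combination exploited via MS01-020 to run a worm from the Preview Pane."""
import email
from email import policy
from typing import List, Tuple

# Extensions Windows will execute when the file is "opened".
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
# Media types IE 5.x handled inline without prompting (assumed, illustrative list).
INLINE_TYPES = {"audio/x-wav", "audio/x-midi", "audio/basic", "image/gif", "image/jpeg"}


def flag_mime_mismatch(raw: bytes) -> List[Tuple[str, str]]:
    """Return (file name, declared Content-Type) for every non-multipart part
    whose name has an executable extension but whose type is an inline media type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition first, then the
        # Content-Type "name" parameter, which is where Klez-style mail puts it.
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
        ctype = part.get_content_type()      # already lower-cased by the library
        if ext in EXEC_EXTS and ctype in INLINE_TYPES:
            findings.append((name, ctype))
    return findings


# Constructed sample: the structure of a Klez-style message, with a harmless
# base64 payload ("ABCDEFG") standing in for the worm body.
SAMPLE_MSG = b"""\
From: sender@example.com
To: victim@example.net
Subject: a funny game
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello, try the attached game.
--b1
Content-Type: audio/x-wav; name="game.exe"
Content-Transfer-Encoding: base64

QUJDREVGRw==
--b1--
"""

# Constructed clean message: an executable declared honestly as an octet
# stream still deserves a policy decision, but it is not the MS01-020 pattern.
CLEAN_MSG = b"""\
From: sender@example.com
To: victim@example.net
Subject: build
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Nightly build attached.
--b2
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

QUJDREVGRw==
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MSG), ("clean", CLEAN_MSG)):
        print(label, flag_mime_mismatch(raw))
```

The rule deliberately keys on the mismatch rather than on executable attachments in general: the latter is a policy question for each site, while a file named `.exe` declared as a sound clip has no legitimate reading and can be rejected outright.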
After Klez.I comes another worm, Grade.A, responsible for more than 13 percent of the cases tracked by Panda ActiveScan. Users should be on their guard against this particularly nasty virus, as it can delete essential system files.
The third notorious suspect on the list is Dadinu, which spreads by e-mailing itself to every contact in the Microsoft Messenger address book. It appeared in just over 10 percent of cases.
Other malicious code detected by Panda ActiveScan in August included VBS/Grade.A (10.16%); the polymorphic Elkern.C (6.23%); Nimda (4.89%); Help (3.79%); Nimda.D (3.30%); the tenacious Sircam (3.12%); and Magistr.B (2.99%).
| Position | Virus | % frequency |
|---|---|---|
| 1 | W32/Klez.I | 20.74% |
| 2 | W32/Grade.A | 13.79% |
| 3 | W32/Dadinu | 10.52% |
| 4 | VBS/Grade.A | 10.16% |
| 5 | W32/Elkern.C | 6.23% |
| 6 | W32/Nimda | 4.89% |
| 7 | VBS/Help | 3.79% |
| 8 | W32/Nimda.D | 3.30% |
| 9 | W32/Sircam | 3.12% |
| 10 | W32/Magistr.B | 2.99% |
Source: http://www.pandasecurity.com
Morris Worm: Life After Death -- Posted by Igor_Donchenko on Tuesday, September 17 2002
Kaspersky Labs, an international data-security software developer, warns of the detection of a dangerous new Internet worm called "Slapper", which infects computers running the Linux operating system and spreads itself as source code, the technique used by the notorious Morris Worm in 1988.
To date, Kaspersky Labs has received no user reports of this malicious program being detected in the wild. However, a detailed analysis of the worm confirms its high potential to cause a global outbreak, and it therefore poses a real threat to Linux users.
To find victims, "Slapper" scans Internet-connected hosts for machines running Linux with an Apache web server. On finding one, the worm stealthily uploads a copy of itself by exploiting a buffer overflow in OpenSSL (the SSLv2 handshake flaw fixed in OpenSSL 0.9.6e, released in July 2002). The distinctive feature of "Slapper" is that the uploaded copy is C source code rather than a compiled executable. Once the upload is complete, the worm uses the locally installed C compiler (gcc) to build an executable and launches it. Compiling on the victim gives "Slapper" compatibility with every Linux distribution and kernel version, since it never depends on a particular binary format or library layout. The method dates from November 1988, when the Morris Worm used it to infect more than 6,000 computers worldwide (including a NASA research center), causing an estimated $96 million in losses. Until now, the technique of spreading as source code had not been used again.
"It is quite possible that 'Slapper' will initiate a new wave of multi-platform malware development, which will be able to infect not only Linux, but Windows, Unix and other operating systems simultaneously. This is obvious because C compilers can be found on every commonly used platform, as can security breaches through which malware will 'worm' its way onto victim computers," said Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs. "The worm's other side effect will be the appearance of its numerous clones. To create a modified version, a person will only need to apply the necessary changes to the source code that will be available everywhere on the Internet. With this in mind we have already started the development of the applicable add-on to the heuristic technology integrated in Kaspersky Anti-Virus that will allow us to catch even unknown Slapper-style worms," he added.
In addition, "Slapper" poses a threat to the confidentiality of data on infected computers. The worm contains backdoor features (unauthorized remote administration) that allow an attacker to perform unwanted actions such as executing remote commands, stealing data, and enlisting the machine in distributed denial-of-service attacks.
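Two host-side checks follow from the infection pattern described above: whether the server's OpenSSL build predates the fix, and whether a C compiler is being run under the web-server account, which is what a source-code worm must do and what a heuristic of the kind Kaspersky mentions would look for. The block below is an added example written for this page, not Kaspersky's or the worm's code. It assumes 0.9.6e as the fix threshold (confirm against your vendor's advisory, and note that pre-release tags such as 0.9.7-beta2 parse as their base version), and the `ps` listing, account names and paths in it are constructed.

```python
"""Added example (not Kaspersky's or the worm's code): two checks for the
Slapper infection pattern on a Linux web server.

1. Version check: OpenSSL versions end in a letter (0.9.6d < 0.9.6e), so
   compare parsed tuples rather than strings. Fix threshold is an assumption.
2. Behaviour check: the worm arrives as C source and is compiled on the
   victim, so a compiler running under the web-server account is a strong
   signal. Input is a constructed 'ps -eo user,pid,ppid,args' listing.
"""
import re
from typing import List, Optional, Tuple

FIXED_IN = (0, 9, 6, 5)                       # 0.9.6e: letter e -> 5 (assumed threshold)
COMPILERS = {"gcc", "cc", "g++", "c++", "tcc"}
WEB_USERS = {"apache", "httpd", "www-data", "nobody"}   # adjust to your distribution

_VER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """'OpenSSL 0.9.6d 9 May 2002' -> (0, 9, 6, 4); None if the banner is unreadable.
    A pre-release tag such as '0.9.7-beta2' is reported as plain 0.9.7."""
    m = _VER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    suffix = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return int(major), int(minor), int(patch), suffix


def openssl_vulnerable(banner: str) -> bool:
    """True when the build predates the fix, or when the banner cannot be parsed
    (an unknown build must not be assumed patched)."""
    ver = parse_openssl_version(banner)
    return ver is None or ver < FIXED_IN


def suspicious_compiles(ps_listing: str) -> List[Tuple[str, int, str]]:
    """Return (user, pid, args) for processes owned by a web-server account whose
    command line invokes a C compiler, including the 'sh -c gcc ...' parent."""
    hits = []
    for line in ps_listing.strip().splitlines()[1:]:      # skip the header row
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        user, pid, _ppid, args = fields
        basenames = {tok.rsplit("/", 1)[-1] for tok in args.split()}
        if user in WEB_USERS and basenames & COMPILERS:
            hits.append((user, int(pid), args))
    return hits


# Constructed ps output: an Apache child that has spawned gcc on a hidden
# source file, next to an ordinary developer compile that must not be flagged.
SAMPLE_PS = """\
USER       PID  PPID ARGS
root         1     0 init [3]
root       812     1 /usr/sbin/httpd
apache     815   812 /usr/sbin/httpd
apache     901   815 /bin/sh -c gcc -o /tmp/.hidden /tmp/.hidden.c
apache     902   901 gcc -o /tmp/.hidden /tmp/.hidden.c
igor      1203  1199 gcc -O2 -o hello hello.c
"""

if __name__ == "__main__":
    for banner in ("OpenSSL 0.9.6d 9 May 2002", "OpenSSL 0.9.6e", "OpenSSL 0.9.7"):
        print(banner, "-> vulnerable" if openssl_vulnerable(banner) else "-> patched")
    for user, pid, args in suspicious_compiles(SAMPLE_PS):
        print(f"compiler under web-server account: {user} pid {pid}: {args}")
```

The behaviour check is the more durable of the two: patching OpenSSL closes this worm's entry point, but a web-server account that never has a legitimate reason to run `gcc` will catch the next source-code worm regardless of which hole it comes through, and the same idea can be enforced rather than merely detected by not installing a compiler on production web servers at all.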
Source: http://www.avp.ru
Virus Top Twenty from Kaspersky Labs - August -- Posted by Igor_Donchenko on Friday, September 13 2002
Kaspersky Labs presents the Virus Top 20 for the month of August. The percentage shown is each virus's share of registered incidents.
| Position | Virus | Percentage by occurrence |
|---|---|---|
| 1 | I-Worm.Klez | 76.45% |
| 2 | I-Worm.Lentin | 21.66% |
| 3 | Win95.CIH | 0.45% |
| 4 | Abba | 0.24% |
| 5 | I-Worm.Hybris | 0.10% |
| 6 | Win32.FunLove | 0.07% |
| 7 | I-Worm.Sircam | 0.03% |
| 8 | I-Worm.Magistr | 0.01% |
| 9 | Win95.Tecata | 0.01% |
| 10 | Backdoor.Antilam | 0.01% |
| 11 | I-Worm.HappyTime | 0.01% |
| 12 | Trojan.Win32.Filecoder | 0.01% |
| 13 | Armageddon | 0.01% |
| 14 | Backdoor.Arcanum | 0.01% |
| 15 | Attention | 0.01% |
| 16 | I-Worm.BadtransII | 0.01% |
| 17 | Backdoor.Cabrotor | 0.01% |
| 18 | Trojan.PSW.Stealth | 0.01% |
| 19 | Backdoor.Death | 0.01% |
| 20 | Trojan.JS.Seeker | 0.01% |
Photo with Trojan -- Posted by Igor_Donchenko on Friday, September 13 2002
Kaspersky Labs reports the detection of a Trojan horse, FireAnvil, embedded in a commercial product from the US company Firehand Technologies Corporation.
"Firehand Ember Millennium" is a program for viewing and editing graphic files and is sold over the Internet at www.firehand.com. Trojan routines have been detected in two files of the product:
Ember32.exe - the product's main executable
fireutil.dll - a library
The Trojan code is triggered when the text "czy czy" is entered in the "Registered User ID" field of the registration dialog (the dialog has two fields, "Registered User ID" and "Registration Key"). Once triggered, it displays the following message:
CrAcKiNg SoFtWaRe! PlEaSe WaIt!
FireAnvil then locates the Windows system directory and overwrites every file in it with the following text:
CzY CrAcKiNg CrUe! We CrACk EvErYtHiNg!
Because the files are overwritten in place rather than deleted, the contents of the Windows system directory are destroyed with no possibility of recovering them.
"Unfortunately, this is not the only instance where a software product has been marketed without being checked thoroughly for hidden 'trojans'. On the other hand, this is additional proof of the perfidy of the latest generation of malware, which is sometimes very hard to detect. Hopefully, this incident will force all software developers to pay more attention to the security problems of their users," says Eugene Kaspersky, Head of Anti-Virus Research of Kaspersky Labs.
Source: http://www.avp.ru