News archive about antivirus software, virus threats, trojans
September 2003
I-Worm.Swen -- Posted by Igor_Donchenko on Monday, September 29 2003
Kaspersky Labs, an information security expert, announces the detection of the network worm, I-Worm.Swen. This malicious program spreads via email, the Kazaa file sharing network and IRC channels.
Infected messages appear to have been sent from various Microsoft services, such as MS Technical Assistance or Microsoft Internet Security Section. The message text advises users to install a "special patch" from Microsoft; the "patch" is included as an attachment.
Swen uses the same Internet Explorer vulnerability, discovered in March 2001, that was used by many other well-known worms such as Klez. Thus, once Swen reaches an undefended machine, it executes without any action by the user.
The new malware program is written in Microsoft Visual C++ and is about 107 KB in size. The worm is activated in two cases: when the infected file is executed, or when the email program is exposed to the IFrame.FileDownload vulnerability. The worm then installs itself into the system and initiates its propagation procedures.
When the attachment is opened for the first time, a window named Microsoft Internet Update Pack appears on the screen and imitates the installation of a patch. At the same time, the malicious code blocks all firewalls and anti-virus software. Swen then scans the file system of the infected computer and extracts all email addresses, using them to mail itself to every address found via a direct connection to an SMTP server. The infected messages are in HTML and include an attachment containing Swen. In some cases, the worm sends copies of itself in .zip or .rar form.
Swen propagates via the Kazaa file-sharing network by copying itself under random names into the file exchange directory of Kazaa Lite. It also creates a subdirectory with a randomly generated name in the Windows Temp folder and places several copies of itself, again under random names, in it. This directory is then registered in the Windows system registry as a shared folder for the file sharing system, so the new files created by Swen become available to other Kazaa network users.
Finally, to spread via IRC, the worm looks for installed mIRC clients. If one is found, Swen modifies the script.ini file, adding its propagation procedures; the modified script.ini then sends infected files from the Windows directory to every user who joins the channel the infected client is connected to.
Source: http://www.avp.ru
Seventh generation of BitDefender - first antivirus to include an antidialer -- Posted by Igor_Donchenko on Tuesday, September 16 2003
BitDefender, a provider of security software and services, introduces a new version of its flagship antivirus product, BitDefender Professional, a comprehensive data security solution. Much more than an antivirus product, BitDefender Professional ensures antivirus protection as well as data confidentiality, active content control, Internet filtering and an antidialer function. The Professional Edition of BitDefender protects users' data on all levels, both in an office environment and at home.
During the last year an increasing number of complaints have been reported about dialer programs that use computers' modems to dial premium phone numbers. A great number of PC users discovered such programs installed on their computers without their knowledge. For example, during last year's CeBIT, whoever visited the website www.cebit-2002.de was, instead of obtaining information about the famous IT fair, getting a very "expensive" sex-dialer installed on their Windows operating system. The Internet domain was not held by the fair organizer, but by a porn trader. "The priciest dialer could cost you up to 300 EUR per minute" says the editor of PC-Tip, a website from Switzerland, adding that the exhibition organizer took legal action against the site holder.
Usually, dialers get installed on computers running with unsafe ActiveX security settings; after being loaded into memory, dialer programs generally become active when the computer has been idle for a longer time. They activate the phone line and dial phone numbers without the user's consent. The consequences of having an unknown dialer program working on a computer are always costly: money lost on unsolicited phone calls, damage to infected computers, time spent repairing that damage, and moral harm where the PC is used by children.
More than 85% of computer users don't use any antidialer software, and the same proportion have never modified their Internet Explorer settings, so they are exposed to dialer installation through signed ActiveX controls (source: "Nutzwerk", dialerhilfe.de and computerbetrug.de).
"BitDefender's previous versions were able to block dialer programs that also included malicious code behavior, meaning dialers that used dial connections in order to transmit information stored on the infected computer. Such actions were detected by BitDefender on a virus definition basis" declared Bogdan Dumitru, CTO at BitDefender. "With this improved Application Firewall module, BitDefender Professional Antivirus can even detect and block viruses that use Internet dial connections, all due to its revolutionary behavior blocking technology", Bogdan concluded. BitDefender Labs provide a solution for this rising menace by introducing BitDefender Professional v.7, among the first antivirus solutions in the world to include an antidialer application in its Virus Shield permanent scanning module. This function monitors all applications attempting to access the computer's modem, immediately warning the user and prompting them to block or allow the operation. BitDefender's antidialer also blocks all applications trying to dial certain phone numbers: the user can create antidialer rules and configure them as needed.
BitDefender specialists recommend that users who encounter a suspect file that may attempt to access modem functions send it immediately to the Antivirus Lab at virus_submission@bitdefender.com; within 24 hours they will receive an answer regarding the nature of the file.
GFI adds Bayesian anti-spam filter to GFI MailEssentials for Exchange/SMTP 9 -- Posted by Igor_Donchenko on Tuesday, September 16 2003
GFI has launched GFI MailEssentials for Exchange/SMTP 9, its server-based anti-spam tool that now boasts a Bayesian filter, which is able to adapt automatically to the latest spamming techniques and catch a record amount of spam. Current anti-spam techniques are largely static, meaning that it is fairly easy for spammers to evade them simply by tweaking their messages. The GFI MailEssentials Bayesian filter is adaptive: it changes over time and learns spamming techniques, making it much harder to dodge.
Bayesian filtering technology increases spam detection
Bayesian filters are widely acclaimed to be the best way to tackle spam because they use statistical intelligence to analyze the content of the mail. GFI MailEssentials is among the very first products to implement this technology at server level in a reliable and effective manner. Bayesian filtering detects spam based on message content. Rather than just checking for keywords, GFI's Bayesian filter takes the whole message into consideration. Bayesian filtering is based on the mathematical principle that most events are dependent and that the probability of an event occurring in the future can be inferred from the previous occurrences of that event; the same concept is used to identify new spam messages based on the content of past spam messages. In short, Bayesian filtering has the following advantages:
- Looks at the whole message
- Adapts itself over time
- Is sensitive/adapts to the company/user
- Multilingual and international
- Uses artificial intelligence
- Hard to trick.
Bayesian filter learns from outbound mail and new spam
The GFI MailEssentials Bayesian filter can learn from spam identified by the user, as well as by downloading profiles of the latest spam from the GFI site, ensuring that it recognizes the latest spam and spamming techniques. GFI maintains the spam profile database by working with a number of spam collection organizations that continually supply spam samples. This is not a database of spam signatures (a technology that is largely useless), but a database of spam that the Bayesian filter studies and adapts to.
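The filtering approach described above, as an added example that is not GFI's code: a small Bernoulli naive Bayes classifier over token presence. The training messages, the class and function names and the 0.9 decision threshold are all constructed for this illustration. It shows the two properties the text claims, that every token in the message is weighed rather than a keyword list, and that reporting a single new spam message teaches the filter a style it had never seen.

```python
# Added illustration of a Bayesian spam filter (not GFI's code). The training
# messages below are constructed for the example.
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$%']+")


def tokenize(text):
    """Lower-case word tokens; a set, so each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianFilter:
    """Bernoulli naive Bayes over token presence, with add-one smoothing."""

    def __init__(self):
        self.spam_docs = Counter()  # token -> number of spam messages containing it
        self.ham_docs = Counter()   # token -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        """Learn from one classified message: the initial corpus, downloaded
        spam profiles, or a message the user has just reported as spam."""
        counts = self.spam_docs if is_spam else self.ham_docs
        for tok in tokenize(text):
            counts[tok] += 1
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def spam_probability(self, text):
        """P(spam | tokens), computed in log space to avoid underflow."""
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total)
        log_ham = math.log(self.n_ham / total)
        for tok in tokenize(text):
            if tok not in self.spam_docs and tok not in self.ham_docs:
                continue  # a token never seen in training carries no evidence
            # add-one smoothing: a token seen only in spam still gets a
            # non-zero ham probability, so one word cannot decide the verdict
            log_spam += math.log((self.spam_docs[tok] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham_docs[tok] + 1) / (self.n_ham + 2))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold


# Constructed training corpus (stand-in for spam profiles and user-classified mail).
SPAM_SAMPLES = [
    "buy cheap viagra now, limited offer, click here",
    "earn money fast with this amazing offer, click here now",
    "cheap pills online, best offer, order now",
    "you have won a prize, claim your money now",
]
HAM_SAMPLES = [
    "please review the attached report before the meeting tomorrow",
    "the project schedule is attached, let me know your comments",
    "can we move the meeting to thursday afternoon",
    "thanks for the report, see you at the project review",
]


def build_filter():
    f = BayesianFilter()
    for text in SPAM_SAMPLES:
        f.train(text, is_spam=True)
    for text in HAM_SAMPLES:
        f.train(text, is_spam=False)
    return f


def demonstrate_adaptation():
    """Score a spam style the filter has never seen, before and after the
    user reports one such message."""
    f = build_filter()
    unseen = "free mortgage quote, lowest rates"
    before = f.spam_probability(unseen)      # no known tokens: only the prior
    f.train("free mortgage rates, refinance today", is_spam=True)
    after = f.spam_probability(unseen)       # shared tokens now count as evidence
    return before, after


if __name__ == "__main__":
    f = build_filter()
    for text in ("cheap offer click here now",
                 "please send the project report before thursday"):
        print(f"{f.spam_probability(text):.3f}  {text}")
    print("adaptation before/after: %.3f -> %.3f" % demonstrate_adaptation())
```

With a corpus this small the scores are extreme; in a real deployment the per-user corpus runs to thousands of messages and the smoothing keeps a single unusual word from deciding the verdict either way.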
"The Bayesian filter is so good at catching spam because it learns over time. The filter actually improves further the longer you use it. In our tests, after just one month of using GFI MailEssentials 9, we almost completely eliminated spam with a minimal amount of false positives. We believe that GFI MailEssentials 9 is a groundbreaking contribution to the battle against spam," said Nick Galea, GFI CEO.
Source: http://www.gfi.com
New anti-spam section -- Posted by Igor_Donchenko on Tuesday, September 16 2003
We've opened a new anti-spam section. This section is quite small now, but we'll develop it with anti-spam related issues.
The latest subjects used to trick users include the 9/11 attacks in New York and security patches from Microsoft -- Posted by Igor_Donchenko on Friday, September 12 2003
Once again virus writers are resorting to devious messages aimed at tricking users and spreading their creations as widely as possible. To make matters worse, the latest virus technology means that messages carrying viruses may appear to have been sent from a known and trusted source, lulling unwitting victims into opening infected files and spreading the malicious code on to other computers. The latest malicious code to resort to these sinister tactics includes:
- Dumaru, Dumaru.C and Dumaru.D: the message texts refer to a Microsoft patch to prevent a supposedly dangerous virus. These viruses are easy to identify as they reach users in a message with the following characteristics:
From: Microsoft security@microsoft.com
Subject: Use this patch immediately!!
Message text: Dear friend, use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!
Attachment: PATCH.EXE
- Sobig.F, which spoofs the sender of the message in the same way as worms like Klez.I, so that the e-mail containing the virus may appear to come from a trusted source (friend, family, etc.). The e-mail carrying Sobig.F also includes variable texts designed to draw the attention of the victim (e.g. “Your details”, “YOUR_DOCUMENT.PIF”, “See the attached file for details”).
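A mail-gateway check for the lures described in this item and in the I-Worm.Swen item above, as an added example that is neither Panda Software's nor Kaspersky Labs' code. The sample messages are constructed: the first reproduces the Dumaru message characteristics quoted above, the second Sobig.F's "Your details" text with a YOUR_DOCUMENT.PIF attachment, and the .zip/.rar rule comes from the Swen description. The policy that a "patch" message claiming to come from Microsoft is a lure, the file-extension lists and the helper names are assumptions of the example.

```python
# Added example of a rule-based gateway check for fake "Microsoft patch"
# lures (not code from Panda Software or Kaspersky Labs). All sample
# messages are constructed.
import email
import os
from email import policy

# Attachment types that run code when opened (PATCH.EXE, YOUR_DOCUMENT.PIF);
# the list is an assumption of this example.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# Swen also ships its copy inside .zip or .rar archives.
ARCHIVE_EXTS = {".zip", ".rar"}
PATCH_WORDS = ("patch", "update", "security")


def analyze(raw_message):
    """Return the list of reasons to quarantine the message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""

    reasons = []
    # Policy assumed here: a "patch" message claiming to come from Microsoft
    # is treated as a lure regardless of what it says.
    claims_microsoft = "microsoft" in sender
    if claims_microsoft and any(w in subject or w in body for w in PATCH_WORDS):
        reasons.append("claims to be a Microsoft patch delivered by e-mail")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {name}")
        elif ext in ARCHIVE_EXTS and claims_microsoft:
            reasons.append(f"archive attachment {name} with a Microsoft sender claim")
    return reasons


def _mime(from_, subject, text, filename):
    """Build a constructed two-part MIME message; filename=None means no attachment."""
    parts = [
        f"From: {from_}\nTo: user@example.com\nSubject: {subject}\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        f"--b1\nContent-Type: text/plain\n\n{text}\n"
    ]
    if filename:
        parts.append(
            f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n\n'
            "constructed placeholder, not a real file\n"
        )
    parts.append("--b1--\n")
    return "".join(parts)


SAMPLES = {
    "dumaru_style": _mime(
        "Microsoft <security@microsoft.com>", "Use this patch immediately!!",
        "Dear friend, use this Internet Explorer patch now! There are dangerous "
        "virus in the Internet now! More than 500.000 already infected!", "PATCH.EXE"),
    "sobig_style": _mime(
        "Friend <friend@example.org>", "Your details",
        "See the attached file for details", "YOUR_DOCUMENT.PIF"),
    "benign": _mime(
        "Colleague <colleague@example.org>", "Meeting notes",
        "Notes from today's meeting are attached.", "notes.txt"),
}


def classify_samples():
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in classify_samples().items():
        print(name, "->", reasons or ["clean"])
```

The executable-attachment rule fires on its own, without any sender check, because Sobig.F-style mail arrives from a spoofed but otherwise ordinary-looking sender; the Microsoft-claim rule catches the Swen and Dumaru variants even when the attachment is wrapped in an archive.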
Source: http://www.pandasoftware.com
New version of Neroma virus -- Posted by Igor_Donchenko on Saturday, September 6 2003
BitDefender, a provider of security software and services, today warns against a new version of the Neroma virus (Win32.Neroma.B@mm). The virus spreads through Outlook e-mails and exploits the sad anniversary of September 11 as its subject.
The attachment of the e-mail is a fake GIF file, pretending to be an erotic image.
Source: http://www.bitdefender.com
Presumed Romanian author of MsBlast.F detained today -- Posted by Igor_Donchenko on Wednesday, September 3 2003
BitDefender, a provider of security software and services, announces today that the presumed Romanian creator of MsBlast.F has been detained by police after a short investigation into the propagation and effects of the new virus variant.
Dan Dumitru Ciobanu, 24 years old, from Iasi, Romania, is the alleged author of this MsBlast.F version, which he seems to have released within the computer network of the Iasi Technical University. The story appears to repeat itself, as in the Parson case (the Minnesota teenager, author of Msblast.B): excellent academic results, scholarships during 4 of his 5 years of graduate studies.
Ciobanu was apprehended while he was working in a photo developing lab. Authorities have removed two computers from Ciobanu's home and workplace. The equipment was sealed and remains to be analyzed in the presence of the defendant, the district attorney and the defendant's lawyer. More information will be provided after data analysis, as the BitDefender experts are involved in further investigations.
"We were delighted with the technical details supplied by BitDefender antivirus experts, that helped us enormously in correctly identifying the suspect", stated Mr. Plai Gheorghi, Chief Inspector of the Iasi Centre for Combat Against the Organized Crime and Drug Enforcement. "The Strategic Economical Investigation Division from the Internal Affairs Ministry expresses its gratitude for the prompt support granted by SOFTWIN's professionals", Mr. Plai Gheorghi concluded.
September 1st brought a new MsBlast version, with low spreading and risk attributes. This malware was easily tracked to a Romanian author, as it contained a few strings in his native language, all aimed at disparaging the Hydrotechnical University in Iasi, Romania, and specifically one of its professors. This variant shares the same functionality and active mechanisms as the original MsBlast.A; the only differences are a change of the virus filename to enbiei.exe and the aforementioned strings, which the virus never uses.
The search for the author was short and rapidly undertaken by BitDefender antivirus specialists and local authorities, the former supplying the technical information that led to the identification of the author. The main clue was his nickname, used as a copyright ("copywrong") name in all materials written by Dan Ciobanu. The remarkable side of this peculiar situation is that two people are to stand trial for having modified the original code of MsBlast.A, while the creator of the worm is still out there. Antivirus specialists agree that such altered versions are not as difficult to create as original, new ones.
In the wake of the latest MsBlast outbreak, BitDefender experts have developed a specific feature in their antivirus scanning engines to detect any attempt to use the Microsoft Windows DCOM-RPC vulnerability for system intrusion, successfully identifying any possible virus replication.
Source: http://www.bitdefender.com
Top Ten viruses most frequently detected by Panda ActiveScan in August -- Posted by Igor_Donchenko on Wednesday, September 3 2003
In August, Blaster was recorded as the virus affecting most computers, according to the data gathered by Panda ActiveScan. This worm, which first appeared on August 12, has taken over from Bugbear.B at the top of the list of Top Ten viruses most frequently detected by Panda Software. Blaster has even infected more computers than Sobig.F, a worm that first appeared in August and which was the most widespread malicious code until now.
According to the data gathered by Panda ActiveScan, Blaster caused more than eight percent of the incidents reported over the last month, followed by Bugbear.B (5.34%), Klez.I (3.15%), Sobig.F (3.07%) and Parite.B (2.62%). Trj/PSW.Bugbear.B, Fortnight.E, Enerkaz, Bugbear.B.Dam and Trj/JS.NoClose hold the last five positions of the Top Ten ranking for August.
The most notable developments in this month’s report include:
- Indisputable dominance of Blaster, even over Sobig.F
Although Sobig.F is the most widespread malicious code ever (largely due to its capacity to send itself out every ten seconds as ‘spam’, through the computers it affects), Blaster has been the malicious code that has infected most computers.
Among the characteristics that explain Blaster’s dominance, Luis Corrons, head of Panda Software’s Virus Lab, highlights its capacity for “infecting computers without user intervention, such as opening an e-mail or a file attached to a message”. Blaster moves along the Internet searching for computers in order to attack them. When the worm finds these computers, it tries to enter the system through the communications port 135, with the aim of causing a buffer overflow.
- Spreading via vulnerabilities.
Blaster was the first worm to spread by exploiting the RPC DCOM Windows vulnerability. This type of behavior has already been used successfully by other malicious code in the Top Ten list, such as Bugbear.B and Klez.I. These two worms also use security problems in widely used programs in order to attack as many computers as possible. Again, the presence of these viruses in the ranking highlights the fact that many users have not applied the updates provided by manufacturers to fix these vulnerabilities.
- Increasing activity of Klez.I as it rises to third place from sixth in the last month’s ranking.
| Ranking | Virus Name | Percentage, % |
|---|---|---|
| 1 | W32/Blaster | 8.27 |
| 2 | W32/Bugbear.B | 5.34 |
| 3 | W32/Klez.I | 3.15 |
| 4 | W32/Sobig.F | 3.07 |
| 5 | Parite.B | 2.62 |
| 6 | Trj/PSW.Bugbear.B | 2.47 |
| 7 | JS/Fortnight.E | 2.27 |
| 8 | W32/Enerkaz | 2.05 |
| 9 | W32/Bugbear.B.Dam | 1.83 |
| 10 | Trj/JS.NoClose | 1.08 |
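Blaster's habit of probing port 135 on one computer after another, described above, leaves a pattern in perimeter firewall logs that a simple detector can pick out: one source touching many distinct hosts on TCP/135 in a short time. The following is an added example and not Panda Software's code; the log format, the addresses and the threshold of 10 hosts within 60 seconds are all constructed for the illustration.

```python
# Added example of flagging Blaster-style port-135 sweeps from firewall logs
# (not Panda Software's code). The log format and every line are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> DENY TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def build_constructed_log():
    """Construct a log in which one host sweeps port 135 across a subnet."""
    lines = []
    base = datetime(2003, 8, 12, 10, 0, 0)
    # 10.0.0.5 probes 20 distinct hosts on TCP/135 within 20 seconds
    for i in range(1, 21):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DENY TCP 10.0.0.5:{40000 + i} -> 192.168.1.{i}:135")
    # 10.0.0.7 talks to a single server on 135 repeatedly (ordinary RPC traffic)
    for i in range(3):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} DENY TCP 10.0.0.7:{50000 + i} -> 192.168.1.10:135")
    # 10.0.0.9 reaches many hosts, but on port 80: not the Blaster pattern
    for i in range(1, 16):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DENY TCP 10.0.0.9:{30000 + i} -> 192.168.2.{i}:80")
    lines.append("garbage line the parser must skip")
    return lines


def parse(lines):
    """Turn log lines into (timestamp, src, dst, dport) tuples, skipping junk."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_scanners(events, port=135, window=timedelta(seconds=60), min_targets=10):
    """Sources that touched at least min_targets distinct hosts on `port`
    inside any `window`. Returns {src: peak distinct-target count}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window start until hits[start:end+1] fits in `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= min_targets:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def scan_report(lines=None):
    return find_scanners(parse(lines if lines is not None else build_constructed_log()))


if __name__ == "__main__":
    for src, n in scan_report().items():
        print(f"{src}: {n} distinct hosts on TCP/135 within 60s")
```

Counting distinct destinations rather than raw connection attempts is what separates the sweep from a workstation that legitimately talks RPC to one server; a flagged internal source is a candidate for the DCOM-RPC patch and a cleanup, not just a firewall block.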
Source: http://www.pandasoftware.com
The Virus Top Twenty by Kaspersky Labs -- Posted by Igor_Donchenko on Wednesday, September 3 2003
Kaspersky Labs presents the Virus Top 20 for the month of August 2003.
The percentage shown represents the percentage of registered incidences.
| Position | Virus | Percentage by Occurrence |
|---|---|---|
| 1 | I-Worm.Sobig | 61.49% |
| 2 | I-Worm.Mimail | 4.06% |
| 3 | I-Worm.Tanatos | 3.49% |
| 4 | Worm.Win32.Lovesan | 3.17% |
| 5 | I-Worm.Klez | 1.09% |
| 6 | I-Worm.Lentin | 0.67% |
| 7 | Worm.P2P.SpyBot | 0.66% |
| 8 | Macro.Word97.Thus | 0.60% |
| 9 | Macro.Word97.Saver | 0.60% |
| 10 | Backdoor.BeastDoor | 0.50% |
| 11 | Backdoor.SdBot | 0.48% |
| 12 | Win32.Parite | 0.41% |
| 13 | VBS.Redlof | 0.36% |
| 14 | Backdoor.Optix.Pro | 0.29% |
| 15 | I-Worm.Roron | 0.25% |
| 16 | TrojanDropper.Win32.Freshbind | 0.22% |
| 17 | Worm.Win32.Muma | 0.20% |
| 18 | Win32.Xorala | 0.19% |
| 19 | Worm.Win32.Welchia | 0.19% |
| 20 | I-Worm.Gibe | 0.19% |
| - | Other Malicious Programs | 20.86% |
Source: http://www.avp.ru