Virus alerts for March 2005

We stock the most efficient antivirus program, which checks for updates hourly.
Contact Us for a one month free antivirus trial.
March 25, 2005 New Jeans - WORM_JEANS.A

WORM_JEANS.A is a memory-resident worm that attempts to propagate via email with itself as an attachment, using its own Simple Mail Transfer Protocol (SMTP) engine. It may use a polymorphic engine to drop a file containing the source code of the worm, and then recompile it to produce a different appearance. While the inclusion of source code in the worm is not new behavior (BAGLE variants included this), the recompilation of the dropped source code is. This "courier virus" behavior is described as the worm carrying its whole source code within itself and eventually dropping and recompiling it on the infected computer to create new variants of itself. It infects computers running Windows 98, ME, NT, 2000, and XP.

Upon execution, the worm drops a copy of itself as INCUBATOR.SCR in the Windows folder or BIGFISH.SCR in the Windows system folder. It creates registry entries that allow it to automatically execute at every system startup. It also adds registry entries such that when certain applications are executed, this worm runs instead of the selected programs.

This worm attempts to propagate via email. It searches for target email addresses in files with the following file name extensions:
* .asp
It retrieves SMTP servers from the system registry, and then attempts to send a copy of itself as an attachment using its own SMTP engine. The email message that it attempts to send has the following details:
From: Don Quijote y Sancho Panza
Subject: juas juas cuidadin con el attachhhhrrrr!!!!!
Message body: juas juas juas peaso de bicho que lleva el attach!!! juas juas!!! ;D
Attachment: soyunpeasodebichooooooo.scr

This worm may also display a message box with the following text: Win32.Genome coded by ValleZ/29a
March 18, 2005 Antispyware Killer - steals information related to online banking Web sites - TROJ_ASH.A

TROJ_ASH.A is a destructive, memory-resident Trojan that terminates and deletes all files related to Microsoft Windows Antispyware. It also steals information related to online banking Web sites by monitoring a user's Internet transactions at certain online banking sites. It runs on Windows 95, 98, ME, NT, 2000, and XP.

This memory-resident Trojan arrives on a system as the file ASH.DLL in the Windows system folder. It may also be downloaded by the user from the Internet. Before installation, the Trojan checks whether Microsoft Windows Antispyware is installed. If found, it attempts to terminate and delete all files related to this application.

This Trojan steals information related to online banking Web sites by monitoring the user's Internet transactions and waiting for the user to access the following online banking sites:
* https://ibank.barclays.co.uk
When the Trojan detects visits to any of these banking sites, it displays a spoofed .HTML page to trick the user into entering their account information. The stolen data is then sent to a remote user. The Trojan drops the following log files in the Windows folder to store the information it gathers from the user:
* Email.log
In addition to gathering user IDs and passwords, it also gathers email addresses found on the user's system, from files with the following extensions:
* .*ht*

This Trojan also terminates certain processes and modifies the HOSTS file. The HOSTS file contains the mappings of IP addresses to host names. It is loaded into the computer's memory at startup, and Windows checks it before connecting to a requested Web site. If a requested Web site is listed in the HOSTS file, any attempt to connect to this site is redirected back to the local machine (which is your computer's IP address).
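A defender's check for the HOSTS-file tampering just described, added here as an illustration and not taken from the original alert: it parses a HOSTS file and reports any watched security hostname that has been pinned to the local machine or redirected elsewhere, while leaving a legitimate ad-blocking entry alone. The sample file, the watchlist and every hostname in it are constructed placeholders.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file after the kind of tampering the
# alert describes: the user's own ad-blocking line mixed with entries that pin
# security-vendor hostnames to the local machine. Hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test   # user's own ad blocklist
127.0.0.1       www.example-antivirus.test
0.0.0.0         liveupdate.example-security.test
10.0.0.5        downloads.example-security.test
"""

# Placeholder watchlist; in practice, the update and download hostnames of
# the security products actually deployed in the environment.
SECURITY_HOSTS = {
    "www.example-antivirus.test",
    "liveupdate.example-security.test",
    "downloads.example-security.test",
}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address; nothing resolves here
        for name in names:
            yield addr, name.lower()


def find_hijacked_entries(text, watchlist=SECURITY_HOSTS):
    """Return (hostname, ip, kind) for each watched host the file overrides:
    'blackholed' for loopback/0.0.0.0 (the redirect-to-local-machine trick
    in the alert), 'redirected' for any other address."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES or name not in watchlist:
            continue
        kind = "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((name, str(addr), kind))
    return findings
```

Run it against the live file (C:\Windows\System32\drivers\etc\hosts) by reading that path instead of SAMPLE_HOSTS; a non-empty result for hosts your security tooling must reach is the condition the alert warns about.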
It also blocks other applications from connecting to the Internet, as long as the Web site they attempt to connect to is listed in the HOSTS file. HOSTS files are useful for blocking ads, banners, cookies, and known malicious Web sites. However, this technique is now being employed by various malware to prevent users from accessing antivirus and security-related Web sites. This Trojan adds many lines to the system's HOSTS file, preventing the user from accessing many authentic Web sites.

March 12, 2005 WORM ASSIRAL - WORM_FATSO.A

This non-destructive, memory-resident worm propagates via MSN Messenger and the eMule peer-to-peer file sharing application. It is capable of redirecting infected users to a certain Web site whenever the user accesses Web sites associated with antivirus and security companies. It may also terminate certain running processes and prevent them from executing while this worm is resident in memory.

This worm also opens a text file containing a message allegedly addressed to the author of WORM_ASSIRAL.A, the self-proclaimed creator of anti-BROPIA worms. As a payload, WORM_ASSIRAL.A proclaimed that its author was "freeing the world from BROPIA"; that worm was known to terminate BROPIA-related processes. WORM_FATSO.A now insults the author of WORM_ASSIRAL, accusing him/her of being a "noob" (a "newbie", or an inexperienced person, specifically a programmer), possibly because WORM_ASSIRAL used SMTP, a relatively "old" and conventional means of propagating worms.

This worm infects systems running Windows 95, 98, ME, NT, 2000, and XP. It arrives on a system via MSN Messenger. Upon execution, it drops copies of itself in the system root folder, as well as several non-malicious files. The worm then creates several registry entries that allow it to automatically execute its dropped files at every system startup.
To propagate via MSN Messenger, it sends an instant message containing a link to a certain Web site to all online contacts of an affected user. When a user clicks on this link, a copy of this worm is downloaded to the system. To propagate via eMule, it copies itself to the %Program Files%\Program Files\eMule\Incoming\ folder, the %Root%\My Shared folder and the <User Profile>\Shared folder of an affected system.

The worm also redirects affected users to a specific Web site when they attempt to access certain Web sites related to antivirus and security companies, and terminates processes. This worm attempts to terminate processes and delete files associated with the malware WORM_ASSIRAL.C, if the files are not running in memory. It drops and executes the text file "Message to n00b LARISSA.txt" on the 1st, 7th, 10th, 19th, 25th, 26th, or 30th day of any month. This text message is allegedly addressed to the creator of WORM_ASSIRAL.A.

March 8, 2005 WORM_KELVIR.B and WORM_FATSO.A

12website.com has received numerous infection reports indicating that this malware is spreading in Korea and the United States of America.

• WORM_KELVIR.B: "http://home.ea<BLOCKED>link.net/gallery10/omg.pif lol! see it! u'll like it"
When the user clicks the given URL, this worm downloads a copy of itself, named OMG.PIF, from the given URL. When this downloaded copy is executed, it downloads another malware file from the Internet, which NOD32 detects as WORM_SDBOT.AUI.

• WORM_FATSO.A: This memory-resident worm arrives on a system via MSN Messenger, a popular instant messaging application. It spreads copies of itself to all online MSN Messenger contacts of an affected system by sending an instant message containing a link, which when clicked downloads a copy of this worm onto the recipient's system.
This worm also has the ability to propagate via eMule, a known peer-to-peer (P2P) file sharing application. This worm is capable of redirecting infected users to a certain Web site, which as of this writing is no longer available. It does this whenever the user accesses Web sites that are associated with antivirus and security companies. It may also terminate certain running processes and prevent them from executing while this worm resides in memory.

March 6, 2005 Worm Befriends Trojan - WORM_BAGLE.BE

On March 1, 12website.com declared a Medium Risk alert for WORM_BAGLE.BE. This mass-mailing worm arrives on a system as a file downloaded by TROJ_BAGLE.BE. Upon execution, it drops a copy of itself in the Windows system folder as the file WINDLHHL.EXE. It creates several registry entries that enable it to automatically execute at every system startup.

The worm propagates by mass-mailing copies of TROJ_BAGLE.BE which, in turn, attempts to download a copy of this worm from several Web sites. It gathers recipient email addresses from the contacts found in the Windows Address Book. It also attempts to download the file EML.EXE into the Windows folder. This file contains a list of recipients to send email to, but the contents of the file may change at any time. It attempts to download this file every 100 milliseconds until it succeeds.

The worm attempts to contact a Simple Mail Transfer Protocol (SMTP) server to send emails. If it is unable to contact this server, it uses its own SMTP engine. It may also obtain the affected system's Mail Exchanger (MX) server for its mass-mailing routine. If the Mail Exchanger server is not available, it uses the server 217.5.97.137. The email message it sends out contains the following details:
Subject: <Blank>
Note that the attached file is a .ZIP copy of TROJ_BAGLE.BE. It contains a file named DOC_<decimal number>.EXE.
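A mail-gateway style check for the lure just described (blank subject, a .ZIP attachment whose member is named DOC_<number>.EXE, and the one-word "price" body reported in the March 1 entry below), added here as an illustration rather than anything from the original alert. The addresses are placeholders and the constructed zip holds an inert text stub standing in for the Trojan; nothing is extracted or run.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Name pattern the alert gives for the executable inside the .ZIP attachment.
DROPPER_NAME = re.compile(r"^DOC_\d+\.EXE$", re.IGNORECASE)


def build_sample_message():
    """Construct a message shaped like the alert's lure (placeholder addresses;
    the zip member is an inert text stub, not the Trojan)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DOC_1234.EXE", b"placeholder stub, not executable content")
    msg = EmailMessage()
    msg["From"] = "colleague@example.test"  # familiar-looking sender, as the alert notes
    msg["To"] = "victim@example.test"
    msg["Subject"] = ""
    msg.set_content("price")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="price.zip")
    return msg.as_bytes()


def matches_bagle_pattern(raw):
    """Return the lure traits found in a raw RFC 822 message (empty list: none).
    Zip members are listed in memory; nothing is extracted or executed."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    if not (msg["Subject"] or "").strip():
        reasons.append("blank subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == "price":
        reasons.append("body is 'price'")
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                hits = [n for n in zf.namelist() if DROPPER_NAME.match(n)]
        except zipfile.BadZipFile:
            continue
        if hits:
            reasons.append("zip contains " + ", ".join(hits))
    return reasons
```

A message that matches on the attachment alone is still worth quarantining: the subject and body are the parts a variant can change most cheaply.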
Since the worm gathers email addresses from the Windows Address Book (WAB), the sender indicated in the From: field may be familiar.

This worm also has a backdoor component that opens and listens on TCP port 80, and sets the infected system up to act as a Web server. It may allow a malicious user to take control of an infected system by logging on using a pre-set password, and may allow remote users to upload a file onto the Web server. It then attempts to download the file from the Web server (which is actually the infected machine, since it is set up as a Web server) using a specific URL. It saves the downloaded file into the Windows system folder as RE_FILE.EXE and then executes it. This worm attempts to remove the following registry entries from the key:
* 9XHtProtect

March 1, 2005 WORM_BAGLE.BE

This malware is spreading in New Zealand and Australia. Initial analysis shows that this worm drops a copy of itself as WINDLHHL.EXE in the Windows system folder upon execution. It then mass-mails copies of TROJ_BAGLE.BE, which is responsible for downloading WORM_BAGLE.BE. The email that it sends out has the following details:
Subject: <blank>
Message Body: price
Attachment: <.ZIP copy of TROJ_BAGLE.BE>

This worm scans infected systems for files with certain extension names to acquire its target recipients. It then uses its own SMTP engine and the domain servers of the acquired email addresses for its mailing routine. Unsuspecting users may then receive email messages from trusted acquaintances and readily execute the attachment, thereby launching this worm. Upon execution, it proceeds to drop copies of itself in folders with names containing the text string "shar", or in shared folders, using file names that appear legitimate.
This worm compromises system security by terminating several antivirus and security-related applications if they are found on an infected system. It also connects to a list of Web sites from which it may download components, and opens port 81, possibly for its backdoor activities. Continuing the notable BAGLE characteristics, it attacks the NETSKY family of worms: it deletes several registry entries and file names associated with NETSKY, and creates several mutexes that prevent the execution of NETSKY variants on the infected machine.

12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer. Computer maintenance is necessary to keep your machine running smoothly without downtime.