Virus alerts for Oct 2005
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient antivirus program, which checks for updates hourly.

Contact Us for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Virus Alerts Oct 2005

October 29 2005 Skype Vulnerabilities Announced

Two new vulnerabilities in the Skype telephony software have been found, each of which could be used to compromise security on affected systems:

SKYPE-SB/2005-02
Affecting Skype for Windows: an attacker could use a buffer overflow to execute arbitrary code when Skype is called upon to handle malformed URLs of the Skype-specific URI types callto:// and skype://. The same vulnerability could also allow arbitrary code execution when a VCARD in a specific non-standard format is imported.

SKYPE-SB/2005-02
Affecting every Skype platform: a bounds-checking error in a specific networking routine could enable a remote attacker to force the Skype client to crash.

To exploit this vulnerability, an attacker would need to send a stream of specifically crafted network traffic to a Skype client over the network, which could then cause the client to crash. Other unpredictable behaviour is possible, though this vulnerability has not been shown to make the client execute attacker-chosen instructions. Skype has released an update that addresses both of these vulnerabilities. For the updated version, visit http://www.skype.net/download/


Top 10 Most Prevalent Global Malware
(from October 21 to October 27, 2005)

1. JAVA_BYTEVER.A
2. SPYW_DASHBAR.300
3. HTML_NETSKY.P
4. WORM_NETSKY.P
5. SPYW_GATOR.F
6. TSPY_SMALL.SN
7. PE_PARITE.A
8. ADW_LOP.A
9. TROJ_DYFUCA.I
10. ADW_SLAGENT.A

October 27 2005 Security report on Zotob

Virginia, USA-based Cybertrust released results on Wednesday of a study of 700 enterprises and the impact of the Zotob worm on organizations worldwide. The Zotob worm hit Windows 2000 systems back in August and created real problems for the impacted systems.

Worms and viruses can have a devastating impact on businesses, as this article reports. Many businesses got hit much harder than they admit here. "Cybertrust's study on the Zotob worm demonstrated that, compared to earlier worm outbreaks such as SQL Slammer or Sasser, Zotob adversely impacted significantly fewer organizations," said Russ Cooper, Cybertrust senior information security analyst and author of the Zotob study.

"The nature of this worm and its ultimate business impact complements Cybertrust's intelligence that illustrates the goal of hackers today is no longer widespread system shutdown, but rather more frequent, smaller attacks with specific targets powered by a drive for financial and information gain."

The study said 13% of organizations surveyed experienced at least some adverse impact from Zotob. They defined impact as spending time, resources or money fighting or recovering from the worm. About 6% had moderate or major impact, which they defined as more than $10,000 in losses and at least one business-critical system affected (e.g. email, commerce, Internet connectivity).

The significance comes from comparisons to previous worms. For example, the Nimda worm had a moderate to major impact on more than 60% of organizations, and Blaster on 30%, based on the same impact criteria.

Cybertrust said organizations reported an average cost of $97,000, while clean-up required more than 80 hours of work for 61% of impacted organizations. They said the healthcare industry was hit hardest, with 26% of companies experiencing at least some adverse impact, compared with only 7% of financial institutions.

One interesting point Cybertrust mentioned was how Zotob infected systems. They said the worm entered the majority of organizations "through wired networks from within the corporate perimeter" instead of normal routes like email or wireless pathways.

They said infections that began locally occurred at least three times more frequently than from any other location, such as public networks, VPNs or home networks. They said 26% of victims were impacted because no firewall was in place or firewalls weren't set up properly. They also pointed out that only 7% of impacted organizations received the worm via email. This shows how heavily companies rely on traditional anti-virus programs scanning incoming email; while traditional anti-virus programs are necessary, companies definitely need more protection from these attacks.

This study makes a couple of major points. First and most importantly, most organizations need to re-examine the protections they have in place: make sure the firewalls and antivirus software are up to date and working correctly. It also shows that other measures could very well be necessary to protect systems. There are many possibilities for improving security, in both hardware and software form.


October 21 2005 Fanbot worms Fanbot.f

Over the past five days, we have seen six variants of FANBOT, a new family of worms. Although none have progressed very far, researchers at NOD32 are paying particular attention to this new threat because of the potential these early variants have shown to propagate and successfully exploit a serious vulnerability that can be utilized to grant a malicious user complete access to the user’s system. Such access can be used to launch malicious attacks, install rogue software, and steal personal information. Future variants may also have the ability to spread rapidly and include additional functionality.

The FANBOT family utilizes the base code of the MYTOB family, in addition to added functionality that exploits the MS05-039 (“Plug-and-Play”) vulnerability announced in August. The author has also added the capability for this worm to propagate via P2P or file-sharing networks, in addition to more traditional email spam methods. This family also incorporates the use of the following mock error message, when the user clicks on the file attachment:

Error
The file could not be opened!

Launching the attached file actually executes the worm, but the message box disguises this fact by creating the illusion that the email was in fact legitimate.

The FANBOT family of worms does not appear to be developed by any of the MYTOB groups, but likely is the creation of a different individual. In fact, NOD32 believes there may be a new underground war starting, evidenced by the statement made in some of the FANBOT variants that the MYTOB author “is an idiot!!!”.

Security experts at NOD32 recommend that users take the following measures to protect against the FANBOT family of malware as well as other attacks:

  • Ensure your system is patched with the most current Microsoft system update
  • Ensure your antivirus definitions are updated


Top 10 Most Prevalent Global Malware
(from October 14 to October 20, 2005)

1. JAVA_BYTEVER.A
2. SPYW_DASHBAR.300
3. HTML_NETSKY.P
4. WORM_NETSKY.P
5. SPYW_GATOR.F
6. PE_PARITE.A
7. TSPY_SMALL.SN
8. ADW_LOP.A
9. TROJ_DYFUCA.I
10. ADW_ISTBAR.

October 15 2005 Sober.s

Sober.S is written in Visual Basic. The worm's file is a UPX packed PE executable about 113 kilobytes long. The unpacked worm's file size is around 251 kilobytes. The worm adds random garbage to the end of its file every time it installs itself on a computer.

Installation to System

When the worm's file is started it shows a fake error message box as a decoy.

After that it creates a subfolder named 'ConnectionStatus' in the Windows folder and copies itself there as a file named "services.exe".

The Sober.S worm adds startup keys for the copied "services.exe" to the System Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
" WinINet" = "%WinDir%\ConnectionStatus\services.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinINet" = "%WinDir%\ConnectionStatus\services.exe"

In addition, the worm creates a file named "netslot.nst" in the same folder, where it stores a MIME-encoded copy of itself that will be used for spreading. Quite often the MIME-encoded copy of the worm is corrupted.

The worm also creates a few files in the Windows System folder. Due to a bug in the worm's code, the names of these files contain machine code or characters which cannot be typed from a regular keyboard.


However on some systems the worm manages to create empty files with proper names:

nonrunso.ber
langeinf.lin
rubezahl.rub
bbvmwxxf.hml
gdfjgthv.cvq
seppelmx.smx

These files are used to deactivate previous Sober variants. This particular Sober variant checks for a file called 'runstop.rst' and, if such a file is found, the worm deactivates itself.

The worm blocks access to its files and re-creates its startup keys in the Registry if they are deleted.
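A host-side check for the persistence entries described above, written here as an added example (it is not code from the original page). It parses a registry export in Windows Registry Editor format instead of reading the live registry, so it runs on any system; the export below is constructed and contains the two Sober.S Run values alongside benign ones.

```python
import re

# Indicators taken from the Sober.S description above.
SOBER_RUN_VALUES = {" WinINet", "_WinINet"}
SOBER_PATH_FRAGMENT = r"\connectionstatus\services.exe"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

def parse_reg_export(text):
    """Parse a Registry Editor export into {key: {name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg exports escape quotes and backslashes inside string values
                unescape = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_sober_persistence(text):
    """Return (key, value name, data) for each Run entry matching Sober.S names or path."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if name in SOBER_RUN_VALUES or SOBER_PATH_FRAGMENT in data.lower():
                hits.append((key, name, data))
    return hits

# Constructed sample export (not from a real machine): benign entries plus the two Sober.S ones.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\\Program Files\\Adobe\\Reader\\Reader_sl.exe"
" WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe"
"""
```

Note that the HKLM value name really does begin with a space, as listed above, which is why the match is on the exact name rather than a trimmed one.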

Spreading in E-mails

The Sober.S worm sends different types of e-mail messages with English and German texts and with its file attached. The attachment is a ZIP archive containing the worm's executable.

To collect e-mail addresses the worm scans files with the following extensions:

pmr phtm stm slk inbox imb csv bak imh xhtml imm imh cms nws vcf ctl dhtm cgi pp ppt msg jsp oft vbs uin ldb abc pst cfg
mdw mbx mdx mda adp nab fdb vap dsp ade sln dsw mde frm bas adr cls ini ldif log mdb xml wsh tbb abx abd adb pl rtf mmf
doc ods nch xls nsf txt wab eml hlp mht nfo php asp shtml dbx

The collected e-mail addresses are stored in a "socket.dli" file that is created in the same folder as the worm's main executable. The worm ignores e-mail addresses that contain any of the following substrings:

@www @from. smtp- @smtp. ftp. .dial. .ppp. .dip.t-dia anyone
@gmetref sql. someone nothing you@ user@ reciver@ somebody
secure whatever@ whoever@ anywhere yourname mustermann@
mailer-daemon variabel noreply -dav law2 .qmail@ freeav @ca.
abuse winrar domain. host. viren bitdefender spybot detection
ewido. emsisoft linux @foo. winzip @example. bellcore. @arin
@iana @avp icrosoft. @sophos @panda @kaspers free-av antivir
virus verizon. @ikarus. @nai. @messagelab nlpmail01. clock

When the worm sends an e-mail to an address that contains the "gmx." domain or has the domain suffix ".de", ".li", ".ch" or ".at", it composes the message in German; otherwise it composes the message in English.

The worm can compose the following English messages:

Subject:

I've got your mail on my account!

Body:

hello,
First I must say, my English is very very bad! Sorry about this.

Ok, I've got an email in my box, but this email is not for me, because,,,
I'm not the recipient! The recipient are YOU !!!

This must be an email provider error, but I don't know!
I have made a Screenshot about this mail and saved in a zipped jpeg graphic file for you.

ok then,
bye

Attachment:

screen_photo.zip

--- OR ---

Subject:

Your new Password

Body:

Your password was successfully changed!
Please see the attached file for detailed information.

Attachment:

pword_change.zip

--- OR ---

Subject:

Registration Confirmation

Body:

Thanks for your registration.
Your data are saved in the zipped .doc file!

Attachment:

Regis.info.zip

In addition to English messages, the Sober.S worm can compose the following German messages:

Subject:

Bcc: Ich habe Ihre Mail erhalten!

Body:

Danke fur Ihre Mail ....
Sie haben aber Ihre Mail wahrscheinlich falsch adressiert,,, namlich an mich.
Ich kenne sie aber nicht!

Oder Ihr Provider hat die Mail falsch weiter geleitet!?

Um mich zu entlasten, schicke ich Ihnen das (...) Foto wieder zuruck.

MfG
Sender

Attachment:

Privat-Foto.zip

--- OR ---

Subject:

Fwd: Klassentreffen

Body:

hi,
ich hoffe jetzt mal das ich endlich die richtige person erwischt habe!
ich habe jedenfalls mal unser klassenfoto von damals mit angehangt.
wenn du dich dort wiedererkennst, dann schreibe unbedingt zuruck!!

wenn ich aber wieder mal die falsche person erwischt habe, dann sorry for die belastigung ;)

liebe gruBe
Rita

(or any of the following: Sandra, Nicole, Hannelore, Kerstin, Elke)

Attachment:

KlassenFoto.zip

--- OR ---

Subject:

Haben Sie diese Mail verschickt?

Body:

Um es vorweg zu sagen: Ich bin kurz davor eine Anzeige gegen Sie zu erstatten!

Sie spinnen ja wohl! Die Mail hat meine Tochter gelesen !!!!!!!!!!!!!!

Ich habe Ihnen "diese" Word-Text Datei zu meiner Entlastung zuruckgeschickt.

Es ware von Vorteil, wenn Sie sich dazu au-ern wurden!!

Attachment:

Brief.zip

The worm does not use any exploits to start attachments automatically on remote systems. To get infected, a user has to extract and run the worm's executable file.
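A mail-gateway check for the lures listed above, added here as an example (not code from the original page): it flags the known Sober.S subjects and attachment names and, independently of those, any ZIP attachment whose members begin with the PE 'MZ' signature, since the worm spreads only as a zipped executable the user must run. The sample message is constructed inline and carries a harmless dummy file, not the worm.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Lure subjects and attachment names listed in the description above.
SOBER_SUBJECTS = {
    "I've got your mail on my account!", "Your new Password",
    "Registration Confirmation", "Bcc: Ich habe Ihre Mail erhalten!",
    "Fwd: Klassentreffen", "Haben Sie diese Mail verschickt?",
}
SOBER_ATTACHMENTS = {
    "screen_photo.zip", "pword_change.zip", "Regis.info.zip",
    "Privat-Foto.zip", "KlassenFoto.zip", "Brief.zip",
}

def zip_has_executable(blob):
    """True if any ZIP member starts with 'MZ'; ignores the member's extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(zf.open(m).read(2) == b"MZ" for m in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify(raw):
    """Return the reasons a raw RFC 822 message looks like a Sober.S lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip() in SOBER_SUBJECTS:
        reasons.append("known Sober.S subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in SOBER_ATTACHMENTS:
            reasons.append(f"known Sober.S attachment name {name}")
        if name.lower().endswith(".zip") and zip_has_executable(part.get_payload(decode=True)):
            reasons.append(f"ZIP {name} contains a PE executable")
    return reasons

def build_sample():
    """Constructed 'Your new Password' lure; the ZIP holds a dummy file that only starts with 'MZ'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pword_change.exe", b"MZ" + b"\0" * 62)
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Your new Password", "a@example.com", "b@example.com"
    msg.set_content("Your password was successfully changed!\n"
                    "Please see the attached file for detailed information.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="pword_change.zip")
    return msg.as_bytes()
```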

Payload

The worm can download and run executable files from user accounts created on the following servers:

people.freenet.de
scifi.pages.at
home.pages.at
free.pages.at
home.arcor.de

Sober.S worm terminates applications that have the following substrings in their names:

microsoftanti
gcas
gcip
giantanti
inetupd.
nod32kui
nod32.
fxsob
avwin.
guardgui.
stinger
hijack
sober
brfix
fixsob
s-t-i-n


Top 10 Most Prevalent Global Malware
(from October 07 to October 14, 2005)

1. SOBER.S
2. HTML_NETSKY.P
3. WORM_NETSKY.P
4. SPYW_DASHBAR.300
5. TSPY_SMALL.SN
6. SPYW_GATOR.F
7. PE_PARITE.A
8. TROJ_DYFUCA.I
9. JAVA_BYTEVER.A-1
10. TROJ_ROOTKIT.S


October 07 2005 A Sober Surprise - WORM_SOBER.AC (Medium Risk)

As of October 6, 2005, NOD32 has declared a Medium risk alert for WORM_SOBER.AC, which is currently spreading in the wild in the U.S., Japan, and Germany. SOBER.AC is written in both German and English. It checks the version of the Microsoft OS the user's system is running; if it detects GMX as the domain, it installs one of the German versions, otherwise it installs one of the English versions.

The worm propagates via email messages that are spammed to recipients. It has no automated capabilities and must therefore be inadvertently executed by the user to install. To entice the user to do this, the author uses classic social engineering techniques, disguising the attachment as either a zipped Word document or a zipped image file. The subject lines vary, but include statements such as “I've got your mail on my account!”, “Your New Password” and “Registration Confirmation”.

SOBER.AC can download and run executable files from certain Web sites that it points to. However, this worm does not seem to have any backdoor capabilities.


Top 10 Most Prevalent Global Malware
(from September 30 to October 6, 2005)

1. JAVA_BYTEVER.A
2. HTML_NETSKY.P
3. WORM_NETSKY.P
4. SPYW_DASHBAR.300
5. TSPY_SMALL.SN
6. SPYW_GATOR.F
7. PE_PARITE.A
8. TROJ_DYFUCA.I
9. JAVA_BYTEVER.A-1
10. TROJ_ROOTKIT.S


12website has a maintenance program for our clients to ensure they will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.