PRODUCTS > Computer Virus Alerts - Maintenance
Virus alerts for November 2004
Current virus alerts here.
Previous
Oct 04

By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly.

Computer virus alert

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

Bagle virus info here

November 22 WORM_SOBER.I.

This mass-mailing worm arrives on a system as an email message that has German content. It propagates by sending copies of itself to certain email addresses, which it gathers from files on the system with specific extension names. However, it also avoids sending email messages to certain email addresses with certain strings. It also drops several files in the Windows system folder and creates registry entries to enable itself to run automatically at every system startup.

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

November 20 Arafat Worm - WORM_GOLTEN.A

WORM_GOLTEN.A is a memory-resident network worm. It has no mass-mailing capabilities, but may have been mass-mailed to specific email addresses instead. The email message contains two .EMF file attachments: one shows the burial of Palestinian leader Yasser Arafat and the other contains code that exploits a Microsoft XP vulnerability. The worm propagates via network shares and attempts to connect to network shared folders. It uses a list of user names and passwords to gain access to a machines, to establish a network connection and execute a copy of itself in the accessed network share. This worm runs on Windows 2000 and XP, and is currently spreading in-the-wild.

Upon execution, this worm drops the following files in the Windows system folder:

* ALERTER.EXE - main component and installer
* COMWSOCK.DLL
* DMSOCK.DLL
* IETCOM.DLL
* SPTRES.DLL
* SCARDSER.EXE - installs .DLL (Dynamic Link Library) files that inject this worm into LSASS.EXE and IEXPLORE.EXE

It also adds a registry entry that allows it to automatically execute at every system startup, and installs the following .DLL files:

* COMWSCOK.DLL
* DMSOCK.DLL
* IETCOM.DLL
* SPTRES.DLL

These .DLL files inject this worm into the following processes:

* LSASS.EXE
* EXPLORER.EXE

The .DLL files download other components from a remote location, and are responsible for the propagation of this worm.

The worm also adds a registry entry that initiates the download of a remote file, which is saved as DMSTI.EXE.

WORM_GOLTEN.A propagates through network shares and attempts to connect and execute a copy of itself in the following default network folders:

* ADMIN$
* IPC$

It also installs a service named NETLOG.

This worm uses the following user names and passwords to gain access to machines connected on the same network:

!@#$
!@#$%
!@#$%
~!@#
000000
00000000
111
111111
11111111
12
123
123!@#
1234
1234!@#$
12345
12345!@#$%
123456
1234567
12345678
54321
654321
888888
88888888
admin
fan@ing*
oracle
pass
passwd
password
root
secret
security
stgzs
super

The worm may have been mass-mailed to specific email addresses. The email arrives with the following:

Subject: Latest News about Arafat!!!
Message body:
Hello guys!
Latest news about Arafat!
Unimaginable!!!!!

The email also contains two .EMF file attachments: ARAFAT_1.EMF is a .JPG file showing the burial of Palestinian leader Yasser Arafat, and ARAFAT_2.EMF contains exploit code that uses the Microsoft Windows XP Metafile Heap Overflow vulnerability. When opened, the file drops this worm into a system.

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

Top 10 Most Prevalent Global Malware
(week of: November 12, 2004 to November 18, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_NETSKY.D
4. WORM_NETSKY.B
5. WORM_SOBER.G
6. JAVA_BYTEVER.A
7. WORM_BAGLE.AT
8. WORM_NETSKY.C
9. WORM_NETSKY.Q
10. WORM_SOBER.F

November 13 Mining for Gold - TROJ_GETEGOLD.A

TROJ_GETEGOLD.A targets users with e-gold accounts. E-gold is an integrated account-based payment system mainly utilized for e-commerce. This Trojan does not employ typical phishing techniques, such as logging user keystrokes in text files that can be sent to a remote malicious user. Instead, when a user accesses the e-gold account login form it opens a hidden duplicate Internet Explorer (IE) window accessing that same URL. It then fills the duplicate Web form, which eventually leads to illegal account access. The Trojan periodically drains the funds of the compromised account by a certain percentage, and the stolen funds are then transferred to another e-gold account. This Trojan runs on Windows 95, 98, ME, NT, 2000, and XP and is currently spreading in-the-wild.

Upon execution, this Trojan drops itself as SVHOST.EXE in the Windows folder. It then creates a registry entry that allows it to automatically execute at every Windows startup. When a user accesses the URL http://e-gold.com/acct/login.html, this Trojan opens a hidden duplicate Internet Explorer page of the said URL, which it fills, in order to drain a target user’s e-Gold account.

To successfully perform this function, this Trojan uses Internet Explorer’s built-in OLE automation functions. This method is similar to API hooks used by PE viruses. In this case, this Trojan executes certain functions for every change in the URL address that occurs.

The following URLs cause this Trojan to execute certain functions:

* e-gold.com/acct/acct.asp
* e-gold.com/acct/balance.asp
* e-gold.com/acct/spend.asp
* e-gold.com/acct/verify.asp
* https://www.e-gold.com/acct/acct.asp
* https://www.e-gold.com/acct/balance.asp
* https://www.e-gold.com/acct/spend.asp

E-gold account holders should monitor e-gold Security Alerts at the following URL:
http://www.e-gold.com/unsecure/alert.html

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

Top 10 Most Prevalent Global Malware
(week of: November 5, 2004 to November 11, 2004)

1. WORM_NETSKY.P
2. HTML_NETSKY.P
3. WORM_BAGLE.AT
4. WORM_NETSKY.D
5. JAVA_BYTEVER.A
6. PE_ZAFI.B
7. WORM_BAGLE.AU
8. WORM_NETSKY.C
9. WORM_NETSKY.B
10. TROJ_DELF.AR

November 06 Faker - ELF_FAKEPATCH.A

ELF_FAKEPATCH.A is an executable that runs on Linux. ELF refers to Executable and Link Format, which is the well-documented and available file format for Linux/UNIX executables. It arrives via email, and retrieves network configuration and system information. The information is saved in the file "mama", and sent to a specific email address.

The email it sends is designed to trick users into believing it is a legitimate email sent by the RedHat Security Team, regarding critical security patches that must be downloaded. The email includes links to downloadable files, and encourages the recipients to click the links to download the patches.

When one of the specific files mentioned in the email is downloaded, the following files are found:

* Inst.c – source code of this malware
* Makefile – used to compile inst.c

When this Elf executable is already compiled, it produces the shell code that retrieves information from a machine. The shell code first checks whether it is executed in the root level. If not, it displays the following line in a console:

This patch must be applied as "root", and you are: %User% (Note: %User% is the currently logged on user)

Afterward, it adds a user named "bash" with a null password and creates the file "mama" inside the temporary folder. It then obtains network configuration and system information, and saves it in the file mama. Next, it sends this file to the email address root@addlebrain.com. It then deletes the file from the system and starts SSHD (Secure Shell Server). Note: A Secure Shell Server provides secure encrypted communications between untrusted hosts over an untrusted network. It allows users to connect to a system from another system via TCP/IP, and obtain a shell prompt, from which they can issue commands and view output.

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

Top 10 Most Prevalent Global Malware
(week of: October 29, 2004 to November 4, 2004)

* WORM_NETSKY.P
* HTML_NETSKY.P
* WORM_BAGLE.AT
* WORM_NETSKY.D
* JAVA_BYTEVER.A
* WORM_NETSKY.B
* WORM_BAGLE.AU
* WORM_NETSKY.C
* PE_ZAFI.B
* WORM_NETSKY.Q

Get in touch for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.

12website has a maintenance program for our clients to ensure their will not be 'let down' by an inefficient computer.

Computer maintenance is necessary to keep your machine running smoothly without down time.

Contact Us. Add "Virus Trial" to the Comments area.