Jump to content
Sign in to follow this  
nlinecomputers

Viruses Worms Trojans ... Oh, my!

Recommended Posts

Tushman

IT experts have found a new virus variant nomed "New Bagle" that uses some sneaky new tricks to disguise itself. Particularly using a file compression format *.rar which any internet downloader should take note of.Read the full article here.EDIT:Oh criminey... looks like this is a dupe. Bambi, you beat me to the buzzer. :)This is what happens when your PC is offline and you get your news from Fox! :lol:

Share this post


Link to post
Share on other sites
Guest LilBambi

Tushman, I don't think that your article was the same was it? Would still have been interested in reading it if it was a different link.And if that wasn't bad enough ... Netsky.P upgraded.Security Pipeline article - Netsky.p Upgraded To Medium Risk

The latest variant of the Netsky virus was rated a medium threat Monday, and reportedly infected at least one large European company.Netsky.p, the 16th variant of the Internet worm, takes advantage of a vulnerability in Microsoft Internet Explorer 5.01 or 5.5 without Service Pack 2. The variant is the first of the Netsky family capable of executing without the PC user clicking on an attachment, antivirus experts said.Network Associates Inc. and Symantec Corp. have rated Netsky.p a medium risk.Network Associates has received more than 100 reports of the worm from customers and virus-generated emails. A worm is a type of virus that opens a backdoor in a PC, making it possible for a hacker to take control of the machine to distribute spam, launch a denial of service attack, or steal passwords to Internet accounts.Netsky.p infected at least one large European company, but it was confined to a few hundred machines."The company is as large as a Fortune 500 company in Europe," Vincent Gullotto, a virus expert at Network Associates, said. " It wasn't a widespread outbreak, and the company is still in operation."Gullotto declined to name the company.Netsky.p is troublesome because the virus can be executed without a PC user double clicking on the attachment. For this to happen, however, the user must have the Microsoft Outlook e-mail client set to display e-mail written in HTML.Code embedded in the document automatically executes the Zip file containing Netsky.p, which propagates itself by stealing e-mail addresses from the infected machine.Virus experts, however, do not expect Netsky.p to become a major threat, primarily because it takes advantage of a vulnerability that Microsoft patched in 2001 Many PC users have either installed the patch, or have upgraded to Internet Explorer 6.0.Netsky.p arrives in e-mails with these subject lines: stolen document, re: hello, mail delivery, private document, re: notify, re: document, re: extended mail system, re: protected mail system, re: question, private document, and postcard.Netsky is one of three of the most prevalent virus families on the Internet. The other two are Mydoom and Bagle.

Share this post


Link to post
Share on other sites
Guest LilBambi

Last weekend, several AV companies played down the PhatBot Trojan Horse story by the Washington Post that was posted after DHS (Department of Homeland Security) issuing an alert about it, but apparently have changed their tune since Monday, March 18.It is all over the Internet news wires today.At least several hundred thousand broadband home users are being made an unwilling participant in the beginnings of what could become a very large spammer and identify theft network. The 'swiss army knive' PhatBot/Agrobot trojan horse tool set is quite versatile.LUHQ: Phatbot Trojan Analysis (March 15, 2004)

A kind of Darwinism pervades the world of trojan botnet development. With time, the more effective bots become increasingly popular, leading to additional development from secondary developers who provide "mods" to the bots. One very successful bot known as "Agobot" has now found itself superceded by "Phatbot". Phatbot is actually a direct descendant of Agobot, with additional code rolled in from other sources. These additions have made Phatbot a more versatile and dangerous threat in the realm of Internet security. The analysis that follows attempts to detail the functionality of Phatbot for purposes of detection and elimination.
Much, much more at the LUHQ site including a huge list of PhatBot/Agrobot Trojan Horse capabilities. Washington Post: Hackers Embrace P2P Concept - Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or Denial-of-Service Attacks (March 17, 2004) (requires free registration to view the article)Despite it's pressing the term hacker (the term should be unethical hacker, or crackers/black hat hackers, etc.) -- the lack of descriminating between ethical and unethical hackers really burns me up. It gives true hackers a bad name and is very annoying.
Computer security experts in the private sector and U.S. government are monitoring the emergence of a new, highly sophisticated hacker tool that uses the same peer-to-peer (P2P) networking abilities that power controversial file-sharing networks like Kazaa and BearShare.By some estimates, hundreds of thousands of computers running Microsoft's Windows operating system have already been infected worldwide. The tool, a program that security researchers have dubbed "Phatbot," allows its authors to gain control over computers and link them into P2P networks that can be used to send large amounts of spam e-mail messages or to flood Web sites with data in an attempt to knock them offline.The new hacker threat caught the attention of cyber-security officials at the U.S. Department of Homeland Security, prompting the agency to send an alert last week to a select group of computer security experts. In the alert, the agency warned that Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software.A copy of the DHS alert was made available to washingtonpost.com by two sources at different companies who asked that their identities not be used because they did not want to risk losing access to future government alerts. Officials at the department and US-CERT -- a government-funded cyber-security monitoring agency -- confirmed that the message was genuine.
Internet Week: New Phatbot Trojan Targets Windows Systems (March 18, 2004)
Computer-security companies warned Wednesday that a new malicious Trojan horse that targets Windows systems has been spotted on the Internet. Dubbed Phatbot, the Trojan was first noticed by antivirus companies earlier this week."We started getting reports of infections early Monday," says Craig Schmugar, a virus researcher with McAfee antivirus and vulnerability emergency-response team at Network Associates Inc.Phatbot, which already has several variants, is leveraging a long list of software flaws to infect systems. According to security researchers, Phatbot scans for systems that have unpatched Windows vulnerabilities, including DCOM, DCOM2, locator service, network shares using weak passwords, WebDav, and the Windows Workstation Service. It will also attack systems already infected with the MyDoom worm.Some variants of Phatbot can be controlled by attackers through Internet Relay Chat, while others can be controlled through peer-to-peer file-sharing technology.Once the Trojan infects a system, it can try to use that system to send spam; steal Microsoft Windows Product Keys; kill previous infections of Blaster, Welchia, and Sobig.F worms; and steal Internet Relay Chat or IRC operator logon information and user names and passwords from FTP network traffic. It also can shut down common antivirus applications and block access to many antivirus vendor Web sites, Schmugar says. He says the majority of infections have so far occurred in Asia, with some in the United States.Security vendor iDefense Inc. has spotted successful Phatbot infections, but Ken Dunham, director of malicious code, says it isn't the number of infected machines that's worrisome but the networks that are placed at risk with infected systems. "Large networks are clearly the target of this attack, as well as opportunistically attacking home users," he says.
The Register: Phatbot primed to steal your credit card details (March 21, 2004)
A Trojan horse-type computer virus called Phatbot can steal credit card numbers and launch denial of service attacks on Web sites.The new virus made its debut on the Internet on Friday (18 March), clogging bandwidth, stealing personal data and initiating denial of service attacks.Phatbot is a variant of a Agobot, a big family of IRC bots. It can steal personal information such as email addresses, credit card numbers, PayPay details and software licensing codes. It forwards this information using a peer-to-peer (P2P) network, rather than IRC channels exploited by its predecessors. Earlier versions of the bug go by monikers such as Phat, Backdoor.Agobot.fo and Gaobot, according to F-Secure.Phatbot can also kill any anti-intrusion devices and give people a false sense of security in order to get inside a network and exploit vulnerabilities, F-Secure says.Phatbot inserts backdoors which can be used to perform distributed denial of service (DDoS) attacks aimed at shutting down Web sites including those of German Internet hosting company Schlund, US telecoms firm XO and Stanford University. The bug also terminates processes belonging to competing malware such as MSBlast.
ZDNet: Watch out: It's virus season again (March 22, 2004)
Like it or not, we're hot and heavy into the first active virus season of 2004, one that--if the past is any indication --should last until May, then resume again in early August. Despite the sheer number of medium-threat viruses on the loose this year, however--we've seen about 36 low- to medium-level threats so far since January 18, 2004--virus writers seem to be burning through their bag of new tricks with only limited success.Indeed, none of the recent crop of Bagle, Netsky, or MyDoom variants has risen above a medium threat level. Still, the season isn't over yet; we may have seen only the beginnings of a bad year. Fortunately, there are ways you and I can defeat these buggers before they attack, but first, let me detail the history of one recent annoyance: Bagle.
There are sections of this article on the Beagle/Bagle/Netsky worms and also on the new trojans.Keep your 'puters safe out there!

Share this post


Link to post
Share on other sites
Guest LilBambi

MS Hearts anyone?Well that's what the newest Bagle Worm does ...it opens MS Hearts ... among other things!TrendMicro: Bagle.U

As of March 26, 2004, 2:15 AM (US Pacific Time), TrendLabs has declared a Medium Risk Alert to control the spread of this new BAGLE variant.This worm propagates via email. It sends copies of itself to addresses that it gathers from files with certain extension names. The email that it sends out has the following details:Subject: Message Body: Attachment: .exeThis worm has backdoor capabilities. It listens to TCP port 4751 to wait for instructions from a remote user. It may also launch the game MSHEARTS.EXE upon execution.
See full description .. it also makes use of a specific 'clock' iconThe Register: Bagle-U plays MS Hearts article from this morning on it. Edited by LilBambi

Share this post


Link to post
Share on other sites
Guest LilBambi

The above noted Bagle.U is now at Risk Level 3 according to Symantec's site. :ph34r: And if that wasn't bad enough ...TrendMicro: WORM_NETSKY.Q

As of March 29, 2004, 12:29 AM PST, TrendLabs has declared a MEDIUM RISK VIRUS ALERT to control the spread of this new NETSKY variant spreading in Japan and China.It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email with varying subjects, message bodies,and attachment file names. It gathers email addresses from files with certain extension names in drives C to Z (except for CD-ROM drives).It also exploits a known vulnerability affecting Internet Explorer involving incorrect MIME Header (MS01-020), which allows the automatic execution of email attachments while an email is read or previewed. More information on this vulnerability is available at:      http://www.microsoft.com/technet/security/...n/MS01-020.mspx It launches a Denial of Service (DoS) attack on several Web sites from April 8 to 11, 2004.This Petite-compressed malware is written using Microsoft Visual C++, a high-level programming language.It runs on Windows 95, 98, ME, NT, 2000, and XP.Solution:

Share this post


Link to post
Share on other sites
teacher

I assume that running text only it is still safe to open email??? One more reason to not set up email to allow html or java?Julia :P

Share this post


Link to post
Share on other sites
Ed_P

According to the story this worm doesn't use email to spread. It just needs you to be connected to the 'net.I don't allow Java in email but do allow for HTML and Javascript. I've never had a problem. I of course also run a firewall and an AV which I keep current. Limiting email won't stop infections.

Share this post


Link to post
Share on other sites
teacher

It sure sounded to me like it used email....

W32/Netsky-V exploits security loopholes in Microsoft's software that mean users can be hit just by reading an email
I still will not open an email in html even with virus protection and being behind a firewall. It is much easier to be safer than sorry. Good computing habits help to keep a clean computer. Even in Linux I will not open an email in html.Julia :P

Share this post


Link to post
Share on other sites
Ed_P
icon_redface.gif You are correct teacher. I was mislead by the
the new Netsky-V worm (W32/Netsky-V) spreads without using email attachments to infect.
part. icon_redface.gif

Share this post


Link to post
Share on other sites
havnblast
The latest Netsky worm rolled onto the Internet Tuesday, and immediately picked up enough traction for security firms to bump up threat assessments.Netsky.x, which is similar to past Netsky variants, arrives as an e-mail message with a spoofed address, uses a English subject line that reads “Re: Document,†and tucks its payload into a .pif file. Once it infects a system, it hijacks e-mail addresses found on the PC and spreads to others.The worm is intelligent enough to craft its message to the language of several e-mail top-level domains. If the address' domain is “de,†for example, the subject head changes to “Re: dokument†and the message text to “Bitte lesen Sie das Dokument.â€Like other Netskys, version X also schedules a denial-of-service (DoS) attack on several Web sites, including nibis.de, medinfo.ufl.edu, and educa.ch starting on April 28 and running through April 30.(The author of Netsky.x must have something against learning, for all three targets -- one each in Germany, Switzerland, and the U.S. -- are educational sites.)The worm also opens a backdoor on TCP port 82, which the hacker can use to later plant other malicious code, such as key logger.In keeping with the juvenile tradition of Netsky authors, this one took a shot at Bagle, a competing worm, by naming the text file copy of itself as “f***_you_bagle.txt.†The copy is dropped into the Windows folder; its presence is a sure sign of infection.Netsky.x was bumped from a level “2†threat to a “3†by Symantec early Tuesday in response to an increased number of submissions. Symantec uses a 1 through 5 scale to denote a virus' of worm's severity.
Source: Techweb

Share this post


Link to post
Share on other sites
Guest LilBambi
TrendMicro: WORM_BAGLE.X, AKA W32/Bagle.z@MM, w32.beagle.w@mm, W32/Bagle-W, Bagle.y
As of April 26, 2004 11:22 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of this BAGLE variant. Several infection reports indicate that it is spreading in Europe, Latin America, and the US.This memory-resident worm propagates via email and network shares. Upon execution, it drops the following files in the Windows system folder:    * Drvsys.exe    * Drvsys.exeopen    * Drvsys.exeopenopen It may also create more copies of itself with the string open appended in its file name.The email it sends out has varying subjects, message bodies, and attachment file names. It uses specific user names followed by the domain of the recipient's email address to spoof the From field. It sends two attachments. One of them is a picture of a girl in .JPEG format. The other attachment is a copy of this malware with any of the following extension names:    * COM    * CPL    * EXE    * HTA    * SCR    * VBS    * ZIP
Screenshot of email (actually has a working picture of a girl in it at TrendMicro.
It also searches for target email addresses in files having certain extensions. However, it skips those addresses that contain particular strings.This malware drops copies of itself using specific file names in folders that contain the string shar in their folder names.It terminates several antivirus and security programs. It also creates a separate thread and listens to port 2535 for its backdoor capability. It then tries to connect to several Web sites.It deletes several registry keys that WORM_NETSKY variants and other normal applications use to automatically run. After January 25, 2005, it also deletes a certain registry key and entry.This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.

Share this post


Link to post
Share on other sites
nlinecomputers

The Sasser Worm, a blaster type of worm, is spreading rapidly across the net. Please update your AV programs today and visit Windows Update and make certain that your systems are up to date.Symantec has listed this at level 3, McAfee has this as a Medium Risk. This is spreading fast and on a Saturday. This is a blaster style worm so it DOES NOT spread via email. It spreads via open port connections.

As of May 1, 2004  4:15 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SASSER.A. TrendLabs has received several infection reports indicating that this malware is spreading in the US.This worm is known to exploit the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages: • http://www.trendmicro.com/vinfo/virusencyc...CROSOFT_WINDOWS• http://www.microsoft.com/technet/security/...n/ms04-011.mspxTo propagate, it scans random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE. The resulting overflow allows the malware to listen to TCP port 9996, which instructs it to spawn a command shell. The malware then creates the script file CMD.FTP that contains instructions for the vulnerable system to download and execute a copy of this malware via FTP. The infected host then opens TCP port 5554 to accept any FTP requests from infected remote systems. The worm copy to be downloaded bears the file name, <random integer>_up.exe (e.g., 12345_up.exe), and is saved in the Windows system directory. After download, the malware deletes the file CMD.FTP. A log file named WIN.LOG is created in the root directory. This file contains the number of remote systems that the host system were able to infect. TrendLabs will be releasing the following EPS deliverables: TMCM Outbreak Prevention Policy 110 (released) Official Pattern Release 879 (released) Damage Cleanup Template 331 (ETA 1 hour) Vulnerability Assessment Rule 10 (released) NVW Pattern 10124 (ETA 1 hour)  For more information on WORM_SASSER.A, you can visit our Web site at:http://www.trendmicro.com/vinfo/virusencyc...e=WORM_SASSER.A.You can modify subscription settings for Trend Micro newsletters at:http://www.trendmicro.com/subscriptions/default.asp

Share this post


Link to post
Share on other sites
Guest LilBambi

Thanks JackR.Yes, this is quite a nasty one if you don't have that particular update especially without a proper firewall.

Share this post


Link to post
Share on other sites
ross549

Thanks for the heads-up Jack. I e-mailed my clients (family) so they can make sure their computers are updated and patched to avoid this worm. :D

Share this post


Link to post
Share on other sites
Guest LilBambi
ZDNet: New worm's got sass, but not much else
The security researchers at eEye Digital Security are not impressed with the Sasser worm.The company, which found the flaws that were exploited by both the MSBlast worm and the Witty worm, on Saturday started analyzing the latest piece of attack code that takes advantage of a Microsoft Windows vulnerability discovered by its researchers. So far, eEye's analysts are surprised that the worm has spread so far."It's so poorly written," said Marc Maiffret, chief hacking officer for the Aliso Viejo, Calif., company. "This could still have a lot of impact, but it's written by someone that could barely get the code working."
Let's just hope their distain for the coding doesn't challenge the writer, huh?Glad it hasn't been as bad as it could be, but this is only one of the first two groups of vulnerabilities to really take advantage of LSASS.EXE vulnerability that thankfully has been patched and many have been smart enough to get their updates. Gaobot is the other.Despite their distain for the actual code problems, it still managed to hit Category 3 almost immediately. Not exactly a total dud. And unfortunately mutations/variations seem to always follow. sigh....

Share this post


Link to post
Share on other sites
FuzzDuckie

for a poorly written piece of code it sure crashed the LSASS reallly well. Not a lot of payload though...files were easy to find once the names were known.Yep there is a variant out there. I had the file on my system- thankfully it just sat there LOL. I had both.

Share this post


Link to post
Share on other sites
nlinecomputers
for a poorly written piece of code it sure crashed the LSASS reallly well.  Not a lot of payload though...files were easy to find once the names were known.Yep there is a variant out there.  I had the file on my system- thankfully it just sat there LOL.  I had both.
I think that is the point. Like the MsBlast virus it was NOT supposed to crash the machine. It was supposed to enter silently. If it had worked better it would spread faster as people would be spreading it without knowing about it. MsBlast was such a pain in the rear because of the amount of machines that went down because of it. An unintended side effect. It could have been alot worse had the virus spread sliently and then had somekind of damaging payload launched via the MsBlast network.

Share this post


Link to post
Share on other sites
nlinecomputers

Sasser.B is starting to spread fast this morning. Symantec is now listing this as level 4 and Trend Micro now has a Red Alert level warning for it.. McAfee still lists it as a medium level but I expect that to change. Again call your friends your coworkers and your clients and make sure that they have fully updated their patches and AV programs! I think this is going to be a long week.

Share this post


Link to post
Share on other sites
Marsden11

The worm is looking for TCP port 5554. Check your hardware firewalls!

Share this post


Link to post
Share on other sites
Guest LilBambi
Sasser.B update!Sasser.B can run on (but not infect) Win95/Win98/WinME computers.Quote from Symantec's updated Sasser.B page:
W32.Sasser.B.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to. In this case, the worm will waste a lot of resources so that programs cannot run properly, including our removal tool. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)
So, in addition to Windows 2000 and Windows XP getting infected, we have to worry about any Win9x family of PCs (which do not get sick with the worm), helping to spread it like some sort of slow motion computerized Typhoid Mary

Share this post


Link to post
Share on other sites
Guest LilBambi
eWeek: Sasser.D Worm Arrives, Ready to Do Damage
UPDATED: A fourth version of Sasser has the potential to cause serious slowdowns and outages; a hoax e-mail claiming to contain a fix for the worm in fact contains a version of the NetSky worm.
There are various changes to this last variant that make it potentially more devastating than previous versions.In addition to the problems noted above, the article also states that Sasser.D creates a remote shell on TCP port 9995, instead of 9996, which is used by the other three variants; changes the name of the file it drops on computers, and scans multicast addresses, which has led to it causing some destabilization of routers that handle multicast traffic.

Share this post


Link to post
Share on other sites
epp_b

*epp_b checks the malware thread**clicks on link to sasser patch info*hmmmm...systems not affected...Win98!! Yeaaah! Na na na naaa na! :harhar:yikes! I'm outa here! :D

Share this post


Link to post
Share on other sites
teacher

After a bit of a lull, it looks like we have a new upgrade of thread level for the latest: W32.Korgo.F. This one takes advantage of a buffer overflow error.Symantec DescriptionJulia B)

Share this post


Link to post
Share on other sites
Peachy

Add the Plexus worm.

Share this post


Link to post
Share on other sites
nlinecomputers

New Cyber alert for today. My Doom variant doing the usual email and spam harvest but with a twist. This one is doing searches for your email addresses on Google and Yahoo.Everyone please update your AV programs. NOW. Why are you still reading this? I told you to go update. *smack* :rolleyes:

-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1                        National Cyber Alert SystemCyber Security Alert SA04-208ANew Variant of MyDoom Virus Original release date: July 26, 2004 Last revised: -- Source: US-CERTSystems Affected  * Microsoft Windows SystemsOverview  A new variant of the MyDoom virus is spreading through email. In  addition to infecting your computer and emailing itself to other  machines, the virus may open a backdoor that could make your  machine vulnerable to future attacks.Solution Avoid opening email attachments  Be sure you know the source of an attachment before opening it.  Also remember that it is not enough that the mail originated from  an email address you recognize. Many viruses spread precisely  because they originate from a familiar email address. Maintain updated anti-virus software  It is important that you use antivirus software and keep it up to  date. Most antivirus software vendors frequently release updated  information, tools, or virus databases to help detect and recover  from virus infections. Many antivirus packages support automatic  updates of virus definitions. US-CERT recommends using these  automatic updates when possible.Description  This variant of MyDoom (known as MyDoom.M or MyDoom.O) is  significant because it seems to be conducting searches on  addresses it harvests from infected computers. Therefore, not  only is email activity affected, response times in many popular  search engines may be dramatically reduced.References  * MyDoom.B Virus -    <http://www.us-cert.gov/cas/alerts/SA04-028A.html>  * US-CERT Computer Virus Resources -    <http://www.us-cert.gov/other_sources/viruses.html>  * Understanding Anti-Virus Software -    <http://www.us-cert.gov/cas/tips/ST04-005.html>  * Using Caution with Email Attachments -    <http://www.us-cert.gov/cas/tips/ST04-010.html>  * Home Network Security -    <http://www.cert.org/tech_tips/home_networks.html>  * Home Computer Security -    <http://www.cert.org/homeusers/HomeComputerSecurity/  _________________________________________________________________ Author: Mindi McDowell. Feedback can be directed to US-CERT at "US-CERT Security Alerts" at <cert@cert.org>.  Please include the Subject line "SA04-208A Feedback". _________________________________________________________________ Copyright 2004 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html> Revision History July 26, 2004: Initial release -----BEGIN PGP SIGNATURE-----Version: GnuPG v1.2.1 (GNU/Linux)iD8DBQFBBXLVXlvNRxAkFWARArVGAJ99OXSp1CagGU3QY/IpDGAt0Tkg0ACgjoLc2E06a0cgwvuyXx31oduKJRI==Z63l-----END PGP SIGNATURE-----

Share this post


Link to post
Share on other sites
nlinecomputers

Symantec has admited that a flaw exists in the it's Norton Antivirus Products that can allow someone to run virus code via the email scanner and thus onto your computer.http://www.zdnet.com.au/news/security/0,20...39180674,00.htmUsers should run Live Update to patch your system immmediatly. Most users should have gotton this automaticly on Tuesday but I'd run Live Update just to be certian. If it offers no new patches then you are updated.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...