Mary's Antivirus Software Blog

By Mary Landesman, About.com Guide to Antivirus Software

PandaLabs' weekly report on viruses and intruders

Saturday November 20, 2004
This week’s virus report looks at five worms (Sober.I, Bagle.BG, Yanz.A, Drew.A and Aler.A) and a Trojan called Msnsoug.A. Report courtesy of Panda Software for the week ending November 19, 2004.

Sober.I is sent by email using its own SMTP engine, in a message either in German or English depending on the recipient. It gets email addresses from the infected computer and stores them in files. In order to ensure it is run whenever the computer is started up, it creates several entries in the Windows registry.

Bagle.BG sends itself out in emails with variable characteristics. Its actions include opening and listening on TCP port 2002. It acts as a backdoor, allowing access to the infected computer. Bagle.BG also terminates processes belonging to certain applications that update antivirus solutions, leaving the computer vulnerable to future attack.

Yanz.A is an email worm that spreads in messages with highly variable characteristics and displays false sender addresses. It can also spread through P2P file-sharing programs by creating copies of itself, under variable file names, in folders whose names contain the letters ‘shar’. Both the messages and the shared files it creates make reference to the Chinese singer Sun Yan Zi.

Drew.A spreads via both email and P2P applications. In the first case it uses its own SMTP engine to send messages with a highly variable format. The message subject and text, along with the name of the attachment, are chosen at random from a list of options. To spread via P2P applications, Drew.A searches for all folders with the text ‘share’ and copies itself to these folders using names aimed at enticing users, such as "Cameron Dias.scr", "Delphi 8 keygen.com" and "DrWeb 4.32 Key.com".
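A defender-side sweep for the P2P behaviour described for Yanz.A and Drew.A above, as an added example that is not part of the Panda Software report or the original post: it lists executable files sitting in folders whose names contain ‘shar’ so they can be reviewed. It assumes the match is on the folder name; the `.exe` and `.pif` extensions, the function names and the sample folder names are constructed for illustration.

```python
import os
import tempfile

# Extensions Windows runs directly. .scr and .com come from the report;
# .exe and .pif are an added assumption.
EXECUTABLE_EXTS = {".scr", ".com", ".exe", ".pif"}
FOLDER_MARKER = "shar"  # Yanz.A's 'shar' also covers Drew.A's 'share'


def find_share_folder_executables(root):
    """Return sorted paths of executable files directly inside any folder
    under root whose name contains FOLDER_MARKER (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if FOLDER_MARKER not in os.path.basename(dirpath).lower():
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: empty files using the names quoted in the report."""
    layout = {
        "My Shared Folder": ["Cameron Dias.scr", "holiday.jpg"],
        "KaZaA/shared": ["Delphi 8 keygen.com", "song.mp3"],
        "Documents": ["DrWeb 4.32 Key.com"],  # not a share folder, so not listed
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in files:
            open(os.path.join(root, folder, name), "w").close()


def demo():
    """Run the sweep over the constructed tree; return paths relative to it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in find_share_folder_executables(root)]


if __name__ == "__main__":
    for path in demo():
        print("review:", path)
```

A hit is a prompt for review rather than a verdict, since legitimate installers can also sit in shared folders.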

Aler.A exploited a flaw in the handling of WMF/EMF image files (MS04-032). It also exploited political sentiment: the email subject read “Latest News about Arafat !!!”, and the message included two EMF attachments. One of them was an image file of the funeral of the Palestinian politician. The other exploited the flaw, allowing it to automatically install the Aler.A network worm.

The Panda Software report ends with Msnsoug.A, a Trojan that does not spread under its own steam. Once it has infected a computer, it waits for a user to start an MSN Messenger session and sends a text message in Portuguese to all contacts active at that moment.