Oxygen3 24h-365d [Weekly virus report - 10/26/03]
From: Jurren Bouman (jubo_at_euronet.nl)
Date: 10/26/03
Date: Sun, 26 Oct 2003 14:27:13 +0100
- Weekly virus report -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, October 26, 2003 - This week's report on malicious code will focus
on three worms (Lohack.C, Flop.A and Sexer.A), a Trojan called Sdbot.N and
the virus Vix.A.

Lohack.C spreads via e-mail and across network drives. The message carrying
this worm tries to trick users by referring to the Spanish Information
Society and E-business Services law. It also spoofs the sender's address, so
that it seems to have been sent from the Spanish Ministry of Science and
Technology or Panda Antivirus.

Lohack.C automatically activates when the message carrying the worm is
viewed through the Preview Pane in Outlook. It does this by exploiting a
vulnerability (known as Exploit/Iframe) that affects versions 5.01 and 5.5
of Internet Explorer and allows e-mail attachments to run automatically.
Finally, one of the effects of Lohack.C is that it moves the mouse pointer
around the screen.

Today's second worm is Flop.A, which spreads by copying itself to all the
floppy disks used on the affected computer, provided that they are not
write-protected. When this malicious code is run, it displays a message in
Spanish describing how to enlarge the male member. The file carrying Flop.A
has the same icon as Word documents.

Sexer.A is a worm that spreads via e-mail in a message written in Cyrillic
characters and includes an attachment called WIN2DRV.EXE. When Sexer.A has
infected a computer, it sends a copy of itself to all the contacts it finds
in the Windows address book and changes the Windows wallpaper to a text
with Cyrillic characters.

The fourth malicious code in today's report is a Trojan called Sdbot.N. This
Trojan has been mass mailed in a message with the subject: "Microsoft
Security Update" and an attachment called MS03-047.EXE. The message text
also tries to trick the user into believing that the message has been sent
by Microsoft. However, when the attached file is run, Sdbot.N goes memory
resident and connects to an IRC channel. This channel sends the Trojan
remote control commands in order to carry out the following actions, among
others: scan ports, download and run files, launch Denial of Service (DoS)
attacks, etc.

Finally, Vix.A is a virus with worm characteristics that infects PE files
and spreads via the P2P (peer-to-peer) file sharing programs KaZaA, iMesh
and Shareaza. A file that has been infected by this virus cannot be
disinfected and will therefore be rendered unusable.

For further information about these and other malicious code, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- PE (Portable Executable): PE refers to the format of certain programs.
- Preview Pane: A feature in e-mail programs that allows the content of the
  message to be viewed without having to open the e-mail.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

-- Jurren Bouman MVP Windows - Security