Forums » Up and Running » Security » Security » Panda Weekly Virus Report 22 August 2003
John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

Panda Weekly Virus Report 22 August 2003

08/22/2003. This week's report looks at three worms, Nachi.A (W32/Nachi.A), Sobig.F (W32/Sobig.F) and Panol.B (W32/Panol.B), and the Caraga (W97M/Caraga) macro virus.
Nachi.A is designed, like the infamous Blaster worm, to exploit the RPC DCOM vulnerability that affects some versions of the Windows operating system. Nachi.A does not spread by e-mail. It incorporates a TFTP (Trivial File Transfer Protocol) server that allows it to attack remote computers via TCP/IP in order to cause a buffer overrun in the targeted machine. As a result, the affected computer will download a copy of the worm. Nachi.A, whose origin seems to be China, can also exploit the WebDAV vulnerability.

Nachi.A has an unusual feature: it uninstalls the Blaster worm from computers affected by this malicious code, killing its processes and deleting the file that contains the worm. Besides, it downloads and installs the Microsoft security patch that fixes the RPC DCOM vulnerability. Finally, it deletes itself when the year of the system date is 2004.

The F variant of the Sobig worm has become the virus with the highest, quickest proliferation rate in the history of computer viruses. Its presence has been detected all around the world, and, in less than 24 hours, it has managed to place itself among the viruses most frequently detected by Panda ActiveScan. This stems from the worm's unusual capacity to spread via e-mail and across local networks, which makes Sobig.F a serious threat for corporate networks, which could be collapsed by the worm.

Sobig.F also poses additional dangers, as it uses social engineering techniques to trick users into running the file that contains it. Besides, it changes the sender of the e-mail that contains it, like other malicious codes such as Klez.I. In this way, it tries to convince users the infected message comes from a reliable source.

Once the user runs the attachment carrying the worm, Sobig.F uses its own SMTP engine to send itself out to all the e-mail addresses it finds in files with the following extensions on the affected computer: TXT, HTM*, WAB, DBX and EML. It also copies itself to the affected system under the name winppr32.exe and creates several keys in the Windows Registry in order to ensure that it is run whenever the affected computer is started.

Sobig.F can also download files from the Internet and has backdoor functions, which allow it to open several communication ports. Finally, it can spread across local networks.

Panol.B looks in the infected computer's hard drive for files with an extension starting with HTM. Then, it searches these files for e-mail addresses which begin with the string "mailto:" and sends itself out to them. Once installed on the affected computer, Panol.B stays memory resident and tries to carry out different actions depending on the system date: restarting the computer or disabling the mouse and the keyboard.

Finally, Caraga infects Word documents using the normal means of infection used by macro viruses. Firstly, it infects the global template (NORMAL.DOT file) and then it infects all the documents that are opened, closed or saved in the affected computer.

Caraga also hides or disables many options of the Tools menu: Visual Basic Editor and toolbar, Macros, Control Box toolbar, shortcut keys, etc.

For further information about these and other viruses, visit Panda Software's Virus Encyclopedia at: »www.pandasoftware.com/virus_info···lopedia/.

--
Better to remain silent and be thought a fool, than to speak and remove all doubt.
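The report above gives a network administrator two concrete propagation patterns to look for on the wire: Nachi.A's RPC DCOM connection (TCP/135) followed by the victim pulling the worm back over TFTP (UDP/69), and Sobig.F's own SMTP engine, which makes an ordinary workstation talk to many mail servers on TCP/25 instead of handing mail to the site relay. It also names the file Sobig.F drops (winppr32.exe) and says it adds Run entries for it. The Python below is an added example written for this thread, not code from Panda or from either poster. The flow-log format, the 60-second and 10-minute windows, the 5-destination threshold, the relay address 10.1.1.5 and the sample registry listing are all assumptions constructed for the demonstration; the addresses are made up.

```python
"""Detection heuristics for the Nachi.A and Sobig.F behaviour described in
Panda's 22 August 2003 report. Sample data, log format and thresholds are
constructed for this example (assumptions, not real captures)."""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    ts: datetime
    proto: str
    src: str
    dst: str
    dport: int


# Constructed firewall/flow log. Assumed format: "<ISO timestamp> <proto> <src> <dst> <dport>".
# Lines 1-4: 10.1.1.50 hits two peers on TCP/135 and each peer fetches from it over UDP/69.
# Line 5: a lone RPC connection with no TFTP follow-up (should not be flagged).
# 10.1.1.20 opens TCP/25 to six different servers in seconds; 10.1.1.5 is the sanctioned relay.
SAMPLE_FLOWS = """\
2003-08-22T10:00:01 TCP 10.1.1.50 10.1.1.77 135
2003-08-22T10:00:03 UDP 10.1.1.77 10.1.1.50 69
2003-08-22T10:00:10 TCP 10.1.1.50 10.1.1.78 135
2003-08-22T10:00:12 UDP 10.1.1.78 10.1.1.50 69
2003-08-22T10:00:30 TCP 10.1.1.90 10.1.1.91 135
2003-08-22T10:05:00 TCP 10.1.1.20 192.0.2.10 25
2003-08-22T10:05:01 TCP 10.1.1.20 192.0.2.11 25
2003-08-22T10:05:02 TCP 10.1.1.20 192.0.2.12 25
2003-08-22T10:05:03 TCP 10.1.1.20 192.0.2.13 25
2003-08-22T10:05:04 TCP 10.1.1.20 192.0.2.14 25
2003-08-22T10:05:05 TCP 10.1.1.20 192.0.2.15 25
2003-08-22T10:06:00 TCP 10.1.1.5 192.0.2.10 25
2003-08-22T10:06:01 TCP 10.1.1.5 192.0.2.11 25
2003-08-22T10:06:02 TCP 10.1.1.5 192.0.2.12 25
2003-08-22T10:06:03 TCP 10.1.1.5 192.0.2.13 25
2003-08-22T10:06:04 TCP 10.1.1.5 192.0.2.14 25
2003-08-22T10:06:05 TCP 10.1.1.5 192.0.2.15 25
2003-08-22T10:07:00 TCP 10.1.1.30 10.1.1.5 25
"""

# Assumed site mail relay; every other LAN host is expected to send mail through it.
MAIL_RELAYS = {"10.1.1.5"}


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed log format into Flow records sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), proto.upper(), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def detect_nachi_pattern(flows: List[Flow], window: timedelta = timedelta(seconds=60)) -> Set[str]:
    """Return hosts that connected to a peer on TCP/135 and were then contacted
    back by that peer on UDP/69 within `window`: the attacking side of the
    RPC DCOM exploit + TFTP download sequence the report describes for Nachi.A."""
    rpc_hits = defaultdict(list)  # (attacker, victim) -> timestamps of TCP/135 connections
    for f in flows:
        if f.proto == "TCP" and f.dport == 135:
            rpc_hits[(f.src, f.dst)].append(f.ts)
    suspects = set()
    for f in flows:
        if f.proto == "UDP" and f.dport == 69:
            # The TFTP client (f.src) is the victim downloading from the worm's server (f.dst).
            for t in rpc_hits.get((f.dst, f.src), []):
                if t <= f.ts <= t + window:
                    suspects.add(f.dst)
                    break
    return suspects


def detect_sobig_pattern(flows: List[Flow], threshold: int = 5,
                         window: timedelta = timedelta(minutes=10),
                         relays: Set[str] = MAIL_RELAYS) -> Dict[str, int]:
    """Return {host: distinct SMTP destinations} for non-relay hosts that opened
    TCP/25 to at least `threshold` distinct servers inside any `window`, the
    signature of a workstation running its own SMTP engine as Sobig.F does."""
    per_host = defaultdict(list)  # host -> [(ts, dst)]
    for f in flows:
        if f.proto == "TCP" and f.dport == 25 and f.src not in relays:
            per_host[f.src].append((f.ts, f.dst))
    flagged: Dict[str, int] = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({d for _, d in events[start:end + 1]})
            if distinct >= threshold:
                flagged[host] = max(flagged.get(host, 0), distinct)
    return flagged


# Constructed listing in the style of a Run-key query; value names are made up.
SAMPLE_RUN_KEY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    TrayHelper    REG_SZ    C:\\WINDOWS\\system32\\winppr32.exe
    Updater       REG_SZ    C:\\Program Files\\Vendor\\update.exe
"""


def find_sobig_persistence(reg_text: str, filename: str = "winppr32.exe") -> List[str]:
    """Return Run-key lines whose command references the file name the report
    gives for Sobig.F's copy of itself (case-insensitive match)."""
    return [line.strip() for line in reg_text.splitlines() if filename.lower() in line.lower()]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Nachi.A-style RPC+TFTP sources:", detect_nachi_pattern(flows))
    print("Hosts running their own SMTP engine:", detect_sobig_pattern(flows))
    print("Run-key entries naming winppr32.exe:", find_sobig_persistence(SAMPLE_RUN_KEY))
```

On the sample data only 10.1.1.50 matches the RPC-then-TFTP sequence (10.1.1.90's single TCP/135 connection has no TFTP follow-up), and only 10.1.1.20 is flagged for direct-to-MX mail, because the relay is allowlisted and 10.1.1.30 talks to a single server. The relay allowlist matters: without it the legitimate mail server is the host with the most TCP/25 peers and would dominate the alerts.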


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

Of course, all the vendors have these worms covered, but here are the Panda references:

Nachi.A - »www.pandasoftware.com/virus_info···us=40404
Tech Details: »www.pandasoftware.com/virus_info···us=40404
Alias: W32/Nachi.Worm, W32.Welchia.Worm, Worm_MSBLAST.D

Sobig.F - »www.pandasoftware.com/virus_info···us=40408
Tech Details: »www.pandasoftware.com/virus_info···us=40408
Alias: W32/Sobig.F@mm, Win32.HLLM.Reteras, Win32/Sobig.F.Worm, I-Worm.Sobig.f

Panol.B - »www.pandasoftware.com/virus_info···us=40429
Tech Details: »www.pandasoftware.com/virus_info···us=40429
Alias: {none listed}

Caraga - only mentioned in the Weekly Report at this time {no Search hits at the Virus Encyclopedia}.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
over 10 years online! © 1999-2009 dslreports.com.