Virus Notice
Virus Alert : WORM_RBOT.CBQ 2005-08-18
Virus Name : WORM_RBOT.CBQ
Virus type: Worm

Destructive: No
Risk rating : Medium
Damage Potential: High
Distribution Potential :High

Description:
This memory-resident worm drops a copy of itself in the Windows system folder as the file WINTBP.EXE.

Solution:
1. Apply the Microsoft patch from Security Bulletin MS05-039 (http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx).
2. Download http://www.cyberctm.com/virus/lpt.zip
3. Download http://www.cyberctm.com/virus/sysclean.com
4. Unzip the pattern file into the same folder as sysclean.com, then run sysclean.com to scan your PC.


Virus Alert : WORM_BAGLE.AH 2004-07-20
Virus Name : WORM_BAGLE.AH
Virus type: worm
Destructive: No
Risk rating : Medium
Damage Potential: High
Distribution Potential :High

Description:

This mass-mailing, memory-resident worm propagates via email using a built-in mailing engine that uses the Simple Mail Transfer Protocol (SMTP).

This worm also propagates via network shares. However, it does not deliberately search for all available shared folders. Instead, it searches for local folders with names that contain the character string "shar". It assumes that these folders are shared and drops a copy of itself into them.

It uses attractive file names for its copies so that other users who have access to the folders are enticed into obtaining the files. This propagation technique usually works on systems running peer-to-peer file-sharing applications such as Kazaa.

This worm is also a backdoor. It opens TCP port 1080 and random UDP ports to allow remote communication via these ports. This backdoor capability allows unauthorized users to access and manipulate infected systems.

It has another trait common to BAGLE variants: a predefined self-termination date. If the system date is May 5, 2006, it stops running and deletes the registry entries it created to start automatically with Windows.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:
1. Download http://www.cyberctm.com/virus/lpt.zip
2. Download http://www.cyberctm.com/virus/sysclean.com
3. Unzip the pattern file into the same folder as sysclean.com, then run sysclean.com to scan your PC.


Virus Alert : PE_ZAFI.B 2004-06-14
Virus Name : PE_ZAFI.B
Virus type: File Infector
Destructive: Yes
Risk rating : Low
Damage Potential: High
Distribution Potential :High

Description:
Upon execution, this memory-resident worm drops copies of itself in the Windows system folder as follows:
.exe
.dll
It adds a registry entry to ensure its automatic execution at every system startup.

This worm propagates via email. It harvests email addresses from files with certain extensions.

The malware drops copies of itself in folders that contain the following strings in their name:
share
upload
It uses the following filenames for its dropped copies:

winamp 7.0 full_install.exe
Total Commander 7.0 full_install.exe
The malware also attempts to overwrite .EXE files found in certain folders with a copy of itself.

It opens a random link previously visited by the user.

This file infector runs on Windows 95, 98, ME, NT, 2000 and XP.

Solution:
1. Download http://www.trendmicro.com/ftp/products/pattern/lpt915.zip
2. Download http://www.cyberctm.com/virus/sysclean.com
3. Unzip the pattern file into the same folder as sysclean.com, then run sysclean.com to scan your PC. Alternatively, download sysclean from Trend Micro (http://www.trend.com.tw) and scan your PC with it.


Virus Alert - WORM_SASSER.C 2004-05-03
Virus Name : WORM_SASSER.C
Virus type: Worm
Destructive: No
Risk rating : High
Damage Potential: High
Distribution Potential :High

This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

Microsoft Security Bulletin MS04-011 (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)
To propagate, it scans the network for vulnerable systems. When it finds a vulnerable system, this malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.

It runs on Windows NT, 2000 and XP.

Note that TrendLabs is working to provide a more in-depth analysis of this malware. Refer to the Technical Details section for more information about this malware.

In addition, on an affected system Internet Explorer cannot browse any web page and email cannot be received.

Solution:
1. Download http://www.trendmicro.com/ftp/products/pattern/lpt883.zip
2. Download http://www.cyberctm.com/virus/sysclean.com
3. Unzip the pattern file into the same folder as sysclean.com, then run sysclean.com to scan your PC. Alternatively, download sysclean from Trend Micro (http://www.trend.com.tw) and scan your PC with it.


Virus Alert - PE_BAGLE.Q 2004-03-23
Virus Name : PE_BAGLE.Q
Virus type: Worm
Destructive: No
Risk rating : High
Damage Potential: High
Distribution Potential :High

As of 1:08 AM March 18, 2004 (Pacific Standard Time), TrendLabs HQ declared a Yellow alert to control the spread of this malware. Like recent BAGLE variants (http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=bagle&alt=bagle), this virus also infects files. One of its more distinctive features, however, is that it uses a known vulnerability in Internet Explorer to propagate.

It spreads via email by sending a message that exploits the Object Tag vulnerability in Popup Window (MS03-040). This vulnerability allows a malicious user to run arbitrary code on the user's system. The email message this BAGLE variant sends does not have a file attachment; instead it contains a link to a virus copy. Once the virus email is viewed, the code in the message body attempts to download PE_BAGLE.Q from a certain location.

More information about the vulnerability is available from the following Microsoft page:
http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx
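A mail-gateway check for the delivery mechanism described above (an HTML body that fetches remote content through an <object> element as soon as the message is viewed, with no attachment to scan) is shown below. This is an added example, not code from this notice or from Trend Micro's analysis, and it is a generic heuristic rather than a signature for PE_BAGLE.Q: it flags any text/html part whose <object> data/codebase attribute or <param> child references a remote URL. The sample messages, their addresses and the URL are constructed, and the set of <param> names treated as resource pointers is an assumption.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes that make the client fetch something from outside the message.
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}
# <param> names commonly used to hand an <object> a resource URL (assumption).
PARAM_NAMES = {"src", "url", "data", "movie", "filename"}


class ObjectTagScanner(HTMLParser):
    """Records every <object> whose data/codebase attribute, or a <param>
    child, points at a remote resource the client would load on view."""

    def __init__(self):
        super().__init__()
        self.findings = []        # list of (where, url)
        self._object_depth = 0    # >0 while inside an <object> element

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._object_depth += 1
            for key in ("data", "codebase"):
                self._note("object@" + key, attrs.get(key))
        elif tag == "param" and self._object_depth:
            name = attrs.get("name", "").lower()
            if name in PARAM_NAMES:
                self._note("object/param@" + name, attrs.get("value"))

    def handle_endtag(self, tag):
        if tag == "object" and self._object_depth:
            self._object_depth -= 1

    def _note(self, where, url):
        url = (url or "").strip()
        # cid: (inline part) and relative references are not remote fetches.
        if urlsplit(url).scheme.lower() in REMOTE_SCHEMES:
            self.findings.append((where, url))


def scan_html(body):
    """Return (where, url) for every remote-referencing <object> in `body`."""
    scanner = ObjectTagScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def scan_message(raw):
    """Parse an RFC 822 message and scan each text/html part. An empty list
    means no <object> in the message pulls content from a remote location."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample messages (not real BAGLE.Q mail): one whose HTML part
# auto-loads a remote object, one that only embeds an inline image and a link.
SAMPLE_MAIL = """\
From: someone@example.invalid
To: user@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

hello
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>hello</p>
<object data="http://example.invalid/update.php" type="text/html"></object>
</body></html>
--b1--
"""

BENIGN_MAIL = """\
From: someone@example.invalid
To: user@example.invalid
Subject: newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><object data="cid:logo@example.invalid"></object>
<a href="http://example.invalid/news">read more</a></body></html>
"""

if __name__ == "__main__":
    print("suspicious:", scan_message(SAMPLE_MAIL))
    print("benign    :", scan_message(BENIGN_MAIL))
```

A hit is a reason to quarantine or strip the HTML part rather than deliver it: the user never has to click anything, so a plain link (as in the benign sample) is a different, lower-risk case and is deliberately not flagged.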

As revealed by the virus code, this file infector may also use another routine for spreading (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q&VSect=T#EMAIL2), but that technique did not manifest during testing.

This virus also attempts to spread via peer-to-peer or file-sharing networks by dropping several virus copies using varying file names (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q&Vsect=T#copies) in folders that have the text string "shar" in their names (e.g., C:\Program Files\Kazaa\My Shared Folder).

This virus also has backdoor capabilities. It opens port 2556 and other randomly-generated ports, where it waits for commands from a malicious user.

It terminates certain processes (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q&Vsect=T#processes), most of which are related to antivirus and firewall applications.

It runs on Windows 98, ME, NT, 2000 and XP.
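The host-side indicators quoted in the RBOT.CBQ, BAGLE.AH, ZAFI.B and BAGLE.Q alerts above (copies dropped into folders whose names contain "shar" or "upload", the ZAFI.B and RBOT.CBQ file names, a Run-key entry for autostart, and backdoor ports 1080 and 2556) can be turned into a triage script. The following Python is an added example, not code from this notice or from Trend Micro: it walks a directory tree, inspects an exported Run key and parses Windows `netstat -an` output. The directory tree, the Run-key entries and the netstat lines it runs against are constructed samples; the Run-key value name "Windows Update" is hypothetical, and since the page does not say whether port 2556 is TCP or UDP, both are checked.

```python
import ntpath
import os
import re
import shutil
import tempfile

# Indicators quoted from the alerts on this page. "share" contains "shar",
# so one marker covers BAGLE.AH/BAGLE.Q and ZAFI.B; "upload" is ZAFI.B's.
SHARE_MARKERS = ("shar", "upload")
DROPPED_NAMES = {                       # ZAFI.B copies and RBOT.CBQ's WINTBP.EXE
    "winamp 7.0 full_install.exe",
    "total commander 7.0 full_install.exe",
    "wintbp.exe",
}
BACKDOOR_PORTS = {1080, 2556}            # BAGLE.AH (TCP) and BAGLE.Q (protocol not stated)

# Windows `netstat -an` row: proto, local addr:port, foreign addr, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$", re.I)


def find_suspect_shared_files(root):
    """Walk `root`; inside any folder whose name contains a share marker,
    return known dropped names plus any executable a P2P peer could be
    enticed to fetch. Returned paths are sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        if not any(marker in folder for marker in SHARE_MARKERS):
            continue
        for name in files:
            lower = name.lower()
            if lower in DROPPED_NAMES or lower.endswith((".exe", ".scr", ".pif", ".com")):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_run_key_suspects(run_entries):
    """`run_entries` maps a Run-key value name to its command line (as exported
    from HKLM/HKCU ...\\CurrentVersion\\Run). Returns {value: executable} where
    the executable is a known dropped-copy name. Unquoted paths with spaces
    are truncated at the first space, which is acceptable for a triage lead."""
    suspects = {}
    for value, command in run_entries.items():
        first = command.strip().strip('"').split('"')[0].split(" ")[0]
        exe = ntpath.basename(first).lower()
        if exe in DROPPED_NAMES:
            suspects[value] = exe
    return suspects


def find_backdoor_sockets(netstat_output):
    """Parse `netstat -an` output and return (proto, port, state) for sockets
    on a backdoor port: any UDP binding, and TCP sockets that are listening or
    have a live connection (TIME_WAIT on a colliding ephemeral port is noise)."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).upper(), int(m.group(2)), (m.group(3) or "").upper()
        if port in BACKDOOR_PORTS and (proto == "UDP" or state in ("LISTENING", "ESTABLISHED")):
            found.append((proto, port, state or "-"))
    return found


# Constructed sample data for a dry run; not captured from a real infection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.0.2:2556       10.0.0.9:4321          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Windows Update": r'"C:\WINDOWS\system32\wintbp.exe"',   # hypothetical value name
}


def build_sample_tree():
    """Create a throwaway tree mimicking a Kazaa share; remove it afterwards."""
    root = tempfile.mkdtemp(prefix="virusnotice_")
    share = os.path.join(root, "Program Files", "Kazaa", "My Shared Folder")
    docs = os.path.join(root, "My Documents")
    os.makedirs(share)
    os.makedirs(docs)
    for name in ("winamp 7.0 full_install.exe", "song.mp3"):
        open(os.path.join(share, name), "wb").close()
    open(os.path.join(docs, "setup.exe"), "wb").close()   # not in a share folder: ignored
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print("shared-folder drops:", find_suspect_shared_files(root))
    finally:
        remove_sample_tree(root)
    print("Run-key suspects   :", find_run_key_suspects(SAMPLE_RUN))
    print("backdoor sockets   :", find_backdoor_sockets(SAMPLE_NETSTAT))
```

On a real system, point find_suspect_shared_files at the drive root, feed find_run_key_suspects the output of a Run-key export, and pipe `netstat -an` into find_backdoor_sockets; each result is a lead to confirm with the pattern-file scan in the Solution steps, not a verdict on its own.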

Copyright © 2005 CTM. All rights reserved.