Weekly report on viruses and intrusions
Apr 19, 2004 Comments (0)
Bugbear.C installs a keylogger-type Trojan on the infected computer, stealing information from the machine and sending it to the virus author. It also ends processes belonging to security programs, including antivirus solutions for home users and corporate networks, and prevents them from running, which leaves the infected PCs vulnerable to attacks from other malware.
The next worms we are reporting on are Netsky.T and Netsky.S, two very similar variants of Netsky, which share the following characteristics:
* They spread via e-mail in a message written in English with variable subject and text lines. This message always includes an attached file with a PIF extension.
* Attempt to launch DoS (Denial of Service) attacks against several web pages, between April 14th and 23rd inclusive.
* Create a mutex called SyncMutex_USUkUyUnUeUtU in order to ensure that only a copy of the worm is run simultaneously.
We finish with Sober.F, a worm that spreads via e-mail in a message written in English or German, depending on the extension of the recipient's mail address domain. This malicious code searches for e-mail addresses in files with several specific extensions, and sends itself out to those addresses using its own SMTP engine.
For further information about these and other computer threats, visit Panda Software's Virus Encyclopaedia at: http://www.pandasoftware.co.uk/
* SMTP (Simple Mail Transfer Protocol): This is a protocol used on the Internet exclusively for sending e-mail messages.
* Mutex (Mutual Exclusion Object): This is a technique used by some viruses to control access to resources (programs or even other viruses) and prevent more than one process from simultaneously accessing the same resource.
About Panda Software's Virus Laboratory
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.