Weekly report on viruses and intrusions

Send to friend

This week's report on viruses and intrusions will deal with the worms Bobax.A, Bobax.B, Bobax.C, Kibuv.A and Lovgate.AF, as well as with the Trojan Ldpinch.W.

 

The three variants of the worm Bobax (A,B and C) are very similar, the only difference between them being the size of its infections code. The main feature of this new family is that, such as Sasser, they exploit the Windows LSASS vulnerability in order to spread. By doing so, they search the web for computers that contain the already mentioned vulnerability. If successful, Bobax sends instructions to the affected computer to download and run a copy of the worm. When these worms exploit the LSASS vulnerability, they launch a buffer overrun that restarts the computer.

 

Although the LSASS vulnerability only affects Windows XP/2000 operating systems, Bobax and all its variants can also affect other Windows platforms. In this second case, Bobax worms cannot spread to these computers automatically: they need users to execute a file containing a copy of themselves in order to carry out their infections.

 

Once they have been executed, the Bobax worms open several TCP ports, thus allowing hackers to use the affected computers as SMTP mail servers. By doing so, computers can be turned into 'zombies' for sending spam.

 

Kibuv.A is another imitator of Sasser, and their effects are very similar. It also exploits the LSASS vulnerability in order to spread, thus restarting the computer. Like the Bobax worms, Kibuv.A affects all the Windows operating systems, but it only spreads automatically to Windows XP/2000 computers.

 

Lovgate.AF is a worm with backdoor characteristics that uses several techniques to spread, such as e-mail messages, the peer-to-peer (P2P) file sharing program KaZaA, shared network resources, etc.

 

Once it has reached a computer, Lovgate.AF opens a port and sends an e-mail message to a remote user, in order to notify that the computer has been affected and it is accessible through the port opened.

 

Finally, the Trojan Ldpinch.W. has been sent massively by hackers in an e-mail message with the subject 'Important news about our soldiers in IRAQ!!!'. The message contains a text on the conflict in Iraq, and includes a link to a web page with information on that issue. This e-mail message contains the compressed attached file IMPORTANT INFORMATION.ZIP which, at the same time, contains the file IMPORTANT INFORMATION.SCR. When the user runs this file, Ldpinch.W will be installed on the computer.

 

Ldpinch.W steals confidential information on the affected computer and then sends it out to a specific e-mail address. By doing so, the virus author can use this data with malicious intent.

 

For further information about these and other computer threats, visit

Panda Software's Virus Encyclopedia at:

<http://www.pandasoftware.com/virus_info/encyclopedia/>

 

Additional information

 

- Vulnerabilities: Flaws or security holes in a program or IT system, and often used by viruses as a means of infection.

 

- Backdoor Trojan: this is a program that enters the computer and creates a backdoor through which it is possible to control the affected system without the user realizing.

 

More definitions at:

<http://www.pandasoftware.com/virus_info/glossary/default.aspx>

 

About PandaLabs

 

On receiving a possibly infected file, Panda Software's technical

staff get straight down to work. The file is analysed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.

Comments (0)

Add a Comment

This thread has been closed from taking new comments.