This week's report will focus on two worms, Noomy.A and Bagle.BB, and a Trojan called HardFull.A.
Noomy.A spreads via email and IRC. To spread via email, it sends itself to all the addresses it finds in files with a .dbx, .htm, .html or .php extension, except those that contain certain strings. To spread across IRC, Noomy.A installs its own HTTP server and sends messages to several hard-coded IRC channels, including links that try to persuade users to connect to the HTTP server on the affected computer. When a user follows one of these links, a web page opens from which copies of the worm can be downloaded.
The propagation and payload of Noomy.A vary depending on the date it is run and the type of Internet connection used. The actions that this worm can carry out on affected computers include the following:
- End the processes belonging to security tools, such as antivirus and firewall applications, leaving the computer vulnerable to attack from other malware.
- Launch Denial of Service attacks by pinging several websites, including Microsoft's website.
- Connect to a website in order to send information about the compromised computer, such as the system date and time, whether MSWINSCK.OCX is used and the SMTP server and user name that Outlook uses.
When it is run, Noomy.A displays an error message on screen, making it easy to know if it has infected the computer.
The second worm in today's report is Bagle.BB, which spreads via email in a message with variable characteristics, and through P2P (peer-to-peer) file sharing programs.
Bagle.BB opens TCP port 81 and listens for a remote connection. Through this connection the worm allows remote access to the affected computer, which would let a remote user carry out actions that could compromise the confidentiality of user data or interfere with the tasks being carried out on it.
Bagle.BB ends the processes belonging to security tools, such as antivirus applications, leaving the computer vulnerable to attack from other malware. Bagle.BB also deletes the entries created by several variants of the Netsky worm in the Windows Registry, preventing them from being run when the computer starts up.
We are going to finish this report with HardFull.A, a Trojan that does not spread automatically using its own means, but requires intervention from the attacker. The means of transmission it uses include floppy disks, CD-ROMs, email messages with attached files, Internet downloads, etc.
HardFull.A creates a file that fills itself with the text Win32.Delf.du_Ful, growing until it uses up all the available hard drive space and causing the computer to slow down or even lock up. This Trojan also disables the Windows Registry editing tools, and the Run and Find options in the Start menu.
For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
Payload: The effects of a virus.
Windows Registry: This is a file that stores all configuration and installation information of programs installed, including information about the Windows operating system.
More definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and quickly distributed to users.