Weekly report on viruses and intruders

This week's virus report looks at three vulnerabilities, two Trojans (WmvDownloader.A and WmvDownloader.B), and two worms (Lasco.A and Gaobot.CKP).

We start this report by looking at three security problems for which Microsoft has published the corresponding patches this week.

- A vulnerability in Windows HTML Help that could allow attackers to take control of a computer with the same privileges as the user who started the session. It can be exploited through a specially crafted web page and affects computers running Windows 2003/XP/2000/NT/Me/98.

- A security problem in the Windows icon and cursor format. An attacker could exploit it to take control of a vulnerable computer by hosting a specially crafted icon or cursor on a malicious web page or in an HTML email. It affects computers running Windows 2003/XP/2000/NT/Me/98.

- A vulnerability in the Index Server service that allows remote code execution and privilege escalation. It affects computers running Windows XP (without Service Pack 2) and Windows 2003.

WmvDownloader.A and WmvDownloader.B are two Trojans that spread across P2P networks in the form of video files with the extension ".wmv".

In order to spread, WmvDownloader.A and WmvDownloader.B abuse Windows Media Digital Rights Management (DRM), a technology that requires a valid license before a protected Windows Media file can be played. When a user opens a video file infected with WmvDownloader.A or WmvDownloader.B, the Trojan pretends to download the corresponding license from certain web pages. What it really does is redirect the user to other addresses from which malicious applications such as adware, dialers or spyware are downloaded.
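The license-acquisition step described above is driven by a URL stored in the media file itself. As an added example (not code from the original report or from PandaLabs), the following Python extracts the License URL from the Content Encryption Object of an ASF/WMV header, so a defender can see where a "license download" would actually send the user before the file is played; the object layout and GUIDs follow the ASF specification, while the sample file, host names and trusted-host list are constructed for the demonstration.

```python
import struct
import uuid
from urllib.parse import urlparse

# Object GUIDs from the ASF specification; the file stores them in little-endian mixed form.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")


def asf_license_urls(data: bytes) -> list[str]:
    """Return the License URL of every Content Encryption Object in the ASF header."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF/WMV file")
    header_size, n_objects = struct.unpack_from("<QI", data, 16)
    pos, end, urls = 30, min(header_size, len(data)), []
    for _ in range(n_objects):
        if pos + 24 > end:
            break
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:  # truncated or corrupt object: stop parsing
            break
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT:
            body, off, fields = data[pos + 24:pos + size], 0, []
            try:
                # Four length-prefixed fields: Secret Data, Protection Type, Key ID, License URL.
                for _ in range(4):
                    (length,) = struct.unpack_from("<I", body, off)
                    fields.append(body[off + 4:off + 4 + length])
                    off += 4 + length
                urls.append(fields[3].rstrip(b"\x00").decode("ascii", "replace"))
            except struct.error:
                pass  # malformed object: skip it rather than crash the scanner
        pos += size
    return urls


def suspicious_license_urls(data: bytes, trusted_hosts: set[str]) -> list[str]:
    """License URLs whose host is not on the (constructed) allow list of known license servers."""
    return [u for u in asf_license_urls(data) if urlparse(u).hostname not in trusted_hosts]


def _lv(field: bytes) -> bytes:
    return struct.pack("<I", len(field)) + field


def build_sample(license_url: str) -> bytes:
    """Constructed minimal ASF header with one Content Encryption Object (test input only)."""
    body = _lv(b"\x00" * 4) + _lv(b"DRM\x00") + _lv(b"KEY-0001\x00") + _lv(license_url.encode() + b"\x00")
    obj = ASF_CONTENT_ENCRYPTION_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Run `suspicious_license_urls(open(path, "rb").read(), {"licenses.vendor.example"})` on a downloaded file to list any license URL that points somewhere other than the expected license server.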

The first worm we'll look at today is Lasco.A, which spreads to cell phones running the Symbian operating system. Although it initially targeted Nokia 60 series phones, it can also affect other devices running the same software.

Lasco.A uses the following means of propagation:

1.- Via Bluetooth (a technology that allows wireless connections between devices over short distances).

When executed, Lasco.A searches for other devices reachable over Bluetooth and, if it finds any, sends them a copy of itself in a file called VELASCO.SIS. When the device it has sent the file to moves out of Bluetooth range, Lasco.A searches for other devices to infect.

2.- By inserting its code into all SIS files on the affected device. When these files are distributed and run on new devices, those devices are infected by Lasco.A.

Lasco.A needs user intervention in order to spread: the recipient is shown a message announcing that a file has been received, and if the user accepts it, the worm installs itself on the device.

We end today's report with Gaobot.CKP, a worm that spreads by copying itself to shared network resources and by exploiting the LSASS, RPC DCOM and WebDAV vulnerabilities. It can also enter computers running SQL Server whose System Administrator account has a blank password, and computers running DameWare Mini Remote Control. Finally, Gaobot.CKP also accesses computers already affected by the following malware: Bagle.A, Mydoom.A, Optix, NetDevil, Kuang and SubSeven.

Gaobot.CKP lets attackers take remote control of the computers it affects, allowing them to execute commands, download and run files, log keystrokes and carry out Distributed Denial of Service (DDoS) attacks.

About PandaLabs

On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and quickly distributed to users.
For more information: http://www.pandasoftware.com/virus_info/
