Weekly report on viruses and intrusions

This report deals with seven worms -four variants of Mydoom (T, U, V and W), Mywife.D, Mywife.C and Sdbot.AQA- and two adware programs called Neededware and WUpd.

Mydoom.T, Mydoom.U, Mydoom.V and Mydoom.W spread in emails with variable characteristics. The T variant also uses the KazaA P2P program to propagate, making copies of itself with enticing names in the applications shared folder.

The U, V and W variants of Mydoom connect to several websites, from which they try to download a file -a Backdoor Trojan-, and install it on the computer. Mydoom.T opens the Notepad application and displays garbled text.

The next worms well look at in this report are Mywife.D and Mywife.C, which also spread via email in a message with variable characteristics. Both of these viruses also share the following features:

- Some seconds after they are run they block the computer, as they consume all available processor time.

- They delete the files belonging to several antivirus programs, if they are installed in the same directories as the ones specified in the worms code. They also delete entries in the Windows Registry belonging to these antivirus programs, so these applications will not be run automatically the next time Windows is started. They also attempt to search and end the processes belonging to antivirus and computer security programs. This would leave the affected computer vulnerable to attacks from other malware.

- They also delete the entries belonging to other worms, such as Mydoom.A, Mimail.T and several variants of Bagle.

- They open Windows Media Player.

The last worm in this report is Sdbot.AQA, which spreads across computer networks. It does this by checking if the PC it has infected is connected to a network. If that is the case, it attempts to access and copy itself to shared resources, by trying typical or simple passwords.

Sdbot.AQA allows hackers to gain remote access to the affected computer in order to carry out actions that compromise user confidentiality or prevent the computer from working properly. Sdbot.AQA uses its own IRC client in order to join an IRC channel and accept remote control commands, such as launching Denial of Service (DoS) attacks against websites. It can also download and run files on the affected computer.

Todays report ends with Neededware and WUpd, two adware programs that allow programs to be downloaded and run without users consent. It is easy to tell whether these programs are on your computer, as they display advertising messages. WUpd also monitors users Internet activity, and uses the results to determine which adverts are displayed.

For further information about these and other computer threats, visitPanda Software's Virus Encyclopedia.
Additional information
* Backdoor Trojan: This is a program that enters the computer and creates a backdoor through which it is possible to control the affected system without the user realizing.

* Denial of service (DoS): This is a type of attack, sometimes caused by viruses, that prevents users from accessing certain services (in the operating system, web servers etc.).

More definitions at:

About Panda Software's virus laboratory
On receiving a possibly infected file, Panda Software's technical staff gets straight down to work. The file is analysed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.

Comments (0)

Add a Comment

This thread has been closed from taking new comments.

Editorial: +44 (0)1892 536363
Publisher: +44 (0)208 440 0372
Subscribe FREE to the weekly E-newsletter