Name: wawadave
Worm Spreads Via File-Sharing Networks
September 10, 2003
W32/Blaxe-A is a worm that spreads via file sharing on P2P networks. When first run W32/Blaxe-A copies itself to the Windows folder as BearShare.exe and WinBat.exe and creates the following registry entries so that BearShare.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\BearShare
= %WINDOWS%BearShare.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BearShare
= %WINDOWS%\BearShare.exe
W32/Blaxe-A adds the pathname of WinBat.exe to the following registry entry so that WinBat.exe is run each time an MS-DOS batch file is run or opened:
HKLM\Software\CLASSES\batfile\shell\open\command
W32/Blaxe-A creates a sub-folder of the Windows folder named \Kernell\, with the Hidden attribute set, and copies itself to this folder using a variety of file names. View them and other information at this Sophos page.
Antivirus software vendor McAfee recognizes the worm as W32/Blaxe.worm, and says it spreads by peer-to-peer networking like Kazaa/Grokster. The readme.exe has a deceiving WinZip icon. When the file gets executed, it runs silently; no GUI message boxes appear. It may drop a temporary work file into the root of the system called c:\windll32.dll (filesize 6 bytes, content "done"). A copy of the worm is installed into the %windows% directory, for example on a Win2K system under:
c:\winnt\Internet Explorer.exe - filesize 46945 bytes.
It makes registry entries to launch itself at startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\Currentversion\RunServices
with value "Internet Explorer" and calling c:\winnt\Internet Explorer.exe.
More information is at this McAfee page.
W97M/Adenu Disables Macro Protection in Word
The virus contains one module, AdeNU2002. It will disable the macro protection warning in Word and set the security level to low for Word2K. Tools/Macro, Tools/Customize, Tools/Templates and Add-ins, and Tools/Macro/Visual Basic Editor are also disabled.
The file GbcHS4664.VBS is created in the windows SYSTEM folder which carries an encrypted copy of W97M/Adenu. This file is detected as W97M/Adenu in DATs 4288 and higher. The virus will add the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "[Windows SYSTEM directory]/GbcHS4664.vbs"
On the 26th of June, the virus will overwrite the document contents with a message in Filipino.
Find out more at this McAfee page.
W97M/Rochitz Has No Malicious Payload
This virus will disable the macro protection warning for Word. It does not contain malicious payload and will display a message that can be viewed along with other information, at this McAfee page.
W32/Sankey Infects Select Files
The W32/Sankey family are encrypted, non-memory-resident PE file infectors. When run, the virus enumerates directories and infects files having a filename like "kaze*.exe" (examples: kaze01.exe, kazeta.exe). The virus only spreads on W95/W98 platforms and often corrupts the file it infects.
Infected files contain the text "Win9x.Sankei coded by kaze/FAT".
When an infected but not corrupted file is run, a message with the above text is displayed. An Internet Web address is also displayed that links to a French underground site. More information is at this McAfee page.
Gaobot.L Exploits RPC DCOM and WebDAV Vulnerabilities
This worm has backdoor characteristics and infects only Windows XP/2000/NT computers. Gaobot.L exploits the RPC DCOM and WebDAV vulnerabilities to spread to as many computers as possible.
Gaobot.L also spreads by attempting to copy itself to network shared resources. It gains access to these shared resources by using passwords that are typical or easy to guess. Once it is run, Gaobot.L connects to a specified IRC server through port 9900 and waits for control commands. As a backdoor, it allows an attacker to obtain information on the affected computer, run files, launch distributed denial of service (DDoS) attacks, upload files by FTP, etc. It also ends processes belonging to Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster.
If a computer has Windows XP/2000/NT, it is highly recommended to download the security patches for the RPC DCOM and WebDAV vulnerabilities from the Microsoft web site.
Technical details are at this Panda Software page.
W97M.Riosys Infects Closed Word Documents
This macro virus infects Microsoft Word documents and templates when they are closed. Technical details are at this Symantec page.
W32/Vote.k@MM Sends Out Fake War Message
This Visual Basic worm propagates via mailing itself to recipients in the Outlook Address book (using Outlook to construct and send messages).
It also propagates through the KaZaa peer-to-peer file-sharing network. The virus is likely to be received in an email bearing the following characteristics:
Subject: [Outlook recipient]. [*********] THE WAR HAS STARTED!
Where [Outlook recipient] is the email address found from the Outlook Address book.
Where ********* could be any of the following:
LET US UNITE
NOW OUR MISSION: DEATH ?
THE WORLD WAR THREE IS HERE !
REMEMBER OUR LOST SOULS !
WORLD WAR SCENES FROM IRAQ !
WORLD TRADE CENTER, REVENGE !
Message Body:
[Outlook recipient], THE WAR IS NOT A JOKE !... THERE IS ONE BUILDING UP RIGHT NOW Let's Unite In This Horrible Kaos. [Outlook recipient ], ... Fight For Us....!!! ...And Let Us Remember Those Lost Souls ! WE COUNT ON YOU ! [Outlook recipient ]
Greetings,
World War Veterans.
More details are at this McAfee page.
Antivirus software vendor Trend Micro recognizes this destructive worm as Worm_Vote.K, and says it propagates via email, Internet Relay Chat (IRC) and the KaZaA peer-to-peer file sharing network. It deletes several files in the system and replaces .exe files with a copy of itself.
It arrives as an attachment in an email message with the following details:
Subject: %Email address%. %s% THE WAR HAS STARTED!
Message:
%Email address%, THE WAR IS NOT A JOKE !... THERE IS ONE BUILDING UP RIGHT NOW
Let's Unite In This Horrible Kaos. %Email address%... Fight For Us....!!!
...And Let Us Remember Those Lost Souls ! WE COUNT ON YOU !
%Email address%
Greetings,
World War Veterans.
Attached File: WTC32.SCR and WTC32.DLL
Note: %Email address% is the email address of the recipient and %s% can be any of the following text strings:
NOW OUR MISSION: DEATH ?
THE WORLD WAR THREE IS HERE !
REMEMBER OUR LOST SOULS !
WORLD WAR SCENES FROM IRAQ !
WORLD TRADE CENTER, REVENGE !
Upon execution, it displays certain messages. View them and other information at this Trend Micro page.

Trojan Tries to Provide Unauthorized Computer Access
September 11, 2003
Troj/Backsm-A is a backdoor Trojan that, when executed, initiates a background process and attempts to connect to a remote IRC server and provide unauthorized access to the infected computer, according to Sophos, which issued an alert Thursday.
Troj/Backsm-A sets the following registry entry in an attempt to run the Trojan when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"winlogin"=\Winlogin.exe
Instructions for removing Trojans are at this Sophos page.
Trojan Drops DLL Into Windows Folder
Troj/Apdoor-A is a backdoor Trojan that drops a DLL with a random name into the Windows temporary folder and executes it.
The Trojan DLL attempts to inject itself into the Program Manager process, then copies itself and the Trojan EXE into the Windows system or temporary folder and sets the following registry entry or the corresponding HKCU entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ =
Troj/Apdoor-A monitors this registry entry and attempts to reset it if the entry is modified or removed.
Troj/Apdoor-A is typically distributed by a malicious script hosted on a web site. The script will drop a downloader EXE file and run it. The dropped EXE program drops a DLL into the Windows temporary folder with a random name and executes it. The dropped DLL attempts to inject itself into the Program Manager process, copies itself and its dropper EXE into the Windows system or temporary folder and sets an HKLM or HKCU registry key. View it and other information at this Sophos page.
Mass-Mailing Worm Deletes Files
W32.HLLW.Syney@mm is a mass-mailing worm that deletes Windows system files and spreads through Microsoft Outlook.
Technical details are at this Symantec page.
Macro Virus Infects Word Documents
W97M.Riosys is a macro virus that infects Microsoft Word documents and templates when they are closed.
Technical details are at this Symantec page.
Worm Spreads Via Email With 'Fraudulent' Subject Line
Mimail.B is a worm with Trojan characteristics that spreads via e-mail in a message with the subject 'Fraudulent escrow service' and the attached file INFO.ZIP.
Mimail.B exploits the following vulnerabilities:
Internet zone: Internet Explorer vulnerability. It allows a hacker to open an executable file already present in the affected computer.
MHTML: Outlook Express vulnerability. It allows hackers to send and run a file of their choice.
Due to its Trojan characteristics, Mimail.B logs keystrokes. More information is at this Panda Software page.
Worm/Sefex Copies Itself to Directory Upon Execution
Worm/Sefex is a memory-resident Internet worm that, if executed, will copy itself to the \windows\ directory under the filename "RESUEM.EXE" so that it gets run each time a user restarts the computer. When the computer is restarted, the following registry key gets added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"putil"="C:\\WINDOWS\\RESUEM.exe"
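As an added defender's check (not from this post or from any of the vendors it cites), the script below parses a constructed .reg-style export and flags the two persistence mechanisms the post describes: autostart values under Run/RunServices whose image name matches one the post lists (BearShare.exe, WinBat.exe, Internet Explorer.exe, Winlogin.exe, RESUEM.exe), and a batfile\shell\open\command handler that is no longer the Windows default. The sample export, the KNOWN_NAMES set and the default-handler string are assumptions made for the example.

```python
from collections import defaultdict

# Constructed .reg-style export (not taken from any real machine); the values mirror
# the persistence entries the post describes for Blaxe-A, Backsm-A and Sefex,
# plus one benign entry (ctfmon) that must not be flagged.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"BearShare"="C:\\WINDOWS\\BearShare.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"putil"="C:\\WINDOWS\\RESUEM.exe"
"winlogin"="\\Winlogin.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="C:\\WINDOWS\\WinBat.exe \"%1\" %*"
'''

AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")
# Assumed default .bat handler on Windows; any other value means the association was hijacked
BATFILE_DEFAULT = '"%1" %*'
# Image names the post attributes to these families (assumption: compared case-insensitively)
KNOWN_NAMES = {"bearshare.exe", "winbat.exe", "internet explorer.exe", "winlogin.exe", "resuem.exe"}

def parse_reg(text):
    """Return {key: {name: value}} from a .reg export; '@' is the key's default value."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line:
            name, _, val = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # undo .reg escaping: \\ -> \ and \" -> "
            keys[current][name] = val.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return keys

def suspicious_autostarts(keys):
    """Return (key, value_name, value) triples for autostart entries pointing at a
    known image name and for a non-default .bat handler (the WinBat.exe hijack)."""
    findings = []
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.endswith(AUTOSTART_SUFFIXES):
            for name, val in values.items():
                image = val.rsplit("\\", 1)[-1].lower()  # file name after the last backslash
                if image in KNOWN_NAMES:
                    findings.append((key, name, val))
        elif lowered.endswith("\\batfile\\shell\\open\\command"):
            if values.get("@", BATFILE_DEFAULT) != BATFILE_DEFAULT:
                findings.append((key, "@", values["@"]))
    return findings

if __name__ == "__main__":
    for key, name, val in suspicious_autostarts(parse_reg(SAMPLE_REG)):
        print(f"{key} :: {name} = {val}")
```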
