
virus alert!!


Name: wawadave
Date: July 17, 2003 at 07:55:40 Pacific
OS: IBI (i built it) win 3.1-
CPU/Ram: 1.3 gig amd /512 ram
Comment:

Panda Software reports the appearance of Gruel.B,
a new and extremely dangerous worm -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, July 16 2003 - Panda Software's Virus Laboratory has detected the
new Gruel.B (W32/Gruel.B) e-mail worm. This is a highly damaging worm with
actions including the removal of numerous key files from infected computers.

Gruel.B reaches computers in an e-mail which is easily recognized as the
subject includes the phrase: "Symantec: New Serious Virus Found", and the
message text: "Norton Security Response: has detected a new virus in the
Internet. For this reason we made this tool attachement, to protect your
computer from this serious virus. Due to the number of submissions received
from customers, Symantec Security Response has upgraded this threat to a
Category 5 (Maximum ).".

The attached file, which actually contains the malicious code, is called:
"Symantec_Norton_Tool.exe".

This worm can also spread via the KaZaA file sharing application. To do so,
Gruel.B copies itself as Windows XP KeyGen 2.5.exe to shared directories
used by the program.

If the file containing Gruel.B is run, a false Windows error message is
displayed, with the options "Send error" and "Send and close". If you click
on the latter Gruel.B sends itself to all contacts in the Address Book and
displays a new error screen, which will reappear every time users try to
close it.

If you click on "Send and close", the worm opens several Control Panel
windows as well as the CD-Rom tray and displays a message from the virus
author.

The worm also changes user passwords, hides the contents of the C: drive,
disables the task bar and deletes numerous system files such as
autoexec.bat, config.sys or command.com.

Gruel.B also generates a series of Windows Registry keys.

Due to the inherent dangers of this malicious code, Panda Software advises
users to treat all e-mails received with caution, and to update their
antivirus solutions immediately. The company has already made the updates
to its products available to users to ensure their solutions can detect and
eliminate Gruel.B. Those whose software is not configured to update
automatically, should update their solutions from
http://www.pandasoftware.com/.

For further information about these and other viruses, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/.

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the "cut" and "paste" options to join the pieces of the
URL.
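
The indicators listed in the alert above (the subject phrase and the attachment name), turned into a mail-gateway style check. This is an added example, not part of the original post or of Panda Software's alert; the extension list, function names and sample messages are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the alert above.
SUBJECT_PHRASE = "symantec: new serious virus found"
# The second name is the KaZaA copy name from the alert; matching it on mail
# attachments as well is an assumption of this example.
KNOWN_NAMES = {"symantec_norton_tool.exe", "windows xp keygen 2.5.exe"}
# Assumption: extensions a gateway treats as directly executable on Windows.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def check_message(raw):
    """Return the list of reasons a raw e-mail message matches the alert."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "")
    if SUBJECT_PHRASE in subject.lower():
        reasons.append("subject matches alert phrase")
    # iter_attachments() skips the text body and yields nothing for
    # non-multipart messages, so plain mail produces no attachment hits.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in KNOWN_NAMES:
            reasons.append("attachment name from alert: " + name)
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable attachment: " + name)
    return reasons


def build_sample(subject, filename=None):
    """Constructed test message; the attachment bytes are harmless filler."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"not a real program", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [build_sample("Symantec: New Serious Virus Found",
                            "Symantec_Norton_Tool.exe"),
               build_sample("Meeting notes")]
    for raw in samples:
        print(check_message(raw) or "no match")
```

Matching on the attachment's executable extension catches renamed variants that a check on the exact name or subject would miss.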





Response Number 1
Name: wawadave
Date: July 17, 2003 at 11:06:21 Pacific
Reply:

W32/Israz-A - An e-mail worm that spreads via its own SMTP
engine. The worm also spreads via Kazaa. E-mail messages
containing the virus look like support information from
legitimate companies such as Yahoo or Microsoft. No word on any
permanent damage caused. (Sophos)

App/ViewMov-A - Is not really a virus but a service offered by a
company sending out links to comics. The applet does have a EULA
that a user must agree to. (Sophos)

W32/Mofei-B - Another worm that attempts to exploit weak and
non-existent passwords on the network shares ADMIN$ and IPC$.
The virus comes with a backdoor component as well that could
allow an intruder access to the infected machine. (Sophos)

Troj/Migmaf-A - A Trojan horse that allows an external user to
view objectionable Web sites via the infected machine. The
infected machine is a reverse proxy in this case. (Sophos)

IRC.Sx2 - This Trojan horse is delivered by a variety of means
and can be exploited to control the infected computer remotely.
(Panda Software)

Graps - Another virus that attempts to connect to the common
network share ADMIN$ via weak or non-existent passwords. A
Trojan included with the virus allows an attacker access to the
data on the infected machine. (Panda Software)

Ronoper.B - A virus spreading via e-mail and IRC channels, this
virus shuts down all antivirus related processes on the infected
machine. (Panda Software)



Response Number 2
Name: wawadave
Date: July 17, 2003 at 17:23:42 Pacific
Reply:

esecurityplanet : Alerts



Worm Uses Same Icon as Norton Antivirus
July 17, 2003
A mass-mailing worm that uses Microsoft Outlook to spread attempts to disguise itself with the same icon as Norton AntiVirus.

W32.Jantic.F@mm is written in Microsoft Visual Basic. Technical details are at this Norton page.

Trojan Steals Passwords, Delivers Them to Hacker

Backdoor.Berbew is a Backdoor Trojan Horse that is downloaded from the Internet by Trojan.Download.Berbew. The Backdoor Trojan steals passwords and delivers them in the form of URL requests to the Web site of the Trojan's creator. Port numbers 7714 and 8546 may be opened for listening (the port numbers may vary). Technical details are at this Norton page.

Klys Spread via IRC Chat program

Klys is a worm that spreads via the chat program IRC and across shared network drives. Klys is also a dropper virus, as it copies a file belonging to the worm Cult in the affected computer. In addition, Klys acts as a Trojan, as it opens IRC ports. A hacker could use these ports to gain remote access to the resources of the affected computer.

If the affected computer is connected to a network, Klys unshares most shared resources, admin$ and print$ among others, so the applications that need these resources will stop working.

Read more about the effects of Klys at this Panda Software page.



Response Number 3
Name: wawadave
Date: July 17, 2003 at 19:25:01 Pacific
Reply:

New worm poses as Microsoft patch



By Paul Roberts
IDG News Service, 07/16/03

Antivirus company TruSecure is warning users about a new e-mail worm that is beginning to spread on the Internet and over the Kazaa peer-to-peer network.

The new worm, dubbed "Gruel" is a mass-mailing worm that masquerades as a Windows software patch from Microsoft and as a virus removal tool from Symantec, according to an alert from TruSecure.


Like other mass mailing worms, Gruel spreads by stealing e-mail addresses from an infected computer's Microsoft Outlook address book and mailing copies of itself to those addresses, the company said.

The worm deletes files from machines it infects and copies itself into various locations, including folders used by the Kazaa file-sharing network, enabling it to spread on that network as well, TruSecure said.

TruSecure received word of five infections and fielded around 20 calls from users who have received e-mail messages containing the virus, according to Bruce Hughes, content security lab manager at TruSecure.

While the number of infections is still low, Gruel has a number of characteristics that have allowed other worms to successfully spread in recent months, Hughes said.

In addition to its clever use of so-called "social engineering" tricks such as using the names of Microsoft and Symantec to fool recipients, the coupling of mass mailing techniques and features to spread over peer-to-peer networks makes Gruel more dangerous, Hughes said.

Unlike other worms, however, Gruel does not spread over shared folders on local area networks, he said.

While most organizations have antivirus software that will block or quarantine the executable attachment containing the Gruel virus, home users without such protections will likely bear the brunt of the new worm, Hughes said.

In the coming hours and days, infections on those home systems may bombard corporate mail gateways with infected messages as well, Hughes said.

The company currently has the new worm on "watch," he said.

The IDG News Service is a Network World affiliate.


