Virus Alert: Several Variants of Gruel Worm Reported
July 18, 2003
W32/Gruel-B is a mass mailing worm very similar to W32/Gruel-A. But this variant arrives in an email with different characteristics:
Subject: Microsoft Windows Critical Update
Message Text:
Critical Update: The Microsoft Windows updates found on this patch include fixes to following Windows operating systems: Any update that is critical to the operation of your computer is considered a Critical Update, and is automatically selected for installation during the scan for available updates. This patch is provided to help resolve known issues, and to protect your computer from known security vulnerabilities and all kinds of viruses. Whether a patch applies to your operating system, software programs, or hardware, it is listed in the Critical Updates category, like this patch attached. For Support please contact us at support@microsoft.com
(Safety tip: remember that Microsoft never sends out security updates as email attachments.)
W32/Gruel-C is a mass mailing worm very similar to W32/Gruel-A.
W32/Gruel-C uses the same subject line and message text as the -A variant.
W32/Gruel-D is a mass mailing worm very similar to W32/Gruel-A that arrives in an email with the following characteristics:
Subject line: Microsoft Windows Critical Update
Message Text:
Critical Update: The Microsoft Windows updates found on this patch include fixes to following Windows operating systems: Any update that is critical to the operation of your computer is considered a Critical Update, and is automatically selected for installation during the scan for available updates. This patch is provided to help resolve known issues, and to protect your computer from known security vulnerabilities and all kinds of viruses. Whether a patch applies to your operating system, software programs, or hardware, it is listed in the Critical Updates category, like this patch attached. For Support please contact us at support@microsoft.com
Attached File: Rundll32.exe
Find out what happens when the D variant is executed at this Sophos page.
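The Gruel-B and Gruel-D descriptions above give a mail gateway everything it needs for a simple detection rule: the fixed subject line, the Rundll32.exe attachment, and the safety tip that Microsoft never ships updates as attachments. The following is an added example (not code from the original alert or from any vendor); the sample messages it parses are constructed here, not real captures.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the Gruel-B / Gruel-D description above.
GRUEL_SUBJECT = "microsoft windows critical update"
GRUEL_ATTACHMENT = "rundll32.exe"
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat")

def executable_attachments(msg):
    """Return filenames of attachments that carry an executable extension."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names

def gruel_indicators(raw):
    """Return the names of the rules that match a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    sender = (msg.get("From") or "").lower()
    exes = executable_attachments(msg)
    if subject == GRUEL_SUBJECT:
        hits.append("gruel_subject")
    if any(n.lower() == GRUEL_ATTACHMENT for n in exes):
        hits.append("gruel_attachment")
    # Safety-tip rule: Microsoft never sends updates as attachments, so a
    # claimed microsoft.com sender plus any executable is suspect on its own.
    if "@microsoft.com" in sender and exes:
        hits.append("fake_microsoft_update")
    return hits

def build_sample(subject, sender, attach_name):
    """Constructed test message (hypothetical, not a real Gruel capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Critical Update: this patch is attached.")
    if attach_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_string()

GRUEL_SAMPLE = build_sample("Microsoft Windows Critical Update",
                            "support@microsoft.com", "Rundll32.exe")
BENIGN_SAMPLE = build_sample("Lunch on Friday?", "alice@example.com", None)
```

Run `gruel_indicators(GRUEL_SAMPLE)` to see all three rules fire, and `gruel_indicators(BENIGN_SAMPLE)` to confirm an ordinary message passes clean.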
W32/Mapson-C Spreading
W32/Mapson-C is an internet worm which spreads via email, IRC and peer-to-peer networks. For more information, read the analysis of the A variant at this Sophos page.
Two-Component Trojan Continues to Wreak Havoc
Reports are continuing about the presence of Troj/Webber-A, also known as TrojanProxy.Win32.Webber.10, Backdoor.Berbew, BackDoor-AXJ, a backdoor Trojan with two components. The loader component downloads the main part from a Web address into the system folder and executes it.
The downloaded component is a password-stealing Trojan that attempts to extract sensitive information from several locations on the system and sends it to CGI scripts at another Web address. The downloaded component copies itself with a random name into the Windows system folder and drops and executes a DLL file (also with a random name) that runs the copy of the Trojan. In order to be started automatically, the Trojan creates certain registry entries. View them at this Sophos page.
Mass-Mailing Worm Written in VBS
W32.HLLW.Symten@mm is a mass-mailing Worm that distributes itself by a randomly generated email. The worm is written in Visual Basic. Technical details are at this Symantec page.
VBS Virus Infects HTML Files
VBS.Renegy changes the title field in the original file to "HTML.Replace Was Here." More information is at this Symantec page.
VBS Virus Displays Message
VBS.Dasbud.int is a Visual Basic Script (VBS) virus that infects HTML files and displays the message "PopUp Buddy was here..." More information is at this Symantec page.
Backdoor Trojan Targets Windows 2000/XP
Backdoor.Uzbet is a Trojan that runs as a proxy server under Windows 2000/XP. Find out more at this Symantec page.
Week in Review
This week's report focuses on four worms: Klys, Gruel.B, Lohack.B and Mofei.C. Klys spreads through IRC channels and across network shares. Although it is a worm, it also acts as a dropper, copying a file belonging to the Cult worm to the computers it infects, and as a Trojan, opening IRC ports that allow a hacker to gain remote access to the resources on the computer.
If Klys infects a computer that is connected to a network, it deletes the share from the majority of shared resources, and as a result, applications that need these resources will stop working.
Gruel.B spreads via e-mail and the P2P (peer-to-peer) file sharing program KaZaA. The most outstanding characteristic of this worm is its payload, as it deletes a large number of Windows files which are essential to its functioning correctly. Gruel.B also carries out other actions, such as opening windows in the Control Panel, disabling the Taskbar, hiding the C: drive and displaying messages on screen.
The third worm of the week is Lohack.B, which spreads via e-mail, KaZaA and shared network drives. This worm tries to trick users into thinking the message has been sent by a trustworthy organization (such as the Spanish Ministry of Science and Technology or Panda Software).
Lohack.B activates when the message carrying the worm is viewed through the Preview Pane in Outlook. It does this by exploiting the Exploit/iFrame vulnerability detected in versions 5.01 and 5.5 of Microsoft Internet Explorer. However, if the corresponding patch has been applied to the browser, Lohack.B cannot automatically run itself.
The final report of the week is Mofei.C, which spreads via e-mail and across shared network drives. This worm also acts as a backdoor type Trojan, allowing a hacker to gain remote access to the computer in order to obtain information. Similarly, it also allows an attacker to carry out a series of actions such as changing the password and deleting files and directories. When Mofei.C goes memory resident, it tries to connect to different web pages through ports 8080 and 1080.
For more information about these and other viruses, visit Panda Software's Virus Encyclopedia at www.pandasoftware.com.