
virus alert!!!!!


Name: wawadave
Date: September 5, 2003 at 12:54:27 Pacific
OS: IBI (i built it) win 3.1-
CPU/Ram: 1.3 gig amd /512 ram
Comment:

Macro Drops Trojan to Launch Attacks
September 5, 2003


OF97/ExeDrop-B is a macro that drops and runs Troj/Graybird-A, a backdoor Trojan, so that, once it is run, the computer becomes vulnerable to unauthorized-access attacks.

OF97/ExeDrop-B requires a double-byte version of Office 2000 (or above) and is received by being spammed with an Access Database named SEP 2003 POM.mdb. Instructions for removing Trojans are at this Sophos page.

Macro Virus Infects Word Documents

W97M.Plonky is a Microsoft Word macro virus that spreads by infecting Microsoft Word documents and the Normal.dot global template. It disables access to the Control Toolbox toolbar and prevents you from editing Visual Basic code.

Technical details are at this Symantec page.

Week in Review

This week's report focuses on Blaster.F, Mapson.D, Darby.A, Apdoor.B, Daol.A and Surfbar.

Blaster.F, which only infects Windows 2003/XP/2000/NT computers, is a worm that exploits the 'Buffer Overrun in RPC Interface' vulnerability to spread to as many computers as possible. In this particular case, this worm exploits the vulnerability in order to download a copy of itself to the computer it infects. In order to do so, Blaster.F incorporates its own TFTP server (Trivial File Transfer Protocol).

Indications that Blaster.F has infected a computer are increased network traffic on TCP ports 135 and 4444 and UDP port 69, and the computer freezing and restarting.

Mapson.D is a dangerous worm that spreads via e-mail, through peer-to-peer (P2P) file sharing programs, and via IRC channels. It ends many processes belonging to Windows, such as system tools as well as antivirus and firewall programs. By doing this, the worm leaves the infected computer vulnerable to attack from other viruses and worms.

On Windows NT computers, Mapson.D starts a Telnet session with the user GEDZAC, which is given local administrator rights by the worm. This allows Mapson.D to validate the IP addresses received.

The third malicious code in today's report is Darby.A, a virus that shares characteristics with worms and, like Mapson.D, spreads via e-mail, through peer-to-peer (P2P) file sharing programs and via IRC. It also ends processes belonging to several antivirus programs and other applications, such as firewalls and system monitoring tools.

Darby.A infects Word's global template (NORMAL.DOT file) and Excel's template (TEMPLATE.XLS file). All the Word documents and Excel spreadsheets based on these templates will then be infected. In addition, Darby.A disables the macro editing tools incorporated in these programs.

Apdoor.B is a backdoor that allows hackers to gain remote access to the affected computer. In order to do so, it connects to an IRC server and joins a predefined channel. Once it is connected, a hacker can remotely access the computer in order to launch denial of service (DoS) attacks against other computers.

Daol.A is a virus that exploits the 'Internet zone' and 'MHTML' vulnerabilities in order to enter a PC and run itself. This malicious code infects files with EXE, SCR, ASP, PLG, HTM, HTML, VBS and VBE extensions. When the infected file has an ASP, PLG, HTM, HTML, VBS or VBE extension, Daol.A encodes the original content of the file.

Finally, Surfbar exploits the 'Internet Explorer Object Data Remote Execution' vulnerability to reach the computer and then create directories with different links to web pages, most of them with pornographic content. In addition, Surfbar changes the home page of the Internet Explorer browser.

For further information about these and other viruses, visit Panda Software's Virus Encyclopedia here.





Response Number 1
Name: wawadave
Date: September 5, 2003 at 20:49:13 Pacific
Reply:

- Weekly virus report -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, September 5, 2003 - This week's report focuses on Blaster.F,
Mapson.D, Darby.A, Apdoor.B, Daol.A and Surfbar.

Blaster.F, which only infects Windows 2003/XP/2000/NT computers, is a worm
that exploits the 'Buffer Overrun in RPC Interface' vulnerability to spread
to as many computers as possible. In this particular case, this worm
exploits the vulnerability in order to download a copy of itself to the
computer it infects. In order to do so, Blaster.F incorporates its own TFTP
server (Trivial File Transfer Protocol).

Indications that Blaster.F has infected a computer are increased network
traffic on TCP ports 135 and 4444 and UDP port 69, and the computer freezing
and restarting.

Mapson.D is a dangerous worm that spreads via e-mail, through peer-to-peer
(P2P) file sharing programs, and via IRC channels. It ends many processes
belonging to Windows, such as system tools as well as antivirus and firewall
programs. By doing this, the worm leaves the infected computer vulnerable to
attack from other viruses and worms.

On Windows NT computers, Mapson.D starts a Telnet session with the user
GEDZAC, which is given local administrator rights by the worm. This allows
Mapson.D to validate the IP addresses received.

The third malicious code in today's report is Darby.A, a virus that
shares characteristics with worms and, like Mapson.D, spreads via e-mail,
through peer-to-peer file sharing (P2P) programs and via IRC. It also ends
processes belonging to several antivirus programs and other applications,
such as firewalls and system monitoring tools.

Darby.A infects Word's global template (NORMAL.DOT file) and Excel's
template (TEMPLATE.XLS file). All the Word documents and Excel spreadsheets
based on these templates will then be infected. In addition, Darby.A
disables the macro editing tools incorporated in these programs.

Apdoor.B is a backdoor that allows hackers to gain remote access to the
affected computer. In order to do so, it connects to an IRC server and joins
a predefined channel. Once it is connected, a hacker can remotely access the
computer in order to launch denial of service (DoS) attacks against other
computers.

Daol.A is a virus that exploits the 'Internet zone' and 'MHTML'
vulnerabilities in order to enter a PC and run itself. This malicious code
infects files with EXE, SCR, ASP, PLG, HTM, HTML, VBS and VBE extensions.
When the infected file has an ASP, PLG, HTM, HTML, VBS or VBE extension,
Daol.A encodes the original content of the file.

We finish today's report with a description of Surfbar, which exploits the
'Internet Explorer Object Data Remote Execution' vulnerability to reach the
computer and then create directories with different links to web pages, most
of them with pornographic content. In addition, Surfbar changes the home
page of the Internet Explorer browser.

For further information about these and other viruses, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information:

- Backdoor: This is an entry point, through either hardware or software,
that can give access to a computer and could be used to take partial or
complete control of the system.

- Firewall: This is a barrier that can protect information in a system or
network when there is a connection to another network, for example, the
Internet.

- Port / Communication port: Point through which a computer transfers
information (inbound / outbound) via TCP/IP.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

--
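The two posts above list the same three network indicators for Blaster.F (TCP 135, TCP 4444, UDP 69) without saying how to turn them into a check. The script below is an added example, not part of the Panda report or of wawadave's posts: it parses a small set of constructed flow records and flags hosts that show the Blaster-style chain. The flow format, the threshold of ten RPC targets and all addresses are assumptions made for the example; the direction of the flows (the infecting host connects to TCP 135 and then TCP 4444 on the victim, and the victim pulls the worm back over UDP 69 from the infecting host's TFTP server) follows the public descriptions of the Blaster family rather than anything stated in the posts.

```python
"""Flag Blaster.F-style activity in flow records (added example, not from the report).

Pattern looked for, per the public Blaster write-ups:
  1. one source touches many hosts on TCP/135 (RPC endpoint mapper scan);
  2. the same source connects to TCP/4444 on a target (shell opened by the exploit);
  3. the target connects back to the source on UDP/69 (TFTP fetch of the worm body).
All sample addresses and the record format are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69
SCAN_THRESHOLD = 10  # assumed: distinct TCP/135 targets from one source before we call it a scan

# Assumed record layout: "<timestamp> <src> <dst> <tcp|udp> <dst_port>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>tcp|udp)\s+(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text: str) -> list:
    """Parse one flow record per line; blank lines and '#' comments are skipped."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised flow record: {line!r}")
        flows.append(Flow(m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"])))
    return flows


def analyse(flows: list) -> dict:
    """Return hosts scanning TCP/135 and (attacker, victim) pairs showing the full chain."""
    rpc_targets = defaultdict(set)  # src -> set of hosts it touched on tcp/135
    shell_pairs = set()             # (src, dst) seen on tcp/4444
    tftp_pairs = set()              # (src, dst) seen on udp/69
    for f in flows:
        if f.proto == "tcp" and f.dport == RPC_PORT:
            rpc_targets[f.src].add(f.dst)
        elif f.proto == "tcp" and f.dport == SHELL_PORT:
            shell_pairs.add((f.src, f.dst))
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            tftp_pairs.add((f.src, f.dst))

    scanners = sorted(s for s, targets in rpc_targets.items() if len(targets) >= SCAN_THRESHOLD)
    # Full chain: A->B tcp/135, A->B tcp/4444, then B->A udp/69 (victim fetches from A's TFTP server).
    infections = sorted(
        (a, b) for (a, b) in shell_pairs
        if b in rpc_targets.get(a, ()) and (b, a) in tftp_pairs
    )
    return {"scanners": scanners, "infections": infections}


# Constructed sample: 10.0.0.7 sweeps twelve hosts on 135, exploits 10.0.0.25, which pulls the worm back.
SAMPLE_FLOWS = "\n".join(
    [f"2003-09-05T10:00:{i:02d} 10.0.0.7 10.0.0.{20 + i} tcp 135" for i in range(1, 13)]
    + [
        "2003-09-05T10:00:14 10.0.0.7 10.0.0.25 tcp 4444",
        "2003-09-05T10:00:15 10.0.0.25 10.0.0.7 udp 69",
        "2003-09-05T10:00:16 10.0.0.50 10.0.0.1 tcp 135",    # one RPC call to a server: normal, not a scan
        "2003-09-05T10:00:17 10.0.0.50 10.0.0.2 tcp 80",
        "2003-09-05T10:00:18 10.0.0.60 10.0.0.61 tcp 4444",  # 4444 alone, no 135 scan or TFTP: not flagged
    ]
)

if __name__ == "__main__":
    result = analyse(parse_flows(SAMPLE_FLOWS))
    for host in result["scanners"]:
        print(f"TCP/135 scanner: {host}")
    for attacker, victim in result["infections"]:
        print(f"Blaster-style infection: {attacker} -> {victim} (shell on 4444, TFTP back on udp/69)")
```

Requiring all three legs before reporting an infection keeps a single legitimate RPC call, or an unrelated service on port 4444, from being flagged; the scanner list alone is the early warning, because a freshly infected host starts its own 135 sweep before any second-stage traffic appears.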