Name: wawadave
Today's roundup of virus alerts:
Troj/Backsm-A - A backdoor Trojan horse program that connects to a third-party IRC server to give an attacker access to the affected machine. (Sophos)

Mimail.B - Another Trojan horse. This one spreads via e-mail entitled "Fraudulent escrow service" with an attachment called "INFO.ZIP". The virus logs keystrokes on the infected machine. (Panda Software)

Gaobot.L - Another backdoor program that spreads similarly to Blaster by exploiting the RPC DCOM vulnerability in Windows. The virus uses port 9900 to connect to an IRC server and waits for commands. (Panda Software)

Vote.K - An e-mail virus that attempts to overwrite a number of popular file types on the infected machine. (Panda Software)

Use Trojan Remover to erase all of them automatically... easy to use and excellent results guaranteed:
Trojan Remover at:
http://www.simplysup.com/tremover/details.html

New Blaster Variant in the Wild
September 16, 2003
Panda Software Tuesday issued an alert for Blaster.G, a worm that infects only Windows 2003/XP/2000/NT computers. Blaster.G exploits the Buffer Overrun in RPC Interface vulnerability to spread to as many computers as possible.

Blaster.G launches denial of service (DoS) attacks against the windowsupdate.com website. Whenever the system date is between the days 15 and 31 of every month, or every day during the months September through December of every year, Blaster.G sends a 40 byte packet every 20 milliseconds, using TCP port 80.
Blaster.G spreads by attacking IP addresses generated at random and exploits the vulnerability mentioned above to download a copy of itself to the compromised computer. In order to do this, Blaster.G incorporates its own TFTP (Trivial File Transfer Protocol) server.
If a computer has Windows 2003/XP/2000/NT, Sophos highly recommends the downloading of a security patch from the Microsoft web site. Click here to access the web page for downloading the patch.
For information about visible symptoms and other details, visit this Panda Software page.
Worm Sends Email Containing 'Support Message' Subject Line
Reksa.A is a worm without destructive effects that spreads via e-mail in a message with the subject Support Message and the attachment MSNUPDATE.exe. Once it is run, Reksa.A displays a message on screen. View what the message looks like and other information at this Panda Software page.
Worm Spreads Through File-Sharing Program
Backterra.A is a worm without destructive effects that spreads through the peer-to-peer (P2P) file sharing program eDonkey2000.
Backterra.A tricks the user into thinking that it is a key generator for computer applications and games. For more information, visit this Panda Software page.
Batch File Worm Spreads Through File-Sharing Networks
BAT.Deav.Worm is a batch file worm that spreads using the KaZaA and iMesh file-sharing networks. This worm also deletes files from the system. Technical details are at this Symantec page.
Macro Virus Drops VBS Script
WM97/Simuleek-C is a macro virus that drops a VBS script detected by Sophos Anti-Virus as VBS/Simuleek-C. VBS/Simuleek-C is added to the WIN.INI so that the script runs on startup. The virus has the ability to re-infect the Word environment.
WM97/Simuleek-C may attempt to replace occurrences of the word "Ranuya" with the word "John". More information is at this Sophos page.
Worm Targets Network Shares with Weak Passwords
W32/Sluter-B, also known as W32.Randex.F, is a worm that propagates over network shares with weak passwords. The worm copies itself to the Windows system folder as netd32.exe and sets the following registry entries so as to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Network Daemon for Win32 = netd32.exe
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Network Daemon for Win32 = netd32.exe
Additionally, W32/Sluter-B acts as an IRC based backdoor Trojan, allowing a remote intruder unlimited access to the affected machine. Instructions for removing worms are at this Sophos page.
Trojan Exploits IE Vulnerability
Troj/JSurf-B arrives via an HTML email exploiting a vulnerability reportedly fixed in the Cumulative Patch of Internet Explorer (MS03-032).
The email contains an Object Data tag that runs a VBS script on a remote site. The script drops an EXE in the C:\ drive as SFBAR.exe. This component of Troj/JSurf-B connects to a remote website, downloads a DLL to C:\Program Files\win32.dll and then runs regsvr32.exe to register it on the system.
The Trojan relies upon a vulnerability in Microsoft's software. Microsoft issued a patch in August 2003 that reportedly fixes the problem. The patch can be found here.

Exploit Code Arises for Latest Windows Flaws
September 16, 2003
Adding more fuel to the fears that another Windows worm is on the horizon, security experts said Tuesday afternoon that they have seen working exploit code in the wild for the latest pair of vulnerabilities in the Windows RPC DCOM interface.
The discovery of the code, which can be used to attack the two buffer overrun flaws in the interface, comes just two days after someone posted to a security mailing list exploit code for a denial-of-service weakness in the same interface. The RPC DCOM problems are particularly troubling and potentially dangerous because they affect nearly every current version of Windows, including the new Windows Server 2003.
A previously discovered buffer overrun in the interface was exploited by the Blaster worm that tore through the Internet in August.

The newly released exploit code gives attackers the ability to get privileged access to vulnerable machines and also allows for the creation of a new account with a preset password. The exploit tool also gives attackers the option of targeting specifically configured machines, i.e., Windows 2000 Service Pack 3 or machines that have the patch for the original RPC DCOM flaw installed but not the fix for the more recent vulnerabilities, according to an analysis by iDefense Inc., based in Reston, Va.
Ken Dunham, malicious code manager at iDefense, said he expects to see widespread compromise of vulnerable PCs in the next few days and also anticipates the release of a worm based on this code. The exploit code has been posted to at least one well-known cracker Web site.
"We've seen it, we've brought it into the lab and it works. We haven't seen any infections yet, but it's only a matter of time before it gets going in the wild," said Bruce Schneier, CTO and founder of Counterpane Internet Security Inc., in Cupertino, Calif., a managed security monitoring provider. "When [a new worm] hits, it's likely to be a fast-spreader. Someone could just take the old Blaster code, rip out the old infection mechanism, drop this one in, and you're done."
The new code exploits two buffer overruns in the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) interface in Windows. Specifically, the problems lie in the portion of the service that handles RPC messages for the activation of the DCOM. Microsoft Corp. released a patch for the flaws last week.
At the time the vulnerabilities were disclosed, many security experts said the flaws were ripe for a worm attack, given the widespread usage of Windows and the nearly identical nature of the problems to the flaw that Blaster attacks.
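The W32/Sluter-B entry above is the kind of persistence that is worth checking for by hand, since the worm registers itself under a Microsoft-sounding value name pointing at a bare executable in the system folder. The following is an added example for this thread, not code from the post or from any of the vendors it quotes: it parses a Regedit 5.00 export (.reg) of the autorun keys and flags values whose image is a bare file name resolved through the search path, plus any image name on a small watch list. The sample export is constructed; its netd32.exe values are copied from the registry entries quoted in the post, and the "Synchronization Manager" value is a hypothetical benign entry added for contrast. All function names and the key list are the example's own.

```python
"""Flag suspicious autorun values in an exported Windows registry file.

Added example for this thread, not code from the original post or from the
vendors it quotes. Input is a Regedit 5.00 export (.reg); the sample below is
constructed, with the netd32.exe values copied from the W32/Sluter-B entries
in the post and one hypothetical benign entry for contrast.
"""
import re

# Keys whose string values are executed at logon/startup.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Image names taken from the post; extend from your own intel feed.
KNOWN_BAD_IMAGES = {"netd32.exe"}

# Constructed sample export (what `reg export HKLM\...\Run run.reg` produces,
# minus the UTF-16 encoding). Backslashes and quotes inside data are escaped
# with a backslash, as Regedit writes them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Network Daemon for Win32"="netd32.exe"
"Synchronization Manager"="\"C:\\WINDOWS\\system32\\mobsync.exe\" /logon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Network Daemon for Win32"="netd32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example application"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo Regedit escaping: backslash-backslash to backslash, backslash-quote to quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}} for REG_SZ values; other types are skipped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ only
                entries[current][name] = _unescape(data[1:-1])
    return entries


def image_name(command):
    """Extract the executable from an autorun command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_suspicious_autoruns(text):
    """Return (key, value_name, image, reasons) for autorun values worth a look."""
    findings = []
    autorun = {k.lower() for k in AUTORUN_KEYS}
    for key, values in parse_reg(text).items():
        if key.lower() not in autorun:
            continue
        for name, command in values.items():
            image = image_name(command)
            reasons = []
            if "\\" not in image:
                # A bare name is resolved through the search path; legitimate
                # autoruns almost always carry a full path. Sluter-B does this.
                reasons.append("bare image name, resolved via search path")
            if image.lower().rsplit("\\", 1)[-1] in KNOWN_BAD_IMAGES:
                reasons.append("image name matches known worm dropper")
            if reasons:
                findings.append((key, name, image, reasons))
    return findings


if __name__ == "__main__":
    for key, name, image, reasons in find_suspicious_autoruns(SAMPLE_REG):
        short_key = key.rsplit("\\", 1)[-1]
        print(f"{short_key}: '{name}' -> {image}: {'; '.join(reasons)}")
```

On a live machine, produce the input with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for RunServices); note that reg.exe writes the file as UTF-16, so open it with `encoding="utf-16"` before handing the text to `find_suspicious_autoruns`. The RunServices key is only honoured by Windows 9x/Me; on the NT family the Run value alone does the work, but worms write both to cover either platform, so the same value name appearing under both keys is itself a useful tell.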

wavedance - why don't you just put a link to the original site? The ORIGINAL article at http://www.eweek.com/article2/0,4149,1270462,00.asp is much more readable than your cut and paste job.

wawadave, the cut/pastes are great.
Speaking of cutting and pasting: "Whenever the system date is between the days 15 and 31 of every month, or every day during the months September through December of every year"
-way too much time on their hands. I guess someone had to play cut-and-paste code for blaster.g.

