
virus alert!!

Original Message
Name: wawadave
Date: September 29, 2003 at 09:00:39 Pacific
Subject: virus alert!!
OS: IBI (i built it) win 3.1-
CPU/Ram: 1.3 gig amd /512 ram
Comment:

Weekly virus report -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, September 26, 2003 - Today's report on malicious code focuses on
three worms: Gaobot.M (with backdoor characteristics), Opaserv.Y and
Colevo.A.

Gaobot.M infects Windows XP/2000/NT computers and it exploits the RPC DCOM
and WebDAV vulnerabilities to spread to as many computers as possible.
Gaobot.M also spreads by attempting to copy itself to network shared
resources. It gains access to these shared resources by using passwords that
are typical or easy to guess. Once it is run, Gaobot.M connects to a
specified IRC server through the port 6667 and waits for control commands.

As a backdoor, Gaobot.M lets malicious users obtain information on the
affected computer, run files, launch Distributed Denial of Service (DDoS)
attacks, upload files by FTP, etc. In addition, this worm ends processes
belonging to antivirus programs, firewalls and system monitoring tools. This
leaves the affected computer vulnerable to the attack of other viruses or
worms. It also ends the processes of Nachi.A, Autorooter.A, Sobig.F and
several variants of Blaster.

One indication that Gaobot.M has reached the computer is that the network
traffic increases on the ports 135 and 445, as the worm attempts to exploit
the 'RPC DCOM' vulnerability.

Opaserv.Y spreads to other computers by attacking IP addresses, in which it
tries to make copies of itself to the existing shared network drives. It
attempts to access these shared drives -through port 137- by exploiting the
'Share Level Password' vulnerability in Windows Me/98/95.

Opaserv.Y creates the file 'SPEEDY.SCR', which is a copy of the worm, and
the files 'PODRE!!', 'BANDA!', 'VACAS!' and 'VAGABU!'. These files contain
information on scanned and affected computers, and are encrypted with
Crypto-Algorythm.

We finish this report with Colevo.A that spreads via e-mail and sends itself
out to all the contacts in MSN Messenger's Contact list. In order to do so,
Colevo.A incorporates its own SMTP engine. Similarly, Colevo.A opens the
communication port 2536, and allows hackers to remotely control the affected
computer. It opens the Internet Explorer browser and randomly accesses
several web pages that contain pictures of the Bolivian leader Evo Morales.

For further information about these and other viruses, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Encryption / Self-encryption: This is a technique used by some viruses to
disguise themselves and therefore avoid detection by antivirus applications.


- DoS / Denial of Service: This is a type of attack, sometimes caused by
viruses, that prevents users from accessing certain services (in the
operating system, web servers etc.).

- SMTP (Simple Mail Transfer Protocol): This is a protocol used on the
Internet exclusively for sending e-mail messages.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

--


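The Panda report above gives network-level indicators for all three worms: many connections to TCP 135/445 (Gaobot.M exploiting RPC DCOM), probes to port 137 (Opaserv.Y looking for share-level password shares) and a session to an IRC server on 6667 (Gaobot.M's control channel). The script below is an added example, not part of the original post or of Panda's report; it runs those indicators over a few constructed firewall log lines in an assumed `time src -> dst:port/proto action` format and reports hosts that look like an infected scanner.

```python
"""Flag hosts whose outbound connection pattern matches the worm indicators in
the report: many distinct targets on TCP 135/445 (RPC DCOM scanning), many
targets on 137 (NetBIOS share probing) or any session to TCP 6667 (IRC)."""
import re
from collections import defaultdict

# Assumed log format for this example; adapt the regex to your firewall.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<action>\w+)$"
)

RPC_PORTS = {135, 445}      # RPC DCOM / SMB, used by Gaobot.M to spread
NETBIOS_PORTS = {137}       # NetBIOS name service, used by Opaserv.Y
IRC_PORTS = {6667}          # Gaobot.M control channel

# Constructed sample log lines (not captured traffic): 10.0.0.5 behaves like a
# Gaobot-infected host, 10.0.0.9 is ordinary client traffic.
SAMPLE_LOG_LINES = (
    [f"09:00:{i:02d} 10.0.0.5 -> 10.0.0.{20 + i}:445/tcp allow" for i in range(6)]
    + [f"09:00:{6 + i:02d} 10.0.0.5 -> 10.0.0.{40 + i}:135/tcp allow" for i in range(6)]
    + [
        "09:00:13 10.0.0.5 -> 203.0.113.9:6667/tcp allow",
        "09:00:14 10.0.0.9 -> 10.0.0.20:445/tcp allow",
        "09:00:15 10.0.0.9 -> 10.0.0.30:80/tcp allow",
        "09:00:16 10.0.0.9 -> 198.51.100.7:443/tcp allow",
        "malformed line that the parser must skip",
    ]
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m["time"], "src": m["src"], "dst": m["dst"],
        "port": int(m["port"]), "proto": m["proto"], "action": m["action"],
    }


def analyze(lines, scan_threshold=10):
    """Return {src_ip: [indicator, ...]} for hosts with at least one hit.

    scan_threshold is the number of distinct destinations on the scanned
    ports above which a host is treated as scanning rather than using them
    normally (a file server client talks to a handful of peers, a worm to
    every address it can reach)."""
    rpc_targets = defaultdict(set)
    nb_targets = defaultdict(set)
    irc_peers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] in RPC_PORTS and rec["proto"] == "tcp":
            rpc_targets[rec["src"]].add(rec["dst"])
        elif rec["port"] in NETBIOS_PORTS:
            nb_targets[rec["src"]].add(rec["dst"])
        elif rec["port"] in IRC_PORTS and rec["proto"] == "tcp":
            irc_peers[rec["src"]].add(rec["dst"])

    findings = {}
    for src in sorted(set(rpc_targets) | set(nb_targets) | set(irc_peers)):
        hits = []
        if len(rpc_targets[src]) >= scan_threshold:
            hits.append("rpc_scan")
        if len(nb_targets[src]) >= scan_threshold:
            hits.append("netbios_scan")
        if irc_peers[src]:
            hits.append("irc_c2")
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_LOG_LINES).items():
        print(f"{host}: {', '.join(hits)}")
```

The threshold matters: a single connection to port 445 is normal Windows file sharing, so the check counts distinct destinations rather than packets. The IRC indicator fires on a single connection because an ordinary workstation on a corporate network rarely has a reason to reach 6667, which is why the report singles it out.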
Response Number 1
Name: wawadave
Date: September 30, 2003 at 10:09:36 Pacific
Subject: virus alert!!

Today's roundup of virus alerts:

W32/Dumaru-E - Another worm that spreads under the guise of a
Microsoft-issued patch. Like previous variants, the infected
message looks like it's from "security@microsoft.com"
with a subject line of "Use this patch immediately !" and an
attachment called "patch.exe." The virus attempts to disrupt
security applications on the infected machine and opens port
2283 and 10000 for backdoor access. (Sophos)

Opaserv.Y - A virus that spreads via port 137 and attempts to
exploit a "share level password" vulnerability in Windows 95, 98
and ME. (Panda Software)

Colevo.A - This virus spreads to everyone listed in an MSN
Messenger contact list. It uses its own SMTP engine to send
infected messages and opens port 2536 to allow an attacker
access to the infected machine. (Panda Software)

W32/Randex-G - Another network worm that spreads via IRC
channels and can provide an attacker with remote access to the
infected machine. (Sophos)


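The Dumaru-E description above is a complete mail-filter signature: a sender posing as security@microsoft.com, an urgent "patch" subject and an executable attachment named patch.exe. The code below is an added example, not from the post or from Sophos; it parses two constructed messages with Python's standard `email` module and shows how a gateway can decide on that pattern without a per-variant signature. The vendor domain list and the extension list are assumptions for the example.

```python
"""Mail-gateway heuristic for the fake-vendor-patch pattern (Dumaru-E style):
a message claiming to come from a vendor, with an executable attachment."""
import email
import os
from email.utils import parseaddr

# Attachment types Windows runs directly when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Vendors that do not distribute patches as mail attachments (assumed list;
# Microsoft's stated policy is to publish patches for download only).
VENDOR_DOMAINS = {"microsoft.com"}
PATCH_WORDS = ("patch", "update", "hotfix", "security")

# Constructed sample messages for this example (not real captured mail).
FAKE_PATCH_MAIL = """\
From: "Microsoft" <security@microsoft.com>
To: user@example.com
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear friend, use this Internet Explorer patch now!
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

BENIGN_MAIL = """\
From: Colleague <colleague@example.com>
To: user@example.com
Subject: Minutes from today's meeting
Content-Type: text/plain

Attached below in plain text as agreed.
"""


def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def assess(raw_message):
    """Return {'verdict': ..., 'reasons': [...]} for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    subject = (msg.get("Subject") or "").lower()

    reasons = []
    executables = [
        name for name in attachment_names(msg)
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS
    ]
    for name in executables:
        reasons.append(f"executable_attachment:{name}")
    if domain in VENDOR_DOMAINS and any(w in subject for w in PATCH_WORDS):
        reasons.append(f"vendor_patch_claim:{domain}")

    # An executable "patch" from a vendor that never mails patches is the
    # strongest signal; a bare executable attachment still deserves review.
    if executables and domain in VENDOR_DOMAINS:
        verdict = "quarantine"
    elif executables:
        verdict = "hold_for_review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("fake patch", FAKE_PATCH_MAIL), ("benign", BENIGN_MAIL)):
        print(label, assess(raw))
```

The From header is attacker-controlled, so the domain check here is used only to raise severity, never to trust a message; the attachment-type check is what carries the decision.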

Response Number 2
Name: wawadave
Date: September 30, 2003 at 18:08:54 Pacific
Subject: virus alert!!

Worm Exploits Multiple Microsoft Vulnerabilities
September 30, 2003


Symantec Tuesday issued an alert for W32.HLLW.Gaobot.AN, a minor variant of W32.HLLW.Gaobot.AF, which attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.

The worm takes advantage of multiple vulnerabilities including:

- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. Using this exploit, the worm specifically targets Windows XP computers.
- The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.

W32.HLLW.Gaobot.AN is compressed with UPX. Technical details are at this Symantec page.

Trojan Steals Passwords, User Information

Trojan.PWS.QQPass.E is another variant of the Trojan.PWS.QQPass family. It is a password-stealing Trojan Horse that steals passwords and user information. The Trojan is a Visual Basic application that requires the presence of Microsoft Visual Basic run-time libraries for it to run. Technical details are at this Symantec page.

Trojan Targets Processes With Specific Name

Trojan.Vardo is a Trojan Horse program that attempts to close any windows that belong to the processes using the name Ravmon.exe. This is a file that belongs to the Reliable AntiVirus program (RAV). More information is at this Symantec page.

Mass-Mailing Worm Sends Itself to Files With Extensions

W32.Galil.C@mm is a mass-mailing worm that sends itself to the email addresses it finds in the files that have the .htm, .html, .eml, and .txt file extensions. The email will have a variable subject line and attachment name. The original sample received had a .scr file extension.

This worm sends itself to all the contacts in the Microsoft Outlook Address Book and MSN messenger contact list, and it attempts to spread itself through the KaZaA file-sharing network.

This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX.

Read more at this Symantec page.

Exploit-ByteVerify Allows Attacker to Execute Malicious Code

This detection covers Java applets that attempt to exploit the Microsoft Security Bulletin MS03-011 vulnerability. The severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code, simply by visiting an infectious Web site. Detections of this exploit do not necessarily mean that any malicious code was executed. It simply means that a Java applet was found to contain the exploit code. Conversely, malicious code may have been run, which could result in any number of modifications to the system.

All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur on files attempting to make use of this exploit.

More information is at this McAfee page.

Exploit-ObjectData Attempts to Exploit Vulnerability

This detection covers HTML documents that attempt to exploit the Microsoft Security Bulletin MS03-032 vulnerability. The severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code, simply by visiting an infectious Web site. Detections of this exploit do not necessarily mean that any malicious code was executed. It simply means that an HTML document was found to contain the exploit code. Conversely, malicious code may have been run, which could result in any number of modifications to the system.

All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur on files attempting to make use of this exploit.

More information is at this McAfee page.

Trojan Allows Hacker to Gain Remote Access to Computer

Petala.A is a backdoor Trojan that allows a hacker to gain remote access to the affected computer in order to carry out actions that compromise the user's confidentiality or impede the tasks performed.

Petala.A allows the intruder to copy files, end processes, access the computer via FTP, access Web pages of the attacker's choice, etc. These actions are controlled by means of IRC commands.

Petala.A spreads via IRC and across networks. Find out more at this Panda Software page.



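Two of the samples in this roundup (Gaobot.AN and Galil.C) are noted as "compressed with UPX". That note is useful at triage time because UPX leaves a recognisable section layout in the PE header: sections named UPX0 and UPX1, the first of which has no raw data on disk but a large in-memory size that the unpacker fills at run time. The code below is an added example, not from the post or from Symantec; it builds two minimal constructed PE images (not real binaries), parses the section table directly with `struct`, and reports the packer indicators.

```python
"""Triage check for UPX-packed PE files: parse the section table and look for
the packer's section names and its empty-on-disk unpacking section."""
import struct

UPX_SECTION_PREFIX = b"UPX"


def build_fake_pe(sections):
    """Construct a minimal PE image (sample data for this example, not a real
    executable) from (name, virtual_size, raw_size) entries."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> "PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    table = b""
    for name, vsize, rsize in sections:
        hdr = bytearray(40)
        hdr[:8] = name.encode("latin-1").ljust(8, b"\0")[:8]
        struct.pack_into("<I", hdr, 8, vsize)           # VirtualSize
        struct.pack_into("<I", hdr, 16, rsize)          # SizeOfRawData
        table += bytes(hdr)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


def parse_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from a PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    base = e_lfanew + 24 + opt_size                     # first section header
    out = []
    for i in range(nsections):
        off = base + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0")
        (vsize,) = struct.unpack_from("<I", data, off + 8)
        (rsize,) = struct.unpack_from("<I", data, off + 16)
        out.append((name, vsize, rsize))
    return out


def upx_indicators(data):
    """List the UPX-style indicators present in the section table."""
    sections = parse_sections(data)
    hits = []
    if any(name.startswith(UPX_SECTION_PREFIX) for name, _, _ in sections):
        hits.append("upx_section_names")
    # Unpacking destination: nothing on disk, large region reserved in memory.
    if any(rsize == 0 and vsize > 0 for _, vsize, rsize in sections):
        hits.append("empty_raw_section")
    return hits


# Constructed samples: a UPX-style layout and a conventionally linked layout.
PACKED_SAMPLE = build_fake_pe(
    [("UPX0", 0x10000, 0), ("UPX1", 0x8000, 0x7E00), (".rsrc", 0x1000, 0x400)]
)
PLAIN_SAMPLE = build_fake_pe(
    [(".text", 0x5000, 0x5000), (".data", 0x1000, 0x400), (".rsrc", 0x800, 0x800)]
)

if __name__ == "__main__":
    print("packed:", upx_indicators(PACKED_SAMPLE))
    print("plain: ", upx_indicators(PLAIN_SAMPLE))
```

Section names are trivially renamed by a packer's options or a second tool, so `upx_section_names` is a hint rather than a detection; the `empty_raw_section` shape survives renaming and is the more durable of the two, though legitimate binaries with large uninitialised `.bss` sections also show it, so treat both as triage signals to be confirmed by the analyst.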