Name: wawadave
Network Worm Allows Remote Access via IRC Channels
October 22, 2003
W32/Agobot-AA is a network worm that also allows unauthorized remote access to the computer via IRC channels, according to Sophos, which issued an alert Wednesday.

W32/Agobot-AA is capable of spreading to computers on the local network protected by weak passwords.
The worm copies itself to the Windows System folder as Lsas.exe and creates the following registry entries, so that Lsas.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = LSAS.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Explorer = LSAS.exe

Each time W32/Agobot-AA is run the worm attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-AA then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
Instructions for removing worms are at this Sophos page.
Backdoor Trojan Arrives as an Installation
Troj/CoreFloo-C is a backdoor Trojan which allows a remote intruder to access and control the computer via IRC channels. The Trojan arrives as an installation executable with a random filename consisting of seven characters a-z and an extension of EXE.
When the installation executable is run on Windows 95, 98 or ME (or FAT drives) it drops a DLL to the Windows System folder with a filename consisting of 7 random characters a-z and an extension of DLL.
When the installation executable is run on a Windows NT, 2000 or XP system with an NTFS drive it drops the DLL as an ADS file associated with the Windows System folder (typically \System32). The new ADS file will also have a random 7-character name with an extension of DLL.
The installation executable then launches the DLL component, which adds its pathname to a registry entry, so that it is run automatically each time Windows is started. View the entry and other information at this Sophos page.
Trojan Uses a DLL to Wreak Havoc
Trojan.Loome is a Trojan Horse that drops a DLL detected as Spyware.Look2Me. Then, it ends the Explorer.exe process to load the DLL, which crashes Windows 2000/XP.
Technical details are at this Symantec page.

Today's roundup of virus alerts:
- Troj/IRCBot-P - Yet another Trojan horse application that spreads via IRC and allows an attacker to access the infected machine via an IRC channel. (Sophos)
- W32/Dafly-B - A virus that attaches itself to Windows executable files. It changes a bunch of registry keys and displays a message on the infected machine. (Sophos)
- W32/Opaserv-R - A worm that spreads via network shares. It drops a couple of .dat files on the infected machine but no word on any permanent damage caused. (Sophos)
- Troj/CoreFloo-C - This virus arrives as an executable file with a random 7-character name. The virus gives an attacker access to the infected machine via an IRC channel and attempts to protect various virus-related processes. (Sophos)
- W32/Agobot-AA - Another worm that attempts to provide unauthorized access to the infected machine via an IRC channel. This virus spreads via network shares with weak or no password protection. (Sophos)
**********

Panda Software reports the appearance of Lohack.C -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, October 23, 2003 - PandaLabs has detected the appearance of a new worm called Lohack.C (W32/Lohack.C), which is causing incidents in Spain. In order to trick users, Lohack.C spoofs the address of the message carrying the worm so that it seems to have been sent from Panda Software or the Spanish Ministry of Science and Technology. The message text can refer to the Spanish Information and E-business Services Law (LSSI in Spanish) or an antidote for a new virus.

When Lohack.C is run, it sends itself out to all the contacts in the Windows address book on the affected computer. Similarly, it also tries to obtain the contact list from MSN Messenger and uses Google to search for domains that could contain addresses to send itself to. Apart from e-mail, this worm also spreads across network drives.

The e-mail messages that Lohack.C sends out are usually in HTML and, depending on the subject of the message, they take advantage of certain web pages that contain images.

Lohack.C automatically activates when the message carrying the worm is viewed through the Preview Pane in Outlook. It does this by exploiting a vulnerability -known as Exploit/Iframe- that affects versions 5.01 and 5.5 of Internet Explorer and allows e-mail attachments to run automatically.

When it is run, Lohack.C carries out the following actions:
- It moves the mouse, obstructing the tasks performed.
- It copies messages in Spanish that refer to the Spanish Information and E-business Services Law (LSSI in Spanish) to the affected computer.
- It creates several entries in the Windows Registry to ensure it is run whenever the computer starts up.
- It looks for web servers in the network in order to modify the home page.

Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions immediately. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate Lohack.C. Those whose software is not configured to update automatically should update their solutions from http://www.pandasoftware.com. Users can also detect this and other malicious code using the free, online antivirus, Panda ActiveScan, which is available on the company's website at http://www.pandasoftware.com.

For further information about Lohack.C and other malicious code, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

Flea Worm Continues to Spread, Change IE Settings
October 24, 2003
Antivirus vendors continued to issue alerts Friday for JS/Flea.A, a slow email worm that operates as a signature in an HTML-formatted mail. To hide itself and to make analysis more difficult, Flea uses several encryption layers.

F-Secure has received reports of this worm from Asia and Europe. The worm is also known as Flea.A, JS/Flea.A, VBS/Flea.A.Dropper and REG/Flea.A, according to F-Secure.
Flea activates when an infected email message is opened. At this point, the worm connects to a Web site in Spain (a private page under terra.es), and silently downloads and executes JavaScript code available on that Web site. This JavaScript code will download another script written in Visual Basic Script and execute it. This code contains the actual worm code.
The Visual Basic Script code changes Internet Explorer settings so that any URL entered into the address bar without a specific protocol prefix (usually the "http:" part at the beginning of the URL) is directed to the worm code, causing the system to be re-infected.
The worm also attempts to add a number of buttons to Internet Explorer with labels "SEARCH", "ANTIVIRUS", "PILLS" and "SECURITY". Selecting any of these buttons will cause the worm to re-infect the system.
More information is at this F-Secure page.
Network Associates detects the threat as JS/Fortnight@M. According to the vendor, the virus spreads by inserting a snippet of HTML code into every message sent through Microsoft Outlook Express. This is accomplished by creating a new HTML file, and setting it as the default signature file used by Outlook Express.
The virus is received as HTML code in any email message. This code uses an IFRAME tag with the SRC set to a remote Web site. When the message is accessed, that remote site is contacted.
The worm makes several Internet Explorer setting changes, designed to drive the user to the virus author's Web site, seemingly for advertisement purposes. Such program tactics used for this purpose are sometimes referred to as "scumware."
Read more at this Network Associates page.
Agobot Variant Creates Registry Entries
W32/Agobot-AC is a variant of the Agobot family of worms with a backdoor component. This version drops the file regloadr.exe into the Windows system folder and creates the following registry entries to run automatically when Windows boots up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Registry Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Registry Loader
Instructions for removing worms are at this Sophos page.
Worm Attempts to Spread to Poorly Protected Network Shares
W32.HLLW.Gaobot.BB is a variant of W32.HLLW.Gaobot.AE that attempts to spread to network shares that have weak passwords, and allows access to an infected computer through an IRC channel. The worm also attempts to terminate the processes of various antivirus and firewall programs.
The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
W32.HLLW.Gaobot.BB is packed with Petite.
Technical details are at this Symantec page.
Week in Review
This week's report on malicious code focuses on three worms (Lohack.C, Flop.A and Sexer.A), a Trojan called Sdbot.N and the virus Vix.A.
Lohack.C spreads via e-mail and across network drives. The message carrying this worm tries to trick users by referring to the Spanish Information Society and E-business Services law. It also spoofs the sender's address, so that it seems to have been sent from the Spanish Ministry of Science and Technology or Panda Antivirus.
Lohack.C automatically activates when the message carrying the worm is viewed through the Preview Pane in Outlook. It does this by exploiting a vulnerability -known as Exploit/Iframe- that affects versions 5.01 and 5.5 of Internet Explorer and allows e-mail attachments to run automatically. Finally, one of the effects of Lohack.C is that it moves the mouse pointer around the screen.
The second worm that appeared this week is Flop.A, which spreads by copying itself to all the floppy disks used on the affected computer, provided that they are not write-protected. When this malicious code is run, it displays a message in Spanish describing how to enlarge the male member. The file carrying Flop.A has the same icon as Word documents.
Sexer.A is a worm that spreads via e-mail in a message written in Cyrillic characters and includes an attachment called WIN2DRV.exe. When Sexer.A has infected a computer, it sends a copy of itself to all the contacts it finds in the Windows address book and changes the Windows wallpaper for a text with Cyrillic characters.
The fourth malicious code of the week is a Trojan called Sdbot.N. This Trojan has been mass mailed in a message with the subject: "Microsoft Security Update" and an attachment called MS03-047.exe. The message text also tries to trick the user into believing that the message has been sent by Microsoft. However, when the attached file is run, Sdbot.N goes memory resident and connects to an IRC channel. This channel sends the Trojan remote control commands in order to carry out the following actions, among others: scan ports, download and run files, launch Denial of Service (DoS) attacks, etc.
Finally, Vix.A is a virus with worm characteristics that infects PE files and spreads via the P2P (peer-to-peer) file sharing programs KaZaA, iMesh and Shareaza. A file that has been infected by this virus cannot be disinfected and will therefore be rendered unusable.
For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia here.
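A quick host check for the persistence indicators quoted in the Agobot-AA, Agobot-AC and CoreFloo-C alerts above. This is an added example, not code from Sophos, Panda, Symantec or the original poster. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the value names ("Windows Explorer", "Registry Loader"), image names (LSAS.exe, regloadr.exe) and the 7-letter DLL stream pattern are taken from the alert text, and the check that a directory normally carries no named data streams is an assumption of the example.

```powershell
# Added example: hunt for the autorun and alternate-data-stream indicators
# described in the Sophos alerts above. Assumes Windows PowerShell 5.1+, elevated.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',  # only present on Windows 9x/ME
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Indicator names as quoted in the Agobot-AA and Agobot-AC descriptions.
$suspectValueNames = @('Windows Explorer', 'Registry Loader')
$suspectImages     = @('lsas.exe', 'regloadr.exe')

# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        # Reduce a command line such as '"C:\WINNT\System32\LSAS.exe" /x' to its image name.
        $first = ("$($p.Value)" -replace '"', '').Trim().Split(' ')[0]
        $image = [System.IO.Path]::GetFileName($first).ToLower()
        if (($suspectValueNames -contains $p.Name) -or ($suspectImages -contains $image)) {
            $findings += [pscustomobject]@{ Where = $key; Name = $p.Name; Detail = $p.Value }
        }
    }
}

# CoreFloo-C on NTFS drops its DLL as a named stream attached to the System32 folder.
# Assumption of this example: a directory normally has no named $DATA streams, so any
# stream reported here is worth inspecting, and one matching [a-z]{7}.dll matches the alert.
$sys32 = Join-Path $env:SystemRoot 'System32'
$streams = Get-Item -Path $sys32 -Stream * -ErrorAction SilentlyContinue
foreach ($s in $streams) {
    if ($s.Stream -eq ':$DATA') { continue }   # unnamed default stream, not an ADS
    $note = if ($s.Stream -match '^[a-z]{7}\.dll$') { 'matches CoreFloo-C pattern' }
            else { 'unexpected named stream on a directory' }
    $findings += [pscustomobject]@{ Where = "$sys32 (ADS)"; Name = $s.Stream; Detail = "$($s.Length) bytes; $note" }
}

# The dropped executables themselves.
foreach ($name in $suspectImages) {
    $path = Join-Path $sys32 $name
    if (Test-Path $path) {
        $findings += [pscustomobject]@{ Where = 'file'; Name = $path; Detail = (Get-Item $path).LastWriteTime }
    }
}

if ($findings.Count -eq 0) {
    'No Agobot/CoreFloo indicators found in Run/RunServices keys, System32 streams or files.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on a value name alone (for example a "Windows Explorer" entry pointing at some other file) is only a lead, since nothing stops a legitimate installer from using the same label; confirm by hashing the referenced file and comparing against the vendor description before cleaning the key, and remember that Agobot's RunServices entry is only meaningful on Windows 9x/ME, where that key exists.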
