Name: wawadave
Panda Software offers users the free removal utility for Sober.A -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, October 30, 2003 - Given the increase in incidents received by PandaLabs involving the Sober.A worm, Panda Software has made its PQREMOVE application available to all users to repair any possible damage caused to computers by this malicious code. This utility can be downloaded free of charge by anyone who needs it, from:
http://www.pandasoftware.com/download/utilities/

As Panda Software has previously reported, Sober.A is a worm that spreads via e-mail with highly variable subjects and message texts in English or German. The message also includes an attachment which, if run, causes a false error message to appear.

Sober.A sends itself to all the addresses it finds in a number of files on the computer, using its own SMTP engine. It stores all the addresses it finds in the file %sysdir%\MACROMED\HELP\MEDIA.DLL.

One of the main dangers of Sober.A is that it leaves two resident copies of itself running continually. If a user terminates one of the processes, or deletes one of these copies, the other will start it up or create it again.

To prevent possible infections, Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions if they haven't already done so. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate Sober.A. Those whose software is not configured to update automatically should update their solutions from http://www.pandasoftware.com/. Users can also scan their computers using the free, online antivirus, Panda ActiveScan, which is available on the company's website at http://www.pandasoftware.com

Detailed information about Sober.A and other malicious code is available from Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
--

Today's roundup of virus alerts:

Sober virus in the wild but slow-moving
An e-mail-borne virus that apparently originated in Germany is in the wild but has not yet spread widely or affected many users, an anti-virus researcher said Monday. IDG News Service, 10/28/03.
<http://www.nwfusion.com/news/2003/1028sobervirus.html?nl>

W32/Holar-I - A worm that spreads via e-mail and peer-to-peer networks and causes the infected machine to stop responding after the virus has run 30 times. (Sophos)

W32/Marq-A - This virus spreads via e-mail and requires the recipient to click on a link. The Web page the link directs users to contains the viral code. (Sophos)

W32/Agobot-AF - Another variant of the Agobot worm family. This one too exploits the Windows RPC DCOM vulnerability. (Sophos)

Malware Has Worm, Backdoor Capabilities
October 30, 2003
Trend Micro issued an alert Thursday for Worm_Moega.C, malware that has both worm and backdoor capabilities.

To propagate, it scans for hosts in the affected system's domain. This worm then drops a copy of itself on target hosts that have shares with weak passwords.
As a backdoor, it connects to a remote Internet Relay Chat (IRC) server and joins a channel. Once it is in the IRC channel, a malicious user can then send commands, which the malware executes on the compromised machine.
It runs on Windows NT, 2000 and XP systems.
More information is at this Trend Micro page.
Network-Aware Worm Tries to Connect to IRC Server
W32.Randex.S is a network-aware worm that attempts to connect to a predetermined IRC server to receive instructions from its author.
Technical details are at this Symantec page.
Worm Tries to Spread Through KaZaA Network
W32.HLLW.Franriv is a worm that attempts to spread through the KaZaA file-sharing network. More information is at this Symantec page.
Trojan Causes Windows to Repeatedly Restart Computer
Trojan.Obsorb is a Trojan Horse that causes Windows to continuously restart the computer at the end of the startup process. Because it is written in Visual Basic (VB), it requires the VB run-time libraries to execute. Also, Windows must be installed in C:\Windows.
Technical details are at this Symantec page.
Downloader Collects Proprietary Information
Downloader.Dluca.B, a variant of the Downloader.Dluca Trojan Horse, sends information about your computer to a specific Web site.
Read more at this Symantec page.
Backdoor Trojan Allows Remote Access to Computer
Like other backdoors, BDS/Sinit would potentially allow someone with malicious intent remote access to a computer. If executed, the backdoor will add the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,C:\\WINDOWS\\System32\\svcinit.exe"
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe"

It will remain memory resident. BDS/Sinit was originally received as "svcinit.exe". Find out more at this Central Command page.
Virus Tries to Infect .exe Files
W32/Infeme is not a crypted PE file infector virus. When run, the virus attempts to infect .exe files. The virus contains bugs and seems able to infect files only when they are in a directory named "C:\INFECTME".
Find out more at this McAfee page.
Downloader Installs File, Adds Registry Key
Downloader-EV is a detection for a file that serves as a downloading/updating component.
Upon execution on the target machine, the file installs itself into the application data folder, using a random 4-letter filename. For example:
C:\WINDOWS\APPLICATION DATA\ESCN.exe
C:\DOCUMENTS AND SETTINGS\USERNAME\APPLICATION DATA\CSRR.exe
This file is 67,592 bytes in length.

A Registry key is added to execute this file at subsequent system startup - the string name used for this key will vary. For example:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Otss" = C:\WINDOWS\ESCN.exe

Once running, an attempt is made to connect to a remote server (located via a DNS request). An HTTP GET request is then sent to the server, passing information such as:
install, update or warning
version details
message

Thanks, looks like more to follow.
Not getting any better, people; it takes longer to rid yourself of a virus than it is to update.

Hello,
and you're welcome.
Here's some more news:
Worm Uses Own SMTP Engine to Send Messages
October 31, 2003
Several security vendors Friday issued medium-level threat alerts for W32/Mimail-C, a worm that spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file eml.tmp in the Windows folder.

In order to run automatically when Windows starts up, W32/Mimail-C copies itself to the file netwatch.exe in the Windows folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetWatch32
The emails sent by the worm have the following characteristics:
Subject line: Re[2]: our private photos
Message text:
Hello Dear!
Finaly i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
Attached file: photos.zip

W32/Mimail-A spoofs the From field of the sent emails using the email address james@.
Photos.zip is a compressed file which contains an executable file named photos.jpg.exe.
More information is at this Sophos page.
Symantec recognizes the worm as W32.Mimail.C@mm, which is a variant of W32.Mimail.A@mm that spreads by e-mail and steals information from a user's system.
The e-mail has the following characteristics:
Subject: Re[2]: our private photos
Attachment: photos.jpg.exe
The threat captures information from certain windows on a user's desktop and emails it to specific mail addresses.
This threat takes advantage of known vulnerabilities: MS02-015 and MS03-014. A Microsoft patch is located here.
Symantec encourages system administrators to apply the Microsoft patch to prevent infection by this worm.
The worm is packed with UPX.
More information is at this Symantec page.

Trend Micro recognizes the memory-resident Internet worm as Worm_Mimail.C, and says it propagates through email using its own Simple Mail Transfer Protocol (SMTP) engine. The email arrives in the following format:
To: admin@???
Subject: Re[2]: our private photos ???
Message Body:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
??? (Note: ??? is a variable string)
Attachment: photos.zip

It runs in Windows 95, 98, ME, NT, 2000 and XP.
Technical details are at this Trend Micro page.
McAfee reports that due to the increased number of samples of W32/Mimail.c@MM that it has received, the risk assessment of this threat has been raised to medium.
This mass-mailing worm spreads as a .ZIP file and contains a denial of service payload. It bears similarities to a previous worm, W32/Mimail@MM. However, this variant does not use the codebase (MS02-015) and MHTML (MS03-014) exploits that the previous variants did.
A summary of the virus characteristics is as follows:
contains its own SMTP engine for constructing messages
mails itself as a ZIP attachment
harvests email addresses from the local machine
sends a large volume of data (garbage) to a remote server, suggestive of a DoS payload
Users are reminded that the scanning of compressed files should be enabled for optimal detection.
More information is at this McAfee page.

Worm Executes Screen with Russian Text
McAfee is also reporting that multiple variants of W32Sexer.worm are now known. Presently, this worm contains bugs which may cause the worm to fail on different systems. After the worm is executed, a screen with Russian text is displayed. This may not happen for all variants.
The worm attempts to access the Windows Address Book (WAB) and MAPI service probably in an attempt to mail itself out.
More information is at this McAfee page.
Trojan Opens TCP Sockets That Accept Commands from Hacker
BackDoor-BBO is a detection for a remote access Trojan written in Delphi.
The Trojan might come with an installation exe. Upon execution, the installation exe copies the trojan into the %Windir% directory as messenger.exe. (Where %Windir% is the Windows directory, for example C:\WINDOWS)
The installation exe creates the following registry key to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Messenger-" = "%Windir%\Messenger.exe"

Once running on the victim machine, the Trojan component opens TCP sockets on ports 9696 and 3000, accepting commands sent from the hacker. The Trojan connects to login.icq.com as an ICQ client.
Find out what actions the Trojan performs by visiting this McAfee page.
Worm Attempts to Spread Through KaZaA Network
W32.Kwbot.Y.Worm is a worm that attempts to spread through the KaZaA file-sharing network. It also has backdoor Trojan capabilities, which allows an attacker to gain control of a compromised computer.
W32.Kwbot.Y.Worm is a variant of W32.Kwbot.Worm and is packed with FSG.
More information is at this Symantec page.
Week in Review
This week's report on malicious code will focus on three worms--Sober.A, Lohack.D and Sexer.B--and two Trojans called Alof.A and Initsvc.D.
Sober.A spreads via e-mail in a message with a variable subject and message body, in either English or German. This worm sends itself out to all the addresses it finds in a large number of files on the affected computer using its own SMTP engine. The message includes an attached file that, when it is run, displays a false error message.
When Sober.A infects a computer it creates two memory resident copies of itself which are constantly running. If one of the processes associated to the worm is ended, the other will restart it, and if one of the copies is eliminated, the other will create a copy of the deleted file.
The second worm of the week was Lohack.D, which spreads via e-mail, computer networks and the P2P file sharing program KaZaA. In order to trick users, it sends itself in messages in Spanish that seem to have been sent from the Spanish Ministry of Science and Technology or Panda Antivirus and refer to the Spanish law on Information Society Services and Electronic Commerce.
Lohack.D automatically activates when the message carrying the worm is viewed through the Preview Pane in Outlook. It does this by exploiting a vulnerability known as Exploit/Iframe, which affects versions 5.01 and 5.5 of Internet Explorer and allows e-mail attachments to run automatically.
The third worm that appeared this week, Sexer.B, also spreads via e-mail in a message written in Cyrillic characters and includes an attachment called KAVUTIL.exe. Sexer.B sends a copy of itself to all the contacts it finds in the Windows address book on the affected computer and changes the Windows wallpaper for a text with Cyrillic characters.
Finally, Alof.A and Initsvc.D, two Trojans that surfaced this week, allow hackers to gain remote access to computers, allowing them to perform actions that compromise user confidentiality and interfere with the user's work. Alof.A has been spammed in a message with an attached file called WMDVM.exe. Alof.A connects to an IRC server and opens port 24653.

Panda Software reports the appearance of the new Mimail.C worm -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, October 31, 2003 - PandaLabs has detected the appearance of the new worm Mimail.C (W32/Mimail.C.worm), which has already started to cause incidents. This malicious code spreads by sending itself out via e-mail.

Mimail.C reaches computers in a message with the following characteristics:
- Subject:
Re[2]: our private photos (followed by a random text)
- Message:
Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)
Right now enjoy the photos.
Kiss, James.
(followed by a random text)

If the user runs the attached file, Mimail.C creates several copies of itself on the affected computer under names like exe.tmp and netwatch.exe. It also inserts an entry in the Windows Registry in order to ensure that it is run whenever the computer is restarted.

Due to the incidents received and the possibility of an increase in the number of infections, Panda Software advises users to be extremely careful with e-mail messages received and to update their antivirus solutions immediately. The multinational antivirus manufacturer has already released the updates, which ensure their antivirus solutions detect and eliminate Mimail.C. Therefore, if your software is not configured to update automatically, you can do so from the company's website at http://www.pandasoftware.com.

Users can also detect this and other malicious code using the free, online antivirus, Panda ActiveScan, which is available on the company's website at http://www.pandasoftware.com.

For more information about Mimail.C and other malicious code, visit Panda Software's Virus Encyclopedia at the following address:
http://www.pandasoftware.com/virus_info/encyclopedia/

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the "cut" and "paste" options to join the pieces of the URL.
--
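Several of the write-ups quoted in these two posts describe the same two persistence spots: BDS/Sinit appends svcinit.exe to the Winlogon Userinit value, while Downloader-EV (a random four-letter name under Application Data), W32/Mimail-C (NetWatch32 -> netwatch.exe) and BackDoor-BBO (Messenger- -> Messenger.exe) add Run values. The Python below is an added example, not code from any of the vendors quoted or from the posters; it parses a `reg export` of those keys and flags exactly those patterns. The sample export, the filename watchlist and the four-letter-name heuristic are constructed for the demonstration and will need tuning on real machines.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample: what `reg export` of the Winlogon and Run keys would
# look like on a box carrying the persistence entries reported in the posts
# (Sinit, Downloader-EV, Mimail-C, BackDoor-BBO), plus one benign Run value
# so the audit has something to leave alone. Not real registry data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,C:\\WINDOWS\\System32\\svcinit.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetWatch32"="C:\\WINDOWS\\netwatch.exe"
"Messenger-"="C:\\WINDOWS\\Messenger.exe"
"Otss"="C:\\WINDOWS\\APPLICATION DATA\\ESCN.exe"
"hqtray"="\"C:\\Program Files\\VMware\\hqtray.exe\" /background"
'''

WINLOGON_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
RUN_KEY_SUFFIX = r'\software\microsoft\windows\currentversion\run'
# Filenames reported for the samples in the posts; extend from your own intel.
WATCHLIST = {'svcinit.exe', 'netwatch.exe', 'messenger.exe'}
# Downloader-EV used a random four-letter name: a heuristic, expect some noise.
FOUR_LETTER_NAME = re.compile(r'^[a-z]{4}\.exe$', re.IGNORECASE)

_KEY_LINE = re.compile(r'^\[(.+)\]$')
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

Finding = Tuple[str, str, str, str]  # (key, value name, image path, reason)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key (lowercased): {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash
            name, value = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
            keys[current][name] = value
    return keys


def image_path(value: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value


def audit_persistence(reg_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in parse_reg_export(reg_text).items():
        if key == WINLOGON_KEY:
            userinit = next((v for n, v in values.items() if n.lower() == 'userinit'), '')
            # Winlogon launches every comma-separated entry; only userinit.exe belongs here.
            for entry in (e.strip() for e in userinit.split(',') if e.strip()):
                if ntpath.basename(entry).lower() != 'userinit.exe':
                    findings.append((key, 'Userinit', entry, 'extra Userinit entry, Sinit-style hook'))
        elif key.endswith(RUN_KEY_SUFFIX):
            for name, value in values.items():
                path = image_path(value)
                exe = ntpath.basename(path).lower()
                reasons = []
                if exe in WATCHLIST:
                    reasons.append('filename on watchlist')
                if 'application data' in path.lower():
                    reasons.append('runs from a profile data folder')
                if FOUR_LETTER_NAME.match(exe):
                    reasons.append('four-letter random-looking filename')
                if reasons:
                    findings.append((key, name, path, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for _key, name, path, reason in audit_persistence(SAMPLE_REG_EXPORT):
        print(f'{name:12} {path:45} {reason}')
```

On a live Windows box the input comes from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the Winlogon key likewise); the parser only handles REG_SZ values, which is all these samples touch.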
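McAfee's reminder above that scanning of compressed files should be enabled is the point of this added example (mine, not code from the vendors quoted or from the posters): the Mimail.C attachment photos.zip hides photos.jpg.exe, so a gateway has to open the archive and judge each member by both its name and its first bytes, not by the .zip wrapper. The archive contents, the MZ stubs standing in for the executable and the subject-prefix rule are constructed for the demonstration.

```python
import io
import zipfile
from typing import Dict, List, Tuple

EXECUTABLE_EXTS = {'exe', 'scr', 'pif', 'com', 'bat', 'cmd', 'vbs', 'js'}
MAX_MEMBERS = 1000  # refuse absurd archives instead of walking them
MIMAIL_C_SUBJECT = 'Re[2]: our private photos'  # reported subject prefix


def member_reasons(name: str, head: bytes) -> List[str]:
    """Why one archive member looks like a disguised executable (empty list if it does not)."""
    base = name.rsplit('/', 1)[-1].lower()
    parts = base.split('.')
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f'executable extension .{parts[-1]}')
        if len(parts) >= 3:
            # photos.jpg.exe: a data-file extension placed in front of the real one
            reasons.append(f'double extension, shows as .{parts[-2]} when Explorer hides known extensions')
    if head.startswith(b'MZ'):
        reasons.append('MZ header: PE executable whatever the name says')
    return reasons


def triage_zip(zip_bytes: bytes) -> List[Tuple[str, List[str]]]:
    """Open the archive and return (member name, reasons) for every suspicious member."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise ValueError('too many members')
        for info in infos:
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic; never inflate the whole member
            reasons = member_reasons(info.filename, head)
            if reasons:
                flagged.append((info.filename, reasons))
    return flagged


def matches_mimail_c(subject: str, zip_bytes: bytes) -> bool:
    """Gateway rule: the reported subject prefix plus a double-extension executable inside the ZIP."""
    return subject.startswith(MIMAIL_C_SUBJECT) and any(
        'double extension' in r for _, reasons in triage_zip(zip_bytes) for r in reasons)


def build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for the photos.zip described in the posts: an MZ stub
# named photos.jpg.exe beside a JPEG-looking file. No worm code is involved.
SAMPLE_PHOTOS_ZIP = build_zip({
    'photos.jpg.exe': b'MZ' + b'\x00' * 62,
    'beach.jpg': b'\xff\xd8\xff\xe0' + b'\x00' * 16,
})

if __name__ == '__main__':
    for name, reasons in triage_zip(SAMPLE_PHOTOS_ZIP):
        print(name, '->', '; '.join(reasons))
    print('Mimail.C rule:', matches_mimail_c('Re[2]: our private photos 8fk2', SAMPLE_PHOTOS_ZIP))
```

The MZ check is what catches the renamed case the name-based rules miss (an executable shipped as pic.jpg), which is why both are applied to every member.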
