Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

April 2004 - Posts

MS04-011-Based Sassy New Worm (Low Risk)

The First MS04-011 Worm Family, Sasser, Low Risk

McAfee has posted a write-up for the first member of a new worm family, W32/Sasser.worm. The worm installs itself under the name avserve.exe and spreads by exploiting the LSASS vulnerability patched in MS04-011. It is the first standalone family to do so (variants of the large W32/Gaobot.worm family were the first worms to use the exploit at all), but so far it does not appear to be very successful. Subsequent versions, however, could be dangerous, so users should remain vigilant and apply the patch. The worm probes targets on TCP port 445 and, once it has exploited a machine, has that machine fetch a copy of the worm from an FTP server the worm opens on TCP port 5554.

McAfee Description
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125007
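As an added example (not from the post or from McAfee's write-up), here is the sort of detection logic a network defender could run over connection logs to spot the two-port pattern described above: a single source probing many hosts on TCP/445, followed by freshly exploited victims connecting back to it on TCP/5554. The log format, the addresses and the threshold below are constructed assumptions for illustration.

```python
"""Flag hosts whose connection pattern looks like Sasser-style LSASS scanning.

This is an added example, not code from the original post or from McAfee.
It assumes a simple per-connection log format (constructed below):
"<timestamp> <src_ip> <dst_ip> <dst_port> <proto>". The thresholds and the
IP addresses are illustrative assumptions, not values from the write-up.
"""
from collections import defaultdict

SCAN_PORT = 445      # Sasser exploits LSASS over SMB on TCP/445
PAYLOAD_PORT = 5554  # the worm serves its own body from an FTP server on TCP/5554

# Constructed sample log: 10.0.0.7 sweeps six hosts on 445, then 10.0.1.12
# (just exploited) connects back to 10.0.0.7 on 5554 to fetch the worm.
# 10.0.0.9 makes a single legitimate file-share connection and must not be flagged.
SAMPLE_LOG = """\
2004-04-30T19:01:02 10.0.0.7 10.0.1.10 445 tcp
2004-04-30T19:01:02 10.0.0.7 10.0.1.11 445 tcp
2004-04-30T19:01:03 10.0.0.7 10.0.1.12 445 tcp
2004-04-30T19:01:03 10.0.0.7 10.0.1.13 445 tcp
2004-04-30T19:01:04 10.0.0.7 10.0.1.14 445 tcp
2004-04-30T19:01:04 10.0.0.7 10.0.1.15 445 tcp
2004-04-30T19:01:05 10.0.0.9 10.0.0.2 445 tcp
2004-04-30T19:01:06 10.0.1.12 10.0.0.7 5554 tcp
2004-04-30T19:01:07 10.0.0.9 10.0.0.2 53 udp
"""


def parse_line(line):
    """Split one log line into its fields; returns None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, dst, port, proto = fields
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto.lower()}


def find_scanners(log_text, min_targets=5):
    """Return {src_ip: {"scanned": n, "served_payload_to": [...]}} for every host
    that touched at least min_targets distinct destinations on SCAN_PORT.

    Victims pull the worm from the *attacker* on PAYLOAD_PORT, so connections to
    5554 are indexed by destination and then looked up per suspected scanner.
    """
    targets = defaultdict(set)          # src -> destinations probed on 445
    payload_clients = defaultdict(set)  # server (attacker) -> hosts that fetched on 5554
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["port"] == SCAN_PORT:
            targets[rec["src"]].add(rec["dst"])
        elif rec["port"] == PAYLOAD_PORT:
            payload_clients[rec["dst"]].add(rec["src"])

    findings = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            findings[src] = {
                "scanned": len(dsts),
                "served_payload_to": sorted(payload_clients.get(src, ())),
            }
    return findings


if __name__ == "__main__":
    for host, info in find_scanners(SAMPLE_LOG).items():
        print(f"{host}: probed {info['scanned']} hosts on {SCAN_PORT}; "
              f"served payload to {info['served_payload_to'] or 'nobody yet'}")
```

The 445 sweep alone is noisy on a Windows network (file servers see it all day), which is why the example also reports who fetched from the suspect on 5554: a host that both sweeps 445 and serves 5554 is a much stronger signal than either by itself.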

Posted: Apr 30 2004, 07:08 PM by trafton | with 4 comment(s)

New "Recommended Link" Feature

When There's No News, Recommended Links Will Appear

I have added a quick JavaScript that selects from a range of excellent security-related links and displays one along with a description. Certain links come up more often than others; a randomization method is used (and the JavaScript is indeed poor; I will improve it when I get a chance, but I was going for functionality for the most part). I hope you will all enjoy this feature, and I also hope to add a wider range of links in the future.

Posted: Apr 30 2004, 07:05 PM by trafton | with 5 comment(s)

Removed Outbreak Warning for Bagle.AA

Follow-Up: Bagle.AA Consensus Points to Medium, Not High

In watching risk statuses closely over the past few years, I've noticed one thing, and that is that some companies just happen to receive more copies of a given worm than others. This results in a certain virus being given a Medium-High risk rating when companies that usually tend to be more liberal with risk assessments still rate it only Medium. This seems to be the case with W32/Bagle.AA-mm, which is probably more Medium at this point than Medium-High.

The worm appeared a while ago and was rated Medium-On-Watch by McAfee, but Medium by nearly every other company. This is not an inaccuracy, but just a case of McAfee receiving an unusual number of submissions (current stats rate it at #7 for submissions in its pure .exe form.)

Thus, I have removed the graphic from the left side of the page. Next time an outbreak warning is submitted, I'm going to try to make the picture smaller since it caused problems at low resolutions. Sorry about that.

On another note, I would like to stress that outbreak warnings are little more than notifications of important outbreaks. They aren't scientific, nor should they be used as a meter for the level of risk for a certain virus.

Posted: Apr 30 2004, 02:42 PM by trafton | with 1 comment(s)

W32/Misodene Found in the Field

Pre-Millennium Social Engineering Still in Use

W32/Misodene-mm, also known as Bertad, has been reported as spreading a bit in Latin American countries. The worm sends itself purporting to be naked pictures of Jennifer Lopez, a bounced-mail error, a .zip about “famous,” or Pentagon secrets. So far, spread has been low. Another variant is known. For some reason, the McAfee and Symantec descriptions differ on what the worm mass-mails itself as.

Symantec Description
http://www.sarc.com/avcenter/venc/data/w32.misodene@mm.html

McAfee Description
http://vil.nai.com/vil/content/v_124872.htm

Posted: Apr 30 2004, 06:29 AM by trafton | with 373 comment(s)

More MS04-011-Based Gaobot Variants

Rate of Appearing Variants On the Rise

Symantec is reporting W32/Gaobot.worm variants .AFC, .AFJ, and .AFW, all of which use the MS04-011 exploit. None of them are believed to be spreading very rapidly, but unprotected machines remain at risk.

http://www.sarc.com/avcenter/venc/data/w32.gaobot.afc.html
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afj.html
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afw.html

It is also notable that we are already up to AFW; AAA was reached only a bit over a week ago, which means that the rate at which new W32/Gaobot.worm variants appear is increasing impressively. In under a year this bot family has become the largest family of malware ever, and the first whose variant names have needed a third letter.

Posted: Apr 30 2004, 06:25 AM by trafton | with 4 comment(s)

Bagle.AA: Extension Blocking Considerations

There is No Reason to Let Executables Through

The latest Bagle variant adds a few new extensions to the mix: .cpl being the most notable. .CPL is a control panel extension, and has been used in earlier worms such as W32/Datom-mm. Here is a list of files that should be blocked at the gateway:

http://googleit.aptonline.net/pages/emailblocklist.html

Of these, the most common viral extensions are .bat, .com, .exe, .pif, .scr, and .vbs. Slightly less common extensions that are used by viruses include .bas, .cmd, .eml, .hlp, .hta, .js, .ocx, .ovl, .shs, .sys, and .vbe. Additionally, .zip has been used by recent worms but is not included on the list, as it also has some viable uses.

This is an excellent list and all mail administrators should strongly consider enforcing it at their gateways. There is no reason that any of the most common extensions should be sent through email on a corporate system anyway, so blocking them prevents both worm traffic and joke mails that take up employee time.
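As an added example (not code from the post or from the linked blocklist page), the check below applies the list above at a gateway the way a practitioner would actually want it applied: it matches a blocked suffix anywhere in the filename (so double-extension tricks like photo.jpg.exe are caught), ignores trailing dots and spaces that Windows strips before deciding what opens a file, and lets .zip through only after looking at the names of its members. The choice to quarantine encrypted archive members, which cannot be inspected, is an assumption of mine, not something the post prescribes.

```python
"""Gateway attachment check based on the extension list in the post above.

Added example; not code from the post, the linked blocklist page, or any
product. The extension set is the one the post names (plus .cpl from the
Bagle.AA note); looking inside .zip attachments and quarantining encrypted
archive members are assumptions made for illustration.
"""
import io
import os
import zipfile

BLOCKED_EXTENSIONS = {
    # most common viral extensions
    "bat", "com", "exe", "pif", "scr", "vbs",
    # slightly less common
    "bas", "cmd", "eml", "hlp", "hta", "js", "ocx", "ovl", "shs", "sys", "vbe",
    # added by Bagle.AA
    "cpl",
}


def extension_chain(filename):
    """All suffixes of a name, lower-cased, so "photo.jpg.exe" -> ["jpg", "exe"].

    Trailing dots and spaces are stripped because Windows ignores them when it
    decides which program opens the file ("readme.exe." still runs as an exe).
    """
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    return base.split(".")[1:]


def blocked_extension(filename):
    """Return the first blocked suffix found anywhere in the name, or None."""
    for ext in extension_chain(filename):
        if ext in BLOCKED_EXTENSIONS:
            return ext
    return None


def inspect_attachment(filename, data):
    """Decide ("allow" | "block" | "quarantine", reason) for one attachment."""
    ext = blocked_extension(filename)
    if ext:
        return "block", f"attachment name {filename!r} carries blocked extension .{ext}"

    # .zip is allowed through (it has legitimate uses) but its members are checked.
    # Archives are detected by content, not name, so a renamed zip is still inspected.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                        return "quarantine", f"encrypted member {member.filename!r} cannot be inspected"
                    inner = blocked_extension(member.filename)
                    if inner:
                        return "block", f"archive member {member.filename!r} carries blocked extension .{inner}"
        except zipfile.BadZipFile:
            return "quarantine", "attachment looks like a zip but cannot be parsed"
    return "allow", None


def build_zip(members):
    """Helper for constructing sample archives in memory: {name: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments; the "MZ" bytes only stand in for an executable.
    samples = {
        "report.doc": b"...",
        "photo.jpg.exe": b"MZ...",
        "pics.zip": build_zip({"funny.scr": b"MZ..."}),
        "notes.zip": build_zip({"notes.txt": b"hello"}),
    }
    for name, content in samples.items():
        print(name, inspect_attachment(name, content))
```

The check is name-based, which is exactly the limitation of extension blocking: an executable renamed to .txt passes, and a zip whose members are encrypted cannot be examined at all, so the policy for those two cases (here, allow and quarantine respectively) has to be decided explicitly rather than left to chance.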

Posted: Apr 29 2004, 05:44 AM by trafton | with 4 comment(s)

Microsoft Posts "Known Issues" for MS04-011

Rare, but Solvable Annoyances; Users Should Upgrade Anyway

Microsoft has announced the known problems with the MS04-011 patch that some users have encountered during upgrade. This is a standard procedure and all users should still upgrade. A solution for each of these problems is provided in the document. The file can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

Posted: Apr 29 2004, 05:37 AM by trafton | with 333 comment(s)

First MS04-011 Worm Emerges

Gaobot.ALI Exploits Recent Vulnerability

Harry Waldron, a fellow MVP, has shared this bad news on the McAfeeHelp.com Forums:

==BEGIN QUOTE==
Symantec has also classified this first MS04-011 variant as W32.Gaobot.AFJ. The "good news" is that it is not an active threat as the dependent IRC server has been shut down, however the "bad news" is that it provides a model for more crafting work on MS04-011 exploitable worms.

First MS04-011 Worm emerges: W32/Gaobot.worm.ali
http://vil.nai.com/vil/content/v_125006.htm
http://www.incidents.org/diary.php?date=2004-04-28
http://www.incidents.org/diary.php?date=2004-04-27

At the time of this writing, there are more than 900 variants of the Gaobot virus in existence. The source code for Gaobot was posted to various websites resulting in many new variants being created each week.

W32/Gaobot.worm.ali stands out from some others as it seems to be the first variant that incorporates code to exploit a MS04-011 vulnerability (LSASS Vulnerability (CAN-2003-0533)).

This particular variant is not currently a threat as it is dependent on an IRC server, which is no longer available. However, it is presumed that other variants will likely follow soon, which are functional. Details of those variants will likely vary from this one.

For maximum protection against the Gaobot family, users are recommended to:

* use the latest engine/DATs combination
* ensure the scanning of compressed files is enabled
* keep Windows systems patched by using Windows Update
* ensure weak username/passwords are not used
* run a personal desktop firewall application

The virus contains lots of remote access functionality, including:

* Create/Remove services
* Denial of service attack
* FTP/HTTP functions (upload, download files, etc)
* IRC functions
* Retrieve system information (RAM, CPU, Disk Space)
* Secure/insecure Windows shares
* Shutdown/reboot/logoff computer
* Sniffer
* Steal CD and product keys for various products
* Terminate running processes
==END QUOTE==

The good news here is that this worm has not yet been seen spreading significantly in the field. However, it has the potential to. Relative to the patch that covered it, we are fast approaching the point at which W32/Blaster.worm appeared last summer. Lessons have likely been learned to some extent, but another Blaster-like success is still a possibility.

All users should, obviously, patch immediately.

Posted: Apr 29 2004, 05:33 AM by trafton | with 6 comment(s)

March WildList Released Today

List Dominated by Bagle, NetSky Additions

The WildList has been released for the month of March. It can be found here.

The following viruses have debuted on the main list directly (number of reports in parentheses):

W32/Bagle.N-mm (8)
W32/Bagle.P-mm (9)
W32/Bagle.Q-mm (4)
W32/Bagle.R-mm (2)
W32/Bagle.S-mm (2)
W32/Bagle.T-mm (3)
W32/Bagle.U-mm (9)
W32/Lovgate.Q-mm (3)
W32/Lovgate.U-mm (2)
W32/Mywife.A-mm (2)
W32/Nachi.C (3)
W32/Netsky.K-mm (3)
W32/Netsky.L-mm (2)
W32/Netsky.M-mm (6)
W32/Netsky.N-mm (4)
W32/Netsky.O-mm (4)
W32/Netsky.P-mm (9)
W32/Netsky.Q-mm (6)
W32/Netsky.T-mm (2)
W32/Sober.D-mm (5)

The following viruses went from the supplemental list to the main list (supplemental listing date; number of reports in parentheses):

W32/Bagle.D-mm (2/04; 3)
W32/Bagle.G-mm (2/04; 5)
W32/Bagle.H-mm (2/04; 6)
W32/Bagle.I-mm (2/04; 4)
W32/Bagle.J-mm (2/04; 8)
W32/Doomjuice.B (2/04; 3)
W32/Mydoom.H-mm (2/04; 4)
W32/Netsky.E-mm (2/04; 2)
W32/Netsky.F-mm (2/04; 4)
W32/Netsky.H-mm (2/04; 2)
W32/Netsky.J-mm (2/04; 5)
W32/Raleka (2/04; 2)

The following viruses debuted on the supplemental list:

VBS/Terrosist
W32/Annil-mm
W32/Cone.C-mm
W32/Delder
W32/Lovgate.P-mm
W32/Lovgate.R-mm
W32/Lovgate.S-mm
W32/Lovgate.X-mm
W32/Netsky.I-mm
W32/Netsky.S-mm
W32/Opaserv.AI
W32/Oror.V-mm
W32/Pesin.A
W32/Philis
W32/Protoride.E
W32/Protoride.G
W32/Protoride.H
W32/Reur.L
W32/Sober.E-mm
W32/Sober.F-mm
W97M/Ethan.EK
W97M/Marker.DJ
X97M/Barisada.AA
X97M/Kbase
X97M/Morx
X97M/VCX.C

The following viruses reappeared on the supplemental list after falling off:

W32/Cabanas.B (Last listed March 2003 as W32/Cabanas.E; First listed January 2001)
W97M/Bleck (Last listed June 2003; First listed January 2003)
X97M/Laroux.AI (Last listed as XM.Laroux.AI; First listed December 1997)

The following virus fell from the main list to the supplemental list:

W32/Choke.A

Posted: Apr 28 2004, 02:09 PM by trafton | with 4 comment(s)

A Few Quick Words on "Outbreak Warnings"

Follow-Up: The Why, How, and When

I should explain the “outbreak notification” warning for Bagle.AA. This is mainly there because I want to post additional news, but Bagle.AA is so news-worthy it should remain somewhat prominent so people browsing this page would see it. Thus, the idea for the outbreak warning was developed.

An outbreak warning is basically little more than a notification on the screen added when the following conditions are met:

- The worm in question is spreading quickly and is at least Medium-High at one location with strict ratings.
- Most antivirus companies at least rate the virus Medium.
- Spread potential is quite high (mass-mailers mostly.)
- Detection for this worm was instituted in response to the sudden outbreak, as opposed to just starting to spread after a week or so.

Exceptions will be made to the last two rules if necessary.

For worms that constitute a Medium-High risk, the warning period is between 24 and 48 hours; a High risk worm would be 48 to 72 hours and until it is downgraded to Medium, while a High-Outbreak worm would be until it is downgraded to Medium or at least a week has passed.

The company ratings I look at most are McAfee's and Symantec's, as they tend to put the most stock into their risk ratings. Symantec rates on a 1-5 scale, 1 being equivalent to McAfee's Low, 2 to their Low-Profiled, 3 to their Medium, 4 to their High, and 5 to their High-Outbreak (Symantec has never rated a worm at that level). Typically, Medium-on-Watch worms at McAfee are either 3's or 4's.

Bagle.AA will probably be downgraded in 24 hours or so unless more companies upgrade it to High risk.

NetSky.AB Goes Medium

Follow-Up: NetSky.AB Goes Medium Most Places

W32/NetSky.AB-mm has been upgraded to Medium by both Symantec and McAfee, making it more or less Medium by standard. This follows Trend Micro's earlier upgrade.

Posted: Apr 28 2004, 11:32 AM by trafton | with 5 comment(s)

Localized Outbreaks of NetSky.AB

BREAKING NEWS: Trend Micro Upgrades Latest NetSky Variant to Medium

An extremely busy day today as Trend Micro has upgraded W32/NetSky.AB-mm (there listed as WORM_NETSKY.AB) to a Medium risk following reports of localized outbreaks in Korea, Taiwan, Japan, and France. More information can be found here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AB

EDIT AS OF 10:30 AM PST APRIL 28TH, 2004: F-Secure has just upgraded this worm to MEDIUM (radar level 2).

ISC: New Phatbot Variant Exploits Recent Vulnerability

BREAKING NEWS: Internet Storm Center Announces Troubling New Phatbot Variant

The Internet Storm Center has announced the discovery of yet another variant of the “Phatbot” family of worms. This variant appears to exploit a recent vulnerability. This would be the first worm to do so. From the diary of handler Tom Liston:

=====BEGIN QUOTE=====
PhatBot exploiting LSASS?
The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (LSASS: Local Security Authority Subsystem Service) vulnerabilities patched under MS04-011. Reference these old diary entries:

http://isc.sans.org/diary.php?date=2004-04-26
http://isc.sans.org/diary.php?date=2004-04-25

We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS".

We are currently investigating the code, and will update the diary as new information becomes available.

Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's.
The bot appears to inherit all other functions usually associated with 'phatbot'.
=====END QUOTE=====

It is unknown at this time whether the worm is spreading much, but this could become a Medium-risk event if the worm is seeded well enough.

Bagle.AA Pre-Outbreak Warning

BREAKING NEWS: Bagle.AA is Approaching Outbreak Levels

W32/Bagle.AA-mm has been assigned a Medium-on-Watch risk by McAfee, meaning a HIGH risk assessment is a possibility. Users should update their antivirus software as soon as detection is available. A pandemic (high risk from most vendors) is not immediately likely, as Bagle.AA is only narrowly an outbreak at this time.

More info is available here and a description can be found here.

The Daily Update - Monday, April 26th, 2004

BREAKING NEWS: Bagle “Z“ Wants to Be Your Friend; Spreads Rapidly

W32/Bagle.Z-mm (or “W“) has been found spreading quickly throughout the field. Most antivirus companies rank this as a Medium threat.

The worm spreads using email messages that read like requests for pen pals from people whose English isn't that great. An example email is titled “Re: Msg reply“ and reads “I very much love productive leisure, to prepare for new exotic dishes, at leisure to leave with friends on the nature, to float, I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going. Read the attach. Have a good day, Christie.“

Other emails are similarly humorous. Full information can be found here.

“E“ Variant of BugBear Appears Quietly Today

W32/BugBear.E-mm, which is unrelated to W32/BugBear.C-mm (accidentally named .E by a few antivirus companies), has appeared quietly. It is not believed to be in the Wild, although it does have some interesting features. First, the zero day exploit used in .C has been removed from .E. Next, it logs actions such as words typed, clipboard entries, cookies, and text from open windows and sends it to the writer, who is believed to be in Malaysia. More information about the latest variant can be found here.

CIH Activation Today; More for Nostalgia than Anything

It's been five years since the W95/CIH, or Chernobyl, virus first activated. The virus, which became a pandemic, especially in Asia, where it infected poorly protected, pirated software, has destroyed progressively fewer machines each year since its first payload, which was a major media event. Most experts agree that 2001 was the last time the W95/CIH activation caused any significant damage (the virus itself has nothing to do with the nuclear disaster; it just activates on the same date). However, the BIOS-flashing payload, which damaged some older motherboards, is still a risk to some users. Infections are still somewhat common in Asian countries, and outbreaks of W95/CIH via pirated software are an occasional event.

Chen Ing-Hau (whose initials lend the virus its name) was detained by Taiwanese authorities in 2000 after legal obstacles had earlier prevented his arrest. Sophos reflects on this and other parts of the history of W95/CIH here.

NetSky.X Sends Messages in Turkish

Correction: NetSky.X's Tropical Typo

There is a minor correction to be made about the previous coverage of W32/NetSky.X-mm. This worm does NOT compose messages in the language of the Turks and Caicos. It composes messages in Turkish and sends them to addresses in the Turks and Caicos. This is a logic error on the part of the worm author: the Turks and Caicos Islands have the domain suffix .tc, while Turkey has .tr. The author intended .tr, so that the worm would mail Turkish messages to Turkish addresses, but made a typo, so these messages will only be sent to the Turks and Caicos. This should have been more apparent considering that the lone official language of the Turks and Caicos is English.

Thanks to F-Secure for the information. Sorry for the error.

Posted: Apr 25 2004, 11:23 AM by trafton | with 5 comment(s)

The Daily Update - Sunday, April 25th, 2004

“Osama Capture“ Trojan Horse More Widespread Than Thought

A number of field reports have been received about an email with the subject “Osama bin Laden Captured“ that uses a recent vulnerability to drop a Trojan Horse onto infected computers. This was previously mentioned in a recent news post. The email message, it is important to note, does not spread on its own. It is believed that the Trojan Horse was mass-spammed to millions of addresses worldwide. Users who reported receiving emails usually received “several“ copies, with few reporting just one copy. Although this threat is still a low risk, it is out there, so be vigilant.

US Defends “Cybercrime Treaty“

The Register reports that the United States government is currently on the defensive in respect to the “Convention on Cybercrime,“ introduced by the Council of Europe. The measure, which the Senate has not ratified, seeks to globally outlaw computer intrusion (“hacking,“) child pornography, commercial copyright infringement, and online fraud.

Some civil libertarians are worried about the scope of the treaty, which could allow countries with corrupt governments to make use of American surveillance power. Betty Shave, who heads the Department of Justice's international computer crime division, admits that the measure contains no dual-criminality requirement. “There is no requirement that the act that is being investigated be a crime both in the nation that is asking for assistance and the nation that is providing assistance,” says Barry Steinhardt of the left-leaning civil rights group the American Civil Liberties Union (ACLU).

Although 34 European nations in addition to Canada, Japan, South Africa, and the U.S. have signed on to the treaty, only five have ratified it: Albania, Croatia, Estonia, Hungary, and Lithuania.

This Week's Top Viruses

Here are the counts of the most common viruses in my inbox this week:

W32.Swen.A-mm (22)
W32.NetSky.B-mm (14)
W32.NetSky.S-mm (6)
W32.NetSky.P-mm (5)
W32.Klez.H-mm (5)
W32.MyDoom.F-mm (4)
W32.NetSky.D-mm (4)
W32.NetSky.Q-mm (4)
W32.Parite.B (3)
W32.Dumaru.Z-mm (2)
W32.MyDoom.A (2)
W32.Bagle.J-mm (2)
W32.HLLP.Hantaner.A (1)
W32.HLLW.Upering.A-mm (1)
W32.Parite.A (1)
W32.SirCam.A-mm (1)
W95.Hybris.B-mm (1)

Google's Fall From Grace

Commentary: The Google Situation

Due to a lack of news today, there probably will not be any Daily Update unless a few more news stories are released that are worthy of inclusion. Because of this slow day, I decided that I might as well comment on a situation that has interested me as of late. Please note that this is an opinion, and any views here do not reflect those of Microsoft, the MVP program as a whole, etcetera, etcetera.

For those of you who do not know, Google has recently experienced a fall from grace of sorts. The previously near-spotless reputation of the company has lately been marred by security concerns about an unreleased service, GMail (short for “Google Mail”). GMail, which has no official release date and probably won't be hurried along anytime soon, has turned Google into, in the words of BroadbandReports, “this month's whipping boy.” And it's true enough. The beloved search company has made some questionable announcements about security. After the initial raving about its one gigabyte (!!!) storage capacity and speculation that it was an April Fools joke (the information was released on April 1st, perhaps a successful marketing strategy for generating buzz), it became clear that the big news would be the security problems. Less than a week ago, a Democratic member of the California state senate introduced a bill to block GMail.

The primary concern lately has been GMail's security. For advertising purposes, Google announced that GMail (currently being beta-tested) would mechanically read the user's message and then append a short text ad to the bottom based on the contents of the message. An email forward about caring for puppies, for instance, might have an ad for Petco at the bottom. At first glance, this isn't a major problem to many people. However, privacy advocates quickly came out saying there is little difference between a machine and person reading it. The organizations argue that they are both a breach of privacy. And, frankly, they probably are.

I am not going to argue that it is impossible to be safe on the Internet, even though it is indeed impossible to be completely safe (short of turning off the Internet or the computer). The best Joe Enduser can do is run an updated firewall and an updated antivirus program and not do anything really stupid. The perception of Internet security as something achievable is false: every system has a hole, whether or not it has been uncovered yet. These are established facts, but they in no way justify installing backdoor servers on your machine because a compromise will “inevitably happen anyway.” The sad fact is, most users who don't have firewalls will never be hacked. If you never open email attachments and keep Windows patched, there is a good chance that you will never find the need for an antivirus program. But many machines do get infected, and many do get hacked. It is not inevitable, although it is becoming more common; neither is one's house burning down, but that is no reason not to have a fire alarm.

By this logic, GMail is guilty of unnecessary privacy invasion, but most email providers are guilty of it, too. Services with junk mail folders have to read received emails to determine whether they are spam. This can be turned off, but most people do not turn it off. Although I obviously don't have real statistics on this, I'd assume 95 per cent of cases in which junk mail filtering is disabled are because legitimate mail was marked as spam. Email is simply not a secure method of transferring information. GMail makes it less secure still, but webmail is not the venue for transmitting anything that would cause criminal or legal problems if it leaked.

The question is really one of subjectivity and preference. Considering what sort of emails you are receiving (and sending to a lesser extent,) would you be willing to risk a small chance of total data leakage in exchange for one gigabyte of storage space? And will those sending you email want to risk it? With twenty-two pieces of spyware installed on the average user's computer, it will be a long time before GMail is the biggest threat out there, but it still does show a mainstream movement toward less security. Google will recover, but will never have a spotless reputation again in the minds of some. A few years from now, though, it is doubtful that many will even remember the uproar over the service. Only time will tell.

Links: For
“The Fuss About Gmail and Privacy: Nine Reasons Why It's Bogus” - Tim O'Reilly. A well-done article, although the title is somewhat misleading. It is more about the benefits of GMail as a whole, although plenty of security topics are included.

Links: Against
“Gmail Privacy Alert” - GoogleWatch. Although this site brings to mind those old “NETWORK SOLUTIONS IS A BAD COMPANY” pop-up ads with its irrelevant pictures, it still highlights some disturbing aspects of GMail.

Links: News Coverage
“Google's 'Gmail' Under Fire” - CNN. Excellent CNN coverage of the outcries from organizations against GMail.

Links: Other
“E-Mail Ads Can Read Between the Lines” - Curt “Digital Slob” Brandao/Honolulu Star-Bulletin. A funny look at some of the more interesting possibilities of what Google's context-based ads could render.

Posted: Apr 23 2004, 01:11 PM by trafton | with 3 comment(s)

Osama bin Laden Capture Virus Spam

“Psyme“ Variant Spammed in Form of Osama Capture Information

Panda Software reports that a new variant of VBS/Psyme is currently spreading. The latest nefarious pathogen comes in the form of an email with the subject “Osama Bin Laden Captured”. The message goes like this:

Hey, Just got this from CNN, Osama Bin Laden has been captured! Goto the link below to view the pics and to download the video if you so wish: (DANGEROUS ADDRESS REMOVED) “Murderous coward he is”. God bless America!

The message may also claim to come from the BBC. Either way, when the victim-to-be clicks on the link, a variant of VBS/Psyme, VBS/Psyme.C, is downloaded. The VBS/Psyme family writes files to the local disk by abusing the ADODB.Stream object.

One must suspect that Panda is slightly hyping this; one would be right. These sort of spammings are not rare, but if indications are true, the spam is a tad wider than average. Users should be cautious and not click on suspicious links such as these.

Improved Site Categories

A quick note: You'll notice now that security and virus alerts are sorted by urgency. This should allow easier access to this information sorted by risk. Note that every category includes higher risks, so “Security (Medium)” will also include risks in “Security (Urgent)” and “Security (Very Urgent)”. How does the scale work? Low is a notable inclusion that really isn't that viable in the field. Medium falls between Low and Urgent: an exploit/virus likely to be seen in the field soon, but not yet. Urgent is either fast spread or a potentially very dangerous exploit/virus that could spread quickly. Very Urgent is a very dangerous exploit/virus that is spreading. For instance, this VBS/Psyme variant is Low, while the notification to patch because exploits for the April patches were found in the wild was Urgent, and a new NetSky variant found in the field but getting mostly Low (but a few Medium) risk ratings was rated as Medium.

The Daily Update - Thursday, April 22nd, 2004

Britons to British Government: “We Want ID Cards, But You'll Mess Them Up“

The Register reports that the British want ID cards, but believe even more strongly that there's a snowball's chance in a warm locale that the government will be able to maintain the high-tech gizmos properly.

According to the IT consultancy Detica, 80 per cent of Britons interviewed say that they would be either moderately or strongly in favor of the identification cards, with only 11 per cent moderately or strongly against. Civil liberties were not a major concern of those interviewed. The biggest issue, in fact, is the public's distrust of the British government's ability to handle the cards. Sixty per cent of those interviewed don't believe the government could make a smooth rollout; 41 per cent of respondents just don't trust the government with the technology.

Despite all of this, most experts agree that the public is misinformed about the benefits of ID cards. A spokesperson for Detica agreed that the results were somewhat disappointing, noting that the belief that the cards will stop illegal immigration in its tracks is largely a myth.

And, of course, the perennial result of any survey involving anything costing more than $50: just shy of half of those surveyed think the ID cards should be absolutely free.

“Mercurycas“ Trojan Horse Reported in the Field

Symantec has posted a write-up on their site for Trojan.Mercurycas, and reports that it is moderately in the Wild. As this is a Trojan Horse, and thus does not spread itself, email mass-spammings were probably the source of the infections.

The Trojan Horse, which serves as a spamming proxy on infected machines, connects to www.mercuryloungecasino.com (hence its name) to upload a file. At the time of this writing, this site was unavailable. However, a quick bit of detective work reveals that a Mr. Jeroen Puttemans of Perk, Belgium operates the site, as well as sister site TurnKeyCasino.com, which also appears to be down. Additionally, the Trojan Horse contacts an IP address that resolves to a Mexican AOL service. The connection is for backdoor purposes and is on port 25.

“Blaster“ Variant Spotted in the Wild

W32/Blaster.T (aka .F, .G, .I, and .L at various companies) has been spotted in the field by Symantec. The company reports that only 3-9 sites have been infected, which is a fairly trivial number. However, various companies are reporting higher figures. The extent to which W32/Blaster.T is spreading is unknown, but it is out there. As it only uses the old W32/Blaster vulnerability (the RPC DCOM hole patched in MS03-026), users are strongly urged to run Windows Update and get current with their patches. Most unpatched systems will probably end up experiencing infection every few minutes and constant reboots (cancel a pending reboot by going to the Start menu, then Run, and typing “shutdown -a“ without the quotes).

New “MyDoom“ Borrows from BugBear, But Seems Bust

W32/MyDoom.J-mm is yet another variant of the W32/MyDoom.A-mm worm, which appeared earlier this year and became the fastest-spreading email worm in history. The only other variant of the original to be very successful, W32/MyDoom.F-mm, was at most a medium-risk occurrence. The latest version, W32/MyDoom.J-mm, isn't even in the Wild. The only thing notable about it, in fact, is that it borrows a good degree of code from W32/BugBear-mm. Otherwise, it is the same old stuff to be expected, with similar message bodies to the original, W32/MyDoom.A-mm.

Posted: Apr 22 2004, 07:40 AM by trafton | with 4 comment(s)