Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

November 2004 - Posts

Happy Thanksgiving!

I just wanted to wish the Americans out there reading this a happy Thanksgiving season, and happy holidays in general to everyone.

Thanksgiving planning will occupy the rest of my day, so there won't be any new posts until tomorrow, or maybe late tonight, unless there is urgent breaking news.

Yanz.B Low-Profiled at McAfee

Yesterday, I covered the .A version of a worm dedicated to Asian singer Stefani Sun. Now, McAfee has elevated the .B variant to a Low-Profiled risk rating due to media coverage. Further information about this worm (which is not currently spreading at any significant rate) can be found here:

http://forums.mcafeehelp.com/viewtopic.php?t=35959

You'll have to pardon my rather brief and dry writing today. The hectic holidays are upon me and things are starting to get a little crazy here at the house... :)

Posted: Nov 24 2004, 03:42 PM by trafton | with 2 comment(s)
Anzae Worm Family Low-Profiled at McAfee

Anzae, a family of four mass-mailing worms that spread using Spanish message bodies, has been assigned a low-profiled risk rating by antivirus company McAfee after media attention. Further coverage can be found here:

http://forums.mcafeehelp.com/viewtopic.php?t=35960

Posted: Nov 24 2004, 03:33 PM by trafton | with 8 comment(s)
Sober.I/J Upgraded to High by Secunia

Secunia, which compiles virus descriptions from various vendors and assigns them an overall average risk, elevated the Sober.I worm (also known as Sober.J) to high risk at 11:37 PM last night. The upgrade comes after Panda Antivirus assigned a 4/4 risk. Other ratings currently listed are F-Secure (2/3), Network Associates (4/7), Symantec (3/5), Trend Micro (2/3), Computer Associates (3/5), and Sophos (5/5). The good news is that this is mainly a “housekeeping” upgrade: different antivirus companies use different rating scales, so a 4/7 at Network Associates is more or less equivalent to a 4/4 at Computer Associates. At this time, I still consider Sober.I a moderate threat, although it certainly is out there.

For now, until I receive information that spread is rising, I have removed the outbreak notification at the top of the page. The Secunia page can be found here.

Posted: Nov 24 2004, 03:28 PM by trafton | with 2 comment(s)
"Yanz" Worm Gets Media Attention in Asia

If there's a good way to get the news media's attention in virus writing, it's to base your virus on anything to do with pop culture.

According to antivirus company F-Secure, a mass-mailing worm by the name of Yanz is getting some media attention in Asia because the emails it sends refer to Asian singer Stefani Sun (Yanzi). The worm mails itself with subject headers like “Forevere Sun Yanzi” [sic] and “Sun-YanZi Mp3”. Attachment file names follow a similar pattern, and include LOVE_SUN.SCR and SUN_YANZI_MP3.ZIP.

Yanz is a moderately complicated worm. It searches files on the user's hard drive for email addresses to send itself to, but skips addresses belonging to a range of antivirus companies, plus those of Microsoft and, oddly, Google. It can also spread over P2P programs by copying itself into any folder whose name contains the string “shar”, which catches the “shared” folders most file-sharing clients use.

As with many worms that get media attention, it is likely that Yanz is simply a case of overhyping. No antivirus company is noting any reports from the field, and many have not even bothered to produce a write-up. However, as worms like AnnaK demonstrate, celebrity does sell, even when it comes to worms. Any spread of the Yanz worm is likely to be centered around Asia, although because it sends itself in English and takes its email addresses from cached web pages (which are more likely to contain international addresses than the infected user's address book), there is a possibility of some spread to other countries.

For now though, and probably forever, Yanz.A remains a low risk threat. Future variants could, however, be worth very close watching.

“Yanz” Worm Descriptions
F-Secure (not complete at time of writing)
Panda Software

Posted: Nov 21 2004, 09:20 PM by trafton | with 1 comment(s)
Coverage of Sober.I/J Worm

Breaking News: Latest Sober Variant Continues Worldwide Spread

A new variant of the Sober worm family appeared on Friday. This latest version is known as Sober.I by all vendors except for McAfee, which calls it Sober.J. For the purposes here, the worm will be referred to as Sober.I to conform to naming standards.

Like all versions of the Sober family, Sober.I is a mass-mailing worm that varies the email messages it sends (the sense in which the family is usually called polymorphic). However, unlike recent worms such as Netsky, Mydoom, and Bagle, Sober.I's variation is limited. It contains only 13 possible subjects, 3 possible email bodies, and 2 possible attachment names with 5 possible attachment extensions (.exe, .com, .bat, etc.), which gives at most 390 distinct combinations and makes the messages easy to filter on.
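The one thing Sober.I and Yanz (covered in the post below) have in common is the delivery mechanism: an executable attachment, sent bare with a rotating extension (Sober.I) or wrapped in a ZIP such as SUN_YANZI_MP3.ZIP (Yanz). The following is an added example of a mail-gateway check for exactly that, not code from this post or from any antivirus vendor. It parses a MIME message, looks at the final extension of every attachment (so a double extension like report.txt.scr is still caught), opens ZIP attachments in memory and inspects their members. The extension list, the hypothetical function names and the sample message it builds are constructed for the example; the file names in the sample merely echo the ones reported for Yanz.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows runs on double-click. Assumed list for this example;
# Sober.I rotates through several of these and Yanz uses .SCR directly.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta",
}


def final_extension(filename: str) -> str:
    """Return the last extension of a file name, lower-cased.

    'report.txt.scr' -> 'scr'; a name without a dot returns ''.
    Path separators are stripped first so ZIP member paths work too.
    """
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def is_executable_name(filename: str) -> bool:
    return final_extension(filename) in EXECUTABLE_EXTENSIONS


def zip_members(data: bytes) -> list:
    """List the file members of a ZIP archive held in memory.

    A corrupt or non-ZIP payload yields an empty list instead of raising,
    so a malformed attachment cannot take the gateway down.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return []


def suspicious_attachments(raw_message: bytes) -> list:
    """Return (attachment name, reason) pairs for executable payloads.

    ZIP attachments are opened in memory and their members checked, so a
    ZIP hiding 'x.scr' is reported as 'archive.zip -> x.scr'. A payload
    that starts with the ZIP magic is treated as a ZIP whatever its name.
    """
    msg = email.message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            findings.append((name, "executable attachment"))
        elif final_extension(name) == "zip" or payload.startswith(b"PK\x03\x04"):
            for member in zip_members(payload):
                if is_executable_name(member):
                    findings.append((f"{name} -> {member}", "executable inside ZIP"))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample mass-mailer-style message (constructed test data).

    One ZIP attachment hiding a screensaver executable next to a harmless
    text file, and one bare .SCR attachment. The bytes are dummies.
    """
    msg = EmailMessage()
    msg["Subject"] = "Sun-YanZi Mp3"
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.org"
    msg.set_content("Here is the song you wanted.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SUN_YANZI_MP3.scr", b"MZ dummy bytes")
        zf.writestr("readme.txt", b"not an mp3")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="SUN_YANZI_MP3.ZIP")
    msg.add_attachment(b"MZ dummy bytes", maintype="application",
                       subtype="octet-stream", filename="LOVE_SUN.SCR")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in suspicious_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Run against the constructed message it reports both the .scr inside the ZIP and the bare LOVE_SUN.SCR, and ignores readme.txt. Blocking on the final extension rather than on the worm's particular subjects is the point: the 13 subjects change with every variant, the handful of executable extensions do not.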

When the infected file is opened, the worm displays a fake WinZip error message (screenshot courtesy of McAfee):

Most major antivirus companies have released descriptions. Courtesy of Harry Waldron from the McAfeeHelp.com Forums:

http://secunia.com/virus_information/13463/win32.sober.i/
http://vil.nai.com/vil/content/v_130130.htm
http://www.sarc.com/avcenter/venc/data/w32.sober.i@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.I
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40797
http://www.f-secure.com/v-descs/sober_i.shtml
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=54761&sind=0

Symptoms of infection include connections to web servers of mostly German origin. The Sober family is believed to have been written in Germany. Sober.I initially appeared in France, Germany, and Australia, but has since spread worldwide.

I'll continue following the spread of this worm in the unlikely event of a major further development.

"Skulls" Trojan Hits SymbianOS Users

Antivirus companies have been reporting small numbers of users who have had their mobile phones running the Symbian operating system hit by the "Skulls" Trojan.

Skulls is a destructive Trojan horse that replaces every program icon with a picture of a skull. Once that has happened, none of the phone's applications will work any more; the phone can only place and receive calls. An infected phone looks like this (image courtesy of F-Secure):

Skulls is distributed in a file named "Extended theme.SIS" for the Nokia 7610 smartphone, written by "Tee-222". If you see this file, do not download it. If you have already installed Skulls, do not reboot your phone.

Skulls does NOT spread by itself and requires the user to manually download it. As always, any download - even to mobile phones - should only come from a reliable web site and should be researched first.

More information can be found on the F-Secure web site here.

Posted: Nov 20 2004, 05:30 PM by trafton | with 1 comment(s)