November 2005 - Posts
It's not often we get prior warning of worms spreading. But yesterday, German officials warned that we would see a new Sober variant using the attachment names “Word Text.zip” or “registration.zip” and, sure enough, we have Sober.V. Unfortunately, on the same day, we also have Sober.S, Sober.T, and a fairly minor variant, Sober.U. Although none are spreading extremely rapidly, several have been reported in the United States, Germany, and other countries.
An article from About.com is available here. Amusingly, as the article points out, antivirus vendor Trend Micro published a description for the worm (as WORM_SOBER.AD) before it was released - and declared it in the wild! Impressive forethought, indeed.
Users should be careful with any executables or files that can contain executables (like .zips), of course. Conventional common sense is the key to avoiding infection with worms like Sober. Filenames associated with these threats are reg_text.zip (Sober.S), excel_table.zip (Sober.T), tabelle.zip (Sober.T), registration.zip (Sober.V), and Word-Text.zip (Sober.V).
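As an added example (not from the original post), here is a defender-side check in Python that applies the advice above: it flags mail attachments whose names match the Sober attachment names listed here, and opens .zip attachments to look for executable members, checking for the "MZ" header rather than trusting the extension. The function and constant names, and the sample zips, are my own construction.

```python
import io
import zipfile

# Attachment names the post associates with the Sober variants (lower-cased).
SOBER_ATTACHMENT_NAMES = {
    "reg_text.zip": "Sober.S",
    "excel_table.zip": "Sober.T",
    "tabelle.zip": "Sober.T",
    "registration.zip": "Sober.V",
    "word-text.zip": "Sober.V",
    "word text.zip": "Sober.V",
}

# Extensions Windows will run directly; a zip member with one of these is a red flag.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def inspect_attachment(filename, data):
    """Describe why an attachment (name + raw bytes) looks suspicious."""
    findings = {"known_name": SOBER_ATTACHMENT_NAMES.get(filename.lower()),
                "executable_members": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not a zip: nothing to unpack, name check still applies
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            # Don't trust the extension alone: every Windows PE file starts
            # with the two-byte 'MZ' DOS header, whatever it is called.
            with zf.open(info) as member:
                magic = member.read(2)
            if ext in EXECUTABLE_EXTENSIONS or magic == b"MZ":
                findings["executable_members"].append(name)
    return findings


def is_suspicious(filename, data):
    """True if the name matches a known Sober lure or the zip carries an executable."""
    f = inspect_attachment(filename, data)
    return f["known_name"] is not None or bool(f["executable_members"])


def build_sample_zip(members):
    """Constructed test input: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```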
Trend Micro has reported that they have found a worm in the wild that abuses the recently-discovered MS05-053 vulnerability, according to their analysis here. The vulnerability, published three days ago, was rated as critical. The discovery of a worm in the field this quickly could make for one of the fastest turn-arounds from patch publication to discovery in the wild. But, upon further review, Trend Micro says it is unclear whether the detection is accurate. CNET News's Joris Evers reports:
Trend Micro on Wednesday reported the discovery of a Trojan horse that it said attacked Windows users through an image rendering flaw in Windows, a day after Microsoft provided a fix for the bug. But it isn't so sure anymore.
The Trojan is referred to as "emfsploit.a" by the Tokyo-based antivirus company. Initially the antivirus software maker reported that the malicious code would crash "explorer.exe" on unpatched Windows machines. Explorer runs key parts of the Windows graphical user interface, including the Start menu, taskbar, desktop and file manager.
But late Thursday Trend Micro said its initial analysis of the Trojan might be incorrect.
"We asked another team to start the disassembly process again," said Raimund Genes, chief technologist for Trend Micro in Europe. That means researchers will reinvestigate the Trojan code to see what it does.
The full article is available here, and a brief mention at the Internet Storm Center is available here.
It's been a fairly slow week, but today we see a new Linux worm. Lupper takes advantage of a PHP vulnerability.
The Register has details here, and the Internet Storm Center has technical details here.
Two new viruses worth mentioning today - one a mass-mailer that is spreading, the other an interesting conceptual specimen.
Bagle-Based “Lodear” Appears
A new worm family, Lodear, has appeared. The first variant seems to be spreading somewhat in the wild. Information can be found here. Some antivirus companies consider this a variant of Bagle itself, and the family may be merged under the Bagle name. Lodear is similar to past Bagle variants. The primary symptom of infection is a file called hloader_exe.exe in the System folder.
First KiXTart Virus Appears
A virus infecting .KIX (KiXTart Script File) files has appeared. This is unlikely to affect most people, but it is the first example of such a virus. Information is here. KiXTart is a logon scripting tool whose scripts run at logon on some Windows computers. For more information on KiXTart, see here.