For it is far better to know something about everything
than to know all about one thing. This universality is the best.
Blaise Pascal (1623-1662); French scientist and philosopher.
- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, February 8, 2004 - In this week's report we are going to look at
Mydoom.A, which appeared on January 27 and has continued to spread widely.
Then we will turn to five quite different types of malware: Mimail.T,
Sdbot.MH, Gaobot.DQ, X-Scan.A and Y2K.
Although the number of infections caused by Mydoom.A stabilized at the
beginning of this week, it is still infecting a high percentage of computers.
This worm has caused almost five times more infections than Downloader.L,
the second most frequently detected virus in Panda ActiveScan.
Mydoom.A is the fastest-spreading malicious code in computing history and
has caused the biggest virus epidemic so far. As you know, it spreads via
e-mail, in a message with variable characteristics, and through the P2P
(peer-to-peer) file-sharing program KaZaA. If the date on the affected
computer is between February 1 and February 12, 2004, it launches Distributed
Denial of Service (DDoS) attacks against the website www.sco.com. From
February 12, 2004 onwards, Mydoom.A no longer carries out these actions, even
though the worm code still executes when it activates.
The T variant of Mimail arrives in an e-mail message with variable
characteristics, carrying a password-protected compressed file that contains
the worm's code. Every so often it checks whether an Internet connection is
available by trying to reach the website www.google.com. Furthermore, to keep
its process out of the list shown by the Task Manager, Mimail.T registers
itself as a service process. Note that this trick only hides a process from
the task list on Windows 9x/Me; on NT-based versions such as Windows 2000 and
XP the process remains visible in the Task Manager.
Today's third malicious code is Sdbot.MH. This backdoor stays memory-resident
once it is run and connects to an IRC server, joining a specific channel from
which it receives control commands, such as downloading and running files,
scanning ports, etc.
Gaobot.DQ is a worm that affects computers running Windows 2003/XP/2000/NT.
It spreads by copying itself to the shared network resources it manages to
access, and by exploiting the RPC Locator (MS03-001), RPC DCOM (MS03-026) and
WebDAV (MS03-007) vulnerabilities. A clear sign that Gaobot.DQ is active on a
network is a marked increase in traffic to TCP ports 135 and 445, as the worm
tries to exploit the two RPC vulnerabilities on other machines; the WebDAV
exploit travels over TCP port 80 and is harder to tell apart from normal web
traffic. When it is run, Gaobot.DQ connects to a specific IRC server and waits
for control commands. It also terminates processes belonging to antivirus
programs, firewalls, system monitoring tools and other malicious code such as
Nachi.A and Sobig.F.
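As an added example (not part of Panda's report), the following Python script
turns the indicators from the Sdbot.MH and Gaobot.DQ descriptions above into a
check over firewall log lines: one host hitting many distinct destinations on
TCP ports 135 and 445 within a short window, and the same host holding an
allowed outbound connection to an IRC port. The log format, IP addresses,
thresholds, IRC port list and sample lines are all constructed for this
example and are not taken from the report.

```python
"""Added example: spot the Gaobot/Sdbot traffic pattern in firewall logs.

Indicator 1: one host hits many distinct destinations on TCP 135/445 in a
short window (worm spreading via the RPC Locator / RPC DCOM exploits).
Indicator 2: the same host holds an allowed outbound connection to an IRC
port (the bot's command channel).
WebDAV exploitation targets TCP 80 and cannot be separated from web browsing
at this level, so it is not covered here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPREAD_PORTS = {135, 445}                          # RPC DCOM (135), SMB/RPC Locator (445)
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}   # common IRC ports (assumed list)
WINDOW = timedelta(seconds=60)                     # assumed tuning value
DISTINCT_DST_THRESHOLD = 20                        # assumed tuning value


def parse_line(line):
    """Parse one log line. Assumed format (constructed for this example):
    '<ISO timestamp> <src_ip> <dst_ip> <proto>/<dport> <allow|deny>'"""
    ts, src, dst, proto_port, action = line.split()
    proto, port = proto_port.split("/")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(port), "action": action}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_spreaders(events, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW):
    """Return {src: (window_start, total_distinct_dsts)} for every source that
    touched >= threshold distinct destinations on TCP 135/445 inside `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] in SPREAD_PORTS:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, attempts in per_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until the span fits in `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {dst for _, dst in attempts[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = (attempts[start][0], len({d for _, d in attempts}))
                break
    return hits


def find_irc_clients(events):
    """Return {src: set(dst)} for allowed outbound connections to IRC ports."""
    out = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] in IRC_PORTS and e["action"] == "allow":
            out[e["src"]].add(e["dst"])
    return dict(out)


def classify(events):
    """Combine both indicators into a per-host verdict string."""
    irc = find_irc_clients(events)
    findings = {}
    for src, (since, n) in find_spreaders(events).items():
        verdict = f"worm-like sweep of {n} hosts on TCP 135/445 starting {since.isoformat()}"
        if src in irc:   # scanning plus an IRC session: bot with a command channel
            verdict += "; IRC command connection to " + ", ".join(sorted(irc[src]))
        findings[src] = verdict
    return findings


def build_sample_log():
    """Constructed sample log (not real traffic): one infected host sweeping a
    /24, plus a clean host doing ordinary file-server and web access."""
    base = datetime(2004, 2, 8, 10, 0, 0)
    lines = []
    for i in range(1, 31):            # 30 targets within 30 seconds
        port = 135 if i % 2 else 445
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.1.{i} tcp/{port} deny")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} 10.0.0.5 198.51.100.7 tcp/6667 allow")
    for i in range(3):                # same file server, three times: benign
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.0.9 10.0.2.2 tcp/445 allow")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.0.0.9 203.0.113.10 tcp/80 allow")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for host, verdict in classify(parse_log(SAMPLE_LOG)).items():
        print(host, "->", verdict)
```

The threshold is deliberately on distinct destinations rather than connection
count, so a workstation that talks to one file server all day is not flagged
while a host sweeping a subnet is. Domain controllers and authorised
vulnerability scanners legitimately touch many hosts on 135/445 and should be
put on an allow-list before this check is run against real logs.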
X-Scan.A is a hacking tool that scans computers and networks for
vulnerabilities. If it finds one, it logs all the keystrokes entered during
the session. It gathers information from the affected computer, such as the
operating system type and version, the status of standard ports, Windows
Registry information, SNMP and NetBIOS data, CGI/IIS/RPC vulnerabilities,
SQL/FTP/SMTP/POP3 servers, etc.
We finish this week's report with Y2K, a joke program that displays an
on-screen message pretending to test whether the affected computer is Y2K
compliant. During this fake test it opens and closes the CD-ROM tray, makes
the screen flicker, changes the mouse pointer, etc. Once the so-called test
has finished, Y2K reports that it has found a flaw in the PC speaker and
that, unless the problem is fixed, the user will not be able to start the
computer during the year 2000. Finally, the program announces that it was
only a joke.
For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia
Additional information
- Hacking tool: Program that can be used by a hacker to carry out actions
that cause problems for the user of the affected computer (allowing the
hacker to control the affected computer, steal confidential information,
scan communication ports, etc.).
- POP (Post Office Protocol): A protocol for retrieving e-mail from a mail
server; sending e-mail is handled by SMTP, not POP.
More definitions at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
Posted on Sunday, 08 February 2004 @ 19:10:26 EST by phoenix22