A man is not idle because he is absorbed in thought.
There is visible labour and there is invisible labour.
Victor Hugo (1802-1885); French novelist.
- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, March 7, 2004 - This week has been a particularly prolific week for
viruses and intrusions. This is the result of a cyber war declared among
several unscrupulous virus authors, who have even used the code of their
creations to exchange insults.
We are going to start this report with 9 variants (C, D, E, F, G, H, I, J
and K) of the Bagle worm which have emerged over the last few days. All of
these variants are very similar to the original worm; the only differences
being the size of the file carrying the virus or the date on which they are
programmed to automatically run.
The new Bagle variants spread effectively through P2P file sharing programs
and via e-mail in messages with extremely variable characteristics.
Similarly, they open a backdoor through TCP port 2745.
However, it is important to highlight that some of these new Bagle variants
can reach computers in a password-protected ZIP file. As these files are
encrypted, antivirus programs cannot scan their content to check if they
contain malware before they are decompressed, which could give users a false
sense of security. In order to resolve this, Panda Software has incorporated
a specific detection routine for these types of files in its antivirus
protection, and therefore, its clients are protected.
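One defender-side check for the problem just described, added here as an example and not Panda Software's own detection routine: a mail gateway can parse a ZIP attachment's central directory and hold any archive whose entries carry the encryption bit, since the scanner cannot inspect the contents of those entries. The sample archive is constructed inline, and build_sample, zip_entries and encrypted_names are names chosen for this example.

```python
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
ENCRYPTED = 0x0001        # general purpose bit 0: entry data is encrypted

def central_directory(data: bytes):
    """Return (offset, entry_count) from the EOCD record, or (0, 0) if absent."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return 0, 0
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    return cd_offset, total

def zip_entries(data: bytes):
    """Yield (name, encrypted) for each entry listed in the central directory."""
    off, count = central_directory(data)
    for _ in range(count):
        if data[off:off + 4] != CD_SIG:
            return  # truncated or corrupt archive: stop, caller sees fewer entries
        hdr = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, off)
        flags, nlen, xlen, clen = hdr[3], hdr[10], hdr[11], hdr[12]
        name = data[off + 46:off + 46 + nlen].decode("utf-8", "replace")
        yield name, bool(flags & ENCRYPTED)
        off += 46 + nlen + xlen + clen  # fixed header + name + extra + comment

def encrypted_names(data: bytes):
    """Names of entries whose contents a content scanner cannot inspect."""
    return [name for name, enc in zip_entries(data) if enc]

def build_sample(encrypted: bool) -> bytes:
    """Constructed, harmless sample attachment. zipfile cannot write password-
    protected archives, so the encrypted case sets bit 0 in each central
    directory header, which is the flag a real password-protected ZIP carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample, not real malware\n")
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if encrypted:
        off, count = central_directory(data)
        for _ in range(count):
            flags = struct.unpack_from("<H", data, off + 8)[0]
            struct.pack_into("<H", data, off + 8, flags | ENCRYPTED)
            nlen, xlen, clen = struct.unpack_from("<HHH", data, off + 28)
            off += 46 + nlen + xlen + clen
    return bytes(data)
```

A gateway policy built on this would quarantine any attachment for which encrypted_names returns a non-empty list, regardless of what the scanner reports for the rest of the message.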
Another family of worms that has wreaked havoc this week is Netsky, whose
variants D, E, F and G have been detected this week. In fact, Netsky.D is
the malicious code that has caused the most incidents worldwide this week
and over the last few days, it has held on to pole position in the ranking
of the viruses most frequently detected by Panda ActiveScan.
All of these worms are very similar; the main differences being the date on
which they are designed to emit a strange sound through the internal speakers
of affected computers and the format in which they are packed.
These worms have the capacity to spread extremely rapidly via e-mail in
messages with variable characteristics. They also spread very effectively by
opening several execution threads in order to send themselves out. Netsky.D,
for example, can open up to eight different processes.
The third contender in this cyber war is the Mydoom family, whose variants G
and H have also been detected by PandaLabs this week. These two variants are
very similar, as they both spread by sending themselves out via e-mail and
have been programmed to launch a denial of service attack against the
website of an antivirus manufacturer.
We are going to finish this report with Nachi.E, a new variant of a worm
that can spread directly via the Internet and exploits known
vulnerabilities, such as the Buffer Overrun in RPC Interface, WebDAV and
Workstation Service Buffer Overrun.
Nachi.E is also capable of uninstalling the worms Mydoom.A, Mydoom.B,
Doomjuice.A and Doomjuice.B, by ending their processes and deleting their
files.
For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- Vulnerability: Flaws or security holes in a program or IT system, often
used by viruses as a means of infection.
- Encryption / Self-encryption: This is a technique used by some viruses to
disguise themselves and therefore avoid detection by antivirus applications.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
Posted on Sunday, 07 March 2004 @ 13:23:07 EST by phoenix22