When we thought that we had all the answers,
suddenly all the questions changed.
Mario Benedetti (1920); Uruguayan writer.
- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, March 28, 2004 - The report for the last week of the month will
focus on five worms (Mywife.A, Snapper.A, Cone.E, Netsky.P and Witty.A) and
a hacking tool called Starr.A.
Mywife.A is a worm that spreads via e-mail in a message with variable
characteristics. It deletes the entries related to various antivirus and
security applications from the Windows Registry, and as a result, these
programs will not automatically run when Windows starts up. This means that
computers infected by Mywife.A will be unprotected against attacks from
other malware.
Snapper.A is a worm that spreads via e-mail. It is run automatically when
the message carrying the worm is viewed through the Preview Pane in Outlook.
It does this by exploiting the Exploit/Iframe vulnerability, which affects
versions 5.01 and 5.5 of Internet Explorer and allows files attached to
e-mail messages to run automatically.
Through this exploit the Snapper.A worm downloads the file banner.htm which,
in turn, will download a file with a CGI extension that exploits another
vulnerability called Object Data Remote Execution to run Visual Basic Script
code. When this code is run, a DLL is created in the Windows directory.
Cone.E is a worm that spreads via e-mail in a message with variable
characteristics, and through P2P (peer to peer) file sharing programs.
Cone.E is easy to recognize when it is run, as it displays several messages
on screen. It also launches Denial of Service (DoS) attacks against the
website of the Official News Agency of Iran and is programmed to reply to
the messages in the Inbox on the infected computer.
The next worm in today's report is Netsky.P which, like the aforementioned
malicious code, spreads via e-mail in a message with variable
characteristics, and through P2P (peer to peer) file sharing programs. It
also exploits the same vulnerability as Snapper.A, Exploit/Iframe, to run
automatically.
Netsky.P carries out several actions on the computers it infects, such as
deleting the entries that belong to several worms (including Mydoom.A,
Mydoom.B, Mimail.T and several variants of Bagle), creating files in the
Windows directory and deleting entries from the Registry.
The last of today's worms is Witty.A, which spreads through the Internet by
exploiting a vulnerability in certain versions of BlackIce's ICQ parser.
This worm sends its malicious code to random ports of random IP addresses
and if it reaches a vulnerable computer, it is run and the worm carries out
its actions, such as overwriting random sectors of the hard drive, which
could lead to information loss and eventual system failures.
We are going to finish today's report with Starr.A. This hacking tool allows
Internet and system activities to be monitored; for example, it allows
keystrokes to be logged. It also incorporates a protection system at
kernel-level, which makes it difficult to detect. Starr.A is not dangerous
but it could be used for malicious purposes.
For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- Exploit: This can be a technique or a program that takes advantage of a
vulnerability or security hole in a certain communication protocol,
operating system, or other IT utility or application.
- Preview Pane: A feature in e-mail programs that allows the content of the
message to be viewed without having to open the e-mail.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
Posted on Monday, 29 March 2004 @ 10:13:56 EST by phoenix22