True science teaches, above all, to doubt and to be ignorant.
Miguel de Unamuno (1864-1936); Spanish philosopher and author.
- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, April 4, 2004 - This week's report focuses on five worms that spread
via e-mail (variants R and Q of Netsky, V and U of Bagle, and E of Sober) and
on the Trojan Seeker.O.
The actions carried out by Netsky.R and Netsky.Q include the following:
- They delete the Registry entries belonging to several worms, such as
Mydoom.A, Mydoom.B, Mimail.T and variants of Bagle.
- They try to launch Denial of Service (DoS) attacks against various
websites.
Netsky.Q activates automatically when the message carrying this worm is
viewed through the Preview Pane in Outlook. It does this by exploiting the
Exploit/Iframe vulnerability that affects versions 5.01 and 5.5 of Internet
Explorer and allows attached files to be run automatically. Netsky.Q is
programmed to emit several random tones between 5:00 a.m. and 10:59 a.m.
when the system date is March 30, 2004.
Bagle.V and Bagle.U spread in e-mail messages that are easy to recognize: both
the subject and the message body are blank, and although the attached file has
a variable name, it always has an EXE extension. These variants only run while
the system date is January 1, 2005 or earlier; after that date they stop
functioning.
When the files carrying variants V and U of Bagle are run, they open TCP
port 4751. Through this port, they try to connect to a web page in order to
send out data on the affected computer, so that the virus author can gain
access to it. As well as these common characteristics, these worms also have
the following differences:
- The icon of the attached file that contains Bagle.V is an image of a
syringe, whereas the icon corresponding to Bagle.U is a clock.
- Bagle.U opens the Windows Hearts game, if this application is installed on
the affected computer.
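The message pattern described above (blank subject, blank body, a single EXE attachment) is easy to turn into a mail-gateway triage rule. The following is an added example, not code from the Panda report; the sample messages are constructed here and the helper names are my own.

```python
from __future__ import annotations
from email import message_from_string
from email.message import EmailMessage, Message


def attachment_names(msg: Message) -> list[str]:
    """Return the filenames of all parts marked Content-Disposition: attachment."""
    return [part.get_filename() or ""
            for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def text_body(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments, whitespace stripped."""
    chunks = []
    for part in msg.walk():
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            charset = part.get_content_charset() or "ascii"
            chunks.append(part.get_payload(decode=True).decode(charset, "replace"))
    return "".join(chunks).strip()


def looks_like_bagle_uv(raw: str) -> bool:
    """Triage rule for the Bagle.U/V pattern: blank subject, blank body, one .exe attachment."""
    msg = message_from_string(raw)
    if (msg.get("Subject") or "").strip():
        return False
    if text_body(msg):
        return False
    names = attachment_names(msg)
    return len(names) == 1 and names[0].lower().endswith(".exe")


def build_sample(subject: str, body: str, filename: str | None) -> str:
    """Construct a sample message (test data made up for this example, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename is not None:
        # A few placeholder bytes stand in for the attachment; the rule only looks at the name.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    print(looks_like_bagle_uv(build_sample("", "", "photo.EXE")))   # True: matches the pattern
    print(looks_like_bagle_uv(build_sample("hi", "", "photo.exe")))  # False: subject present
```

A hit on this rule is a reason to quarantine and scan, not a verdict; a blank message with an EXE attachment is suspicious but not proof of Bagle.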
The fifth worm in today's report is Sober.E, which downloads a file from the
Internet if the system date is later than March 24, 2004. It also tries to
connect to several NTP servers in order to check the current date. It is easy
to tell whether a computer has been infected by this worm, as when it is run
it opens Windows Paint or displays the following text on screen: Graphic
Modul not found.
We are going to finish today's report with Seeker.O, a Trojan that stays
resident in memory. Once an hour, this Trojan tries to open a different
advertising web page. Some of the pages it opens try to download and install
spyware and adware on the affected computer.
For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
Posted on Monday, 05 April 2004 @ 09:22:29 EDT by phoenix22