- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 2 2004 - This week's report on viruses and intrusions focuses on
three variants of Bagle -Z, AA, and AB-, two variants of Netsky -AA and AB-,
and the Gimared.A and Gaobot.PX worms.

Even though they are all variants of the same malicious code, the three new
members of the Bagle worm family have some significant differences. For
example, in order to spread, Bagle.AA uses e-mail messages with variable
characteristics that contain images in the form of attached files with a
JPEG extension. Bagle.AB spreads via P2P file sharing programs as well as
e-mail.

Unlike the two variants above, Bagle.Z does not spread automatically. This
worm needs a malicious user's intervention to reach the affected computer.
The means of transmission it can use include floppy disks, CD-ROMs, e-mail
messages with attached files, Internet downloads, FTP, IRC channels,
peer-to-peer (P2P) file sharing networks, etc.

The three Bagle variants can connect to several web pages that host a
certain PHP script. By doing this, these worms notify their author when a
computer has been affected. They also end processes belonging to antivirus
and firewall programs, as well as those corresponding to many worms.

Netsky.AA and Netsky.AB are two very similar variants. Both of them spread
via e-mail in a message with variable characteristics and an attached file
with a PIF extension. However, they have different effects: when run,
Netsky.AA displays a fake error message on screen, whereas Netsky.AB deletes
the entries that other worms, like Bagle, insert in the Windows Registry.

Gimared.A is a malicious code that spreads via e-mail. When run on a Windows
NT computer, it displays a message on the screen about the social and
political situation in Cuba, the country where the worm was created.

Gimared.A also notifies the affected user of its presence by sending a
message to the user's mail account.

Gaobot.PX is a dangerous worm that can carry out several actions on affected
computers, as it has been designed to exploit several Windows
vulnerabilities and use backdoors opened by the worms Bagle.A and Mydoom.A
on infected computers.

Gaobot.PX also ends the processes belonging to antivirus programs and
firewalls, leaving infected computers vulnerable to virus attacks. It also
prevents many antiviruses from connecting to the web pages that allow them
to update.

Gaobot.PX connects to specific IRC servers and waits for instructions from
malicious users. In this way, it can download files, run commands or update
itself. It can also steal confidential data, obtain system information and
launch distributed denial of service (DDoS) attacks.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- Script: The term script refers to files or sections of code written in
programming languages like Visual Basic Script (VBScript), JavaScript, etc.

- IRC (Internet Relay Chat): System that allows users to have written
conversations over the Internet in real time. It is based on a client-server
technology, that is, in order to use it, it is necessary to have a program
(client) that establishes a connection with the computer (server) that
offers the service.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
Posted on Tuesday, 04 May 2004 @ 06:36:44 EDT by phoenix22