Weekly Summaries: Weekly report on viruses and intrusions
Topic: Viruses


Common sense is calculation applied to life.
Henri Frederic Amiel (1821-1881); Swiss philosopher.

- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 9, 2004 - This week's virus activity has centered around the
epidemic caused by the appearance of four variants of the Sasser worm.
However, they are not the only malicious code to have emerged this week.
Therefore, as well as describing the Sasser worms, this week's report also
looks at Netsky.AC, three new hacking tools called DSScan, JohnTheRipper
and Brutus.A, and the Briss.A Trojan.

The appearance of the A, B, C and D variants of the Sasser worm has caused
a widespread epidemic that has affected users worldwide. These worms are
designed to exploit a recently discovered vulnerability in the LSASS
component of some versions of Windows. By exploiting this vulnerability,
they do not need traditional means of transmission to infect computers, as
they can reach vulnerable computers directly over the Internet. The four
variants of Sasser are very similar to one another, and differ only in the
names of the files they create on the system and the number of processes
they load in memory in order to spread.

The buffer overflow that the Sasser worms trigger causes affected systems
to restart every 60 seconds. To solve this problem, as well as using an
updated antivirus to scan and disinfect the computer, it is essential to
install the patch released by Microsoft to fix the LSASS vulnerability,
which can be downloaded from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

As computers are restarted every minute, users may not have enough time to
eliminate the worm from the computer and download the Microsoft patch. To
avoid this problem, one of the options available to users is to put back the
system clock by following the steps below:

- When the window warning that the computer is going to be restarted
appears, double click on the clock that appears in the bottom right corner
of the monitor.

- When the date and time settings screen opens, in the textbox in which the
hours and minutes appear, change the time to a few hours earlier than the
time that appears.

Panda Software has made its PQRemove tools available to users. These
applications not only disinfect computers but also restore system
configurations altered by the worm.

One of the PQRemove tools is specifically designed for networks, and removes
Sasser and all its variants from any network that may have been affected.
This tool can be downloaded from http://www.pandasoftware.com/support. The
other PQRemove applications can disinfect any computer attacked by any of
the variants of the Sasser worm. These can be downloaded from
http://www.pandasoftware.com/download/utilities.

Netsky.AC is a new variant of this family of mass-mailing worms that has
been attacking the Internet over the last few months. However, the most
interesting aspect of this worm is the message hidden in its code, which
boasts that the authors of the Netsky worms also created the Sasser worms:

'Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah
thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server
code with the one from Skynet.V!!! LooL! We are the Skynet...'
Here is an part of the sasser sourcecode you named so, lol

However, until these delinquents are caught, users should continue to keep
their guard up against the highly probable appearance of new viruses.
Considering how the previous attacks were carried out, it is likely that the
authors of the Sasser and Netsky worms are putting the final touches to an
extremely dangerous malicious code that, as they have done up until now,
they will unleash at the weekend.

"These authors could try to create a virus that spreads via e-mail as well
as exploiting the LSASS vulnerability. By doing this, it could get round the
firewall protection that blocks the Sasser worms. This could be especially
dangerous for companies that, as they have firewall protection installed,
have not applied the Microsoft patches," says Luis Corrons, head of
PandaLabs.

DSScan.A, JohnTheRipper and Brutus.A are three new hacking tools. These are
legitimate tools that, in theory, are not designed to cause any damage.
However, they can also be used by hackers to carry out malicious actions.

DSScan.A is a network scanner that detects computers affected by the LSASS
vulnerability. JohnTheRipper.A allows hackers to steal passwords from
computers running Unix or Windows operating systems.

Brutus.A is a program that allows malicious users to crack passwords using
brute force attacks. This technique involves trying every possible
combination until the correct password is found.
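The report describes brute force from the attacker's side. On the defender's side, a tool like Brutus.A shows up as a burst of failed logins from one source, often against several accounts in quick succession. The following is an added example, not code from the Panda report or from Computer Cops: it parses constructed OpenSSH-style authentication log lines (the sample lines, hostnames and addresses are all made up) and flags any source address whose failed logins within a sliding time window reach a threshold. The threshold and window values are assumptions chosen for the sample, not values taken from the page.

```python
"""Flag brute-force login attempts in authentication logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log lines; these are not from any real system.
SAMPLE_LOG = """\
May  9 10:00:01 host1 sshd[2001]: Failed password for admin from 203.0.113.7 port 50001 ssh2
May  9 10:00:02 host1 sshd[2002]: Failed password for admin from 203.0.113.7 port 50002 ssh2
May  9 10:00:03 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 50003 ssh2
May  9 10:00:04 host1 sshd[2004]: Failed password for invalid user guest from 203.0.113.7 port 50004 ssh2
May  9 10:00:05 host1 sshd[2005]: Failed password for admin from 203.0.113.7 port 50005 ssh2
May  9 10:00:06 host1 sshd[2006]: Failed password for admin from 203.0.113.7 port 50006 ssh2
May  9 10:00:30 host1 sshd[2007]: Failed password for alice from 198.51.100.4 port 41000 ssh2
May  9 10:00:45 host1 sshd[2008]: Accepted password for alice from 198.51.100.4 port 41001 ssh2
May  9 10:20:00 host1 sshd[2009]: Failed password for bob from 192.0.2.9 port 40001 ssh2
May  9 10:20:03 host1 sshd[2010]: Failed password for bob from 192.0.2.9 port 40002 ssh2
"""

# Syslog timestamp, host, sshd pid, result, optional "invalid user", user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2004):
    """Return a dict for a recognised auth line, or None for anything else.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source: alert} for every source whose failed logins within any
    window of `window_seconds` reach `threshold`. Each alert records the first
    and last failure of the triggering window and the user names tried in it.
    """
    recent = defaultdict(deque)  # source -> deque of (timestamp, user) failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the sliding window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {
                "first": q[0][0],
                "last": ev["ts"],
                "failures": len(q),
                "users": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {a['failures']} failures between {a['first'].time()} "
              f"and {a['last'].time()}, users tried: {', '.join(a['users'])}")
```

With the sample above only 203.0.113.7 trips the default threshold (five failures in one minute, spread over three accounts); the single failure from 198.51.100.4 followed by a success is a normal typo, and 192.0.2.9's two failures stay below the threshold. The alert keyed by source address rather than by account is what distinguishes a brute-force run from a forgetful user, and an account-lockout or rate-limiting rule would use the same counter.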

Finally, Briss.A is a Trojan that stays memory resident and installs other
malware on the computer every 24 hours without the user realizing. It also
carries out other actions, such as capturing certain key combinations.

Like many other Trojans, Briss.A cannot spread by itself; it needs the help
of a malicious user. The means of transmission it uses include floppy
disks, e-mail messages with attachments, Internet downloads, etc.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Trojan: Strictly speaking, a Trojan is not a virus, although it is often
thought of as one. Trojans are really programs that enter computers appearing
to be harmless, install themselves and carry out actions that affect user
confidentiality.

- Vulnerability: Flaws or security holes in a program or IT system, often
used by viruses as a means of infection.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.
Posted on Monday, 10 May 2004 @ 04:46:22 EDT by phoenix22