Weekly Summaries: Weekly report on viruses and intrusions
- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 16, 2004 - This week's report on viruses and intrusions will
deal with five worms (Sasser.F, Cycle.A, Bagle.AC, Sober.G and Wallon.A)
and Qhost.gen.

Sasser.F spreads via the Internet by exploiting the LSASS vulnerability. On
the computers it infects, this worm causes a buffer overflow in the
LSASS.EXE program, restarts the computer and displays a message on screen.
Like previous variants of Sasser, variant F spreads automatically across
Windows XP/2000 computers. It also works on the other Windows operating
systems if the file carrying the worm is run by a malicious user.

Like the malicious code mentioned above, Cycle.A also spreads via the
Internet by exploiting the LSASS vulnerability and causes affected computers
to restart. It also ends the processes of the Blaster, Sasser.A, Sasser.B,
Sasser.C and Sasser.D worms and launches Denial of Service (DoS) attacks
against several websites whenever the system date falls outside May 1 to 18,
inclusive.

The third worm in today's report is Bagle.AC, which ends the processes of
several IT security applications, such as antivirus and firewall programs,
and of several worms. It also tries to connect, through port 14441, to
various websites that house a PHP script in order to notify the virus author
that the computer has been infected.

Sober.G is a worm that spreads via e-mail. The message it sends can be
written in English or German, depending on the domain in the user's e-mail
address. It looks for e-mail addresses in files with certain extensions on
the affected computer, and sends itself out to the addresses it finds using
its own SMTP engine.

The fifth worm is Wallon.A, which installs itself on computers by exploiting
the Exploit/MIE.CHM vulnerability. To do this, it uses the following
propagation routine: the user receives an e-mail containing a link to a
certain website; if the user accesses the web page, Wallon.A is downloaded
to the computer.

Wallon.A collects all of the addresses in the Windows Address Book and sends
them to an e-mail address. This worm also changes the home page of Internet
Explorer and, if the Windows Address Book does not contain any addresses,
displays an error message on screen.

We are going to finish this week's report with Qhost.gen, a generic
detection routine for HOSTS files modified by several pieces of malware,
including variants of the Gaobot worm. The HOSTS file contains a series of
entries that Windows consults first when translating names to IP addresses
(before other services like WINS or DNS).

This malware modifies the HOSTS file so that a list of web addresses is
associated with the IP address 127.0.0.1, making the addresses included in
this list inaccessible. These web pages are usually those of security
software manufacturers, such as vendors of anti-malware solutions. For this
reason, users of computers affected by Qhost.gen will not be able to access
these pages to obtain information, update their solution, etc.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Posted on Monday, 17 May 2004 @ 09:19:00 EDT by phoenix22