Weekly virus report -


andsome
- Weekly virus report -

Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, November 16, 2003 - Today's report on malicious code will focus on two worms -Mimail.I and Sinala.A-, and two Trojans -Sdbot.BL and Webber.C-.

The I variant of Mimail spreads via e-mail in a message with the subject: "YOUR PAYPAL.COM ACCOUNT EXPIRES", and an attached file called paypal.asp.scr or w w w.paypal.com.scr. After infecting a computer, this worm looks for e-mail addresses in all the files that do not have any of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP, and saves them in the file el388.tmp. Mimail.I then sends itself out to all the addresses it has found, using its own SMTP engine.

Sinala.A spreads by exploiting the MHTML vulnerability in Outlook Express, which allows a hacker to send and run programs on the affected computer. It also spreads through P2P programs, in files with an EXE or SCR extension that have the same icon as AVI video files. This worm reaches computers in a message from [email protected], or from an address that it takes from the Outlook address book or MSN Messenger contact list on the affected computer. The file attached to this message, which infects the computer when it is run, is called ALANIS.EXE.

A clear indication that Sinala.A has infected a computer is a fake Windows error message displayed on screen. This malicious code also regularly checks if there is a floppy disk in the floppy disk drive and, if there is, it copies files to it.

The first Trojan in today's report is Sdbot.BL, which mainly spreads via e-mail and IRC channels, in a message with an attached file. When this file is run, the Trojan goes memory resident and connects to a specific IRC channel. By doing this, it allows a hacker to carry out different actions on the affected computer, such as scanning and redirecting ports, downloading and running files, changing the security parameters in the Windows Registry and launching Denial of Service (DoS) attacks.

Sdbot.BL is difficult to identify, as it does not display any messages or warnings that indicate that it has reached a computer. However, if net shares are disabled or if certain programs that are running on the computer stop for no apparent reason, Sdbot.BL might have reached the computer.

The last malicious code in this week's report is Webber.C which, when it is installed on a computer, downloads a file from the Internet. This file steals the passwords for accessing different services that are stored on the affected computer.

Webber.C has been spammed in an e-mail message that seems to have been sent from a financial entity. The subject of this message is always: "RE: Your credit application" and it includes an attachment called W W W.CITIBANKHOMELOAN.HTM.PIF. This file has a double extension, and is designed like a web page in order to trick the user into opening it, allowing Webber.C to infect the computer.

For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia at:

http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- DoS / Denial of Service: This is a type of attack, sometimes caused by viruses, that prevents users from accessing certain services (in the operating system, web servers, etc.).

- Extension: Files have a name and an extension, separated by a dot: NAME.EXTENSION. A file can have any NAME, but the EXTENSION (if it exists) has a maximum of three characters. This extension indicates the type of file (text, Word document, image, sound, database, program, etc.).

More definitions of virus and antivirus terminology at:

http://www.pandasoftware.com/virus_info/gl...ry/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------

To unsubscribe from Oxygen3 24h-365d, please visit:

http://www.pandasoftware.com/unsubscribe.asp

To contact Panda Software, please visit:

http://www.pandasoftware.com/about/contact/

------------------------------------------------------------
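As an added defender-side example, not part of the report or of Panda Software's tooling: a small Python triage routine that flags the attachment-name tricks the report describes (a file that runs as a program because of its .SCR, .PIF or .EXE extension, a harmless-looking extension placed before the real one, a name that imitates a web address, and whitespace breaking up the name). The extension lists and the benign control filename are constructed assumptions; the other sample names are the ones quoted in the report.

```python
import re

# Attachment names quoted in the report, plus one benign control
# (the last entry is constructed here, not taken from the report).
SAMPLE_ATTACHMENTS = [
    "paypal.asp.scr",
    "w w w.paypal.com.scr",
    "ALANIS.EXE",
    "W W W.CITIBANKHOMELOAN.HTM.PIF",
    "quarterly_report.pdf",
]

# Windows extensions that execute on double-click (illustrative subset, assumed).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}
# Harmless-looking extensions a lure places before the real one (assumed list).
DECOY_EXTENSIONS = {"htm", "html", "asp", "pdf", "doc", "txt", "jpg", "gif", "avi"}


def classify_attachment(name):
    """Return the reasons an attachment filename looks like an executable lure.

    An empty list means the name shows none of the tricks described in the report.
    """
    reasons = []
    compact = re.sub(r"\s+", "", name)          # "w w w.x.scr" -> "www.x.scr"
    if compact != name:
        reasons.append("whitespace inserted to break up the name")
    parts = compact.lower().split(".")
    if len(parts) < 2:
        return reasons                           # no extension at all
    final_ext, inner = parts[-1], parts[1:-1]
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return reasons                           # not directly runnable
    reasons.append(f"runs as a program (.{final_ext})")
    decoys = [ext for ext in inner if ext in DECOY_EXTENSIONS]
    if decoys:
        reasons.append(f"double extension posing as .{decoys[-1]}")
    if parts[0] == "www":
        reasons.append("name mimics a web address")
    return reasons


def triage(names):
    """Map each filename to its reasons; suspicious names have a non-empty list."""
    return {name: classify_attachment(name) for name in names}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10s} {name!r}: {'; '.join(reasons)}")
```

Only the constructed .pdf control comes back clean; every name quoted in the report is flagged for at least its executable extension.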
