andsome Posted November 17, 2003

- Weekly virus report -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, November 16, 2003 - Today's report on malicious code will focus on two worms, Mimail.I and Sinala.A, and two Trojans, Sdbot.BL and Webber.C.

The I variant of Mimail spreads via e-mail in a message with the subject "YOUR PAYPAL.COM ACCOUNT EXPIRES" and an attached file called paypal.asp.scr or www.paypal.com.scr. After infecting a computer, this worm looks for e-mail addresses in all files that do not have one of the following extensions: COM, WAV, CAB, PDF, RAR, ZIP, TIF, PSD, OCX, VXD, MP3, MPG, AVI, DLL, EXE, GIF, JPG and BMP, and saves them in the file el388.tmp. Mimail.I then sends itself to all the addresses it has found, using its own SMTP engine.

Sinala.A spreads by exploiting the MHTML vulnerability in Outlook Express, which allows an attacker to deliver and run programs on the affected computer. It also spreads through P2P programs, in files with an EXE or SCR extension that carry the same icon as AVI video files. This worm reaches computers in a message from [email protected], or from an address that it takes from the Outlook address book or the MSN Messenger contact list on the affected computer. The file attached to this message, which infects the computer when it is run, is called ALANIS.EXE.

A clear indication that Sinala.A has infected a computer is a fake Windows error message displayed on screen. This malicious code also regularly checks whether there is a floppy disk in the floppy disk drive and, if there is, copies files to it.

The first Trojan in today's report is Sdbot.BL, which mainly spreads via e-mail and IRC channels, in a message with an attached file. When this file is run, the Trojan goes memory resident and connects to a specific IRC channel. Through this channel it allows an attacker to carry out different actions on the affected computer, such as scanning and redirecting ports, downloading and running files, changing security parameters in the Windows Registry and launching Denial of Service (DoS) attacks.

Sdbot.BL is difficult to identify, as it does not display any messages or warnings that indicate it has reached a computer. However, if network shares are disabled or if certain programs running on the computer stop for no apparent reason, Sdbot.BL might have reached the computer.

The last malicious code in this week's report is Webber.C, which, once installed on a computer, downloads a file from the Internet. This file steals the passwords for different services that are stored on the affected computer.

Webber.C has been spammed in an e-mail message that appears to come from a financial entity. The subject of this message is always "RE: Your credit application" and it includes an attachment called WWW.CITIBANKHOMELOAN.HTM.PIF. This file has a double extension and is named like a web page in order to trick the user into opening it, allowing Webber.C to infect the computer.

For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- DoS / Denial of Service: A type of attack, sometimes caused by viruses, that prevents users from accessing certain services (in the operating system, web servers, etc.).

- Extension: Files have a name and an extension, separated by a dot: NAME.EXTENSION. A file can have any NAME; the EXTENSION (if it exists) is traditionally up to three characters, although longer extensions also occur. The extension indicates the type of file (text, Word document, image, sound, database, program, etc.). Only the last extension counts, so a file such as NAME.HTM.PIF is a program (PIF) dressed up as a web page (HTM).

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/gl...ry/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------
To unsubscribe from Oxygen3 24h-365d, please visit:
http://www.pandasoftware.com/unsubscribe.asp

To contact Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------
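All four attachment lures in the report (paypal.asp.scr, www.paypal.com.scr, ALANIS.EXE and WWW.CITIBANKHOMELOAN.HTM.PIF) rely on the same trick: the final extension is an executable type, and everything in front of it is decoration. The following is an added example, not code from the Panda report or from this post, of the kind of attachment-name check a mail gateway of the period could apply. The extension lists, the Verdict class, the screen_attachment and blocked_names helpers and the SAMPLE_ATTACHMENTS list are my own assumptions; the sample names are constructed from the report plus two benign ones.

```python
"""Screen e-mail attachment names for double-extension and address-mimicking lures.

Added example (not Panda Software's code). Three heuristics:
  1. the final extension is an executable type (the only one that decides how
     Windows will open the file);
  2. a document-looking extension (HTM, ASP, PDF, ...) sits in front of it,
     i.e. a double extension;
  3. the part before the executable extension looks like a web address.
Only (1) is needed to block; (2) and (3) are recorded as supporting reasons.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed lists: extensions Windows will execute, and decoys seen in such lures.
EXECUTABLE_EXTS = {"scr", "pif", "exe", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"htm", "html", "asp", "pdf", "doc", "txt", "jpg", "gif", "avi", "mpg"}
# "www." prefix or a ".com/.net/.org" tail in the visible part of the name.
ADDRESS_LIKE = re.compile(r"^www\.|\.(com|net|org)$", re.IGNORECASE)


@dataclass
class Verdict:
    name: str
    block: bool
    reasons: list[str] = field(default_factory=list)


def screen_attachment(name: str) -> Verdict:
    """Return a Verdict for one attachment file name (case-insensitive)."""
    parts = name.lower().split(".")
    reasons: list[str] = []
    if len(parts) < 2:  # no extension at all: nothing for Windows to execute by type
        return Verdict(name, False, reasons)
    stem, exts = parts[0], parts[1:]
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}")
        # Any decoy extension before the real one is a double-extension lure.
        if any(ext in DECOY_EXTS for ext in exts[:-1]):
            reasons.append("double extension hides executable behind document type")
        # What the user sees with known extensions hidden: stem plus inner extensions.
        visible = ".".join([stem] + exts[:-1])
        if ADDRESS_LIKE.search(visible):
            reasons.append("name imitates a web address")
    return Verdict(name, bool(reasons), reasons)


def blocked_names(names: list[str]) -> list[str]:
    """Names from `names` that the screen would block, in input order."""
    return [v.name for v in map(screen_attachment, names) if v.block]


# Constructed sample: the four lures from the report plus three benign names.
SAMPLE_ATTACHMENTS = [
    "paypal.asp.scr",
    "www.paypal.com.scr",
    "ALANIS.EXE",
    "WWW.CITIBANKHOMELOAN.HTM.PIF",
    "report.pdf",
    "holiday.jpg",
    "README",
]

if __name__ == "__main__":
    for verdict in map(screen_attachment, SAMPLE_ATTACHMENTS):
        status = "BLOCK" if verdict.block else "allow"
        print(f"{status:5} {verdict.name:32} {'; '.join(verdict.reasons)}")
```

The check deliberately decides on the last extension alone: Windows Explorer hides known extensions by default, so WWW.CITIBANKHOMELOAN.HTM.PIF is shown to the user as a .HTM file, and www.paypal.com.scr as www.paypal.com, but the system still runs both as programs. The double-extension and address-mimicry reasons only explain why the lure works; they are not what the block depends on.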