Effort is only effort when it begins to hurt.
José Ortega y Gasset (1883-1955); Spanish philosopher and essayist.
- Weekly virus report -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, September 28, 2003 - Today's report on malicious code focuses on
three worms: Gaobot.M (with backdoor characteristics), Opaserv.Y and
Colevo.A.
Gaobot.M infects Windows XP/2000/NT computers and exploits the RPC DCOM
and WebDAV vulnerabilities to spread to as many computers as possible.
Gaobot.M also spreads by attempting to copy itself to network shared
resources. It gains access to these shared resources by using passwords that
are common or easy to guess. Once it is run, Gaobot.M connects to a
specified IRC server on port 6667 and waits for control commands.
As a backdoor, Gaobot.M lets malicious users obtain information on the
affected computer, run files, launch Distributed Denial of Service (DDoS)
attacks, upload files by FTP, etc. In addition, this worm ends processes
belonging to antivirus programs, firewalls and system monitoring tools. This
leaves the affected computer vulnerable to the attack of other viruses or
worms. It also ends the processes of Nachi.A, Autorooter.A, Sobig.F and
several variants of Blaster.
One indication that Gaobot.M has reached the computer is that network
traffic increases on ports 135 and 445, as the worm attempts to exploit
the 'RPC DCOM' vulnerability.
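The traffic rise on ports 135 and 445 described above can be checked for in connection logs. The following is an added example, not part of the Panda report: it reads constructed firewall lines of the form "source destination port", flags hosts that reach many distinct machines on 135/445 (the scanning pattern), and notes whether the same host also contacted the IRC port 6667 the report mentions. The log format, threshold and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log (not from the report): "src dst dport"
SAMPLE_LOG = """\
10.0.0.5 10.0.1.1 135
10.0.0.5 10.0.1.2 135
10.0.0.5 10.0.1.3 445
10.0.0.5 10.0.1.4 135
10.0.0.5 10.0.1.5 445
10.0.0.5 10.0.1.6 135
10.0.0.5 198.51.100.7 6667
10.0.0.9 10.0.1.20 445
10.0.0.9 10.0.1.21 80
10.0.0.11 10.0.1.30 135
10.0.0.11 10.0.1.31 135
10.0.0.11 10.0.1.32 135
10.0.0.11 10.0.1.33 445
10.0.0.11 10.0.1.34 445
10.0.0.11 10.0.1.35 445
"""

SCAN_PORTS = {135, 445}   # RPC DCOM / SMB ports the report names
IRC_PORT = 6667           # control channel port the report names


def parse_log(text):
    """Turn 'src dst port' lines into (src, dst, int_port) tuples, skipping junk."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        records.append((parts[0], parts[1], int(parts[2])))
    return records


def find_suspects(records, min_targets=5):
    """Hosts that touched at least min_targets distinct destinations on 135/445.

    Returns {src: {"targets": count, "irc": True if src also hit port 6667}}.
    The threshold (assumed) separates worm-style scanning from normal use."""
    scan_targets = defaultdict(set)
    irc_hosts = set()
    for src, dst, port in records:
        if port in SCAN_PORTS:
            scan_targets[src].add(dst)
        elif port == IRC_PORT:
            irc_hosts.add(src)
    return {src: {"targets": len(t), "irc": src in irc_hosts}
            for src, t in scan_targets.items() if len(t) >= min_targets}
```

A host that both scans and talks to the IRC port matches the report's description most closely; a scanner without IRC contact still merits a look.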
Opaserv.Y spreads to other computers by attacking IP addresses at which it
tries to copy itself to existing shared network drives. It attempts to
access these shared drives -through port 137- by exploiting the
'Share Level Password' vulnerability in Windows Me/98/95.
Opaserv.Y creates the file 'SPEEDY.SCR', which is a copy of the worm, and
the files 'PODRE!!', 'BANDA!', 'VACAS!' and 'VAGABU!'. These files contain
information on scanned and affected computers, and are encrypted with
Crypto-Algorithm.
We finish this report with Colevo.A, which spreads via e-mail and sends
itself to all the contacts in MSN Messenger's Contact list. In order to do
so, Colevo.A incorporates its own SMTP engine. Colevo.A also opens
communication port 2536, which allows hackers to remotely control the
affected computer. It opens the Internet Explorer browser and randomly
accesses several web pages that contain pictures of the Bolivian leader Evo
Morales.
For further information about these and other viruses, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- Encryption / Self-encryption: This is a technique used by some viruses to
disguise themselves and therefore avoid detection by antivirus applications.
- DoS / Denial of Service: This is a type of attack, sometimes caused by
viruses, that prevents users from accessing certain services (in the
operating system, web servers etc.).
- SMTP (Simple Mail Transfer Protocol): This is a protocol used on the
Internet exclusively for sending e-mail messages.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.