CastleCops, Internet Crime Fighters
Weekly Summaries: Weekly virus report
Viruses


Common sense is an instinct for the truth.
Max Jacob (1876-1944), French writer.


Madrid, December 28, 2003 - This, the last report of the year, will look at the C variant of the Sober worm, and two other examples of malware: Firedaemon.A and Memwatcher.B.

Sober.C sends itself via e-mail to all the addresses that it finds in files with the following extensions: WAB, CFG, NSF, LDIF, NAP, ADP, ADE, VAP, MHT, HTT, RTF, DOC, XLS, INI, MDB, TXT, HTM, HTML, PST, FDB, LDB, EML, ABC, NAB, MDW, MDA, MDE, SLN, DSW, DSP, PHP, ASP, SHTML, SHTM, DBX, HLP or NFO. If the domain extension of the address is de, ch, at, li, nl or be, the worm sends the message in German; otherwise it sends it in English. To send itself out it uses its own SMTP engine, identifying itself to mail servers as MailerVB.de.

Sober.C creates two copies of itself that stay memory resident, each checking that the other is still running. If one of the processes is ended or one of the files is deleted, the other recreates it. Also, in the Windows system directory of the infected computer, it creates the following files: REGEAPI.EXE, CRYPTFQ.EXE and SYSHOSTX.EXE.

To ensure that it runs every time the system is started, Sober.C creates several entries in the Windows registry. Once this worm has activated it is easy to recognize, as it displays a false error message.

Firedaemon.A is a hacking tool which allows Win32 applications to be run as services on Windows 2003/XP/2000/NT computers. It allows a complete setup of the service: name, default directory, priority, autostart, different run modes, etc. Firedaemon.A itself does not represent a threat, but it could be used by other malware to register itself as a Windows service.

Memwatcher.B, on the other hand, is an adware program which opens ad banners in Internet Explorer. It also generates traffic to the following addresses: rads01.quadrogram.com and w w w.sandboxer.com.

In the Windows system directory, Memwatcher.B creates several files, with random names of between 4 and 8 characters. Some of the files are 433KB, and will run when Windows is started up, while others are 221KB and go memory resident.
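As an added defender-side example (not part of Panda's report or the CastleCops page), the following Python checks a directory listing against the file indicators given above for Sober.C (the three dropped file names) and Memwatcher.B (random 4-8 character names at 433KB or 221KB). The 1KB size tolerance and the reading of the 4-8 character name as the part before the extension are assumptions.

```python
import os
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# From the report: files Sober.C creates in the Windows system directory.
SOBER_C_FILES = {"regeapi.exe", "cryptfq.exe", "syshostx.exe"}

# From the report: Memwatcher.B files have random 4-8 character names and are
# 433KB (autostart copies) or 221KB (memory-resident copies). The report rounds
# to whole KB, so a +/- 1KB tolerance is assumed here; the length is checked on
# the name without its extension, which is also an assumption.
MEMWATCHER_SIZES_KB = (433, 221)
SIZE_TOLERANCE_BYTES = 1024


def classify_file(name: str, size: int) -> Optional[str]:
    """Label one file by the report's indicators, or return None."""
    lower = name.lower()
    if lower in SOBER_C_FILES:
        return "Sober.C dropped file"
    stem, _ext = os.path.splitext(lower)
    if 4 <= len(stem) <= 8 and stem.isalnum():
        for kb in MEMWATCHER_SIZES_KB:
            if abs(size - kb * 1024) <= SIZE_TOLERANCE_BYTES:
                return f"possible Memwatcher.B file ({kb}KB)"
    return None


def scan_listing(listing: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Run classify_file over (name, size_in_bytes) pairs; return the hits."""
    hits = []
    for name, size in listing:
        label = classify_file(name, size)
        if label is not None:
            hits.append((name, label))
    return hits


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Scan a real directory, e.g. the Windows system directory."""
    files = (f for f in Path(path).iterdir() if f.is_file())
    return scan_listing((f.name, f.stat().st_size) for f in files)


# Constructed sample listing, not output from a real machine.
SAMPLE_LISTING = [
    ("kernel32.dll", 983040),
    ("REGEAPI.EXE", 65536),           # Sober.C name; size is irrelevant
    ("qwlzk.exe", 433 * 1024 + 100),  # 5-char random name, about 433KB
    ("notepad.exe", 69632),           # 7-char name but wrong size
    ("abcdefghij.exe", 221 * 1024),   # right size but name too long
]
```

A hit is only a prompt for closer inspection with an up-to-date scanner; the Memwatcher.B size heuristic will also match legitimate files of similar size.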

For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.

Definitions of virus and antivirus terminology at http://www.pandasoftware.com/virus_info/glossary/default.aspx#
Posted on Sunday, 28 December 2003 @ 07:44:24 UTC by phoenix22 (2501 reads)