Curiosity is, in great and generous minds, the first passion and the last.
Samuel Johnson (1709-84); English author, lexicographer.
- Weekly report on viruses and intrusions -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, February 29, 2004 - This week's report on viruses and intrusions
focuses on four worms: Netsky.C, Bizex.A, Nachi.D and Mydoom.F.
Netsky.C spreads via e-mail (in a message with variable characteristics) and
through peer-to-peer file sharing applications. This malicious code deletes
registry entries made by several worms including Mydoom.A and Mimail.T. In
addition, when the system date is February 26 2004, Netsky.C emits random
noises between 6.00 and 8.59 in the morning.
Bizex.A, on the other hand, spreads through the ICQ instant messaging
program. It also downloads and runs a copy of itself by exploiting two
recently detected flaws in Internet Explorer.
Bizex.A tries to steal information that users enter in websites of banks or
other financial entities as well as information transmitted via HTTPS (HTTP
over Secure Socket Layer) related to the login.yahoo.com and .passport
domains. The data gathered is sent to an FTP server.
The third worm we'll look at in this report is Nachi.D, which spreads to
computers with Windows 2003, XP, 2000 or NT. In order to spread as widely as
possible it downloads a copy of itself by exploiting three vulnerabilities:
Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer
Overrun. This action causes an increase in network traffic through TCP ports
80, 135 and 445.
Nachi.D can uninstall the A and B variants of Mydoom and Doomjuice,
terminating their processes and removing any associated files. When the
system date is June 1 or later, Nachi.D deletes itself.
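The report notes that Nachi.D's propagation shows up as a rise in traffic to TCP ports 80, 135 and 445. The following is an added example (not code from Panda Software or from the report) of the kind of detection a network defender could run over connection logs to spot that pattern: a host that contacts many distinct destinations on those ports within a short window. The log format (ISO timestamp, source, destination, destination port), the threshold of 20 destinations per 60 seconds and the sample log lines are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports the report associates with Nachi.D propagation traffic.
WORM_PORTS = {80, 135, 445}


def parse_line(line):
    """Parse a constructed 'ISO-timestamp src dst dport' log line.

    Returns (timestamp, src, dst, dport) or None for lines that do not fit.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dport = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], dport


def find_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src: peak distinct destinations} for sources that, within any
    single time window, reached at least `threshold` distinct hosts on the
    worm ports. Threshold and window are assumed tuning values.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in WORM_PORTS:
            ts, src, dst, _ = rec
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()                      # sliding window needs time order
        recent = deque()
        peak = 0
        for ts, dst in evs:
            recent.append((ts, dst))
            # Drop events that have fallen out of the window.
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = len({d for _, d in recent})
            peak = max(peak, distinct)
        if peak >= threshold:
            hits[src] = peak
    return hits


def constructed_log():
    """Build a constructed sample log: one normal host, one worm-like host."""
    base = datetime(2004, 2, 29, 10, 0, 0)
    lines = []
    # Normal workstation: a few web requests to two servers over ten minutes.
    for i in range(6):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} 10.0.0.11 10.0.5.{1 + i % 2} 80")
    # Worm-like host: sweeps 30 neighbours on 135 and 445 within 30 seconds.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.42 10.0.1.{i + 1} 135")
        lines.append(f"{ts} 10.0.0.42 10.0.1.{i + 1} 445")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(constructed_log()).items():
        print(f"{src}: {peak} distinct hosts on worm ports within one window")
```

Counting distinct destinations rather than raw connection counts is what separates a propagating worm from a busy but legitimate client: a normal host talks to a few servers repeatedly, while a scanner touches many hosts once each. The thresholds should be tuned to the network; on the constructed data only 10.0.0.42 is reported.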
Finally, we'll look at the F variant of Mydoom, which spreads in an e-mail
message with variable characteristics. This is a destructive worm which
deletes all files with any of the following extensions: AVI, BMP, DOC, JPG,
MDB, SAV and XLS.
Mydoom.F installs a DLL which opens a backdoor and allows antivirus
processes to be terminated, which leaves the PC vulnerable to attack from
other malware. When the system date is between the 17th and 22nd of any
month (and year) this worm carries out a distributed denial of service
attack (DDoS) against w w w.microsoft.com and w w w.riaa.com (two out of
three of the attacks are against Microsoft).
In seven out of ten cases, Mydoom.F displays an error message on the
infected computer.
For further information about these and other Internet threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia
Additional information
- FTP (File Transfer Protocol): A mechanism that allows files to be
transferred through a TCP/IP connection.
- HTTP (Hyper Text Transfer Protocol): This is a communication system that
allows web pages to be viewed through a browser.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.