Analyst's Diary

The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky.

Weblog archive: January 2005
Malicious code spreading via MySQL server

January 28, 2005 | 12:47 GMT

We've received a new variant of Backdoor.Win32.Wootbot, an IRC Trojan. The file is detected as Backdoor.Win32.Wootbot.gen, but contains an additional function: it will penetrate machines with MySQL server installed.

When the malicious program launches it connects to one of a range of IRC servers, where it listens for commands, including a command to start propagating. It then scans a given range of IP addresses and, if it finds an open MySQL server port on one of them, tries to gain administrator access by brute-forcing the administrator password with a list of passwords hard-coded in the malicious program. If it succeeds, the worm sends its body to the victim machine, penetrating via a vulnerability identified in mid-2004, and launches itself there.

In addition to its propagation routine, the malicious code has the standard functions of an IRC backdoor, giving the remote malicious user almost complete control over the victim machine. The worm opens four ports: port 69 and three chosen at random.

Internet Storm Center estimates that several thousand machines have already been infected.

The malicious program doesn't exploit any vulnerability for the initial connection to the MySQL server. Because of this, administrators can protect their servers simply by choosing a strong password.
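The brute-force stage is the part of this behaviour a database administrator can actually see in server logs. As an added example (not code from the post or from Kaspersky), the following Python scans constructed MySQL-style "Access denied" lines and flags a source host that fails repeatedly against one account within a short window; the log line format, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape (constructed for this example; it resembles MySQL's
# "Access denied" warning, but check what your server version actually logs):
#   050128 12:47:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
LINE_RE = re.compile(
    r"^(?P<date>\d{6}) (?P<time>\d{2}:\d{2}:\d{2}) \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_line(line):
    """Return (timestamp, user, host) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["date"] + m["time"], "%y%m%d%H:%M:%S")
    return ts, m["user"], m["host"]

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map (user, host) -> peak number of failures inside any `window`, for
    pairs that reached `threshold` failures. A list-driven password guesser
    like the one described produces exactly this burst against one account."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, host = parsed
            failures[(user, host)].append(ts)
    hits = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits

# Constructed sample: six root failures from one host in 30 seconds, plus noise.
SAMPLE_LOG = [
    "050128 12:47:%02d [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)" % s
    for s in range(1, 31, 5)
] + [
    "050128 12:47:10 [Warning] Access denied for user 'root'@'10.0.0.9' (using password: YES)",
    "050128 12:47:12 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: NO)",
    "050128 12:48:00 [Note] /usr/sbin/mysqld: ready for connections",
]

if __name__ == "__main__":
    for (user, host), count in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force against '{user}' from {host}: {count} failures")
```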

And the Bagles keep on coming

Yury, January 28, 2005 | 10:25 GMT

In the past two days, we've detected seven new versions of Bagle! The new variants range from Bagle.ax to Bagle.ba. Variants from Bagle.ba onwards are currently detected as Bagle.ba.

All these new variants are essentially the same file, packed differently, with only very slight differences between them. The full description of Bagle.ay covers all the new versions.

We're continuing to monitor the situation, and will post any further news about the new Bagles here.

Bagle.ax and Bagle.ay descriptions published

Yury, January 27, 2005 | 14:41 GMT

Full descriptions of Bagle.ax and Bagle.ay are now available.

Email-Worm.Win32.Bagle.ax and Bagle.ay

Yury, January 27, 2005 | 12:28 GMT

New variants of Bagle are circulating actively at the moment: Email-Worm.Win32.Bagle.ax and Email-Worm.Win32.Bagle.ay. When the worms search victim machines for email addresses to send themselves to, they skip any address containing one of the following strings:


  • @avp.
  • @foo
  • @iana
  • @messagelab
  • @microsoft
  • abuse
  • admin
  • anyone@
  • bsd
  • bugs@
  • cafee
  • certific
  • contract@
  • feste
  • free-av
  • f-secur
  • gold-certs@
  • google
  • help@
  • icrosoft
  • info@
  • kasp
  • linux
  • listserv
  • local
  • news
  • nobody@
  • noone@
  • noreply
  • ntivi
  • panda
  • pgp
  • postmaster@.
  • rating@
  • root@
  • samples
  • sopho
  • spam
  • support
  • unix
  • update
  • winrar
  • winzip

By doing this, the new Bagles are hiding from antivirus companies. This explains the relatively small number of samples that we've received so far.

Here's a sample of what a Bagle.ay message looks like:

Full description of the new Bagles will be available in the Virus Encyclopedia in the near future.

Update: If the infected attachment has a .cpl extension, it is detected as Email-Worm.Win32.Bagle.at.

Trojaned build of DC++ found in the wild

Roel, January 25, 2005 | 17:42 GMT

We have received word that a trojaned version of DC++, which is a P2P program, is available for download on several legitimate sites, including download.com.

From what we know, only build 0.668 is affected. The trojaned version installs several pieces of malware on the system when the installer is executed.

It installs TrojanDownloader.Win32.Istbar.er, Trojan.Win32.Krepper.ag and Trojan.Win32.Agent.ba; all of these are related in one way or another to installing adware.

Once again we're seeing that a single package is downloading a huge amount of AdWare. All in all we detected about 50 infected objects on an infected system.

It's interesting to note that the trojaned version of DC++ is actually smaller than the clean one.

The clean build is 2,452,326 bytes in size, while the trojaned version is 2,385,151 bytes.

We advise everybody who has installed DC++ build 0.668 to check their systems properly for infections.

MD5 for clean version: 9041a4c53a30bb45fcd6a81669241045
MD5 for trojaned version: 02ffde276505191525e84cf084cb85e9

Update:
Cnet has been notified and is taking steps to remove the malicious DC++ package from download.com.

Update 2:
The DC++ listing on download.com has been removed.

Viruses coming aboard?

Eugene, January 24, 2005 | 17:16 GMT

A user asked us this weekend how to cure a virus, which "infected the onboard computers of automobiles Lexus LX470, LS430, Landcruiser 100 via a cell phone."

We haven't been able to trace whether or not Toyota/Lexus uses Symbian in their onboard electronics so far. However, we do know that car manufacturers are integrating existing operating systems into their onboard computers (take the Fiat and Microsoft deal, for instance).

If infected mobile devices are scary, just thinking about an infected onboard computer ...

I get nervous even thinking about our virus lab budget and the test stand size.

BTW, does anyone out there have any idea of which OS is installed in A-380 onboard stuff?

Trojans masquerade as Microsoft AntiSpyware

Yury, January 20, 2005 | 10:17 GMT

The computer underground keeps a close eye on Microsoft. The AntiSpyware tool, despite being only a beta, has already inspired new malware:

We urge users to treat unsolicited files from the Internet with suspicion. These Trojans have been added to our databases and descriptions will be available soon.

Update: A description for Trojan-Clicker.Win32.Agent.bm is now available.

Cabir in the UK

David, January 18, 2005 | 15:59 GMT

Our UK support department has now had reports of Cabir. Looks like the virus is continuing to spread: this brings the tally to 10 countries.

Credit card gang busted in Italy

Aleks, January 18, 2005 | 07:49 GMT

Police in Italy have arrested almost 40 people so far in connection with credit card fraud. So far there is evidence that the gang pocketed around 600,000 euros, but police are still investigating.

The criminals developed software that harvested credit card numbers via the Internet from users with Visa, Amex and other major credit cards.

Another blow against cyber crime, and another reminder to users that extreme caution is needed when using credit cards online.

It's the end of your computer system as you know it ... NOT

David, January 17, 2005 | 15:19 GMT

We've just received a report of a destructive virus that will wipe all data from the hard disk. We're not the least bit worried though. Why? Well, it's just a hoax.

So what is a hoax? Typically, a hoax takes the form of an e-mail message that carries a warning about the 'imminent danger' posed by a non-existent threat. The aim is to scare users into sending the false warning to their contacts: friends, family, colleagues. Hoaxes cause no direct harm to data. However, a user's well-meaning action in forwarding the message gives credence to the hoax, spreads the fear, doubt and uncertainty even further and clogs up networks with increasing amounts of 'self-inflicted spam'.

Trying to stamp out a hoax can be as difficult as putting out a forest fire: 'successful' hoaxes often come back again and again, like recurrent bouts of malaria. To make matters worse, sometimes a real threat will model itself on the 'look-and-feel' of a previous hoax.

So how do you decide if something's a hoax or not? Here are some general guidelines.


  • Don't simply forward such an e-mail message without checking first to see if it's a hoax.
  • If it didn't come from a security vendor's news or alert service, check out the hoax sections of specialist security web sites.
  • If in doubt, check with your anti-virus vendor, or send it to 'newvirus@kaspersky.com' for analysis.
  • Never click on attachments in e-mails that come from an unknown source.

Smartphone clean up

Yury, January 15, 2005 | 14:18 GMT

We have put together a new removal tool that detects and disinfects malware on smartphones and other mobile devices running Symbian OS.

This new version cleans up after Lasco and Skuller as well as Cabir.

It's available for download and is effective until May 1, 2005.

System Requirements:

OS Supported: Symbian OS 6.1, 7.0.
Devices supported: Series 60 smartphones.

Note: This version was tested on Nokia 3650, Nokia 7650, Nokia 6600, Siemens SX1.

Download the utility directly to your smartphone via WAP, or download it to your PC and copy it to the device (size is 9.2 KB).

Install it as a common Symbian application package by opening the message that you receive when downloading the file.

You will need to download and install the utility again every time you would like to update the antivirus databases (we recommend that you do this when you hear of new malware for Symbian OS).

What is public isn't safe

Costin, January 14, 2005 | 09:50 GMT

I spent part of my winter holidays in Andalucia. Granada, Malaga, Cadiz, Sevilla and Cordoba, then we went to Barcelona, truly a magnificent city, full of culture, life and history. Gaudi, Columbus, Gruell, La Rambla, the Gothic Quarter, these are just a few of the things which make Barcelona what it is.

We rented what Americans would call a 'loft' - a big living space without walls. In our case, it had simple yet cozy decoration, utilities, a TV and of course, a computer connected to the Internet for the guests to check their mail, running Windows XP Home edition.

Being an inquisitive type, the first thing for me to do on the loft computer was to run Regedit and look at some of the standard Run keys. Unsurprisingly, there were at least four entries there which looked suspicious, files such as "clock.exe" in the system32 directory being executed at startup and sure enough, Taskman showed them running in memory.

I quickly brought up the web browser and pointed it to a beta copy of the Kaspersky Online Scanner - a free, rich-featured web-based scanner using the standard KAV engine but which doesn't require any special installation or purchase.

The scan results were impressive, or maybe a better word is scary - this single machine was running two popular worms - Mabutu.A and LovGate.AE, and no less than 15 different trojans and spying software. There were a couple of TrojanSpy binaries which are supposed to steal e-banking information, some which steal common website login/passwords and of course, some which record every keystroke and mail it to a certain address from time to time.

But not all the suspicious Run entries were detected. One of them came up clean, and that made me even more curious. The relevant software seemed to be a commercial application called "Kechua". Poking a little bit at it with various tools showed me that it took a capture of the screen every 5 minutes, besides intercepting information entered via the keyboard. I found a subfolder in the "Kechua" installation directory with over 5000 capture files, dating almost 2 years back. Needless to say, lots of people over this time had checked mail, talked to the relatives back home on IM, browsed the web, and so on...

I temporarily deactivated this program, deleted the captures of me scanning the computer, called the owner and suggested he buys an antivirus. Then I turned the machine off and focused on the city and its inhabitants. My mail can wait. Public computers are simply too unsafe to use.

Cabir spreading in Moscow

Yury, January 13, 2005 | 15:18 GMT

Since we at Kaspersky confirmed a Cabir infection here in Moscow, we've had several more reports of Cabir on the loose. In fact, someone has reported being infected as far back as two weeks ago.

In all cases, infected users had their Bluetooth set to 'visible to all'. We really do urge all users to turn the 'visible to all' option off and to take advantage of our Cabir removal tool available on our wap site.

Cabir reaches Moscow

Aleks, January 12, 2005 | 11:49 GMT

Today someone brought us a Nokia 7610 phone infected by Cabir. After analysis, it proved to be Cabir.a.
This is the first documented infection by Cabir in Russia.

Mikko Hypponen from F-Secure has also told us that they've received reports about Cabir from Turkey and Vietnam, so Russia moves to ninth place in the list of countries where Cabir has been spotted in the wild:

1. The Philippines
2. Singapore
3. United Arab Emirates
4. China
5. India
6. Finland
7. Turkey
8. Vietnam
9. Russia

New Net-Worm.Win32.DipNet.d

January 12, 2005 | 01:19 GMT

Internet Storm Center has been registering high traffic on port 11768 since the end of December. The appropriate graph is available at http://isc.sans.org/port_details.php?port=11768.

There have also been numerous reports from Internet systems administrators of frequently repeated network packets with source port 445 and destination port 11768. This makes the traffic look like the activity of a net-worm that opens a backdoor on 11768 and spreads via 445.

We've recently received a virus that opens a backdoor on 11768 and spreads via 445. The virus is a modification of Net-Worm.Win32.DipNet (Net-Worm.Win32.DipNet.d). However, it seems that the previous modifications of the virus didn't listen on port 11768.

An antivirus database update is already available. A detailed description of the virus will be available in the Virus Encyclopedia in the near future.
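The port pattern the administrators reported (source port 445 to destination port 11768) is easy to pull out of a perimeter log. As an added example (not code from the post or from Kaspersky), this Python scans constructed netfilter-style firewall lines, reports hosts repeatedly sending that pattern and lists the destinations they probed, which are the hosts worth checking for a listener on 11768; the log format and the hit threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed line shape (constructed; modelled on a netfilter-style firewall log,
# adapt the regex to whatever your firewall actually writes):
#   Jan 12 01:19:03 gw kernel: IN=eth0 SRC=10.1.2.3 DST=10.0.0.20 PROTO=TCP SPT=445 DPT=11768 SYN
FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

WORM_SPT, WORM_DPT = 445, 11768   # the port pair reported in the post

def parse(line):
    """Return (src, dst, sport, dport) for a TCP log line, else None."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["spt"]), int(m["dpt"])

def dipnet_suspects(lines, min_hits=3):
    """Return (scanners, targets): sources that sent at least `min_hits` packets
    with source port 445 to destination port 11768, and for each of them the
    sorted list of destination hosts they probed."""
    per_src = Counter()
    targets = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        src, dst, spt, dpt = parsed
        if spt == WORM_SPT and dpt == WORM_DPT:
            per_src[src] += 1
            targets[src].add(dst)
    scanners = {src: n for src, n in per_src.items() if n >= min_hits}
    return scanners, {src: sorted(targets[src]) for src in scanners}

# Constructed sample lines: one noisy source, one single hit, and unrelated traffic.
SAMPLE_LOG = [
    "Jan 12 01:19:03 gw kernel: IN=eth0 SRC=10.1.2.3 DST=10.0.0.20 PROTO=TCP SPT=445 DPT=11768 SYN",
    "Jan 12 01:19:03 gw kernel: IN=eth0 SRC=10.1.2.3 DST=10.0.0.21 PROTO=TCP SPT=445 DPT=11768 SYN",
    "Jan 12 01:19:04 gw kernel: IN=eth0 SRC=10.1.2.3 DST=10.0.0.20 PROTO=TCP SPT=445 DPT=11768 SYN",
    "Jan 12 01:19:05 gw kernel: IN=eth0 SRC=10.1.2.3 DST=10.0.0.21 PROTO=TCP SPT=445 DPT=11768 SYN",
    "Jan 12 01:19:06 gw kernel: IN=eth0 SRC=10.1.2.9 DST=10.0.0.20 PROTO=TCP SPT=445 DPT=11768 SYN",  # below threshold
    "Jan 12 01:19:07 gw kernel: IN=eth0 SRC=10.1.2.3 DST=10.0.0.22 PROTO=TCP SPT=445 DPT=80 SYN",     # other port
    "Jan 12 01:19:08 gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=3021 DPT=445 SYN",   # ordinary SMB
]

if __name__ == "__main__":
    scanners, targets = dipnet_suspects(SAMPLE_LOG)
    for src, n in scanners.items():
        print(f"{src}: {n} packets 445->11768, probed {', '.join(targets[src])}")
```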

MS AntiSpyware and file locations

Roel, January 11, 2005 | 15:47 GMT

Microsoft has released a beta version of its antispyware program.
Response from the IT community has been mixed so far, not surprisingly.

For instance, today we received a report about MS AntiSpyware flagging
a suspicious file:

"c:\winnt\system32\notpad.exe" was detected as a Remote Administration Tool.

This file, which was a French version of Notepad, would normally be called notepad.exe. For some reason we don't know, the file had been renamed notpad.exe.

When we looked closely, it was clear what this file was. So we figured that MS AS had a faulty signature, meaning this particular French version of Notepad was detected as ItEye RAT.

Not every version (language, build) of every (Windows) file gets tested to check for false alarms, so this might have slipped by.

However we quickly realized that it was the combination of file name/location that made MS AntiSpyware go off.

In fact, the beta version of MS AntiSpyware detects any file with the name "notpad.exe" - even a completely empty one - residing in %sysdir% as being this particular RAT.

So at least a part of the "ItEye RAT" detection is strictly based on filename/location, which can result in situations like these.

Because of this, we think it's best to detect files by file signatures, not location.
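To make the point concrete, here is an added example (not Microsoft's or Kaspersky's code) that contrasts a rule keyed only on file name and directory with one keyed on the file's contents, run over a constructed set of files; the "known bad" hash is a placeholder computed from made-up bytes, not a real ItEye RAT signature.

```python
import hashlib
import ntpath

SYSDIR = r"c:\winnt\system32"   # %sysdir% on the machine from the post

# Constructed "known bad" table for the illustration. The hash is of the
# placeholder bytes below, not of any real ItEye RAT sample.
RAT_PLACEHOLDER = b"RAT-SAMPLE-PLACEHOLDER"
KNOWN_BAD = {hashlib.sha256(RAT_PLACEHOLDER).hexdigest(): "ItEye RAT (placeholder signature)"}

def location_rule(path, content):
    """Rule of the kind the post describes: any notpad.exe in %sysdir% is
    'the RAT', regardless of what the bytes are. `content` is ignored."""
    directory, name = ntpath.split(path)
    if name.lower() == "notpad.exe" and directory.lower() == SYSDIR:
        return "ItEye RAT (matched by name and location)"
    return None

def signature_rule(path, content):
    """Content-based rule: identify the bytes, whatever name or directory they sit under."""
    return KNOWN_BAD.get(hashlib.sha256(content).hexdigest())

def scan(files, rule):
    """Apply one rule to a {path: bytes} map and return {path: verdict} for flagged files."""
    flagged = {}
    for path, content in files.items():
        verdict = rule(path, content)
        if verdict:
            flagged[path] = verdict
    return flagged

# Constructed file set: the post's false positive (an empty notpad.exe in
# system32), a stand-in for the real Notepad binary, and the placeholder
# 'RAT' bytes sitting under an innocent name somewhere else.
FILES = {
    r"c:\winnt\system32\notpad.exe": b"",
    r"c:\winnt\system32\notepad.exe": b"MZ stand-in for the real (French) notepad binary",
    r"c:\temp\update.exe": RAT_PLACEHOLDER,
}

if __name__ == "__main__":
    print("by location: ", scan(FILES, location_rule))   # flags the empty file, misses the 'RAT'
    print("by signature:", scan(FILES, signature_rule))  # flags only the 'RAT' bytes
```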

Compromised WMV files in P2P networks

Yury, January 11, 2005 | 14:49 GMT

Several potentially dangerous WMV (video) files are currently floating around P2P networks. If downloaded and opened, these files direct computers to infected web resources instead of the safe ones named in the original video files. The infected web resources host downloadable malware: adware and Trojans.

We are detecting the compromised WMV files as Trojan-Downloader.WMA.Wimad.a and Trojan-Downloader.WMA.Wimad.b.

New Worm.SymbOS.Lasco.a

January 10, 2005 | 15:39 GMT

Analysis of the new virus mentioned in the previous posting showed that it's a SymbianOS worm, based on Cabir source code, that spreads itself via BlueTooth. It also has a file infection functionality.

Upon execution, the virus searches for nearby BlueTooth devices (those which are in discoverable mode) and tries to transmit itself to any accessible ones. It also initiates a drive-wide scan for SIS-files and tries to infect them by inserting virus code directly into an SIS archive.

We've called this virus Worm.SymbOS.Lasco.a. An antivirus database update is already available.

A detailed description of the virus will be available in the Virus Encyclopedia in the near future.

UPDATE: the description of Lasco.a is now online.

The first file infector for Symbian-based cellular phones

January 10, 2005 | 13:03 GMT

We have just received a new virus for SymbianOS mobile phones directly from its author. It is an interesting specimen because it is the first known infector of SIS files. It comes in two variants: a Windows application and a SymbianOS SIS application.

We are conducting a detailed analysis of the virus. We will post more information a little bit later.

"The meaning of life, the universe, and everything"

Costin, January 07, 2005 | 16:38 GMT

"The meaning of life, the universe, and everything"... is of course 42, as we know from one of Douglas Adams' excellent books. In our case, it is all about 42/TCP, a port used by WINS (the Microsoft Windows Internet Naming Service) which is the target of an increasingly popular stream of exploits over the Internet.

This vulnerability has been designated MS04-045 by Microsoft. An advisory as well as updates can be found at the following address:

http://www.microsoft.com/technet/security/Bulletin/MS04-045.mspx

Our network of honeypots has registered a record number of port 42 exploits today, so we are urging all customers to patch their systems and update to the latest definitions, which should detect the malware responsible for the increase.

Over the past few days the number of exploits was also up, but not by this much: the number we registered today is greater than all the attacks we received on port 42 in the whole of the past week.

The names reported by KAV for the malware which is causing this increase in port 42 traffic are Backdoor.Win32.Hzdoor.a and Exploit.Win32.MS04-011. The second detection will be improved in the next update to correctly report the MS04-045 specific code.

I, Spy

Costin, January 06, 2005 | 18:36 GMT

Microsoft has just announced the availability of its Anti-Spyware software tool, based on code purchased at the end of last year from NY-based Giant. The software download is a 6.4MB executable which can be obtained from:

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Keep in mind that as any other beta software, this may have unexpected results. Test it on a spare system before running it on your production servers!

Also keep in mind that KAV can detect and remove many kinds of spyware by simply activating the download and usage of 'extended databases', in the Updater Configuration panel.

Plenty more 'phish' in the sea

David, January 06, 2005 | 12:02 GMT

Phishing is once again on the rise. This is a cyber crime that involves tricking computer users into disclosing their personal details [username, password, PIN number or any other access information] and then using these details to obtain money under false pretences.

The number of phishing attacks, and the associated costs, are increasing. According to the Anti-Phishing Working Group Phishing Activity Trends Report - November 2004, there was a 34% month-on-month growth in the number of new, unique phishing e-mail messages between July 2004 and November 2004; and a 28% month-on-month growth in the number of unique fraudulent web sites.

This growth is clearly being driven by the potential to make money from unsuspecting users and we would urge users to be cautious about the way they conduct online transactions.

  • Don't divulge passwords, PINs, etc.
  • Don't fill out forms contained in e-mails
  • Don't click on links in e-mails
  • If you're using Internet Explorer [IE], use the lock symbol in the IE status bar to confirm the site you're accessing
  • Check bank accounts regularly and report anything suspicious

Different spam runs for same malware

Roel, January 05, 2005 | 23:32 GMT

We have now seen at least two spam runs which try to convince the recipient to install Trojan-Spy.Win32.Goldun.a.
This Trojan tries to steal bank-related info.

What's interesting is that the two spam runs used different techniques.

The first run had the following message body:

    Hi!
    Clients Database.
    Clients.rar attached. In clients.rar: clients.csv - database in Microsoft Excel.
    X.chm - help file with another information about our clients.
    Password on archive: 123.
    Best regards, Alex.

As you can see, a password-protected rar archive was used. The .chm file mentioned contained an exploit to run Trojan-Spy.Win32.Goldun.a, which also resided in the .chm file.

The second message is a 'true' fraud mail.
It pretends to be from E-Gold, which is a banking site, and has a .zip archive attached to it. This .zip archive contains "setup.exe", which is Trojan-Spy.Win32.Goldun.a.

So we see two different (social) engineering techniques used in two different spam runs for the same malware.
I expect that we will see a growing number of similar cases in the future, as blackhats relentlessly keep trying to make money out of the web.
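Both lures above can be caught at the mail gateway without a signature for the Trojan itself. As an added example (not the post's or Kaspersky's code), this Python rebuilds harmless replicas of the two messages with the standard email library and flags an archive attachment whose password is given in the body, a .chm attachment, and a zip that carries an executable; the extension lists and the sample addresses are assumptions.

```python
import io
import re
import zipfile
from email.message import EmailMessage

ARCHIVE_EXT = (".rar", ".zip", ".chm")                         # assumed list
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cpl")    # assumed list
PASSWORD_RE = re.compile(r"\bpassword\b", re.I)

def triage(msg):
    """Return the reasons (possibly none) for quarantining an EmailMessage."""
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".chm"):
            reasons.append(f"{name}: HTML Help file attached (scriptable, used as a dropper)")
        if name.endswith(ARCHIVE_EXT) and PASSWORD_RE.search(text):
            reasons.append(f"{name}: archive attached and a password is given in the body")
        if name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner_names = zf.namelist()
            except zipfile.BadZipFile:
                inner_names = []
            for inner in inner_names:
                if inner.lower().endswith(EXEC_EXT):
                    reasons.append(f"{name}: contains executable {inner}")
    return reasons

def build_message(subject, text, attachments):
    """Assemble a test message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "alex@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content(text)
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg

def zip_bytes(inner_name, data):
    """Build an in-memory zip holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()

# Constructed, harmless replicas of the two runs described in the post, plus a benign control.
RUN1 = build_message("Clients Database",
                     "Hi!\nClients Database.\nClients.rar attached.\nPassword on archive: 123.\nBest regards, Alex.",
                     [("Clients.rar", b"Rar!\x1a\x07\x00 placeholder, not a real archive")])
RUN2 = build_message("E-Gold account statement",
                     "Please review the attached statement.",
                     [("statement.zip", zip_bytes("setup.exe", b"MZ placeholder, not a real program"))])
CLEAN = build_message("Meeting notes",
                      "Notes from today attached.",
                      [("notes.zip", zip_bytes("notes.txt", b"nothing to see"))])

if __name__ == "__main__":
    for label, msg in (("run 1", RUN1), ("run 2", RUN2), ("clean", CLEAN)):
        print(label, triage(msg) or "no findings")
```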

     

Copyright © 1996 - 2010 Kaspersky Lab