By default it listens on port 7119. In addition, this Trojan horse attempts to terminate the processes of several security products.
Backdoor.Massaker is written in the Microsoft Visual Basic programming language and compressed with UPX. The VB run-time libraries must be installed on the computer for it to execute.
Symantec has given Backdoor.Massaker a low threat rating. However, it can cause system instability and may shut down, restart or crash the system. The Trojan also compromises security settings and attempts to terminate the processes of several security products.
For technical details on the Trojan's impact and security best practices, visit this Symantec site.
The Week in Review
Worms were the focus of malicious-code activity this past week. The week saw the "N" and "O" variants of Opaserv along with Horo, Sahay and a Trojan called Trj/W32.Sevic, according to Panda Software.
Opaserv.N and Opaserv.O spread through shared network drives by exploiting the Share Level Password vulnerability, which is based on an inconsistency in the protection of passwords used in Windows Me/98/95 operating systems. In order to spread to other computers, the "N" variant modifies entries in the Windows Registry and creates several files in affected computers. It also tries to connect to other drives in the same network as the affected computer and to random IP addresses.
Opaserv.O began activating on Dec. 24, 2002. When it activates it deletes all the data stored in the CMOS (BIOS or computer Setup) and the content of the hard drive. Once it has carried out its infection, it restarts the PC and displays a message that appears to be a warning about the version of Windows installed.
Horo is a mass-mailing worm that reaches computers in a file called "HOROSCOPE.SCR" attached to an e-mail message with the subject: "Today's free horoscope." This malicious code creates multiple copies of itself and inserts a large number of entries in the Windows Registry, which significantly reduces the memory available on the hard disk and could prevent the computer from starting up correctly. Once it has carried out its infection, Horo sends itself out to all the contacts in Outlook's Address book.
Another worm worth noting this week is Sahay, which is sent in a file called "MATHMAGIC.SCR" attached to an e-mail message with the subject: "Fw: Sit back and be surprised...". This malicious code tries to remove another virus called W32/Lentin and, like Horo, it sends itself out to all the contacts in Outlook's Address book.
Sahay also modifies files with an "EXE" extension by adding its infection code to the original content of these files. When it has carried out its infection, it restarts the affected computer.
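The attachment names and subject lines reported above for Horo and Sahay can be turned into a mail-gateway check. The following is an added example, not code from the article or from either vendor; the function names (`classify`, `build_sample`) and the sample messages are constructed for illustration, and the check also flags any other `.SCR` attachment, which goes beyond the two names given in the text.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Attachment name -> (family, subject), as reported in the article above.
KNOWN = {
    "horoscope.scr": ("Horo", "today's free horoscope"),
    "mathmagic.scr": ("Sahay", "fw: sit back and be surprised"),
}


def _norm(text):
    # Lower-case, collapse whitespace, drop trailing dots/spaces
    # (Windows ignores them at the end of a file name).
    return " ".join(text.lower().split()).rstrip(". ")


def classify(raw_message):
    """Return [(attachment_name, verdict)] for every flagged attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = _norm(str(msg["subject"] or ""))
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # also decodes RFC 2231 encoded names
        if not name:
            continue
        base = _norm(name.replace("\\", "/").rsplit("/", 1)[-1])
        if base in KNOWN:
            family, known_subject = KNOWN[base]
            how = "name and subject" if subject == known_subject else "name only"
            findings.append((name, f"{family}: {how}"))
        elif base.endswith(".scr"):
            findings.append((name, "screensaver executable"))
    return findings


def build_sample(subject, filename):
    """Constructed test message; the attachment body is inert placeholder text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(classify(build_sample("Today's free horoscope", "HOROSCOPE.SCR")))
    print(classify(build_sample("Re: hello", "MathMagic.scr.")))
```

Matching on the file name alone still yields a finding when the subject has been changed, and the verdict string records which indicators matched.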
Lastly, there was the presence of Trj/W32.Sevic. This Trojan can block access to computers with versions of Windows in English. A clear indication that this Trojan has reached your computer is an animated GIF image of black silhouettes and obscene content, which is displayed the first time this Trojan activates.
For more information, visit Panda Software's virus encyclopedia.
Compiled by Esther Shein.