Virus Alert: Backdoor Maz Wreaking Havoc
A large number of e-mails went out Wednesday in a new attempt to distribute the Maz/Jeem backdoor.
The author mass-mailed thousands of messages with the subject line "Mail delivery failed: returning message to sender." Each carried an attachment named "messages.hta," an HTML Application file whose embedded VBScript dropped the Maz binary to C:\MWARE.EXE and executed it. Because an HTA runs outside the browser sandbox, opening the attachment is enough to run the script with the user's full local rights.
F-Secure Anti-Virus detects and blocks this binary as TrojanDownloader.Win32.Inor. The binary attempted to download a second file, UNWISE.EXE, from a page at ADDR.COM; that page is currently being taken down. UNWISE.EXE is still under analysis, but according to F-Secure it appears to send further mail from firstname.lastname@example.org.
The backdoor is also known as Masteraz. Users who opened the attachment were infected, and the backdoor gives the attacker data-stealing capabilities, according to F-Secure. The malware consists of two parts: a downloader called Inor and a backdoor called Jeem.
For more information on Jeem and Inor see this F-Secure page.
Backdoor Trojan Sdbot.C Making Rounds
Backdoor.Sdbot.C is a backdoor Trojan that is a variant of Backdoor.Sdbot, according to Symantec.
This variant has been packed and encrypted eight times, using four different run-time packers and encryptors, presumably to evade signature-based detection and to make the backdoor harder to analyze.
For technical details on the Trojan, visit this Symantec page.
Panda Software is reporting the appearance of Oror.Q, a worm that searches for files belonging to antivirus programs and deletes them, and that also finds and terminates antivirus processes. Although the payload is destructive, the company currently rates its threat level as very low.
Oror.Q spreads primarily by e-mail: the worm runs when the attached file is opened, or merely when the message is displayed in Outlook's preview pane, because it exploits the IFRAME vulnerability (Panda's Exploit/iFrame) that lets an HTML message execute its own attachment without a click. It also copies itself to other computers reachable over the network from the infected machine.
Note that Oror.Q only looks for files on the C:\ drive, so antivirus software installed on another drive will not be deleted.
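The two delivery tricks in the Maz and Oror.Q items above (an HTA attachment carrying VBScript behind a bounce-message lure, and an HTML message whose IFRAME points at its own attachment so that the preview pane runs it) are straightforward to triage in a mail pipeline. The following Python is an added example and is not code from F-Secure, Panda or the article. The sample message is constructed: its subject and attachment name mirror the Maz mailing, the HTA body is a harmless stand-in for the dropper, and the `<iframe src="cid:...">` pattern is my assumption about how the Exploit/iFrame case appears in the raw message.

```python
"""Triage a raw RFC 822 message for mail-borne script droppers.

Added example, not code from F-Secure, Panda or the original article.
Flags: a bounce-style lure subject, script attachments (.hta and friends),
VBScript/HTA markers inside any MIME part (catches renamed files), and an
HTML body whose <iframe> references a MIME part by cid (assumed shape of
the preview-pane auto-execute trick).
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lure used by the Maz mailing (from the article text).
LURE_SUBJECTS = {"mail delivery failed: returning message to sender"}
# Extensions Windows runs through the script host / mshta on double-click.
SCRIPT_EXTS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

HTA_MARKERS = re.compile(
    rb'<hta:application|<script[^>]+language=["\']?vbscript|createobject\s*\(',
    re.IGNORECASE,
)
# <iframe src="cid:..."> pointing at an attachment inside the same message.
IFRAME_CID = re.compile(rb'<iframe[^>]+src\s*=\s*["\']?cid:', re.IGNORECASE)


def triage(raw: bytes) -> list:
    """Return a list of (finding, detail) tuples for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        findings.append(("lure-subject", subject))

    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()

        if name.endswith(SCRIPT_EXTS):
            findings.append(("script-attachment", name))
        # Sniff content as well: a filter keyed only on the file name misses
        # an HTA that was renamed, or one delivered under a bland MIME type.
        if HTA_MARKERS.search(payload):
            findings.append(("vbscript-payload", name or ctype))
        if ctype == "text/html" and IFRAME_CID.search(payload):
            findings.append(("iframe-cid", "html body references an attachment"))
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the Maz mailing (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.org"  # constructed sender
    msg["To"] = "victim@example.org"        # constructed recipient
    msg["Subject"] = "Mail delivery failed: returning message to sender"
    html = ('<html><body>This message was undeliverable.'
            '<iframe src="cid:messages.hta" width=0 height=0></iframe>'
            '</body></html>')
    msg.set_content("This message was undeliverable.")
    msg.add_alternative(html, subtype="html")
    hta = (b"<html><head><hta:application id=x></head>\n"
           b'<script language="VBScript">\n'
           b"' stand-in for the dropper: the real sample wrote C:\\MWARE.EXE and ran it\n"
           b'Set fso = CreateObject("Scripting.FileSystemObject")\n'
           b"</script></html>\n")
    msg.add_attachment(hta, maintype="application", subtype="hta",
                       filename="messages.hta", cid="<messages.hta>")
    return bytes(msg)


if __name__ == "__main__":
    for kind, detail in triage(build_sample()):
        print(f"{kind:20s} {detail}")
```

Run stand-alone it prints four findings for the constructed message: the lure subject, the `.hta` attachment by name, the VBScript markers inside it, and the cid-referencing iframe in the HTML body. The content sniff is the part worth keeping in a real gateway; extension checks alone are what the renamed-attachment lures of this period were written to get past.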
For visible symptoms, visit this Panda Software page.
Compiled by Esther Shein.
January 22, 2003
A new e-mail worm called Redlof.B (Trend Micro's name is VBS_Redlof.B) was making the rounds Wednesday, according to security vendors Panda Software and Trend Micro. The new code is a variant of Redlof.A, which tops the list of viruses most frequently detected in Asia.