Worm_LOLOL.B, a variant of WORM_LOLOL, spreads via shared folders in the Kazaa peer-to-peer file sharing application, according to Trend Micro.
Once memory-resident, it connects to a specific Internet Relay Chat (IRC) server, from which it receives commands from a remote user and executes them on the affected system. The malware runs on Windows 95, 98, NT, 2000, ME and XP.
For technical details, visit this Trend Micro page.
Also out Thursday is Worm_OPASERV.Q, which spreads via network-shared C:\ drives and downloads an executable file from a specific Web site. The worm modifies the registry of each infected system so that it runs automatically on subsequent Windows startups.
This worm runs on all Windows platforms. Unlike Worm_LOLOL.B, it is not considered destructive.
Technical details can be found on this Trend Micro page.
Roro is Back
Roro worm version 5.1 (according to F-Secure's internal numbering), which originated in France, first appeared at the beginning of 2003. Its functionality is similar to that of the Roro.P (version 4.1) worm, described on this F-Secure page.
However, the worm version 5.1 has some differences:
1. The worm now displays one of its four fake error messages when its file is started for the first time:
Your version of WinZip Self-Extractor is not licensed, or the license information is missing or corrupted.
Please contact the program vendor or the web site (www.WinZip.com) for additional information.
If you downloaded this file, try downloading file again.
The
Upgrade your Windows version.
where the
2. The new worm variant has several additional message templates that it uses to send itself from an infected system. View them at this F-Secure site.
SubSeven Backdoor Dropping Programs in Windows
The latest versions of the SubSeven backdoor (first discovered in May 1999) drop a small starter program (usually WINDOS.EXE) and register it in the Windows Registry so that it runs every time an EXE file is started (the registry's handler for the EXE file type, the exefile\shell\open\command key, is pointed at the starter), according to F-Secure.
This ensures that a copy is always in memory. All recent versions of SubSeven ship with a server configuration utility that lets the attacker customize the server component's capabilities: installation method, custom startup message, and so on. This approach was first introduced by the Back Orifice 2000 backdoor and gives backdoors far more flexibility.
The first samples of this backdoor were not packed, but packed versions later appeared that were hard to detect with anti-virus programs of the time that could not unpack the Win32 "ASPack" executable compressor. The backdoor is usually distributed under different names via newsgroups and e-mail.
When run, the backdoor copies itself to the Windows directory under the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (the names differ between SubSeven versions). It then unpacks a single DLL, WATCHING.DLL, to the Windows System directory (some versions skip this step).
After that, the backdoor modifies the Windows Registry so that its main component is run at every Windows startup (via the Run or RunServices keys), and then creates and modifies some other Registry keys. The backdoor can also install itself by modifying either the WIN.INI or the SYSTEM.INI file.
Once the SubSeven server is active in memory (and hidden from Task Manager), it waits for a TCP/IP connection to be available and then listens on a TCP port for commands from the client component. Whoever holds the client gains control over the remote system on which the server is installed.
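The installation points described above (Run/RunServices keys, the EXE file-type handler, and the WIN.INI/SYSTEM.INI startup entries) are all things an administrator can inspect offline from a registry export and copies of the two INI files. The following audit script is an added example, not F-Secure's or Trend Micro's code; it takes regedit-style export text plus INI contents as strings, so it can be run against a disk image or files copied off a suspect machine. The sample inputs are constructed for illustration; the file-name list is the one given in this article and is not exhaustive, and the exefile\shell\open\command default value of "%1" %* is assumed as the clean baseline. The same Run-key check also covers the startup entry Worm_OPASERV.Q adds.

```python
"""Offline triage of the persistence points described in the SubSeven write-up.

Added example (not F-Secure's or Trend Micro's code). Inputs are the text of a
regedit export (.reg format) plus the contents of WIN.INI and SYSTEM.INI, so the
check runs against copied files rather than a live registry.
"""
import re

# File names the article lists for the dropped server/starter (constructed list,
# not exhaustive: names differ between SubSeven versions).
SUBSEVEN_NAMES = {
    "windos.exe", "server.exe", "kernel16.dl", "rundll16.com",
    "systemtrayicon!.exe", "window.exe", "watching.dll",
}

# Autostart keys the article names (Run / RunServices); HKCU\...\Run added for completeness.
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)

# Handler used to launch any .EXE; a value other than the assumed default means the
# attacker's starter program runs first every time an EXE is started.
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path_lower: {value_name: data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg string values escape backslashes and quotes with a backslash
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def ini_values(text, section, names):
    """Return {name_lower: value} for the requested names inside [section] of an INI file."""
    found = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() in names:
                found[name.strip().lower()] = value.strip()
    return found


def suspicious_names(command):
    """File names in a command line that match the article's SubSeven drop names."""
    found = re.findall(r"[\w!.-]+\.(?:exe|com|dll|dl)\b", command, re.I)
    return {n.lower() for n in found} & SUBSEVEN_NAMES


def audit(reg_text, win_ini, system_ini):
    """Return [(location, detail)] findings for each persistence point the article describes."""
    findings = []
    reg = parse_reg_export(reg_text)
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            hits = suspicious_names(data)
            if hits:
                findings.append((key + "\\" + name,
                                 "%s (known SubSeven name: %s)" % (data, ", ".join(sorted(hits)))))
    exefile = reg.get(EXEFILE_KEY, {}).get("(default)")
    if exefile is not None and exefile.strip().lower() != EXEFILE_DEFAULT.lower():
        findings.append((EXEFILE_KEY, "EXE handler hijacked: " + exefile))
    # WIN.INI [windows] run=/load= start programs at logon; any non-empty entry is reviewed
    for name, value in ini_values(win_ini, "windows", {"run", "load"}).items():
        if value:
            findings.append(("WIN.INI [windows] %s=" % name, value))
    # SYSTEM.INI [boot] shell= should be Explorer.exe on a clean Windows 9x system
    shell = ini_values(system_ini, "boot", {"shell"}).get("shell", "")
    if shell and shell.lower().split()[0] != "explorer.exe":
        findings.append(("SYSTEM.INI [boot] shell=", shell))
    return findings


# Constructed sample inputs: an infected machine with three of the four persistence points set.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinLoader"="C:\\WINDOWS\\SERVER.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\WINDOS.EXE \"%1\" %*"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\KERNEL16.DL\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vmouse\n"

if __name__ == "__main__":
    for location, detail in audit(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("%-70s %s" % (location, detail))
```

On a real case, export the keys with regedit and copy WIN.INI and SYSTEM.INI from the Windows directory; a hit on the exefile handler should be treated as the strongest indicator, since no legitimate software of that era rewrote it, while a Run-key or run= entry needs the referenced file examined before judging it.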
Read the list of the 113 capabilities the initial version of SubSeven had, and find out how to disinfect the backdoor on this F-Secure page.
Compiled by Esther Shein.