Anti-virus developer Panda Software on Tuesday reported the appearance of Kazoa.C, alias Gool, a new worm/Trojan programmed in Delphi that spreads through the popular file sharing application KaZaA and through the chat program IRC.
Kazoa.C/Gool impacts Windows XP/2000 Pro/NT/Me/98/95. When installed on the affected computer, it changes entries in the Windows Registry in order to ensure that it is run every time Windows is started up. Kazoa.C/Gool also opens a port (usually 31337) and sends out the IP address of the affected computer via the Internet, leaving the computer vulnerable to remote attacks. An attacker would be able to carry out the following actions on the affected computer:
Send messages
Hide the Taskbar that appears on the desktop
Delete the CMOS
Provoke an error in the computer
Use up memory
Handle and send files
Capture screens and keystrokes
Obtain data on the operating system and characteristics of the machine.
Kazoa.C/Gool modifies the default shared file folder in the application KaZaA and creates a large number of files, which contain the worm's code, with names like Catherine Zeta Jones, Pamela Anderson, Sandra Bullock, Shakira or Pokemon.
This worm tries to trick users into running these files by suggesting that they contain erotic photos, cracks for hacking operating systems etc. These files always have a double extension, but the real extension is .exe. If a computer is not configured to show all file extensions, these icons will be displayed as inoffensive jpg or .txt files. When the executable file is run (by double-clicking on the icon), Kazoa.C/Gool displays a screen.
If this malicious code detects the presence of certain antivirus and security programs, it terminates them. Find out if your computer is infected by checking whether the following files are in the Windows system directory:
EXPLORER.EXE
Explorer.VBS
RealWayToHack.exe
Panda Software is giving this virus a very low threat rating. For technical details, visit this page.
JS/Seeker-C Trojan Attempts to Disrupt IE
JS/Seeker-C is a malicious script that attempts to modify Internet Explorer settings, such as the Start Page and Search setting, according to Sophos.
It appears the script has been designed to do this to redirect traffic to Web sites (typically, but not limited to pornographic sites). The Trojan writes to registry values under:
HKCU\Software\Microsoft\Internet Explorer.
JS/Seeker-C does not forward itself to other users, but has to be deliberately installed on a Web site or forwarded via email from a malicious user.
For removal instructions, visit this Sophos page.
W32.Yalat.Worm Spreads via MAPI
W32.Yalat.Worm attempts to spread by using MAPI and by copying itself to shared folders. It also attempts to stop the processes of some antivirus programs. However, the worm does not work as intended due to bugs in the code. For technical details, visit this Symantec page.
W32.HLLW.Maax Worm Chooses File-Sharing Programs, E-mail to Spread
Symantec is also reporting the appearance of the W32.HLLW.Maax worm, which uses several file-sharing programs and Microsoft Outlook to spread.
The file-sharing programs include KaZaA, Morpheus, Edonkey, Grokster, Limewire and Bearware. The e-mail would have a subject chosen from a predetermined list and an attachment with a filename of Tca.exe.
This worm attempts to terminate the processes of antivirus and security- related programs. It is written in Microsoft Visual Basic version 6 and is packed with UPX. Read the technical details here.
Compiled by Esther Shein.
Rethinking the Datacenter
Putting the Green into IT
Managing the Modern Network
Evaluating Software as a Service for Your Business
Is Your Disaster Recovery Plan Good Enough? 
IE 7
Firefox 2.0
