The Supova worm writes the following text to a file with a random name and a '.txt' extension:

 W32.Supernova - Ban religion
 ---------------------------------------------------
 Religion = War
 Religion = Based on fairytales
 Wars based on fairytales?
 Ban religion, welcome to the truth
 ---------------------------------------------------

The worm deletes files and displays the following messages:

0wned by the blasting star
Religion=war
Patch the leaks... Or the ship will sink....

Read more about Supova on this F-Secure Web page.

Two Trojans Causing Nuisance

Symantec is reporting the appearance of two low-threat Trojans.

Trojan.Idly attempts to gather system information, including a user's dial-up networking user name and passwords, and send them to the hacker. Read here what happens when the Trojan is executed.

The other Trojan, W32.Yinker.Trojan, creates a new user named Yinker and adds this user to the Administrator group on Windows NT4.0/2000/XP. It also stops and restarts the Telnet service.

Removal instructions can be found here.

Week in Review

Three worms (Lovgate.A, W32/Tang and Kingpdt) and two Trojans (Nzlog and Aileen) were the focus of scrutiny for malicious code this week.

Lovgate.A spreads across local networks and via e-mail, and is also programmed to act as a backdoor Trojan. When activated, the worm does the following:

  • It creates a large number of copies of itself in shared network directories and subdirectories. These files are accessible from the other computers on the same local network as the computer infected by Lovgate.A. If one of these files is run on another computer, that computer will also be infected by the Trojan.

  • It opens a TCP communications port (usually 10168), leaving the computer vulnerable to remote attacks.

The second worm was W32/Tang, which is transmitted not only via e-mail and the IRC clients Mirc, Pirch and Virc, but also through the most popular file-sharing applications, such as Kazaa, BearShare, Edonkey and Morpheus.

This virus looks for files with the following extensions: scr, pif, mp3, mp2, gif, bmp, dib, png, jpg, jpeg, jpe, tif, tiff, mpg, mpeg, mpe, avi, mov, tmp, txt, lnk, bat, mdb, ppt and pps, in the default shared directories of these applications. If it finds them, it replaces them with a copy of itself.

W32/Tang also infects Excel workbooks, Word's global template and Access files.

Like W32/Tang, Kingpdt also spreads rapidly via e-mail, IRC chat channels and peer-to-peer file-sharing programs, such as Kazaa, Edonkey and Morpheus. If it finds files with the following extensions on the affected computer, it overwrites them with its code: mp3, mp2, mpg, mpeg, mpe, avi, mov, dir, jpg, jpeg, png, gif, png, tif, tiff, pic, art and url.

In terms of Trojans, this week also saw the appearance of Nzlog, which goes memory resident and captures the keystrokes entered by the user of the affected computer. It logs this information, which can include the user name and password, in a file called NZLOG.TXT that this virus creates in the directory C:\Program Files.

Aileen was the other Trojan that appeared this week. Aileen also goes memory resident and opens and closes the CD-ROM tray. When it is run, it sometimes creates a file called WINCOPY.EXE in the Windows system directory. Similarly, it creates a key in the Windows Registry so that it is run every time the affected computer is started up.
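
As an added illustration (not part of the original article or of any vendor's tooling), the host traces described above for Lovgate.A, W32.Yinker.Trojan, Nzlog and Aileen can be checked against data collected from a machine. The function names, the sample inputs and the system directory path are assumptions; 10168 is only the usual Lovgate.A port, so a hit is a lead to investigate rather than a verdict.

```python
# Indicators come from the article text; all sample inputs are constructed.
LOVGATE_PORT = 10168                        # "usually 10168"
YINKER_USER = "yinker"                      # account added by W32.Yinker.Trojan
NZLOG_PATH = r"c:\program files\nzlog.txt"  # Nzlog keystroke log
AILEEN_FILE = "wincopy.exe"                 # dropped in the Windows system directory

def listening_tcp_ports(netstat_text):
    """Local TCP ports in LISTENING state, parsed from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports

def group_members(localgroup_text):
    """Lower-cased member names from `net localgroup Administrators` output."""
    members, in_list = [], False
    for line in (l.strip() for l in localgroup_text.splitlines()):
        if line.startswith("---"):
            in_list = True          # member names follow the dashed rule
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line.split("\\")[-1].lower())
    return members

def triage(netstat_text, localgroup_text, file_paths, system_dir):
    """Return the article's indicators that appear in the collected data."""
    hits = []
    if LOVGATE_PORT in listening_tcp_ports(netstat_text):
        hits.append("Lovgate.A: TCP 10168 listening")
    if YINKER_USER in group_members(localgroup_text):
        hits.append("W32.Yinker.Trojan: user Yinker in Administrators")
    paths = {p.lower() for p in file_paths}   # Windows paths are case-insensitive
    if NZLOG_PATH in paths:
        hits.append("Nzlog: NZLOG.TXT in C:\\Program Files")
    if system_dir.lower().rstrip("\\") + "\\" + AILEEN_FILE in paths:
        hits.append("Aileen: WINCOPY.EXE in system directory")
    return hits

# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10168          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:139           ESTABLISHED
"""
SAMPLE_GROUP = "Members\n-----\nAdministrator\nYinker\nThe command completed successfully.\n"
SAMPLE_FILES = [r"C:\Program Files\NZLOG.TXT", r"C:\WINNT\system32\notepad.exe"]
if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_GROUP, SAMPLE_FILES, r"C:\WINNT\system32"))
```
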

For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.

Compiled by Esther Shein.