A memory-resident worm that spreads via popular file-sharing networks and network shared drives connects to an Internet Relay Chat (IRC) server, allowing its remote user to launch a Distributed Denial of Service (DDoS) attack, according to antivirus software vendor Trend Micro.

This worm is related to Worm_AGOBOT.C and enters machines via Kazaa, Grokster and Bearshare, as well as network shared drives. It regularly connects to an IRC server as a bot, enabling the remote user to launch a DDoS attack from infected machines, Trend Micro reported Friday.

The worm, which affects systems running Windows NT, 2000, and XP, also has backdoor server capabilities and can allow remote users to access and manipulate infected systems. It sends out a notification to its remote user that can contain sensitive information, including application serials and IP addresses.

Although the worm is considered destructive, Trend Micro is giving it an overall low risk rating. For removal instructions, go to this Web page.

WM97/Van-A in Circulation

WM97/Van-A is a Word 97 macro virus. It infects active documents when an infected document is closed. It presently has a low risk rating from Sophos.

For removal instructions, visit this Sophos Web page.

Week in Review

This week saw the arrival of the 'C' and 'E' variants of Lovgate, the Gibe.B worm, the CrazyBull Trojan and a macro virus called Ekiam.

Lovgate.C and Lovgate.E are worms/Trojans that have the following common characteristics:

  • They spread across local networks and via e-mail.
  • They reply to the messages they find in the Inbox of the e-mail client.
  • They send out a large number of e-mails with infected attachments to the addresses they find in the Inbox and in certain directories.
  • They are also programmed to act as Trojans. To do this, they open a TCP port, leaving the affected computer vulnerable to remote attacks, and they send an e-mail message to the virus author containing confidential information, such as the IP address, the machine name and the user name.
  • They create a large number of copies of themselves in the shared network drives they access.
  • Both variants are written in the Visual C++ programming language.
The primary differences between the 'C' and 'E' variants of Lovgate are:

  • The TCP port they use when they act as Trojans. Lovgate.C usually opens port 10168, while Lovgate.E uses 1192 on NT computers and 10168 on the rest.
  • Lovgate.E also captures the keystrokes entered by the user of the affected computer.
  • The file that carries out the infection in Lovgate.C is 78,848 bytes in size and compressed with Aspack, compared with the Lovgate.E file, which is 99,296 bytes and compressed with a modified UPX compressor.

Gibe.B is another worm that was spreading this week. Its effects are more annoying than damaging. This virus spreads rapidly via e-mail, the file-sharing program KaZaA, IRC chat and shared network drives. The messages sent by this worm mimic a Microsoft security update. Gibe.B exploits two vulnerabilities in Internet Explorer (Exploit IFRAME and Incorrect MIME header). Because of this, if this malicious code reaches computers via e-mail, the computer will become infected when the message carrying the worm is viewed through Outlook's Preview Pane.

The CrazyBull backdoor Trojan allows hackers to gain remote access to the resources on the computers it infects (printer, programs, documents, etc.). This malicious code can only attack computers that are TCP/IP network clients.

Finally, there was the macro virus Ekiam, which infects Word documents and the global template used by this application and disables the macro antivirus protection incorporated in Word. After carrying out its infection, Ekiam changes the name of the registered user of the operating system (if the Spanish version is installed).

For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.

Top 10 Viruses Blocked by MessageLabs For February

  • Klez.H-mm
  • Yaha.Ke2a2
  • Yaha.E-mm
  • Sobig.A-mm
  • BugBear-mm
  • SirCam.A-mm
  • LovGate.C-m
  • CIH.1049
  • Naith.A-mm
  • Yaha.C-mm

Compiled by Esther Shein