Anti-virus vendor Symantec, however, gives Backdoor.SubSeven.2.15 an overall low risk assessment. For technical details of the virus, check this Symantec Web page.
Worm_Cydog.A Sends Fake Error Message
This worm mass-mails copies of itself using Microsoft Outlook to all email addresses found in the infected system's Outlook address book, according to antivirus software vendor Trend Micro.
Worm_Cydog.A also spreads copies of itself via Kazaa and other popular peer-to-peer file sharing networks. It drops copies of itself into the following shared folders of the peer-to-peer file sharing programs:
Kazaa - KaZaa\My shared Folder
Bearshare - Bearshare\Shared
Grokster - Grokster\My Grokster
Morpheus - Morpheus\My Shared Folder
EDonkey2000 - eDonkey2000\Incoming
Worm_Cydog.A displays a message box with the following text:
Title: Fatal Error in Windows Kernell
Message: Fatal Error in Windows Kernell
"Please allow a 10 MINUTES access for windows to send an error report to Microsoft in hope they solve this error. This operation could take a few moments but it will help Microsoft to make a Windows Update If a dialog is prompted from MS Outlook then please click the yes button to allow Windows to send the e-mail!"
Once a user clicks the OK button on this fake error message box, this worm continuously runs instances of itself, consuming system resources and eventually hanging the system. It drops a batch file detected as BAT_CYDOG.B and designed to delete certain files. However, the dropped batch file contains errors and does not execute its destructive routine.
This UPX-compressed, memory-resident worm runs on Windows 95, 98, ME, NT, 2000 and XP. To read more, visit Trend Micro here.
Troj/Slacker-A Trojan a Variant of Troj/Yabinder
Troj/Slacker-A is a complex Trojan that may be installed by Troj/Yabinder or any other generic Trojan dropper, according to antivirus vendor Sophos.
The Trojan may be delivered separately or packed within cnn3.exe, which is a variant of Troj/Yabinder. When executed, cnn3.exe creates a new folder named SP in the root folder and extracts the following files to it, setting their attributes to hidden:
abc.bat
main.exe
psexec.exe
slacke-worm.exe
Cnn3.exe then spawns slacke-worm.exe. Slacke-worm.exe runs in the background as a "netbios auto-router by eRiC" VB application and searches for available IP addresses with no password or a weak password (on port 445). Slacke-worm.exe then calls abc.bat, with the relevant computer name, which tries a list of passwords for the administrative accounts and then uses psexec.exe to copy over and run main.exe on the remote computer.
Main.exe is detected as Troj/SDBot-S. Psexec.exe is a legitimate "Sysinternals PsExec" application. For instructions on removing Trojans, visit this Sophos site.
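A defender can check a drive for the drop pattern described above. The following is an added example, not code from Sophos or from the original article: it looks for an SP folder directly under a given root and compares its contents with the four file names listed. The function names and the constructed test directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

# File names the article lists as extracted by cnn3.exe into <root>\SP.
DROPPED = {"abc.bat", "main.exe", "psexec.exe", "slacke-worm.exe"}


def is_hidden(path):
    """Return True/False for the Windows hidden attribute, None if unavailable."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:  # non-Windows platform: attribute not exposed
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def check_sp_folder(root):
    """Find an 'SP' folder directly under root and compare its files with
    the set named in the article (names matched case-insensitively)."""
    findings = []
    for entry in os.scandir(root):
        if not entry.is_dir(follow_symlinks=False) or entry.name.lower() != "sp":
            continue
        present = {}
        for f in os.scandir(entry.path):
            if f.is_file(follow_symlinks=False) and f.name.lower() in DROPPED:
                present[f.name.lower()] = is_hidden(f.path)
        findings.append({
            "folder": entry.path,
            "present": present,  # file name -> hidden flag (None if unknown)
            "missing": sorted(DROPPED - set(present)),
            # psexec.exe alone is a legitimate tool; only the full set is a strong match.
            "full_match": set(present) == DROPPED,
        })
    return findings


def demo():
    """Build a constructed directory tree and run the check against it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "SP"))
        for name in ("ABC.BAT", "main.exe", "PsExec.exe", "slacke-worm.exe"):
            open(os.path.join(root, "SP", name), "w").close()
        return check_sp_folder(root)


if __name__ == "__main__":
    print(demo())
```

On a Windows host, pass the drive root (for example `C:\`) to `check_sp_folder`; a partial match that contains only psexec.exe is not by itself evidence of infection.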