When W32.Bibrog.B@mm is executed, it may also change a system's Windows wallpaper. The email message has the following characteristics:
Subject: Fwd:La Academia Azteca
Message: La cacademia azteca (muy bueno) !no es virus!
Attachment: Academia.exe
This worm also attempts to spread through the KaZaA, Grokster, and Morpheus file-sharing networks, as well as through ICQ. See what the game looks like on this Symantec Web page.
Backdoor.Plux Trojan Opens Listening Port
The Backdoor.Plux Trojan opens a listening port on a computer, possibly enabling a hacker to remotely control the computer.
Backdoor.Plux uses web.icq.com to send a message to the hacker's ICQ Unified Messaging Center. This message includes the IP address of the infected computer. Technical details can be found here.
VBS Worm Targets Web Site for DOS Attack
VBS.Lunnet.A is a Visual Basic Script worm that attempts to spread using the KaZaA and Grokster file-sharing networks. The worm also attempts a Denial of Service (DoS) attack on www.ytunnel.digitalcitrus.com.
VBS.Lunnet.A adds a command to the Autoexec.bat file to format the hard drive the next time the computer is started.
Find out more here.
Randon Trojan Has No Destructive Effects
Antivirus software developer Panda Software has detected the appearance of Randon (W32/Randon), a new worm/Trojan. Other antivirus companies have reported receiving incidents involving this worm this week.
Randon uses IRC channels and resources shared across LANs in order to spread. It starts out by listening to communication port 445. If it manages to establish communication, the worm runs two files (sencs.bat and incs.bat), trying to find resources to access in remote machines and connect to them using a predetermined list of passwords.
If a successful connection is made, the worm accesses the computer through port 445, and simultaneously sends a Trojan called Trj/W32.Apher. This in turn downloads -- from Internet addresses which vary according to the version of the Trojan -- a file designed to create a backdoor in the computer.
Similarly, Randon downloads other files onto the system which let it connect to an IRC server and carry out denial of service and 'channel flooding' attacks. It then goes on to check port 445 on other computers connected via IRC. Finally, Randon creates a number of entries in the Windows registry to ensure it is run permanently on the affected system.
Even though Randon has no destructive effects, its modus operandi could cause it to collapse networks. For more information, visit Panda Software.
Cydog-A Still Making the Rounds
Also still out in force is W32/Cydog-A, a P2P and email worm. When run, the worm attempts to delete DLL and EXE files from C:\Program Files\Common Files\Symantec Shared\ and C:\Program Files\Norton AntiVirus\. W32/Cydog-A copies itself into the Windows folder as CyberWolf.exe, Rundll32.exe, System\explorer.exe, System\system.exe and into the Windows system folder as CyberWolf.exe, Kernell32.exe, Ms-Dos.com, regedit32.exe, service.exe, system.exe, system32.exe and Windows.scr.
W32/Cydog-A spreads in a number of P2P networks. View them on this Sophos Web page.
Week in Review
Three worms have been the focus of attention this week: Randon and the 'P' variants of Lentin and Opaserv.
Randon spreads through IRC chat channels and shared network resources. The most important characteristic of this malicious code is that it is a dropper type worm that inserts several files on the computers it infects, many of which are other viruses with varying effects. The actions they carry out include opening ports, running applications, propagating and launching DoS and flooding attacks. Randon connects to a Web page and downloads a backdoor type Trojan. An indication of the presence of this worm in a computer is an increase in the network traffic through ports 445 and 6667.
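The one concrete detection clue the digest gives for Randon, here and in the earlier Randon item, is a rise in traffic on port 445 (the share probing) and port 6667 (the IRC connection). The script below is an added example, not part of this digest or of any vendor's tooling: it parses a handful of constructed firewall-style log lines (the line format, the IP addresses and the thresholds are all assumptions made for illustration) and flags any source host that hammers either port, either by sheer attempt count or by fanning out to many distinct destinations, which is what a worm scanning for shares looks like from the network side.

```python
import re
from collections import defaultdict

# Ports named in the Randon write-up and what each one meant there.
WATCHED_PORTS = {445: "SMB share probing", 6667: "IRC"}

# Assumed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample: 10.0.0.5 behaves like an infected host (many 445 probes
# to different machines, repeated IRC connections); 10.0.0.7 and 10.0.0.9 are
# ordinary clients. The last line is deliberately malformed.
SAMPLE_LOG = """\
2003-03-10T09:00:01 10.0.0.5 -> 10.0.0.20:445 allow
2003-03-10T09:00:02 10.0.0.5 -> 10.0.0.21:445 allow
2003-03-10T09:00:02 10.0.0.5 -> 10.0.0.22:445 deny
2003-03-10T09:00:03 10.0.0.5 -> 10.0.0.23:445 allow
2003-03-10T09:00:03 10.0.0.5 -> 10.0.0.24:445 deny
2003-03-10T09:00:04 10.0.0.5 -> 10.0.0.25:445 allow
2003-03-10T09:00:05 10.0.0.5 -> 198.51.100.9:6667 allow
2003-03-10T09:00:06 10.0.0.5 -> 198.51.100.9:6667 allow
2003-03-10T09:00:07 10.0.0.5 -> 198.51.100.9:6667 allow
2003-03-10T09:00:08 10.0.0.5 -> 198.51.100.9:6667 allow
2003-03-10T09:00:09 10.0.0.5 -> 198.51.100.9:6667 allow
2003-03-10T09:00:10 10.0.0.7 -> 10.0.0.20:445 allow
2003-03-10T09:00:11 10.0.0.7 -> 203.0.113.10:80 allow
2003-03-10T09:00:12 10.0.0.9 -> 203.0.113.10:443 allow
this line is garbage and should be skipped
"""


def parse_log(text):
    """Return (src, dst, port) tuples; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((m["src"], m["dst"], int(m["port"])))
    return events


def summarize(events):
    """Per source host and watched port: number of attempts and the set of distinct targets."""
    stats = defaultdict(lambda: defaultdict(lambda: {"attempts": 0, "targets": set()}))
    for src, dst, port in events:
        if port in WATCHED_PORTS:
            entry = stats[src][port]
            entry["attempts"] += 1
            entry["targets"].add(dst)
    return stats


def flag_hosts(events, min_attempts=5, min_targets=3):
    """Return {src: [reasons]} for hosts exceeding either threshold on a watched port.

    Both thresholds are illustrative; a real deployment would derive them from
    the normal baseline of the network being watched.
    """
    flagged = {}
    for src, ports in summarize(events).items():
        reasons = []
        for port, entry in ports.items():
            if entry["attempts"] >= min_attempts or len(entry["targets"]) >= min_targets:
                reasons.append(
                    f"port {port} ({WATCHED_PORTS[port]}): "
                    f"{entry['attempts']} attempts to {len(entry['targets'])} hosts"
                )
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_hosts(parse_log(SAMPLE_LOG)).items():
        print(host)
        for reason in reasons:
            print("  " + reason)
```

The distinct-target count matters as much as the raw attempt count: a single workstation legitimately opening one share on port 445 (10.0.0.7 above) never trips the rule, while a host touching six different machines on 445 in a few seconds does, even before its IRC traffic is considered.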
The second worm, Lentin.P, spreads via e-mail in a message with highly variable characteristics. This virus also exploits a vulnerability in versions 5.01 and 5.5 of Internet Explorer to run automatically when the message carrying the worm is viewed through Outlook's Preview Pane. It also spreads across networks, as on Wednesdays it copies itself to the shared network drives. Lentin.P ends antivirus and firewall programs, launches DoS attacks against five Web sites, changes the home page of Internet Explorer and closes the Windows Task Manager.
Opaserv.P spreads across networks and shared resources. When this worm activates, it displays a message in an MS-DOS window and deletes the content of the hard drive. It also intercepts a large number of processes in the computer it infects and looks for IP addresses in the network with port 137 open. If it receives a reply, it spreads through port 139 by copying itself to the C: directory. Another interesting characteristic of Opaserv.P is that it patches the files 'IO.SYS' and 'COMMAND.COM' in Windows NT 4 computers and in Windows Millennium computers it patches the file 'REGENV32.EXE'.
For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.
Compiled by Esther Shein.