Virus Alert: NiceHello Email Worm Using Spanish Phrases
The NiceHello e-mail worm was still being reported Tuesday by various antivirus software vendors. According to Panda Software, W32/NiceHello has the ability to spread rapidly. It reaches computers in an e-mail with variable characteristics, notably the use of Spanish phrases in the subject field, message text and attachments. The subject field, message text and attachments could have any combination of the following Spanish phrases and names:
Subject:
The message text and attached file are also in Spanish.
More detailed information about this worm is available in Panda Software's Virus Encyclopedia.
Serious Flaw Reported in PeopleSoft Application
A vulnerability in PeopleTools, from enterprise application vendor PeopleSoft, Inc., may compromise the product's embedded Web server and possibly other PeopleSoft applications, according to a security vendor.
An attacker could gain access to the server's confidential information and use it to attack other PeopleSoft applications, according to an advisory from Atlanta-based Internet Security Systems.
The culprit is a Java servlet known as SchedulerTransfer. The servlet runs on PeopleSoft's embedded Web server and can be accessed without authentication.
ISS said the flaw can be found in PeopleTools versions 8.10-8.18, 8.40 and 8.41.
For more details, check this ISS Web page.
Several Low-Risk Backdoor Trojans Reported by Symantec
Backdoor.Beasty.D is similar to Backdoor.Beasty, Backdoor.Beasty.B, and Backdoor.Beasty.C.
This Trojan is a Delphi application packed with UPX (versions 0.76.1 to 1.20). Backdoor.Beasty.D gives a hacker complete access to the computer. By default, the Trojan listens on TCP port 666 and notifies the hacker by email or ICQ. The Trojan also attempts to terminate various security products and system monitoring tools.
Technical details can be found on this Symantec Web page.
Backdoor.Bridco uses MSN Messenger (.NET Messenger). This Trojan allows a hacker to access a computer by stealing the MSN Messenger password and sending messages through the MSN Messenger service. Technical details are here.
Backdoor.MSNCorrupt uses MSN Messenger to connect to a computer. It also goes by the aliases Backdoor.MSNCorrupt [KAV] and Backdoor:Win32/MSNCorrupt [RAV]. Read more here.
Two Trojans Targeting Month of April
Fourcourse, also going by the names Feria and VBS/Fourcourse.A, is a Visual Basic Script Trojan that consists of two VBS files, according to antivirus software vendor F-Secure.
The first file carries a second Visual Basic Script, which it drops in the root of the C: drive as sysw32.vbs. It also adds the following registry value so that the script runs at startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysw32= C:\sysw32.vbs
The next time the system restarts, the Trojan in sysw32.vbs is executed. If the system date is after April 1, 2003, the script tries to use all four COM ports to dial a phone number.
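The persistence mechanism F-Secure describes (a Run value pointing at a script dropped in the root of C:) is the kind of thing an incident responder checks first. The following is an added example, not code from F-Secure or from the Trojan: it parses a `reg export` dump of the Run key and flags entries that launch Windows Script Host scripts or that start a program from the root of a drive. The dump is constructed for the demo (already decoded from the UTF-16 that `reg export` writes); the sysw32 entry is the one the article gives, the other two entries are made-up benign ones, and the two heuristics are my own, not rules from the advisory.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# dump. Only the sysw32 entry comes from the Fourcourse description; the others are
# made-up benign autoruns added for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"sysw32"="C:\\sysw32.vbs"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
"""

# Extensions handled by the Windows Script Host (assumed list, not from the advisory)
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# A .reg string value: "name"="data", with \\ and \" escapes inside
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Unquoted command line: everything up to the first program/script extension
IMAGE_RE = re.compile(
    r"^(.+?\.(?:exe|com|scr|pif|vbs|vbe|js|jse|wsf|wsh|bat|cmd))(?:\s|$)", re.IGNORECASE
)


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: command} for every value under a ...\\Run or ...\\RunOnce key."""
    values = {}
    in_autorun_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun_key = bool(AUTORUN_KEY_RE.search(line[1:-1]))
            continue
        if not in_autorun_key:
            continue
        m = VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def image_path(command):
    """Pull the program or script path out of a Run command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = IMAGE_RE.match(command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def assess(command):
    """Return the reasons a Run entry looks like malware persistence (empty list if none)."""
    path = PureWindowsPath(image_path(command))
    reasons = []
    if path.suffix.lower() in SCRIPT_EXTENSIONS:
        reasons.append("runs a Windows Script Host script")
    # C:\sysw32.vbs has parts ('C:\\', 'sysw32.vbs'): nothing legitimate autoruns from a drive root
    if len(path.parts) == 2 and re.fullmatch(r"[A-Za-z]:\\", path.parts[0]):
        reasons.append("launched from the root of a drive")
    return reasons


def audit_run_keys(reg_text):
    """Return [(value_name, image_path, reasons)] for every entry that trips a heuristic."""
    findings = []
    for name, command in parse_run_values(reg_text).items():
        reasons = assess(command)
        if reasons:
            findings.append((name, image_path(command), reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"{name}: {image} -> {'; '.join(reasons)}")
```

On a live system the same checks belong on HKCU\...\Run, RunOnce and the RunServices keys of that era as well; the key matcher above already accepts any hive, so feeding it a full export of both hives works unchanged.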
SysComm is a dialer Trojan that, once it has infected a computer, connects to a premium-rate number (906-xxx-xxx) when the system date is April 1 or later, according to Panda Software. SysComm spreads mainly via e-mail in a message that contains three attached files:
SysComm is easy to recognize because it spreads in an e-mail message with certain characteristics. Read what they are on this Panda Software page.
W32/Lovgate-A Still Spreading
Antivirus software vendor Sophos continues to receive reports of W32/Lovgate-A, a worm with a backdoor Trojan component that has been spreading since mid-February. The worm spreads across the local network by copying itself into shared folders under the following filenames:
billgt.exe
Card.EXE
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
s3msong.exe
searchURL.exe
SETUP.EXE
tamagotxi.exe
W32/Lovgate-A also attempts to spread via email by sending itself to addresses harvested from *.ht* files (HTML documents) on the infected machine. Emails sent to these addresses have a set of recognizable characteristics; read them on this Sophos Web page.
W32/Yaha-Q Using Several Email Subject Lines and Message Texts
Also still spreading is W32/Yaha-Q, a worm that most commonly arrives in an email but may also find its way onto a computer via network shared drives.
The email that the worm arrives in can have any one of a very large selection of subject lines and message texts. The email may also be spoofed, meaning it did not necessarily come from the sender shown in the "From" field of the user's email client.
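Because the From header is whatever the worm chose to write, the check that actually tells you where a message came from compares that header against the envelope sender and the Received chain. The following is an added example, not code from Sophos or a sample of the worm: it parses a constructed message (the addresses, hosts and the document.scr attachment are invented for the demo) with Python's standard email module and reports the three things a mail administrator would look at, namely a From/Return-Path domain mismatch, a first hop that does not belong to the claimed sender's domain, and an executable attachment.

```python
import email
import os
import re
from email.utils import parseaddr

# Constructed raw message for the demo (not a real Yaha-Q sample). The From header
# claims support@example.com, but the envelope sender and the first Received hop
# (the bottom one, closest to the origin) tell a different story.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mailstore.example.com with ESMTP id 77AB12
\tfor <user@example.com>; Tue, 01 Apr 2003 10:12:40 +0000
Received: from dsl-pool-77.example.net (dsl-pool-77.example.net [198.51.100.77])
\tby mx.example.com (Postfix) with SMTP id 1A2B3C
\tfor <user@example.com>; Tue, 01 Apr 2003 10:12:33 +0000
From: "Support" <support@example.com>
To: user@example.com
Subject: Fw: Check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hi, see attachment.
--XYZ
Content-Type: application/octet-stream; name="document.scr"
Content-Disposition: attachment; filename="document.scr"
Content-Transfer-Encoding: base64

TVo=
--XYZ--
"""

# Attachment extensions Windows will execute on double-click (assumed list)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# "from <helo> (<reverse-dns> [<ip>]) by <receiver>" as written by common MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE | re.DOTALL)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header ('' if there is none)."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()


def parse_received(value):
    """Extract helo name, IP and receiving host from one Received header, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    helo, comment, by = m.groups()
    ip_match = re.search(r"\[([0-9.]+)\]", comment or "")
    return {"helo": helo.lower(), "ip": ip_match.group(1) if ip_match else None, "by": by.lower()}


def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it (dot-boundary safe)."""
    return host == domain or host.endswith("." + domain)


def executable_attachments(msg):
    """Filenames of MIME parts whose extension Windows would execute."""
    return [
        name
        for part in msg.walk()
        for name in [part.get_filename()]
        if name and os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS
    ]


def analyse(raw):
    """Compare the From header with envelope and transport evidence; return findings."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    rp_domain = domain_of(msg.get("Return-Path", ""))
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin = hops[-1] if hops else None  # last Received header = first hop
    attachments = executable_attachments(msg)
    findings = []
    if rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    if origin and from_domain and not same_org(origin["helo"], from_domain):
        findings.append(f"first hop {origin['helo']} [{origin['ip']}] is not a {from_domain} host")
    if attachments:
        findings.append("executable attachment(s): " + ", ".join(attachments))
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "origin": origin, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_MESSAGE)["findings"]:
        print(line)
```

Two caveats apply when running this on real mail. Only the Received headers added by your own MTAs are trustworthy; anything below them can be forged just like From, so in practice you would stop at the first hop your own mail relay recorded. And a From/Return-Path mismatch on its own is normal for mailing lists and forwarders, which is why the example reports it as one finding among several rather than as a verdict.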
W32/Yaha-Q copies itself to the files exeloader.exe and mstask32.exe in the Windows system folder and creates registry entries to start the worm when Windows starts up. View them here.
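Both the Lovgate-A filename list above and the two Yaha-Q drop names are filename indicators, and the practical way to use them is a sweep of shares and system folders that matches case-insensitively and then looks at content, since a worm that copies itself under many names leaves identical files behind. The following is an added example, not code from Sophos: it walks a directory tree, reports hits against both name lists, hashes each hit and groups hits that are byte-for-byte identical. The sample tree it builds in a temporary directory is constructed for the demo, and the "weak" label for SETUP.EXE (a name countless legitimate installers use) is my judgment, not something the advisories state.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Filenames from the Sophos description of W32/Lovgate-A (copied into shared folders)
LOVGATE_A_SHARE_NAMES = {
    "billgt.exe", "Card.EXE", "docs.exe", "fun.exe", "hamster.exe", "humor.exe",
    "images.exe", "joke.exe", "midsong.exe", "news_doc.exe", "pics.exe", "PsPGame.exe",
    "s3msong.exe", "searchURL.exe", "SETUP.EXE", "tamagotxi.exe",
}
# Filenames W32/Yaha-Q drops into the Windows system folder
YAHA_Q_SYSTEM_NAMES = {"exeloader.exe", "mstask32.exe"}
# Names that also occur legitimately all the time; a hit on these alone is a weak signal
# (my own classification, not from the advisories)
LOW_SPECIFICITY = {"setup.exe"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, names):
    """Walk root and return one record per file whose name matches (case-insensitively)."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            key = fn.lower()
            if key in wanted:
                full = Path(dirpath) / fn
                hits.append({
                    "path": str(full.relative_to(root)),
                    "name": key,
                    "sha256": sha256_of(full),
                    "confidence": "weak" if key in LOW_SPECIFICITY else "strong",
                })
    return sorted(hits, key=lambda h: h["path"])


def clusters(hits):
    """Group hits by digest: one digest under several names is the signature of a
    worm copying itself, whatever the individual names are called."""
    by_hash = defaultdict(set)
    for h in hits:
        by_hash[h["sha256"]].add(h["name"])
    return {d: sorted(n) for d, n in by_hash.items() if len(n) > 1}


def build_sample_tree(root):
    """Constructed share layout for the demo: two Lovgate names holding identical bytes
    (one in odd case), a legitimate-looking setup.exe, a benign document and a Yaha drop."""
    worm = b"MZ" + b"\x90" * 64          # stand-in for the worm body, not real malware
    files = {
        "shared/docs/Card.exe": worm,
        "shared/fun/HUMOR.EXE": worm,
        "shared/tools/setup.exe": b"MZ" + b"\x00" * 32,
        "shared/docs/report.doc": b"\xd0\xcf\x11\xe0",
        "WINNT/system32/exeloader.exe": b"MZ" + b"\xcc" * 16,
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Build the sample tree, sweep it for both name lists, return (hits, clusters)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = sweep(root, LOVGATE_A_SHARE_NAMES | YAHA_Q_SYSTEM_NAMES)
        return hits, clusters(hits)


if __name__ == "__main__":
    hits, groups = demo()
    for h in hits:
        print(f"{h['confidence']:6} {h['path']}  {h['sha256'][:16]}")
    for digest, names in groups.items():
        print(f"identical content {digest[:16]} under: {', '.join(names)}")
```

Run `sweep()` against a mounted share or a mapped Windows system folder rather than the demo tree to use it for real; the digest clusters are what you hand to the antivirus vendor, since names alone are trivially changed by the next variant.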
