W32/Cult-A emails itself to random email addresses, Sophos reported Friday. The email will have the following characteristics:
Subject line: Hi, I sent you an eCard from BlueMountain.com
Message text: To view your eCard, open the attachment. If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Attached file: BlueMountaineCard.pif
When first run, the worm displays a fake error dialog reading "The instruction at 0x776456de referenced memory at 0x6235525g3. The memory could not be read. Click on OK to terminate the application," then copies itself to the Windows System folder as winupdate.exe and adds a registry run entry so that winupdate.exe starts automatically each time Windows boots.
Read the entry and technical information on this Sophos Web page.
New Oror Variant Detected
Sophos also reported Friday the appearance of W32/Oror-T, a variant of the W32/Oror family of Internet worms.
W32/Oror-R is an Internet worm that spreads via network shares, via the KaZaA file-sharing network and by e-mailing itself to addresses found in files on the local hard drive. The Oror worm picks a random e-mail subject line, message text and attachment filename from a set of possibilities, so there is no single message to watch for.
The worm also tries to exploit a known vulnerability in Internet Explorer versions 5.01 and 5.5 so that the attachment runs automatically as soon as the message is selected for viewing, without the user opening it. To prevent re-infection, Microsoft Outlook and Outlook Express users are advised to install the following patch from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
This cumulative patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm. Sophos's Oror entry lists the worm's other characteristics.
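The two mailings above illustrate why a gateway filter cannot rely on the message wording alone: Cult-A uses a fixed subject and a .pif attachment, while Oror varies subject, text and filename but still has to deliver an executable attachment. The following is an added example, not code from Sophos, Microsoft or this article, showing a small Python scanner over constructed sample messages. The executable-extension list, the sample addresses, the double-extension check and the content-type-mismatch heuristic are assumptions of the example, not claims about how either worm is detected by any product.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click (assumption: tune the list to your environment).
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".vbs", ".js"}
# Exact subject line of the Cult-A mailing described in the text, compared case-insensitively.
KNOWN_WORM_SUBJECTS = {"hi, i sent you an ecard from bluemountain.com"}


def build_sample_message(subject: str, body: str, attachment_name: str,
                         payload: bytes, content_type: str) -> bytes:
    """Construct a MIME message in memory (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


def scan_message(raw: bytes) -> dict:
    """Return a verdict and the reasons a message looks like a mass-mailer's carrier."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in KNOWN_WORM_SUBJECTS:
        findings.append(f"known worm subject line: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
            # photo.jpg.vbs style names: an inner "safe" extension hides the real one
            # on systems configured to hide known extensions.
            if os.path.splitext(stem)[1]:
                findings.append(f"double extension: {name}")
            # An executable file declared under a non-application media type is
            # worth flagging on its own; the heuristic is an assumption of this example.
            ctype = part.get_content_type()
            if not ctype.startswith("application/"):
                findings.append(f"content-type {ctype} does not match {ext} file")
        payload = part.get_payload(decode=True) or b""
        # A Windows executable (MZ header) renamed to a harmless-looking extension.
        if payload[:2] == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
            findings.append(f"PE header in attachment named {name}")
    return {"subject": subject, "findings": findings, "quarantine": bool(findings)}


if __name__ == "__main__":
    sample = build_sample_message(
        "Hi, I sent you an eCard from BlueMountain.com",
        "To view your eCard, open the attachment.",
        "BlueMountaineCard.pif", b"MZ\x90\x00" + b"\x00" * 60,
        "application/octet-stream")
    print(scan_message(sample))
```

The subject-line match only catches the one fixed Cult-A message; the attachment checks are what catch an Oror-style mailing whose wording changes every time, which is why the verdict is the union of all findings rather than any single rule.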
VBS_Grouch.A Infects MS Word Template and Targets Outlook Address Book
VBS_Grouch.A is a malicious, mass-mailing script that runs on Windows 9x, NT, 2000 and XP.
On execution, after first checking whether it has already infected the system, the malware infects the MS Word global template (Normal.dot) and e-mails itself to the addresses found in the Microsoft Outlook Address Book, according to antivirus software vendor Trend Micro.
Read details of the email on this Trend Micro Web page.
Week in Review
Four worms, NiceHello, CodeRed.F, Deloder.A and Prom, and a Trojan called SysComm, were this week's most notable malicious code.
NiceHello is particularly noteworthy because this week it knocked Klez.I off the top spot in the ranking of the 10 most frequently detected viruses by antivirus software vendor Panda Software. Klez.I had headed the list for several months.
NiceHello spreads via e-mail in a message that is easy to recognize, as the message text always contains the Spanish phrase "es solo para vos" (it's only for you). After infecting a computer, the worm sends a copy of itself to every address in the contact list of the instant messaging program MSN Messenger. NiceHello also e-mails the virus author the MSN Messenger user name and password of the infected computer's user.
The second worm, CodeRed.F, is a variant of CodeRed.IIS.2 that differs from it by only two bytes. The change removes the original's expiry date: CodeRed.IIS.2 stopped spreading after October 2001, whereas CodeRed.F keeps spreading until the year 34952. CodeRed.F exploits the same vulnerability in Index Server 2.0, Indexing Service and Internet Information Server (versions 4.0 and 5.0). When it infects a computer, it drops a Trojan named "EXPLORER.EXE" that in turn sets up two virtual drives, which the attacker uses to access the infected computer.
From then on, as well as hanging the computer for no apparent reason, CodeRed.F reboots computers running a Chinese-language operating system every 48 hours and those running an operating system in any other language every 24 hours.
The third worm to appear this week was Deloder.A, which spreads across local networks and the Internet and disables the shares C$, D$, E$, ADMIN$ and IPC$. It drops and runs a backdoor Trojan on the computers it infects. To gain remote access to other computers, Deloder.A tries to connect to certain IP addresses on TCP port 445 (SMB over TCP).
Prom is the last worm of the week and affects only computers running Windows XP, 2000 or NT. It spreads via e-mail in a message that is hard to recognize, since its characteristics vary from message to message.
Finally, SysComm is a dialer Trojan that connects to a premium-rate number ("906-xxx-xxx") once the system date is April 1 or later. SysComm spreads mainly via e-mail, in a message carrying three attachments: "FERIA.JPG.VBS", the script that performs the infection; "FERIA2.JPG", which contains an image; and "ATTXXXXX.ATT", which is empty.
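Deloder.A's propagation, one infected host opening TCP port 445 to many other addresses in a short time, is visible at a perimeter or internal firewall long before the backdoor is found on disk. The following is an added example, not code from Panda Software or this article, showing a Python detector run over constructed, iptables-style log lines. The log format, the 60-second window and the 10-target threshold are assumptions of the example; the page does not say which addresses Deloder.A targets, so the sample simply fans out across a range.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# iptables-style syslog line (assumed format; adapt the regex to your firewall's output).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?SYN"
)


def build_sample_log() -> str:
    """Constructed firewall lines: one host fanning out on TCP/445, plus benign traffic."""
    lines = []
    base = datetime(2003, 3, 7, 10, 0, 0)
    # 12 SYNs to 12 different hosts on port 445 within 22 s: a worm's propagation pattern.
    for i in range(12):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%b %d %H:%M:%S} gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 "
                     f"DST=192.168.{i}.10 PROTO=TCP SPT={1040 + i} DPT=445 WINDOW=16384 SYN")
    # A workstation reconnecting to its single file server: many SYNs, one target, not a scan.
    for i in range(15):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%b %d %H:%M:%S} gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 "
                     f"DST=192.168.1.20 PROTO=TCP SPT={2000 + i} DPT=445 WINDOW=16384 SYN")
    # Web traffic on port 80 is ignored entirely.
    lines.append(f"{base:%b %d %H:%M:%S} gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 "
                 "DST=203.0.113.1 PROTO=TCP SPT=3001 DPT=80 WINDOW=16384 SYN")
    return "\n".join(lines)


def find_smb_scanners(log_text: str, window_seconds: int = 60,
                      min_targets: int = 10) -> dict:
    """Map each source that SYNs to at least min_targets distinct hosts on port 445
    within any window_seconds-long window to the number of distinct targets seen."""
    syns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dpt"] != "445":
            continue
        # Syslog timestamps carry no year; the sample log is from 2003 (assumption).
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2003)
        syns[m["src"]].append((ts, m["dst"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in syns.items():
        events.sort()
        # Slide a window starting at each SYN and count distinct destinations inside it.
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    print(find_smb_scanners(build_sample_log()))
```

Counting distinct destinations rather than raw connection counts is what separates a scanning worm from a workstation that legitimately reconnects to one server many times; the threshold should be set from a baseline of normal SMB fan-out on the network being monitored, and blocking inbound TCP 445 at the Internet border removes the worm's only entry path regardless of the detector.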
For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.
Compiled by Esther Shein.