W32/Hawawi-A is composed of four parts, all of which are dropped within the Windows system folder. Media player.exe emails the worm and places copies of the worm in the KaZaA shared folder; SYS32.EXE attempts to use the ICQ network to spread the worm; and SMTPMAILER.DLL is a DLL plug-in that contains the SMTP commands.
W32/Hawawi-A has a destructive payload. The worm reduces files with the following extensions to zero bytes: ZIP, DOC, MDB, XLS, TXT, PPT, PPS, JPG, PDF, RAR, RAM, MP3, FRM, DPR, PHP, CPP, SWF, SQL, MDE, MDE, WAV, RM, MPEG.
For more information on the subject line and text of the email messages, visit this Sophos Web page.
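Because the Hawawi-A payload does not delete files but truncates them to zero bytes, a quick triage step after an infection is to walk a directory tree and list every file whose extension is in the list above and whose size is now zero. The following Python script is an added example for that triage and is not code from Sophos or from the write-up; the extension list is copied from the paragraph above, and the sample directory it builds (report.doc, notes.txt, and a non-empty music.mp3) is constructed here purely for demonstration.

```python
import os
import shutil
import tempfile

# Extensions the Hawawi-A payload truncates, as listed in the write-up above (lower-cased).
HAWAWI_EXTENSIONS = {
    "zip", "doc", "mdb", "xls", "txt", "ppt", "pps", "jpg", "pdf", "rar", "ram",
    "mp3", "frm", "dpr", "php", "cpp", "swf", "sql", "mde", "wav", "rm", "mpeg",
}


def find_zeroed_files(root, extensions=HAWAWI_EXTENSIONS):
    """Return sorted paths (relative to root) of zero-byte files with a targeted extension.

    A zero-byte .doc or .zip is almost never legitimate, so this list is a good
    first approximation of what the payload destroyed and what must be restored
    from backup.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) == 0:
                    hits.append(os.path.relpath(path, root))
            except OSError:
                # File vanished or is unreadable; skip it rather than abort the sweep.
                continue
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: two truncated documents and one intact media file."""
    root = tempfile.mkdtemp(prefix="hawawi_triage_")
    os.makedirs(os.path.join(root, "sub"))
    # Truncated victims (zero bytes)
    open(os.path.join(root, "report.doc"), "wb").close()
    open(os.path.join(root, "sub", "notes.txt"), "wb").close()
    # Intact file with a targeted extension (non-zero size, must not be reported)
    with open(os.path.join(root, "music.mp3"), "wb") as f:
        f.write(b"ID3" + b"\x00" * 16)
    # Zero-byte file with an extension the payload does not touch (must not be reported)
    open(os.path.join(root, "empty.log"), "wb").close()
    return root


def demo():
    """Build the sample tree, run the sweep, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return find_zeroed_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel in demo():
        print("truncated:", rel)
```

Run it against a real share by calling find_zeroed_files with the share's mount point; the relative paths it returns map directly onto the restore list for the backup system.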
Gibe.d Pretending to be Microsoft Update
The Gibe.d worm spreads itself via e-mail, IRC, local network and P2P (peer-to-peer) networks. The worm pretends to be an update from Microsoft when it spreads via e-mail.
The file that spreads via e-mail is a dropper: a 167-kilobyte file written in Visual Basic that contains a few compressed files in its body. Technically the .D variant is not much different from the .B variant of the worm, but there are some changes from the earlier version:
The dropper now uses a randomly generated key name to hold its settings, under:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
The dropper has an extended list of names that it uses to drop itself to Kazaa shared folders. View them and other effects of Gibe.d on this F-Secure page.
Lovgate Worm Keeps Spreading
On Monday there was Lovgate.F. On Tuesday, Lovgate.G made its appearance, spreading across local networks and via e-mail but posing a very low threat, according to antivirus software vendors.
Lovgate.G creates a large number of copies of itself in the shared network drives that it manages to access. It also sends out a large number of e-mail messages to the contacts it finds in the Inbox and to the e-mail addresses it finds in a series of directories.
Read more on this Panda Software page.
This worm is an exact replica of Worm_Lovgate.F, except for the name of the event that it creates to indicate memory-residency, according to Trend Micro. It is Aspack-compressed and propagates through network shares by dropping copies of itself to shared folders with read/write access.
The files that it drops can have any of several file names. View them here.
Backdoor.OptixPro.12.b May Steal Cached Passwords
Backdoor.OptixPro.12.b is a Backdoor Trojan Horse that gives a hacker full access to a computer. By default the Trojan opens port 2060 for listening. The Trojan may steal cached passwords and compromise security settings.
Technical details are on this Symantec page.
Backdoor.Rsbot Also Gives Hackers Unauthorized Computer Access
Symantec also is reporting the appearance of Backdoor.Rsbot, a Backdoor Trojan horse that gives a hacker unauthorized computer access. Several variants have been found, all written in the Microsoft Visual C++ programming language.
Prior to March 25, 2003, some variants of the Trojan were detected as W32.IRCBot. More information can be found on this Symantec page.
Backdoor-ASE Attempts to Connect to Remote IRC Server
This detection is for an IRC-based remote access Trojan, written in Visual Basic.
The exact filename of the Trojan may vary -- at least one field sample seen by AVERT has used the name MSAPP.EXE. Once running on the victim machine, the IRC bot hooks system startup by adding the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinApp32" = MSAPP.EXE
It also creates a hook in the SYSTEM.INI file, for example:
[boot]
EXPLORER.EXE MSAPP.EXE
The IRC Trojan attempts to connect to a remote IRC server, sending notification data concerning the victim machine (username, machine name), if successful. It then tries to join a remote IRC channel in order to await commands.
Exact functionality varies between versions, but typically includes remote commands such as:
delete files
download file
return system information (memory, computer details etc.)
initiate UDP flood
remote share scan (scan for remotely accessible shares, e.g. IPC$)
self update
More information can be found on this McAfee page.
Kit-Verg Creates Simple Batch Script Trojans
McAfee is also reporting detection of Kit-Verg, a kit that can be used to create simple batch script Trojans. The kit is written in Pascal, and compiled with the Free Pascal Compiler (FPC).
When the kit is initially run, the user is presented with a brief disclaimer. View it on this McAfee page.
Annoying Cartoon Image Circulating
Sevgi is a simple Trojan that has been written as a nuisance to the end-user, according to McAfee. When executed the Trojan displays a cartoon image. It also randomly moves the mouse pointer -- making program termination awkward. Once running, the Trojan cannot be killed via the Windows task list (Windows 9x). The Trojan also adds the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Windows Netagent" = c:\windows\system\sysfile.exe
However, the Trojan failed to copy itself as SYSFILE.EXE on the victim machine in testing, rendering the system startup hook useless. View the cartoon here.
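Both Backdoor-ASE and Sevgi persist through the same two places, the HKLM Run key and the [boot] section of SYSTEM.INI, so a single check covers them. The Python script below is an added example of that check and is not code from McAfee or from the write-ups; it parses a registry export of the Run key and a SYSTEM.INI text and reports the value names and file names quoted above (WinApp32 = MSAPP.EXE, Windows Netagent = sysfile.exe, and MSAPP.EXE appended to the boot shell line). The .reg export and SYSTEM.INI contents embedded in it are constructed samples, and the general rule it applies to the shell line, that any program listed after the first one is suspicious, is this example's generalization rather than something the write-ups state.

```python
import configparser
import re

# Persistence indicators quoted in the Backdoor-ASE and Sevgi write-ups above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_INDICATORS = {
    "WinApp32": "msapp.exe",            # Backdoor-ASE
    "Windows Netagent": "sysfile.exe",  # Sevgi
}

# Constructed .reg export of the Run key (one legitimate entry plus both indicators).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeLegit"="C:\\Program Files\\legit.exe"
"WinApp32"="MSAPP.EXE"
"Windows Netagent"="c:\\windows\\system\\sysfile.exe"
'''

# Constructed SYSTEM.INI with the Backdoor-ASE style boot hook.
SAMPLE_INI = """[boot]
shell=EXPLORER.EXE MSAPP.EXE
[386Enh]
device=*vmm32
"""


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_data}} (string values only)."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*"(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes in string data as "\\".
            result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def check_run_key(reg):
    """Return (value_name, data) pairs under the Run key that match a known indicator."""
    hits = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            expected = RUN_INDICATORS.get(name)
            if expected and expected in data.lower():
                hits.append((name, data))
    return hits


def check_system_ini(text):
    """Return programs listed after the first one on the [boot] shell= line.

    A clean Windows 9x SYSTEM.INI names a single shell (normally EXPLORER.EXE);
    anything appended after it is started at boot and deserves a look.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("boot"):
        return []
    shell = parser.get("boot", "shell", fallback="")
    tokens = shell.split()
    return tokens[1:]


def scan(reg_text, ini_text):
    """Run both checks and return the combined findings as a dict."""
    return {
        "run_key": check_run_key(parse_reg_export(reg_text)),
        "boot_shell_extras": check_system_ini(ini_text),
    }


if __name__ == "__main__":
    for section, findings in scan(SAMPLE_REG, SAMPLE_INI).items():
        print(section, findings)
```

On a live machine the registry text would come from an export of the Run key and the INI text from C:\WINDOWS\SYSTEM.INI; the checks themselves are unchanged.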
Compiled by Esther Shein.