September 02, 2010

Virus Alert: New Trojan, Worm Give Hackers Remote Access

Anti-virus software vendor Symantec issued alerts Friday for a Trojan Horse, Backdoor.FTP_Ana.C, and a worm, W32.Kwbot.E.Worm, that both give hackers remote access to a computer.

Once Backdoor.FTP_Ana.C is installed, the attacker is notified by ICQ pager. The Trojan listens on port 666, by default.

Technical details are on this Symantec page.
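A defender-side check for that default listener, added here as an example and not part of the original alert: it parses Windows `netstat -ano` output (the sample below is constructed) and reports processes listening on TCP 666. Because the port is only the default, an empty result does not by itself clear a machine.

```python
"""Flag processes listening on the default Backdoor.FTP_Ana.C port (TCP 666)."""
from typing import List, Tuple

# Default listening port named in the Symantec alert; the port is configurable.
DEFAULT_BACKDOOR_PORT = 666

# Constructed sample of `netstat -ano` output on Windows (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:666            0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:1052      10.0.0.5:666           ESTABLISHED     1528
  TCP    [::]:666               [::]:0                 LISTENING       2044
  UDP    0.0.0.0:123            *:*                                    1100
"""


def _port_of(endpoint: str) -> int:
    """Return the port from 'addr:port' or '[v6addr]:port'."""
    return int(endpoint.rsplit(":", 1)[1])


def find_listeners(netstat_output: str,
                   port: int = DEFAULT_BACKDOOR_PORT) -> List[Tuple[str, int]]:
    """Return (local_endpoint, pid) for every TCP socket LISTENING on `port`.

    Only local listeners count: an outbound connection whose *remote* port
    is 666 is not a backdoor on this host and is deliberately ignored.
    """
    hits: List[Tuple[str, int]] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP rows carry five columns (proto, local, remote, state, pid);
        # UDP rows have no state column and header lines have more fields.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _proto, local, _remote, state, pid = fields
        if state == "LISTENING" and _port_of(local) == port:
            hits.append((local, int(pid)))
    return hits


if __name__ == "__main__":
    for endpoint, pid in find_listeners(SAMPLE_NETSTAT):
        print(f"listener on {endpoint} owned by PID {pid}; inspect that process")
```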

W32.Kwbot.E.Worm attempts to spread across the file-sharing networks, such as KaZaA and iMesh. The worm also has a Backdoor Trojan capability that allows a hacker to control a computer. W32.Kwbot.E.Worm is packed with ASPack v2.12. W32.Kwbot.E.Worm is a variant of W32.Kwbot.Worm.

Technical details are here.

W32/Lovgate-E Targets Win2K, NT and XP Platforms

On the heels of the appearance of Lovgate-F this week, antivirus software vendor Sophos on Friday was tracking W32/Lovgate-E, a mass-mailing worm and backdoor Trojan. This latest variant of the Lovgate family only works on Microsoft NT/2000/XP platforms.

W32/Lovgate-E has two mass mailing routines. The first sends a message with certain characteristics to email addresses retrieved from unread messages in the infected user's Outlook folders:

Subject line: Re:

Read the text of the message and more on Lovgate-E at this Sophos page.

Week in Review

Four new malicious programs appeared this week: Rolark, SFC, Lovgate.F and Lovgate.G. Rolark is a Trojan designed to gain remote access to and complete control of computers. It does this by exploiting a vulnerability in Web servers running Windows 2000 and version 5.0 of Internet Information Server. The flaw is a buffer overflow vulnerability in the ntdll.dll library, which is used by the WebDAV component of Internet Information Server 5.0.

Rolark is difficult to identify because it does not display any warnings or messages indicating that it has reached a computer or installed or copied itself onto the machine. A hacker could therefore attack servers that have not been correctly updated.

The second malicious code, SFC, is a macro virus that spreads through the chat applications IRC and PIRCH and via e-mail. The email message this virus uses to spread is very easy to identify, as it always includes a Word document and text claiming that computers containing a file called 'SFC.EXE' are infected by a virus. However, 'SFC.EXE' is a Windows system file that exists on all computers running Windows. SFC infects Word's global template and all Word documents opened, closed or saved on the infected computer. It also prevents users from working with Word macros and disables the macro antivirus protection built into this text editor.

This week also saw the appearance of the 'F' and 'G' variants of Lovgate, which are worms that spread via e-mail and local networks. In order to spread across local network drives, they create a large number of copies of themselves in the shared directories and subdirectories they gain access to. They also send a large number of email messages that include infected files to the senders of the messages in the Inbox and to the addresses they find in certain directories.

Lovgate.F and Lovgate.G are written in the programming language Visual C++ and compressed with ASPack. The difference between the 'G' and 'F' variants lies in the name of the mutex they create in order to indicate that they are memory resident.

For further information about these and other viruses, visit Panda Software's Virus Encyclopedia.

Compiled by Esther Shein.
