No Holiday Week for Viruses, Worms
A number of viruses and worms were reported Monday by security software vendors.
W32.HLLW.Merkur.E@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all contacts in the Outlook Address Book. It also attempts to spread through the KaZaA, KaZaA Lite, Bearshare and eDonkey file-shaing networks, as well as through mIRC.
The email message has the following characteristics:
Subject: (Note: Subject line is one of the following)
Free Virus Remover.
Windows Update (Build: win1.19001281)
Email Virus Remover.
Install/Update: Please run the attatchment to Install/Update your software, The program will scan for any Infected Files then continue to install/update. Regards, Bill Hanes - Nakitomi Corp.
This threat is written in the Microsoft Visual Basic programming language and is compressed with UPX. Technical details are at this Symantec page.
Worm Uses Own SMTP Engine to Send Itself Out
W32.Vivael@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all MSN messenger contacts of the user. The email has the following characteristics:
Subject: El adelanto de matrix ta gueno Message: Oye te ? paso el programa para entrar a cuentas del messenger Z y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya? u Respondeme que tal te parecio. chau
Technical details are at this Symantec page.
Keylog-Kjie Installs Files to Windows Directory
This detection is for a keylogging Trojan written in MSVC. The Trojan carries two DLLs in its resources required for logging keystrokes and dispatching logs via SMTP. When the Trojan is run on the victim machine, it installs the following files to the Windows directory:
The following directory is created in the system temporary directory: _KJTMPXXXP
Keystroke logs are written to this directory. Strings within the Trojan suggest it uses the system default SMTP server for mailing out logs, although this was not observed in testing. The default SMTP server is determined from values within the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts
Read more at this McAfee page.
Worm Spreads via MSN Messenger
W32/Colevo@MM is a mass-mailing worm that spreads via MSN Messenger. It launches Internet Explorer and connects to various news Web sites, displaying images of Bolivian Aymara Indian leader Evo Morales. The Web sites it connects to are:
When run, the worm copies itself to %WINDIR% directory with certain filenames. View them and other information at this McAfee page.
Linux/Exploit-Honeymoon Uses Remote Exploit to Spread
This malware uses a remote exploit present in the wu-ftp server versions <= 2.6.0 running on Linux or Freebsd to spawn a remote shell on the victim's system.
The spawned shell runs with the privileges of the daemon and could be used to further propagate the malicious code. As such it could be found both in hacking tool kits or as part of a worm. The wu-ftp server is shipped whith many Linux distribution including RedHat, Cladera, Conectiva, Debian, Mandrake, Suse and TurboLinux.
If the system is running the wu-ftp server v <= 2.6.0 consult the vendor of the operating system to apply the required patches. More information is at this McAfee page.
Linux/Exploit-CrisCras Uses Remote Exploit to Spawn Shell on Victim Machine
This malware uses a remote exploit present in some sshd implementations to spawn a remote shell on the victim's system.
The spawned shell runs with the privileges of the daemon, typically root, and could be used to further propagate the malicious code. It could be found both in hacking tool kits or as part of a worm. More information can be found here.
Linux/Exploit-Da2 Pretends to be Game Called 'Dama'
The Linux/Exploit-Da2 detection was added to cover for a malicious ELF file that is able to listen to specified ports. The uploaded ELF binary "da2" (name might vary) had a filesize of 53,742 bytes. The binary was compiled for the Linux environment.
The exploit code allows a hacker to listen to specified ports to intercept data between incoming/outgoing data traffic. It pretends to be a game called "Dama game," written by "Gildo," Italy. Upon running it might display errors but will try to monitor traffic on ports.
Find out more at this McAfee page.
Unix/Exploit-LuckRoot Spawns Shell to Run with Remote Privileges
This malware uses a remote exploit present in some rpc.stad (portmap) implementation to spawn a remote shell on the victim's system. The spawned shell runs with the privileges of the daemon, typically root and could be used to further propagate the malicious code. As such it could be found both in hacking tool kits or as part of a worm.
This malware is mostly found as two separate files. Names and sizes may vary depending on the version and platform. The names used below are those of the sample found.
More information is at this McAfee page.
Worm_Mofei.B Attempts to Access Remote Systems with List of Names
This destructive, memory-resident worm attempts to log on to remote machines using a list of user names. It then drops and executes a copy of itself on the remote machines. This worm, which runs on Windows 95, 98, ME, NT, 2000, and XP, also has backdoor capabilities.
When run under Windows 95, 98, and ME, this worm simply drops a copy of itself and does not propagate.
Technical details are at this Trend Micro page.
Compiled by Esther Shein.