Antivirus software vendor Symantec Friday issued an alert for W97M.Acus.A, a simple macro virus that infects Microsoft Word documents and the template. This virus also has a payload that has a one-in-one hundred chance of replacing a specific word with new text. Note: Beta Definitions dated prior to July 26th, 2003 may detect this threat as W97M.Suca.A. Technical details are at this Symantec page.

Warpigs.B Contains Long Password List

Warpigs.B is a network worm with an IRC backdoor and self-updating capabilities. Warpigs.B was written in Visual C++ and spreads in UPX-packed form with a size of around 67KB. Warpigs.B contains a very long password list with more than 1600 entries. The worm uses these when scanning for vulnerable hosts. If any of the passwords gives access to the victim, the worm copies itself there. Warpigs.B carries a copy of the psexec.exe tool in its body; psexec is used to copy and run the worm on vulnerable hosts.

When Warpigs.B enters a system it copies itself to the System Directory as 'winupdate.exe'. It adds references to this copy in the registry. View the registry entries and further information at this F-Secure page.

Week in Review

This week saw the presence of three worms, Gruel.E, Gruel.F and Cuydoc. The 'E' and 'F' variants of the worm Gruel spread via e-mail and through the P2P (peer-to-peer) file sharing program KaZaA. In addition, both of them have the following characteristics:

  • They are highly damaging, since they eliminate a series of files (like "AUTOEXEC.BAT" and "CONFIG.SYS"), that Windows needs to work correctly.
  • Their actions include: opening several windows in the Control Panel; opening and closing the CD-ROM tray; disabling the Taskbar and making it disappear; hiding the C: drive, preventing file searches from being performed; etc.
  • Once the infection has been carried out, these worms display a fake Windows error message on screen.
  • They create several entries in the Windows Registry, with different values depending on whether the computer has been restarted or not. By creating these entries, Gruel.E and Gruel.F ensure that they are run whenever a file with an 'EXE', 'COM', 'BAT', 'PIF', or 'HyperTerminal' extension is run.
  • The main difference between these two variants is that they spread via attached files with different names. "OFFICEXPTRIAL.EXE" is the name of the file in which Gruel.E spreads, and "PROTECT_REMOVE_TOOL.EXE" is the file in which Gruel.F spreads.
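Hooking the "open" command of the EXE, COM, BAT and PIF handlers is the registry mechanism that gives a worm like Gruel a run every time such a file is launched, so a defender's check is to compare those handlers against their stock value. The following Python is an added example, not code from the digest, Panda or Symantec: it parses a Registry export (a constructed sample is embedded; the EXAMPLE_WORM.EXE path is a placeholder, not a file name the digest gives) and flags any watched handler whose default value is no longer the stock `"%1" %*`, which an unmodified Windows install ships for all four (assumption).

```python
import re

# Stock default value Windows ships for these four handlers (assumption:
# an unmodified install); anything else means the handler has been hooked.
EXPECTED_OPEN_COMMAND = '"%1" %*'
WATCHED_KEYS = {
    r"hkey_classes_root\exefile\shell\open\command",
    r"hkey_classes_root\comfile\shell\open\command",
    r"hkey_classes_root\batfile\shell\open\command",
    r"hkey_classes_root\piffile\shell\open\command",
}

# Constructed sample of a .reg export; EXAMPLE_WORM.EXE is a placeholder,
# not a file name the digest gives for Gruel.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\EXAMPLE_WORM.EXE\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"""

def unescape_reg(value):
    # Undo .reg string escaping: a backslash-escaped backslash or quote.
    return re.sub(r'\\(["\\])', r"\1", value)

def parse_reg_export(text):
    """Map each key path (lower-cased) to its default string value, if any."""
    defaults, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.startswith('@="') and line.endswith('"'):
            defaults[current] = unescape_reg(line[3:-1])
    return defaults

def find_hijacked_handlers(reg_text):
    """Return {key: command} for watched handlers whose default is not stock."""
    defaults = parse_reg_export(reg_text)
    return {key: cmd for key, cmd in defaults.items()
            if key in WATCHED_KEYS and cmd != EXPECTED_OPEN_COMMAND}

if __name__ == "__main__":
    for key, cmd in find_hijacked_handlers(SAMPLE_EXPORT).items():
        print(f"hooked: {key} -> {cmd}")
```

On a live machine the same comparison can be made against an export produced with `regedit /e` of HKEY_CLASSES_ROOT, which is what the parser expects as input.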

The third worm was Cuydoc which, apart from spreading through the means normally used by viruses, can also spread across floppy disk drives. Specifically, Cuydoc automatically copies itself to the floppy disk drive under the name "CUPIDO.EXE".

Cuydoc has damaging effects, since it deletes all of the Word documents (files with a 'DOC' extension) from the "My Documents" directory in the affected computer. In addition, in Spanish versions of Windows Me/98/95, Cuydoc prevents the user from running the 'REGEDIT.EXE' program, which allows the user to edit the entries in the Windows Registry, and the 'MSCONFIG.EXE' program, which allows the user to configure which programs will be loaded when Windows starts.

For further information about these and other viruses, visit Panda Software's Virus Encyclopedia here.

--Compiled by Esther Shein