Panda Software Tuesday issued an alert for Blaster.G, a worm that infects only Windows 2003/XP/2000/NT computers. Blaster.G exploits the Buffer Overrun in RPC Interface vulnerability to spread to as many computers as possible.

Blaster.G launches denial of service (DoS) attacks against the windowsupdate.com website. Whenever the system date falls between the 15th and 31st of any month, or on any day from September through December, Blaster.G sends a 40-byte packet every 20 milliseconds to TCP port 80.

Blaster.G spreads by attacking IP addresses generated at random and exploits the vulnerability mentioned above to download a copy of itself to the compromised computer. In order to do this, Blaster.G incorporates its own TFTP (Trivial File Transfer Protocol) server.
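The trigger window and packet pattern in the alert are specific enough to turn into a detection check. The following is an added example (not code from Panda Software or from this roundup): one function answers whether a given date falls inside the worm's DoS window, and a second scans constructed flow records for a host emitting 40-byte packets to TCP port 80 at roughly 20 ms spacing. Record field names, the tolerance values and the sample addresses are assumptions made for the example.

```python
"""Added example: detection helpers for the Blaster.G DoS behaviour
described in the alert (not part of the original text)."""
from collections import defaultdict
from datetime import datetime, timedelta

DOS_PORT = 80            # TCP port named in the alert
DOS_PACKET_LEN = 40      # bytes per packet, per the alert
DOS_INTERVAL_MS = 20     # milliseconds between packets, per the alert


def in_dos_window(month, day):
    """True if the worm's DoS routine would be active on this calendar date:
    day 15..31 of any month, or any day in September..December."""
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("month/day out of range")
    return day >= 15 or month >= 9


def flag_dos_flows(flow_records, min_packets=50, tolerance_ms=5):
    """Return sorted source IPs that send at least min_packets 40-byte
    packets to port 80 with ~20 ms spacing.  flow_records is an iterable of
    dicts with keys ts (datetime), src, dport and length (assumed schema)."""
    by_src = defaultdict(list)
    for rec in flow_records:
        if rec["dport"] == DOS_PORT and rec["length"] == DOS_PACKET_LEN:
            by_src[rec["src"]].append(rec["ts"])
    flagged = []
    for src, stamps in by_src.items():
        if len(stamps) < min_packets:
            continue
        stamps.sort()
        gaps_ms = [(b - a).total_seconds() * 1000 for a, b in zip(stamps, stamps[1:])]
        regular = sum(abs(g - DOS_INTERVAL_MS) <= tolerance_ms for g in gaps_ms)
        # 90% of inter-packet gaps near 20 ms: a metronomic burst, not browsing
        if regular >= 0.9 * len(gaps_ms):
            flagged.append(src)
    return sorted(flagged)


def sample_records():
    """Constructed sample: 10.0.0.5 bursts 40-byte packets every 20 ms;
    10.0.0.9 sends a handful of ordinary-sized packets once per second."""
    t0 = datetime(2003, 9, 16, 10, 0, 0)
    recs = [{"ts": t0 + timedelta(milliseconds=20 * i), "src": "10.0.0.5",
             "dport": 80, "length": 40} for i in range(100)]
    recs += [{"ts": t0 + timedelta(seconds=i), "src": "10.0.0.9",
              "dport": 80, "length": 1200 + i} for i in range(10)]
    return recs


if __name__ == "__main__":
    print("DoS window active on 16 Sep:", in_dos_window(9, 16))
    print("Flagged sources:", flag_dos_flows(sample_records()))
```

The packet-size and interval match is deliberately tight; in practice a sensor would also confirm the destination resolves to windowsupdate.com, which the constructed records omit.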

If a computer has Windows 2003/XP/2000/NT, Sophos highly recommends the downloading of a security patch from the Microsoft web site. Click here to access the web page for downloading the patch.

For information about visible symptoms and other details, visit this Panda Software page.

Worm Sends Email Containing 'Support Message' Subject Line

Reksa.A is a worm without destructive effects that spreads via e-mail in a message with the subject Support Message and the attachment MSNUPDATE.EXE. Once it is run, Reksa.A displays a message on screen. View what the message looks like and other information at this Panda Software page.

Worm Spreads Through File-Sharing Program

Backterra.A is a worm without destructive effects that spreads through the peer-to-peer (P2P) file sharing program eDonkey2000.

Backterra.A tricks the user into thinking that it is a key generator for computer applications and games. For more information, visit this Panda Software page.

Batch File Worm Spreads Through File-Sharing Networks

BAT.Deav.Worm is a batch file worm that spreads using the KaZaA and iMesh file-sharing networks. This worm also deletes files from the system. Technical details are at this Symantec page.

Macro Virus Drops VBS Script

WM97/Simuleek-C is a macro virus that drops a VBS script detected by Sophos Anti-Virus as VBS/Simuleek-C. VBS/Simuleek-C is added to the WIN.INI so that the script runs on startup. The virus has the ability to re-infect the Word environment.

WM97/Simuleek-C may attempt to replace occurrences of the word "Ranuya" with the word "John". More information is at this Sophos page.

Worm Targets Network Shares with Weak Passwords

W32/Sluter-B, also known as W32.Randex.F, is a worm that propagates over network shares with weak passwords. The worm copies itself to the Windows system folder as netd32.exe and sets the following registry entries so as to run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Network Daemon for Win32 = netd32.exe
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Network Daemon for Win32 = netd32.exe

Additionally, W32/Sluter-B acts as an IRC based backdoor Trojan, allowing a remote intruder unlimited access to the affected machine. Instructions for removing worms are at this Sophos page.
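The two autostart values above are what an incident responder would look for first. The following is an added example, not code from Sophos or from this roundup: it parses text captured from a `reg query` of the Run and RunServices keys, flags the value name and file name the text attributes to W32/Sluter-B, and also flags any entry whose data is a bare file name with no full path. The `Name    REG_TYPE    data` line layout, the sample output and the benign entry in it are assumptions constructed for the example.

```python
"""Added example: review Run/RunServices autostart entries for the
W32/Sluter-B indicators named in the text (not part of the original)."""
import re

# Indicators taken from the text: value name and file name the worm uses
KNOWN_BAD_FILES = {"netd32.exe"}
KNOWN_BAD_NAMES = {"microsoft network daemon for win32"}

# Assumed layout of a 'reg query' value line: name, type, data, separated
# by runs of two or more spaces
ENTRY_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Parse captured 'reg query' output into (key, value name, data) tuples.
    Lines with no leading whitespace are taken to be key paths."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("data").strip()))
        elif not line.startswith(" "):
            key = line.strip()
    return entries


def executable_of(data):
    """Extract the program path from a Run value: honour quoting, otherwise
    take everything up to the first token ending in .exe."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(\s|$)", data, re.IGNORECASE)
    if m:
        return m.group(1)
    return data.split()[0] if data else ""


def review_autostart(text):
    """Return a list of suspicious entries with the reasons they were flagged."""
    findings = []
    for key, name, data in parse_reg_query(text):
        exe = executable_of(data)
        base = exe.replace("/", "\\").split("\\")[-1].lower()
        reasons = []
        if base in KNOWN_BAD_FILES or name.lower() in KNOWN_BAD_NAMES:
            reasons.append("matches W32/Sluter-B indicator")
        if exe and "\\" not in exe:
            reasons.append("bare file name, no full path")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample output: one benign vendor entry, plus the worm's two values
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example Vendor\tray.exe /start
    Microsoft Network Daemon for Win32    REG_SZ    netd32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Network Daemon for Win32    REG_SZ    netd32.exe
"""

if __name__ == "__main__":
    for f in review_autostart(SAMPLE_REG_QUERY):
        print(f["key"], "|", f["name"], "=", f["data"], "|", ", ".join(f["reasons"]))
```

A bare file name in a Run value resolves through the search path, so the check for a missing full path catches this family of persistence even when the file name changes; the indicator match is the narrow confirmation.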

Trojan Exploits IE Vulnerability

Troj/JSurf-B arrives via an HTML email exploiting a vulnerability reportedly fixed in the Cumulative Patch of Internet Explorer (MS03-032).

The email contains an Object Data tag that runs a VBS script hosted on a remote site. The script drops an EXE on the C:\ drive as SFBAR.EXE. This component of Troj/JSurf-B connects to a remote website, downloads a DLL to C:\Program Files\win32.dll and then runs regsvr32.exe to register it on the system.

The Trojan relies upon a vulnerability in Microsoft's software. Microsoft issued a patch in August 2003 that reportedly fixes the problem. The patch can be found here.
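The delivery mechanism described above, an Object tag whose data attribute points at a remote site, is something a mail gateway can flag in HTML mail before it reaches an unpatched client. The following is an added example, not code from Sophos or from this roundup: it parses an HTML message body with the standard library parser and reports every `<object>` whose `data` attribute references a remote URL. The sample message and the example.invalid host in it are constructed for the example.

```python
"""Added example: flag <object data="http://..."> tags in HTML email,
the delivery path the text attributes to Troj/JSurf-B (not original code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https", "ftp"}


class RemoteObjectFinder(HTMLParser):
    """Collects <object> tags whose data attribute points to a remote host."""

    def __init__(self):
        super().__init__()
        self.remote_objects = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":          # HTMLParser already lowercases tag names
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        data = attr_map.get("data", "").strip()
        if urlparse(data).scheme.lower() in REMOTE_SCHEMES:
            self.remote_objects.append({
                "data": data,
                "type": attr_map.get("type", ""),
                # zero-size objects are a sign the tag is not meant to be seen
                "hidden": attr_map.get("width") == "0" or attr_map.get("height") == "0",
            })


def find_remote_object_data(html_text):
    """Return a list of remote <object data=...> references found in html_text."""
    parser = RemoteObjectFinder()
    parser.feed(html_text)
    parser.close()
    return parser.remote_objects


# Constructed sample message: benign receipt text, an inline image reference
# (cid: scheme, not remote), and one hidden object pulling remote HTML
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Thank you for your order. Your receipt is attached.</p>
<img src="cid:logo001">
<object data="http://example.invalid/news.htm" type="text/html" width="0" height="0"></object>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_remote_object_data(SAMPLE_EMAIL_HTML):
        print("remote object:", hit["data"], "type:", hit["type"], "hidden:", hit["hidden"])
```

Inline references using the cid: scheme are left alone, since legitimate mail uses them for embedded images; a remote http or ftp data source in an object tag has no ordinary place in email and is worth quarantining or stripping regardless of whether the client is patched.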

--Compiled by Esther Shein