New Worm Variant Spreads Through Open Ports
PandaLabs reported Monday that it has detected a new variant, Opaserv.Y, of the Opaserv worm. According to data gathered by Panda Software's international technical support services, this malicious code is already causing incidents.
Opaserv.Y spreads directly over the Internet by scanning for computers to infect. It first checks whether NetBIOS port 137 (the name service) is open and unprotected; if it is, Opaserv.Y connects through port 139 (the NetBIOS session service) and copies itself into the C:\Windows directory as Speedy.scr.
At the same time, it creates several Windows Registry entries so that it is run whenever the computer starts. If the infected computer is connected to a network, Opaserv.Y exploits the Windows vulnerability known as Share Level Password, an inconsistency in how Windows 95/98/Me protect network shares, in order to spread to the rest of the computers on the network.
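The item above says only that the Share Level Password flaw is an "inconsistency" in share protection. What made it exploitable, as described in Microsoft's bulletin for that issue (MS00-072, from the editor's recollection rather than from this page), was that the Windows 9x server compared only as many bytes of the stored share password as the client supplied, so a prefix of the password was accepted and the password could be guessed one byte at a time. The following is an added example written for this page, not Panda's code and not real SMB: a toy share object with that prefix-matching check beside a full-length, constant-time check, plus the byte-at-a-time guesser that succeeds against the first and learns nothing from the second. The 8-byte maximum and the class and function names are assumptions.

```python
"""Model of the Windows 9x share-level password check (added example, not
the page's or Panda's code, and not an SMB implementation).  It reproduces
the prefix-only comparison that MS00-072 describes and shows how few
attempts it takes to recover the password, versus a proper check."""

import hmac

# Assumption for the model: share-level passwords are at most 8 bytes.
MAX_PASSWORD_LEN = 8


class VulnerableShare:
    """Flawed server: compares only as many bytes as the client sent."""

    def __init__(self, password: bytes):
        self.password = password

    def check(self, supplied: bytes) -> bool:
        n = len(supplied)
        # Any non-empty prefix of the real password is accepted.
        return n > 0 and self.password[:n] == supplied


class FixedShare:
    """Corrected server: the whole password must match, compared in
    constant time so neither length nor content leaks through timing."""

    def __init__(self, password: bytes):
        self.password = password

    def check(self, supplied: bytes) -> bool:
        return hmac.compare_digest(self.password, supplied)


def guess_password(share, max_len=MAX_PASSWORD_LEN):
    """Attacker's view: extend a known prefix one byte at a time, keeping
    any byte the server accepts.  Returns (password or None, attempts).
    Against a prefix-checking server this costs at most 256 tries per
    byte; against a full-length check no single-byte guess ever succeeds."""
    known = b""
    attempts = 0
    while len(known) < max_len:
        for b in range(256):
            attempts += 1
            candidate = known + bytes([b])
            if share.check(candidate):
                known = candidate
                break
        else:
            # No byte extends the prefix: either the password is exactly
            # `known`, or (if nothing was ever accepted) the check is not
            # prefix-based and this attack does not apply.
            return (known if known else None), attempts
    return known, attempts


if __name__ == "__main__":
    pw = b"secret"  # constructed sample password
    print("vulnerable:", guess_password(VulnerableShare(pw)))
    print("fixed:     ", guess_password(FixedShare(pw)))
```

Against the vulnerable check the guesser needs well under 256 * (length + 1) attempts for any password, which is why share passwords on Windows 9x were worth nothing until the patch; against the fixed check the same 256 first-byte guesses all fail and the attacker is back to searching the full password space.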
PandaLabs has so far detected two versions of Opaserv.Y, which differ only in the compression utility they are packed with. Another characteristic of this malicious code is that if the user runs the file carrying the worm from an MS-DOS window, instead of the usual message "This program requires MS Windows", one of three other messages is displayed:
Because of the incidents detected, and to avoid falling victim to Opaserv.Y, Panda Software advises users to treat all e-mails received with caution and to update their antivirus solutions immediately. Since this worm spreads over the NetBIOS ports rather than by e-mail, blocking ports 137 through 139 at the Internet perimeter and password-protecting every network share are the more direct defences.
For more information about Opaserv.Y and other malicious code, visit Panda Software's Virus Encyclopedia here.
Trojan Targets Networks with Weak Passwords
W32/Agobot-S is an IRC backdoor Trojan and network worm. It copies itself to network shares with weak passwords and attempts to spread to other computers using the DCOM RPC and RPC Locator vulnerabilities.
Microsoft has issued patches for the vulnerabilities exploited by this worm. These patches are available from:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
and
http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
When first run, W32/Agobot-S copies itself to the Windows System folder as scvhost.exe and creates the following registry entries so that scvhost.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader = scvhost.exe
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader = scvhost.exe
On Windows NT, 2000 and XP, W32/Agobot-S may also install itself as a new service called Cfgldr. Each time it runs, it attempts to connect to a remote IRC server and join a specific channel, then stays running in the background, allowing a remote intruder to access and control the computer via IRC.
Instructions for removing worms are at this Sophos page.
Trojan Sends Banking Details to Author
Trojan.Abaxo is a Trojan horse that sends banking details to a remote server for the author to collect. The Trojan arrives as a form that looks like a Bingo application from Banco Itaz. Technical details are at this Symantec page.
VB Worm Spreads via P2P Networks
There are several variants of W32/Titog.worm, so this description is a general guide; specific file sizes, file names and directory names may vary.
This worm is written in Visual Basic and propagates via P2P networks such as Kazaa. It creates a shared folder, places multiple copies of itself in it, and points Kazaa's default shared folder at this folder by changing the following registry keys:
The name of the shared directory varies; some of the names seen are:
The worm uses common file names. These, along with other details, can be viewed at this McAfee page.
Worm Appends Windows Directory Files
W32/Pate.b.worm is an encrypted, parasitic file-infecting virus and network-aware worm. It appends itself to PE EXE and SCR files in the Windows directory and its subdirectories on the local system, as well as on any accessible network share. The virus adds an extra PE section whose header is a random three-letter name followed by the character "".
The virus creates the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
The virus may mis-infect files, leaving an incomplete virus body. Such damaged samples are detected as W32/Pate.b.dam; they cannot be repaired and should be deleted and restored from backup. More information is at this McAfee page.
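Both the W32/Agobot-S and W32/Pate.b items above give registry indicators (the two Config Loader autorun values and the PINF key). The following added example, written for this page rather than taken from Sophos, McAfee or the worm authors, parses a Windows registry export (the text format `reg export` writes) and reports which of those indicators are present. The sample export, the benign Updater entry and the function names are constructed for the demonstration; hive names are spelled out in full because `reg export` writes HKEY_LOCAL_MACHINE, not HKLM.

```python
"""Scan a .reg text export for the persistence entries named in the
W32/Agobot-S and W32/Pate.b write-ups.  Added example; the export below is
constructed, not captured from a real infection."""

import re

# Constructed sample export from a host showing both sets of indicators,
# plus one benign Run entry the scanner must ignore.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loader"="scvhost.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="scvhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
@=""
"""

# (key, value name or None if the key's existence is the indicator,
#  expected data or None, label).  Taken from the write-ups above.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "Config Loader", "scvhost.exe", "W32/Agobot-S autorun (Run)"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "Config Loader", "scvhost.exe", "W32/Agobot-S autorun (RunServices)"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF",
     None, None, "W32/Pate.b infection marker key"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
# String values: "name"="data", with backslashes and quotes escaped in data.
_VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')
_DEFAULT_RE = re.compile(r'^@="((?:[^"\\]|\\.)*)"$')


def _unescape(data):
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key (lower-cased): {value name: data}} for string values.
    The key's default value is stored under the empty string."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # registry keys are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None or not line:
            continue
        m = _VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = _unescape(m.group(2))
            continue
        m = _DEFAULT_RE.match(line)
        if m:
            keys[current][""] = _unescape(m.group(1))
    return keys


def find_indicators(text, indicators=INDICATORS):
    """Return the labels of indicators found in the export, in list order."""
    keys = parse_reg(text)
    hits = []
    for key, name, data, label in indicators:
        values = keys.get(key.lower())
        if values is None:
            continue
        if name is None:                      # presence of the key is enough
            hits.append(label)
        elif values.get(name, "").lower() == data.lower():
            hits.append(label)
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG):
        print("FOUND:", hit)
```

The value name scvhost.exe is a transposition of the legitimate svchost.exe, so a scanner that only checks for the real service-host name will miss it; matching the exact string from the write-up, as above, is the point. Exporting the two CurrentVersion keys and the Explorer key with `reg export` and feeding the file to find_indicators gives a quick triage without running anything on the suspect host.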
Worm Drops Copy of Itself in HTML Format
Worm_Caspid.A is a memory-resident worm that spreads through several peer-to-peer file-sharing networks, including Kazaa, Morpheus, LimeWire and BearShare.
It also spreads via e-mail by dropping a copy of itself in HTML format and setting that HTML file as the default stationery for outgoing Outlook Express messages. As a result, every HTML-formatted message sent from Outlook Express with the default stationery carries a copy of the worm.
It exploits a known vulnerability in Microsoft Outlook Express 5.5 and 6.0 that allows a MIME-encoded program embedded in an HTML file to execute. For more information about the vulnerability and to obtain the critical patches, visit this Microsoft page.
The worm also infects HTML files in all folders and subfolders on the infected system, prepending a copy of itself to each host file and encrypting the host's original contents.
It runs on Windows 95, 98, ME, NT, 2000, and XP. Technical details are at this Trend Micro page.
--Compiled by Esther Shein
