On the heels of the Mimail.P worm surfacing on Wednesday, security vendor Sophos on Thursday issued an alert for the N variant. Like Mimail.P, W32/Mimail-N is a mass-mailing worm that disguises itself as a legitimate PayPal form requesting credit card information. If a network connection is detected when the worm executes, it displays two forms asking for credit card and personal information; once the forms are filled in, the data is sent to a remote web site.

If no network connection is detected, the worm instead changes the Internet Explorer start page to a web site carrying a satirical picture.

The worm copies itself to ee98af.tmp and winmgr32.exe in the Windows folder and sets the following registry entry so that the latter is run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinMgr32

W32/Mimail-N also creates a zipped copy of itself as zipzip.tmp in the Windows folder and drops the fake forms as index.hta and index2.hta to the root folder.

The worm scans files on the hard disk for email addresses and stores the result in outlook.cfg in the Windows folder.

Instructions for removing worms are at this Sophos page.

Mass-Mailing Worm Poses as Microsoft Update

The W32/Bugbros@MM worm is continuing to spread. McAfee Thursday issued an alert for the mass-mailing worm, which poses as an update from Microsoft. The entire purpose of the worm is to spread via email. It arrives in an email message as follows:

Subject: LiveUpdate Informations
Body:
Hi,
I have send you the needed informations for the new worm-backdoor discovered. The Backdoor is called W32.Bug.Gear.A
You can run the attachment to avoide getting hacked by closing the backdoor. bye
Attachment: (name can vary, it depends on the name of the .exe file when run on the infected sender's system)

When the attachment is run, the worm tries to copy itself to the C:\WINDOWS\SYSTEM32 directory. If this directory does not exist, an error message is displayed.

Read more at this McAfee page.

Backdoor Trojan Lets Attacker Use IRC Channel to Gain Computer Access

Backdoor.Sdbot.S is a variant of Backdoor.Sdbot. This Backdoor Trojan horse allows an attacker to use Internet Relay Chat (IRC) to gain access to an infected computer. The existence of the file ntspcv.exe is an indication of a possible infection.

The Trojan is packed with ExeStealth and ASPack.

Technical details are at this Symantec page.

Opaserv Variant Spreads Across Open Network Shares

W32.Opaserv.AE.Worm is a variant of W32.Opaserv.Worm. It is a network-aware worm that spreads across open network shares. It copies itself to the remote computer as the file Natal.scr. The worm is packed with PEPACK.

This worm attempts to download updates from www.4ws.com.br, although the site may have already been shut down. Indicators of infection include:

  • The existence of any of the files Putz!!!, Troxxx, Troxxx.dat or Trossss.gay in %Windir%. This indicates a local infection (that is, the worm was executed on the local computer).
  • The existence of the file lammer! in the root of drive C. This may indicate a remote infection (that is, a remote host infected the computer over a network share).
  • The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains the string value Natal or Natal!Old, which is set to %Windir%\Natal.scr.

More information is at this Symantec page.
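The Mimail-N indicators given earlier (the copies in the Windows folder, the HTA forms in the root folder, the WinMgr32 Run value) and the Opaserv.AE indicators listed above can be checked mechanically. The following Python script is an added example, not code from Sophos or Symantec: it encodes those indicators as rules, matches them against a snapshot of a host's file list and Run-key values, and, for Opaserv, reports whether the markers point to a local or a remote infection as the write-up distinguishes them. The snapshot format, the rule layout, the C:\WINDOWS path for %Windir% and the sample snapshot are assumptions; on a real machine the file list and Run values would come from a directory listing and the registry.

```python
"""Host-based indicator check for W32/Mimail-N and W32.Opaserv.AE.Worm.

Added example, not vendor code.  The indicators come from the write-ups;
the snapshot format (a list of file paths plus a dict of the values under
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run), the rule layout
and the sample data below are assumptions made for illustration.
"""
import ntpath

WINDIR = r"C:\WINDOWS"  # assumed %Windir%; adjust for the host being checked

# One rule per family: files expected under %Windir%, files expected in the
# root of the system drive, and Run-key value names used for persistence.
RULES = {
    "W32/Mimail-N": {
        "windir_files": ("ee98af.tmp", "winmgr32.exe", "zipzip.tmp", "outlook.cfg"),
        "root_files": ("index.hta", "index2.hta"),
        "run_values": ("WinMgr32",),
    },
    "W32.Opaserv.AE.Worm": {
        "windir_files": ("Putz!!!", "Troxxx", "Troxxx.dat", "Trossss.gay", "Natal.scr"),
        "root_files": ("lammer!",),
        "run_values": ("Natal", "Natal!Old"),
    },
}

# Opaserv markers that, per the write-up, mean the worm ran on this host
# rather than being pushed in over a share.
OPASERV_LOCAL_MARKERS = ("Putz!!!", "Troxxx", "Troxxx.dat", "Trossss.gay")


def _norm(path):
    """Windows paths are case-insensitive; compare them lower-cased and
    with a single separator style."""
    return path.replace("/", "\\").lower()


def _root_of(windir):
    """Root of the drive holding %Windir%, e.g. 'C:\\'."""
    drive, _ = ntpath.splitdrive(windir)
    return drive + "\\"


def scan(files, run_values, windir=WINDIR):
    """Return {family: [description, ...]} for each family with a hit.

    files      -- iterable of full paths present on the host
    run_values -- dict mapping Run-key value names to their data
    """
    present = {_norm(p) for p in files}
    run = {name.lower(): data for name, data in run_values.items()}
    root = _root_of(windir)
    hits = {}
    for family, rule in RULES.items():
        found = []
        for name in rule["windir_files"]:
            full = ntpath.join(windir, name)
            if _norm(full) in present:
                found.append("file " + full)
        for name in rule["root_files"]:
            full = ntpath.join(root, name)
            if _norm(full) in present:
                found.append("file " + full)
        for name in rule["run_values"]:
            if name.lower() in run:
                found.append("Run value %s = %s" % (name, run[name.lower()]))
        if found:
            hits[family] = found
    return hits


def opaserv_origin(files, windir=WINDIR):
    """Classify an Opaserv.AE infection as 'local', 'remote', 'both' or
    'none' using the two indicator groups from the write-up."""
    present = {_norm(p) for p in files}
    local = any(_norm(ntpath.join(windir, n)) in present for n in OPASERV_LOCAL_MARKERS)
    remote = _norm(ntpath.join(_root_of(windir), "lammer!")) in present
    if local and remote:
        return "both"
    if local:
        return "local"
    if remote:
        return "remote"
    return "none"


# Constructed sample snapshot: a host hit by Mimail-N and, over a share,
# by Opaserv.AE.  Not real data.
SAMPLE_FILES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\winmgr32.exe",
    r"C:\WINDOWS\outlook.cfg",
    r"C:\index.hta",
    r"C:\WINDOWS\Natal.scr",
    r"C:\lammer!",
]
SAMPLE_RUN = {
    "WinMgr32": r"C:\WINDOWS\winmgr32.exe",
    "Natal": r"C:\WINDOWS\Natal.scr",
}

if __name__ == "__main__":
    for family, found in scan(SAMPLE_FILES, SAMPLE_RUN).items():
        print(family)
        for item in found:
            print("  " + item)
    print("Opaserv origin:", opaserv_origin(SAMPLE_FILES))
```

Matching is done case-insensitively because NTFS and FAT file names and registry value names are case-insensitive, so a dropper that writes NATAL.SCR is still caught; the Run value names are matched on the name alone, since the write-ups give the value name as the indicator and the data simply points at the dropped copy.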

Worm Exploits Certain Vulnerabilities to Spread

Worm_Agobot.FB is a memory-resident worm that exploits certain vulnerabilities to propagate across networks. Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • IIS5/WEBDAV Buffer Overflow vulnerability
  • RPC Locator vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-026 (RPC DCOM)
Microsoft Security Bulletin MS03-007 (IIS5/WebDAV)
Microsoft Security Bulletin MS03-001 (RPC Locator)

It attempts to log in to systems using a predefined list of user names and passwords. It also has backdoor capabilities and may execute malicious commands on the host machine. It terminates antivirus-related processes as well as processes belonging to files dropped by other malware. It also steals CD keys of certain game applications.

It only runs on Windows 2000 and XP.

Technical details are at this Trend Micro page.

--Compiled by Esther Shein