Worm Tries to Disguise Itself as Excel Spreadsheet File
May 5, 2004

W32/Famus-A is a mass-mailing worm for the Windows platform that copies itself to the system folder as the file PentagonSecret.xls.exe, where the second extension is separated from the first by several whitespace characters, in an attempt to disguise itself as a Microsoft Excel spreadsheet file. Copies of the worm will also carry a crude Excel icon, according to Sophos, which issued an alert Wednesday.
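The whitespace-padded double extension described above is straightforward to check for at a mail gateway or in an attachment log. The following Python function is an added example, not code from the article or from Sophos: it reports the final extension, any document extension placed in front of it, and the number of whitespace characters between the two. The extension lists are assumptions, and the sample names are constructed (the first reproduces the PentagonSecret.xls .exe pattern).

```python
import re
import unicodedata

# Extensions Windows runs as code when the file is opened (assumed list; extend to taste).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "cpl", "vbs", "js"}

# Extensions a recipient reads as a harmless document or image (assumed list).
DOCUMENT_EXTENSIONS = {"xls", "doc", "ppt", "pdf", "txt", "jpg", "gif", "htm", "html"}


def analyze_attachment_name(name: str) -> dict:
    """Describe an attachment file name and say whether it is dressed up as a document.

    Three signals are reported:
      final_ext  - the extension that decides what Windows does with the file
      inner_ext  - a document extension sitting in front of it (the '.xls.exe' trick)
      padding    - whitespace characters between the two, used to push the real
                   extension out of sight in a mail client or Explorer column
    """
    # Map every Unicode space separator (NBSP, ideographic space, ...) to a plain
    # space so every kind of padding is counted the same way.
    text = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in name)

    m = re.search(r"\.([A-Za-z0-9]+)\s*$", text)
    final_ext = m.group(1).lower() if m else ""
    stem = text[: m.start()] if m else text          # everything before the last ".ext"
    stem_stripped = stem.rstrip()
    padding = len(stem) - len(stem_stripped)

    m2 = re.search(r"\.([A-Za-z0-9]+)$", stem_stripped)
    inner_ext = m2.group(1).lower() if m2 else ""

    reasons = []
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final_ext}")
        if inner_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"document extension .{inner_ext} placed before it")
        if padding:
            reasons.append(f"{padding} whitespace characters hide the real extension")

    return {
        "name": name,
        "final_ext": final_ext,
        "inner_ext": inner_ext,
        "padding": padding,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def suspicious_names(names):
    """Return the analyses of every name that trips at least one signal."""
    return [r for r in (analyze_attachment_name(n) for n in names) if r["suspicious"]]


# Constructed sample attachment names; the first reproduces the Famus-A pattern.
SAMPLE_NAMES = [
    "PentagonSecret.xls" + " " * 7 + ".exe",
    "Budget2004.xls",
    "photo.jpg.scr",
    "notes.txt\u00a0\u00a0\u00a0.pif",     # NBSP padding instead of ordinary spaces
    "readme.txt",
]

if __name__ == "__main__":
    for r in suspicious_names(SAMPLE_NAMES):
        print(repr(r["name"]), "->", "; ".join(r["reasons"]))
```

The check deliberately keys on the final extension rather than on the first dot, because that is the extension Windows acts on; the document extension and the padding are reported separately so a gateway policy can treat a plain .exe attachment and a disguised one differently.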

W32/Famus-A will make additional copies of itself as Casper9247.exe and Red7324.exe in the Temp folder, along with other non-malicious files related to the emails it sends. Among these will be the file SMTP.OCX, a freeware SMTP engine used to mail W32/Famus-A to members of the user's address book.

W32/Famus-A will send itself to members of the user's Outlook address book attached to an email with the following characteristics:

Subject:
Que sabe el Pentagono sobre usted (What the Pentagon knows about you)
Body:
¿Crees que estas a salvo del Pentagono de los E.U? Mira estos datos y te asombraras.
Do you believe you are safe from the Pentagon of the E.U? Just look these data and you will be surprised
Password: 123

More information is at this Sophos page.

Sasser Leaves Effects in Many Organizations

As Sasser continues to spread, the number of organizations affected by the virus continues to rise, according to Panda Software. These include governmental institutions the world over, such as the European Commission, where 1,200 computers have been affected, the University of Massachusetts, banking IT systems, travel booking services and companies such as British Airways. In addition to the direct damage caused by Sasser in corporate environments, production is also lost as machines are brought up to date and the Microsoft patch applied to correct the vulnerability that the worm is exploiting.

Other victims include all those who simply can't use their computers, because systems infected by variants of Sasser restart every 60 seconds. This leaves no time to eliminate the virus from the computer and download the Microsoft patch. One way that users can get around this is by first putting the system clock back, as described below:

- When the window is displayed saying that the system will restart, double-click on the time displayed at the bottom of the screen.

- Once the time settings window opens, put the clock back a few hours.

Users can detect and disinfect the new worm with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser doesn't re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011, along with the patch.

More information about these and other IT threats is available from Panda Software's Virus Encyclopedia here.

Trojan Gives Hacker Remote Access to Computer

Troj/Agobot-HZ is a backdoor Trojan for the Windows platform.

Troj/Agobot-HZ allows a malicious user remote access to an infected computer. In order to run automatically when Windows starts up, Troj/Agobot-HZ creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\File System Service=wmiprvsc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\File System Service=wmiprvsc.exe
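A defender can check the two autorun locations above both for this exact indicator and for the more general pattern it exhibits. The following Python function is an added example, not from the article or from Sophos: it works on entries already exported from the registry (as (key, value name, data) tuples, so it runs on any platform), matches the Agobot-HZ indicator exactly, and additionally flags a value whose executable is a near-miss for a genuine Windows binary name (wmiprvsc.exe is one letter off wmiprvse.exe, the real WMI Provider Host) or that gives a bare file name with no path. The list of legitimate binaries and the no-path heuristic are assumptions; the sample entries are constructed, with the first two reproducing the values quoted above.

```python
import difflib
from typing import Iterable, List, Optional, Tuple

# Autorun locations named in the Sophos description of Troj/Agobot-HZ.
# (RunServices is only consulted by Windows 9x/Me; NT-based systems ignore it.)
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Exact indicator from the article: (value name, executable).
KNOWN_BAD = {("File System Service", "wmiprvsc.exe")}

# Genuine Windows binaries whose names malware likes to imitate (assumed short list;
# wmiprvse.exe is the real WMI Provider Host that wmiprvsc.exe mimics).
LEGIT_BINARIES = ["wmiprvse.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"]


def parse_command(data: str) -> Tuple[str, str]:
    """Split a Run value's data into (program path, lower-cased executable name).

    Handles a quoted path with arguments ('"C:\\x\\y.exe" /s') as well as an
    unquoted one ('C:\\x\\y.exe /s' or just 'y.exe').
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split()[0] if data else ""
    exe = path.replace("/", "\\").split("\\")[-1].lower()
    return path, exe


def lookalike_of(exe: str, cutoff: float = 0.85) -> Optional[str]:
    """Return the legitimate binary name that `exe` nearly, but not exactly, matches."""
    exe = exe.lower()
    if exe in LEGIT_BINARIES:
        return None
    matches = difflib.get_close_matches(exe, LEGIT_BINARIES, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def audit_autoruns(entries: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Flag suspicious entries among (key, value name, data) tuples exported from the registry."""
    findings = []
    for key, name, data in entries:
        if key not in AUTORUN_KEYS:
            continue
        path, exe = parse_command(data)
        reasons = []
        if (name, exe) in KNOWN_BAD:
            reasons.append("matches Troj/Agobot-HZ indicator")
        legit = lookalike_of(exe)
        if legit:
            reasons.append(f"{exe} imitates the genuine {legit}")
        if path and "\\" not in path:
            # Heuristic (assumption): installers register a full path; a bare name is
            # resolved through the search path, which is what a dropper placed in
            # the system folder relies on.
            reasons.append("bare file name with no path")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample export; the first two tuples reproduce the entries quoted in the article.
SAMPLE_ENTRIES = [
    (AUTORUN_KEYS[0], "File System Service", "wmiprvsc.exe"),
    (AUTORUN_KEYS[1], "File System Service", "wmiprvsc.exe"),
    (AUTORUN_KEYS[0], "Adobe Reader Speed Launcher",
     '"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo", "DisplayName", "Foo"),
]

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_ENTRIES):
        print(f"{f['key']}\\{f['name']} = {f['data']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a live system the tuples would come from a registry export (reg.exe or winreg on Windows); keeping the analysis separate from the collection lets the same logic run over exports gathered from many machines during an incident.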

More information is at this Sophos page.

Virus Tries to Infect Files With Certain Extensions

W32.Arcam is a virus that attempts to infect the .exe, .cpl, and .scr files. It may also attempt to spread by email and IRC.

Due to corruption, the only known samples of this virus did not successfully propagate. Technical details are at this Symantec page.

Trojan Installs Keylogger, Steals Cached Passwords

Backdoor.Carool is a backdoor Trojan horse that allows unauthorized remote access to your computer. The Trojan also installs a keylogger and steals cached passwords.

Technical details are at this Symantec page.

Trojan Attempts to Steal C: Drive Files

W32.Netad.Trojan is a Trojan horse that attempts to delete all files on the C: drive.

Technical details are at this Symantec page.

Worm Takes Advantage of Certain Vulnerabilities

Worm_Nachi.K is a worm that can take advantage of the following vulnerabilities to propagate into accessible systems:

  • RPC Locator vulnerability
  • WebDAV vulnerability
  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • MS Workstation Service vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-049

This worm also utilizes the backdoor functionality of WORM_MYDOOM variants to propagate into infected systems, although it also attempts to delete certain files and registry entries associated with some WORM_MYDOOM and WORM_DOOMJUICE variants. Moreover, it tries to patch the system against the RPC DCOM buffer overflow vulnerability.

If the language version of the system is Japanese, it looks for certain files located in particular folders and overwrites them with HTML code.

It runs on Windows 2000 and XP.

Technical details are at this Trend Micro page.

Netsky Variant Performs Several Functions

W32/Netsky.ac@MM is a new variant of W32/Netsky. It bears the following characteristics:

  • harvests email addresses from the victim machine
  • contains its own SMTP engine to construct outgoing messages
  • arrives as an email attachment with a .cpl extension
  • spoofs the From: address

The virus harvests email addresses from files on the victim machine with a variety of extensions. View them and other information at this McAfee page.

Exploit Modifies Specific Running Application

Exploit-Fumn is malware designed to modify a specific running application. The target application is hard-coded in the binary.

It first spawns a process at ring 0 (the same privilege level as the OS kernel) and loads the specified application. After a configurable time it modifies specific locations in the application's memory image.

More information is at this McAfee page.

Trojans Exploit Microsoft Vulnerability, May Download Malicious Executables

JV/Shinwow is a detection covering a wide range of Trojans that exploit the vulnerability described in Microsoft Security Bulletin MS03-011, relying on Exploit-ByteVerify to function.

These Trojans may download malicious executables or change the Internet Explorer homepage by editing the registry; alternatively, arbitrary malicious code may already have been run, which could result in any number of modifications to the system.

All vulnerable systems should apply the patch from Microsoft. Patched systems are immune to the effects of the exploit code; however, detection will still occur on files attempting to make use of this exploit.

Find out more at this McAfee page.

--Compiled by Esther Shein
