Posted in GD as a public service. If deemed to be inappropriate for this forum, Mods please move or lock.
The poster is not an employee of, or in any way associated with Panda Software.
---
- Weekly virus report -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, October 3, 2003 - Today's report on malicious code centers on the Trojans (Hatoy.A, Petala.A and six variants of Istbar) and three worms (Dozer.A, Simbag.A and Holar.I).
Hatoy.A reaches computers when users access a malicious web page. To do this it exploits the 'Object type' Microsoft Internet Explorer vulnerability, which allows files in certain pages to be run locally. Once it is executed, and when users try to access certain search engines, Hatoy.A redirects them to an IP address that could host different pages.
Petala.A is a backdoor Trojan that spreads across networks and IRC. This malicious code could give hackers remote access to the computer with which they could use IRC commands in order to copy files, terminate processes, etc., thus compromising confidential data and interfering with the use of the PC.
The B, C, D, E, F and G variants of the Istbar Trojan install spyware and dialers on the computer without users' knowledge. They also display different screens with advertising for pornographic websites and add a toolbar to the Internet Explorer browser.
The first worm we'll be looking at in today's report is Dozer.A, which sends itself to all MSN Messenger contacts in the compromised PC. In order to trick users, it sends itself in an e-mail, which claims to contain a patch for MSN Messenger sent by Microsoft. However, when this file is run, a false error message is displayed to confuse the victim. Dozer.A creates various Windows registry keys and intercepts and terminates antivirus and firewall processes.
Simbag.A also spreads via MSN Messenger, sending a copy of itself to all contacts it finds. It also creates links to different erotic websites and generates the following files in the Windows directory: SMB.EXE, ADMAGIC.EXE, TEST.TXT, SM.DLL, RAW32X.DLL and UZ.EXE.
Finally, Holar.I spreads via e-mail and the KaZaA file sharing program. It changes the home page of Internet Explorer and when it has run more than thirty times it disables the mouse and the keyboard.
More information on these and other malicious code is available at the Panda Software Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- Backdoor: This is an entry point, through either hardware or software, that can give access to a computer and could be used to take partial or complete control of the system.
- Dialer: This is a program that is often used to maliciously redirect Internet connections. When used in this way, it disconnects the legitimate telephone connection used to hook up to the Internet and re-connects via a premium rate number.
- Spyware: A program that is automatically installed with another (without the user's permission and even without the user realizing), which collects personal data (data on Internet access, actions carried out while browsing, pages visited, programs installed on the computer, etc.).
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.