Panda Software weekly virus report

 
Prisoner_Number_Six Donating Member (1000+ posts) Sun Dec-07-03 01:22 PM
Original message
Panda Software weekly virus report
Posted in GD as a public service.

The poster is not an employee of, or in any way associated with Panda Software.
---

"Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity."
--Martin Luther King, Jr. (1929-68); US clergyman, civil rights leader.

Weekly virus report
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 7, 2003 - This first report for December will look at three worms: the L and M of Mimail and Gaobot.BK.

Mimail.L and Mimail.M spread via e-mail in a message which includes a file which in turn includes another file with a double extension. Both worms use their own SMTP engine to send themselves to all the addresses they find. They also carry out Denial of Service (DoS) attacks against various servers and register themselves as Windows services, to avoid appearing in the list of processes in the task administrator. The differences between the two variants are as follows:

- The subject field of the e-mail, as Mimail.L either has no subject field or includes the text "Re(2)we are going to bill your credit card", while the e-mail carrying Mimail.M is titled "Re: GREG" or "Re(3)" followed by a series of random characters.

- The attachment names, which include, in the case of Mimail.L, WENDY.ZIP and FOR_GREG_WITH_LOVE.JPG.EXE, while for Mimail.M they could be (in addition to WENDY.ZIP) only_for_greg.zip, for_greg.jpg.exe and Wendy.Exe.

- The servers they attack.

- The modifications they make to the Windows registry on the victim computer.

The third worm we'll look at today is Gaobot.BK which, in order to spread to as many computers as possible, exploits the RPC DCOM and WebDAV vulnerabilities. It also spreads by copying itself to shared network resources, which it accesses by 'guessing' simple or common passwords. A clear indication that Gaobot.BK is affecting a computer is a considerable increase in network traffic on TCP ports 135 and 445, due to the attempts it makes to exploit the security vulnerabilities.

When Gaobot.BK runs, it connects to a specific IRC server and waits for control commands. It could allow an attacker to get information from the affected computer, run files, launch Distributed Denial of Service (DDoS) attacks, upload files by FTP, etc. It also terminates processes of antivirus programs, firewalls and system monitoring tools, leaving the PC vulnerable to future attacks from worms and viruses. Gaobot.BK also terminates processes of Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster.

For further information about these and other malicious code, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- DoS / Denial of Service: This is a type of attack, sometimes caused by viruses, that prevents users from accessing certain services (in the operating system, web servers etc.).

- SMTP (Simple Mail Transfer Protocol): This is a protocol used on the Internet exclusively for sending e-mail messages.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

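The report above lists concrete indicators for all three worms: the Mimail.L/M subject lines and attachment names (including the double-extension trick of a .jpg.exe file), and the surge of TCP 135/445 traffic that Gaobot.BK produces while hunting for the RPC DCOM vulnerability and open shares. The following Python script is an added example, not code from Panda Software or from the poster; it turns those published indicators into two defender-side checks. The connection-log lines and their format are constructed for the example, the extensions beyond .exe in EXECUTABLE_EXTENSIONS are an assumption added to generalise the double-extension check, and the threshold of five distinct targets is an arbitrary tuning value.

```python
import re

# Indicators quoted in the Panda report for Mimail.L / Mimail.M.
# Names are compared case-insensitively because the report lists both
# WENDY.ZIP and Wendy.Exe.
MIMAIL_ATTACHMENTS = {
    "wendy.zip",
    "for_greg_with_love.jpg.exe",
    "only_for_greg.zip",
    "for_greg.jpg.exe",
    "wendy.exe",
}
MIMAIL_SUBJECTS = [
    re.compile(r"^re\(2\)we are going to bill your credit card$", re.IGNORECASE),
    re.compile(r"^re: greg$", re.IGNORECASE),
    re.compile(r"^re\(3\)", re.IGNORECASE),  # "Re(3)" followed by random characters
]
# The report only mentions .exe; the other extensions are an assumption added
# here so the double-extension check covers more executable types.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat"}


def has_double_extension(filename):
    """True for names like for_greg.jpg.exe: a benign-looking inner extension
    in front of an executable outer one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def mimail_indicators(subject, attachments):
    """Return the list of reasons a message matches the Mimail.L/M description.
    An empty list means no indicator fired."""
    reasons = []
    if not subject:
        # Mimail.L may send with no subject; only meaningful together with an attachment.
        if attachments:
            reasons.append("empty subject with attachment (Mimail.L)")
    else:
        for pat in MIMAIL_SUBJECTS:
            if pat.match(subject.strip()):
                reasons.append(f"subject matches {pat.pattern!r}")
                break
    for name in attachments:
        if name.lower() in MIMAIL_ATTACHMENTS:
            reasons.append(f"known attachment name {name}")
        elif has_double_extension(name):
            reasons.append(f"double-extension executable {name}")
    return reasons


# Constructed sample of a firewall/connection log (not a real capture), one
# outbound TCP connection attempt per line:
# "<time> src=<ip> dst=<ip> dport=<port> proto=tcp"
SAMPLE_LOG = """\
12:00:01 src=10.0.0.5 dst=10.0.0.21 dport=135 proto=tcp
12:00:01 src=10.0.0.5 dst=10.0.0.22 dport=135 proto=tcp
12:00:02 src=10.0.0.5 dst=10.0.0.23 dport=445 proto=tcp
12:00:02 src=10.0.0.5 dst=10.0.0.24 dport=445 proto=tcp
12:00:03 src=10.0.0.5 dst=10.0.0.25 dport=135 proto=tcp
12:00:03 src=10.0.0.5 dst=10.0.0.26 dport=445 proto=tcp
12:00:04 src=10.0.0.9 dst=10.0.0.30 dport=80 proto=tcp
12:00:05 src=10.0.0.9 dst=10.0.0.21 dport=445 proto=tcp
"""
LOG_LINE = re.compile(
    r"^\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$"
)


def gaobot_scan_candidates(log_text, threshold=5):
    """Count the distinct hosts each source probes on TCP 135/445 (the ports the
    report names for Gaobot.BK) and return the sources at or above threshold."""
    targets = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["dport"] not in ("135", "445"):
            continue
        targets.setdefault(m["src"], set()).add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print(mimail_indicators("Re: GREG", ["WENDY.ZIP"]))
    print(mimail_indicators("", ["photo.jpg.exe"]))
    print(gaobot_scan_candidates(SAMPLE_LOG))
```

The scan check counts distinct destinations rather than raw connection attempts: a workstation talking to one file server repeatedly on port 445 is normal, while a host touching many different peers on 135 and 445 in a few seconds is the pattern the report describes.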
pezcore64 Donating Member (498 posts) Sun Dec-07-03 01:31 PM
Response to Original message
1. ....
Screw Panda Software! Really!

They got in trouble like a year ago for not sharing virus information with other companies who make anti-virus software (they all had an agreement that they share new findings and in turn they would all have someone represent them at a board meeting between all the companies) and they got suspended from the board of other anti-virus software makers.

I'll stick to Symantec and their Norton Anti-virus. They are the only company who stood up and said they wouldn't help the government get away with putting trojans on computers to spy on people. They said regardless of what law was put into place to give their actions legality, they would stick to their promise to customers and their guarantee to keep them virus/backdoor free. They stated that no matter what, they would protect users from said backdoor/trojan that the government was wanting to use.
Lots of respect was gained from me when they made their statement saying they'd oppose the government using said means to spy on people.
 
david_vincent Donating Member (1000+ posts) Sun Dec-07-03 01:40 PM
Response to Reply #1
2. Interesting... thanks
BTW, speaking of backdoors, here's something that happened a few weeks ago and got virtually no publicity. I saw it reported on OS News.
Some person or persons unknown inserted a backdoor into the latest Linux kernel where it had been put up for safekeeping in preparation for further development. Luckily, someone discovered the tinkering. If it had gone undetected, every machine that had the newest kernel installed would become susceptible to intrusion.
I find this intriguing. Now WHO would want to intrude/spy on Linux users? Hmmm...?
 
Robin Hood Donating Member (1000+ posts) Sun Dec-07-03 04:04 PM
Response to Reply #2
4. You will find that as Linux or maybe even mac
gains more popularity over Windows, they too will be exploited and open to virus attacks. The only reason that Windows gets hammered is because of its widespread use. Once Linux becomes as popular it will experience the same thing.
 
Prisoner_Number_Six Donating Member (1000+ posts) Sun Dec-07-03 03:44 PM
Response to Reply #1
3. I'm not advocating the use of Panda Software
I post their reports because they're timely and informative. I personally (and professionally) use Norton and McAfee.