The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

We Build the Best & Repair the Rest! ©

Alerts January 2005

Top 10 malware reported to Sophos in January 2005

Position  Last month  Malware        Percentage of reports
1         1           W32/Zafi-D     44.0%
2         3           W32/Netsky-P   19.4%
3         4           W32/Zafi-B     10.1%
4         2           W32/Sober-I     6.3%
5         5           W32/Netsky-D    3.2%
6         6           W32/Netsky-Z    3.1%
7         7           W32/Bagle-AA    2.1%
8         8           W32/Netsky-B    1.9%
9         10          W32/MyDoom-O    1.2%
10        Re-entry    W32/Netsky-C    1.1%
                      Others          7.6%

W32/Zar@MM

Worm rides tsunami

[Johannesburg, 18 January 2005] - Security experts have identified a new worm that spreads by conning users into opening a document that claims to be a plea for tsunami disaster aid.

The mass mailing worm, which so far has a minimal infection rate, represents a new low on behalf of virus writers, says Brett Myroff, CEO of local Sophos distributor Netxactics. “All viruses are wrong, but to play on a disaster, where more than 150 000 people died, in order to spread a virus is just disgusting.

“I think they are really scraping the barrel.”

Anti-virus vendor Trend Micro says the worm, which it calls WORM_ZAR.A, comes with the subject: “Tsunami Donation! Please Help!”

W32/Bagle.ci
W32/Bagle.cj@mm
W32/Bagle.ck
W32/Bagle.cl

Characteristics:

This Bagle variant has been mass spammed and arrives in a ZIP file. It is heuristically detected as 'Virus or variant New Poly Win32' by 4424 DATs and above.

This variant copies itself to the %WinDir%\system32 folder as WINSHOST.EXE and adds the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe

It drops a file, wiwshost.exe, which is detected by 4424 DATs and above as W32/Bagle.gen@MM. This file is injected into the EXPLORER process and tries to download a file named osa6.gif from various sites (refer to Symptoms). Like its predecessors, it also terminates security services and in some cases renames the main security program's executable.

It sets the following service to "disabled":

* HKLM\System\CurrentControlSet\Services\wuauserv

W32/Sober-I is a variant of the W32/Sober family of mass-mailing worms for the Windows platform. It harvests email addresses from files with the following extensions:

PMR STM SLK INBOX IMB CSV BAK IMH XHTML IMM IMH CMS NWS VC CTL DHTM CGI PP PPT MSG JSP OFT VBS UIN LDB ABC PST CFG MDW MBX MDX MDA ADP NAB FDB VAP DSP ADE SLN DSW MDE FRM BAS ADR CLS INI LDIF LOG MDB XML WSH TBB ABX ABD ADB PL RTF MMF DOC ODS NCH XLS NSF TXT WAB EML HLP MHT NFO PHP ASP SHTML DBX

When executed, W32/Sober-I displays a fake error message with the header "WinZip Self-Extractor", followed by the message text "WinZip_Data_Module is missing ~Error:...", and at the same time creates the following files in the Windows system folder, some of which are used for storing harvested information, and others which are encrypted and/or packed worm copies:

Odin-Anon.Ger
clonzips.ssc (text-ascii)
clsobern.isc (text-ascii)
cvqaikxt.apk
dgssxy.yoi
diagdatacrypt.exe (win-pack-hackupx)
expolerlog.exe (win-pack-hackupx)
nonzipsr.noz
sysmms32.lla
winroot64.dal
winsend32.dal
zippedsr.piz (text-ascii)

(Filenames marked 'text-ascii' contain a base64-encoded, encrypted, ZIP-packed copy of the worm; those marked 'win-pack-hackupx' are copies of the worm packed with a modified UPX.)

W32/Sober-I copies itself to the Windows system folder as an EXE file with a name that is constructed from the following strings:

sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32

In order to be able to run automatically when Windows starts up, W32/Sober-I sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random name> = <random filename>

(where <random name> is a string constructed from the list above and <random filename> corresponds to the worm copy filename.)

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MSAntiVirus = <path_to_file>\<filename> %1

(where <filename> corresponds to the currently executed file.)
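As an added defender's example (not part of the alert, and not code from the site or the vendors it quotes), the Python below triages exported Run/RunOnce entries for the autorun indicators described in the Bagle write-up above and in this Sober-I section: the fixed winshost.exe entry, the RunOnce\MSAntiVirus entry, and a value name whose EXE name is also assembled from Sober-I's fragment list. The (key, name, data) export format, the sample entries and the two-fragment threshold are assumptions made here.

```python
import re
# Fragments W32/Sober-I concatenates into its Run value name and EXE name (from the alert).
SOBER_FRAGMENTS = ("sys", "host", "dir", "expolrer", "win", "run", "log", "32",
                   "disc", "crypt", "data", "diag", "spool", "service", "smss32")

def fragment_count(name, frags=SOBER_FRAGMENTS):
    """Fewest fragments whose concatenation equals name (case-insensitive), or None."""
    name = name.lower()
    best = [None] * (len(name) + 1)  # best[i]: fewest fragments covering name[:i]
    best[0] = 0
    for i in range(len(name)):
        for f in frags:
            j = i + len(f)
            if best[i] is not None and name.startswith(f, i) and (best[j] is None or best[i] + 1 < best[j]):
                best[j] = best[i] + 1
    return best[len(name)]

def exe_stem(value_data):
    """Lower-cased base name of the launched EXE without '.exe'; a trailing ' %1' is dropped."""
    path = value_data.strip().lower().removesuffix(" %1")
    base = re.split(r"[\\/]", path)[-1]
    return base[:-4] if base.endswith(".exe") else base

def triage_run_entries(entries, min_fragments=2):
    """entries: (key, value name, value data) triples exported from Run/RunOnce keys.
    Returns (value name, verdict) for every entry matching an indicator from the alert.
    min_fragments=2 is an assumption: single words such as 'run' or 'win' occur in
    legitimate entries, so both the value name and the EXE stem must need two or more."""
    hits = []
    for key, vname, vdata in entries:
        key_l, vname_l, stem = key.lower(), vname.lower(), exe_stem(vdata)
        if key_l.endswith(r"\currentversion\run") and vname_l == "winshost.exe" and stem == "winshost":
            hits.append((vname, "W32/Bagle variant: winshost.exe autorun"))
        elif key_l.endswith(r"\currentversion\runonce") and vname_l == "msantivirus" and vdata.rstrip().endswith("%1"):
            hits.append((vname, "W32/Sober-I: RunOnce\\MSAntiVirus entry"))
        elif key_l.endswith(r"\currentversion\run"):
            n, m = fragment_count(vname_l), fragment_count(stem)
            if n is not None and m is not None and min(n, m) >= min_fragments:
                hits.append((vname, "possible W32/Sober-I: name and EXE built from fragments"))
    return hits

# Constructed sample export (not from a real machine): three worm entries and two benign ones.
CV = r"HKLM\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_ENTRIES = [
    (CV + r"\Run", "winshost.exe", r"%WinDir%\system32\winshost.exe"),
    (CV + r"\Run", "WinSysData", r"C:\WINDOWS\system32\sysdiag32.exe"),
    (CV + r"\RunOnce", "MSAntiVirus", r"C:\WINDOWS\system32\sysdiag32.exe %1"),
    (CV + r"\Run", "Explorer", r"C:\WINDOWS\explorer.exe"),
    (CV + r"\Run", "run", r"C:\Program Files\Tool\run.exe"),
]
```

Note that the benign "Explorer" entry is not flagged because the worm's fragment is the misspelling "expolrer", and "run" alone stays below the two-fragment threshold.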

W32/Sober-I determines the country of origin by comparing the domain extension of the address against the following list:

.de, .ch, .at, .li, .gmx

Where the domain extension matches one of these German-language domains, the email text is in German; otherwise it is in English.

W32/Sober-I may arrive in an email with the following characteristics:

Subject line: constructed from:

FwD:
Re:
Oh God
Registration Confirmation
Confirmation
Your Password
Your mail password
Delivery_failure_notice
Faulty_mail delivery
Mail delivery_failed
Mail Error
illegal signs in your mail
invalid mail
Mail_Delivery_failure
mail delivery system
Key:
SMTP:
ESMTP:
Info von
Mailzustellung fehlgeschlagen
Fehler in E-Mail
Ihre E-Mail wurde verweigert
Mailer Error
Ungueltige Zeichen in Ihrer E-Mail
Mail- Verbindung wurde abgebrochen
Mailer-Fehler
Betr.-Ihr Account
Ihre neuen Account-Daten
Auftragsbestaetigung
Lieferung-Bescheid

Message Text (English): subject dependent

Message Text for Subject 'Oh God':

I was surprised, too!
Who_could_suspect_something_like_that? shityiiiii

Message Text for delivery failure subject lines: constructed from

This mail was generated automatically.
More info about --<random name>-- under: http://www.<random URL>

<random ip><random error message1>
# <random number>: <randomly chosen error message2>

The original mail is attached.

Auto_Mail.System: [<random name>]

<possible fake anti-virus message>

Possible error messages 1:

_does_not_like_recipient.
_does_not_like_sender.

Possible error messages 2:

This_account_has_been_discontinued_[#144].
mailbox_unavailable
Remote_host_said:_delivery_error
Giving_up_on_53.32.183.90.
MAILBOX NOT FOUND

Fake anti-virus message:

*-*-* Mail_Scanner: No Virus
*-*-* <random name>- Anti_Virus Service
*-*-* http://www.<random URL>
(See attached file: <random filename>.zip)

Message Text (German): chosen from

Message Text 1: constructed from:

Diese E-Mail wurde automatisch generiert.
Mehr Informationen erhalten Sie unter http://www.<random URL>

Folgende Fehler wurden aufgezeichnet:
<random ip><random error message1>
# <random number>: <randomly chosen error message2>

STOP mailer

The original mail is attached.

Auto_Mail.System: [<random name>]

<possible fake anti-virus message>

Possible error message 1:

Remote_host_said: _Requested_action_not_taken
_delivery_error

Possible error message 2:

mailbox_unavailable
Giving_up_on_
This_account_has_been_ disabled
This_account_has_been_ discontinued
Mailbox unavailable
Giving up on
... does not like

Fake anti-virus message:

Anti_Virus: Es wurde kein Virus gefunden
Anti_Virus Service

Message Text 2: constructed from

Da Sie uns Ihre Persoenlichen Daten sugesandt haben ist das Password
Ihr Geburts-Datum Viel Vergnuegen mit unserem Angebot!

*****

Im I-Net unter: http://www.<random URL>

Message Text 3: constructed from:

Aus Datenshutzrechtlichen Gruenden darf die vollstaendige E-Mail incl. Daten
nur angehaengt werden

da unsere Datenbank leider durch einen Programm Fehler zerstoert wurde,
mussten wir leider eine Aenderung bezueglich Ihrer Nutzungs-Daten vornehmen.
Ihre geanderten Account Daten befinden sich im beigefuegten Dokument.

Weitere Informationen befinden sich im Anhang dieser Mail.

The attached file may have an extension chosen from the following:

ZIP, PIF, SCR, BAT, COM.

W32/Sober-I stops emailing itself after 05 Jan 2005

Copyright © 1998 The Computer Guys