Top 10 malware reported to Sophos in March 2006
W32/Bagle.dy@MM
Newest Bagle Worm Threatens Legal Action
By Gregg Keizer, TechWeb Technology News
Another bullying Bagle
worm appeared Friday, security companies warned, although this one
threatens to bring on the lawyers, not the police.
Bagle.do, said U.K.-based Sophos, spreads in e-mails with subject
lines such as "Call to your lawer [sic] immidiately [sic]" and "Lawsuit
against you." The text of the worm-carrying message varies, but all
versions cite some legal beef, ranging from identity theft to "spamming"
faxes to the sender's machine.
The attached files, with names like "lawsuit.exe" and "explanation.exe,"
purport to be supporting legal documents but are, of course, the worm.
Launching the executable file infects the PC with a
backdoor and lowers the machine's security settings, and may end up
with more malicious code downloaded to the system from a slew of Web
sites.
Bagle.do will also try to spread via
peer-to-peer file sharing by planting copies of itself in folders
commonly used by P2P applications such as KaZaa and Limewire.
W32/Hotmatom.worm
New IM Worms Delete Files, Hijack PCs
Two new worms spreading on Microsoft's and America Online's instant
messaging networks delete files and leave systems open to hijacking.
March 7, 2006 01:52 PM
An anti-virus vendor warned Tuesday that two new worms spreading on
Microsoft (NSDQ: MSFT)'s and America Online's instant messaging networks
delete files and leave systems open to hijacking.
Symantec (NSDQ: SYMC) posted alerts for the "Hotmatom" and "Maniccum"
worms, and ranked both as a level "2" threat. The Cupertino,
Calif.-based security company uses a 1 through 5 scale to label worms,
viruses, and Trojans.
Hotmatom, said Symantec, is a Spanish-language worm transmitted over
Microsoft's MSN instant messaging network. A message arrives, seemingly
from a trusted IM contact, that claims a "very dangerous virus" (virus
muy peligroso) has been detected, and offers a link to a free patch.
Clicking on the link, however, actually installs the worm.
Once on a PC, Hotmatom deletes files at the root level of the A:/ and
C:/ drives, then assigns those deleted filenames to copies of itself.
It also appends text to any future Microsoft Hotmail e-mail messages
sent by that computer; the text, which can be in either Spanish or
English, includes links to the same malicious code.
W32/Maniccum.worm
Maniccum, meanwhile, propagates via both America Online's AIM and
MSN's networks, and if installed, opens a backdoor on that PC and tries
to disable security programs, including anti-virus and firewall
software.
The backdoor, which accepts commands from the attacker via IRC, can be
used to access files, update the worm, upload more malicious code, send
additional AIM and/or MSN messages, and launch denial-of-service (DoS)
attacks, said Symantec.
PWS-Banker.be
Trojan Hearse spells doom for surfers
Beware geeks bearing rootkits
Robert McMillan
Security researchers at Sana Security are warning of a new type of
malicious software
Exploit-CreateTxtRng
Dangerous code on Net could be used to exploit IE hole
Code that takes advantage of a security hole in Internet Explorer has
been published on the Web and could be used by someone to unleash an
e-mail virus that could put people's computers and data at risk,
Microsoft and security experts said Thursday.
As with many such attacks, malicious code could sneak onto an unwitting
victim's computer after the user is enticed to open an e-mail attachment
containing the code or lured to visit a Web site with the code hidden in
it. Once the computer is infected, an attacker could take control of the
machine remotely, steal data and use the computer to attack others.
"We have seen examples of proof-of-concept code, but we are not aware of
attacks that try to use the reported vulnerabilities, or of customer
impact, at this time," Microsoft said in a security advisory posted on
its Web site.
This section is for technical experts who want to know more about Troj/Clagger-I.
It is a Trojan for the Windows platform.
Troj/Clagger-I may be attached to spam messages claiming to be sent from
paypal.com.
Troj/Clagger-I includes functionality to download, install and run new
software.
When Troj/Clagger-I is installed the following files are created:
\1.bat
<Windows>\suhoy.exe
The file suhoy.exe is the downloaded file. The file 1.bat is used to
delete Troj/Clagger-I.
The following registry entry is created, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List
<pathname of the Trojan executable>
<pathname of the Trojan executable>:*:enabled:B
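The firewall exception above can be checked for on a host. This is an added example, not code from Sophos or the original page: it parses text exported with `reg query` from the AuthorizedApplications\List key and returns enabled, any-address exceptions whose friendly name is "B". The function names and the sample lines are constructed for illustration, and the `path:scope:status:name` layout is assumed from the entry shown above.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `reg query` output for the AuthorizedApplications\List
# key; the paths and friendly names are invented for this example.
SAMPLE = r"""
    %windir%\system32\sessmgr.exe    REG_SZ    %windir%\system32\sessmgr.exe:*:enabled:Remote Assistance
    C:\Program Files\Example\chat.exe    REG_SZ    C:\Program Files\Example\chat.exe:LocalSubNet:Enabled:Example Chat
    C:\DOCUME~1\user\LOCALS~1\Temp\invoice.exe    REG_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\invoice.exe:*:enabled:B
    C:\tools\old.exe    REG_SZ    C:\tools\old.exe:*:Disabled:B
"""

class Rule(NamedTuple):
    path: str    # executable the firewall exception applies to
    scope: str   # "*" means any remote address
    status: str  # enabled / disabled
    name: str    # friendly name shown in the firewall UI

def parse_rules(reg_output: str) -> List[Rule]:
    """Parse lines of the form: <value name>  REG_SZ  <path>:<scope>:<status>:<name>."""
    rules = []
    for line in reg_output.splitlines():
        parts = re.split(r"\s+REG_SZ\s+", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # header, blank or non-string line
        # Split from the right: the path itself contains ':' after the drive letter.
        fields = parts[1].rsplit(":", 3)
        if len(fields) == 4:
            rules.append(Rule(*fields))
    return rules

def clagger_like(rules: List[Rule]) -> List[Rule]:
    """Return enabled, any-scope exceptions named 'B', the pattern listed above."""
    return [r for r in rules
            if r.scope == "*" and r.status.lower() == "enabled" and r.name == "B"]

if __name__ == "__main__":
    for hit in clagger_like(parse_rules(SAMPLE)):
        print("review firewall exception:", hit.path)
```

A match is a candidate for review, not proof of infection; confirm it against the file indicators listed above.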