Top 10 malware reported to Sophos in March 2007

W32/Sdbot.worm!678b37ba
W32/Sdbot.worm!678b37ba was first discovered on March 1, 2007.
NEW YORK (CNNMoney.com) -- A disgruntled hacker with a personal grudge against Symantec, which provides anti-virus software to leading Fortune 500 companies, could be behind a new, crippling computer virus that had already hit a division of at least one big U.S. corporation on Thursday.
If it spreads, technology experts warn, the latest strains of the insidious RINBOT computer virus could hijack the network systems of businesses worldwide.
Graham Cluley, senior technology consultant with Boston-based IT security firm Sophos, said his company has been aware of "a number" of new versions of the RINBOT or DELBOT virus produced since Feb. 15.
"We believe this latest strain is the 7th version of RINBOT which first emerged in March 2005," Cluley said.
According to Cluley, this version is designed to exploit security vulnerabilities embedded in anti-virus software.
"Traditionally hackers always went after Microsoft's anti-virus programs. But now they're increasingly targeting other commonly used programs such as Symantec programs and others," he said.
Cluley said this strain appears to be hitting MS SQL servers. It looks for networks that run the Microsoft Windows operating system, including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. It then spreads through the network by exploiting "weak" spots such as simple passwords.
Once it's in, Cluley said, the virus quickly spreads and takes over many computers with the intention of turning the network into a botnet, or "zombie" network.

W32/Stration@MM
W32/Stration@MM is referred to as "Warezov-LY" within the article.
This particular variant of W32/Stration@MM was first discovered on March 1, 2007.
The authors of the prolific Warezov worm are targeting users of Skype. Warezov variants first cropped up in September 2006 and spread in the attachments of email messages posing as security fixes. Instead of arriving via an email attachment, the latest variant of the worm spreads using a bogus Skype chat message asking users to click on a link, which points to a hacker-controlled website hosting malicious code.

Uploader-AH
Uploader-AH is referred to as "Troj/Pirlames-A" within the article.
Uploader-AH was first discovered on February 26, 2007.
Japanese Trojan attacks P2P file-sharing pirates
In a case of a malware purveyor attacking pirate file-sharers, security vendor Sophos has warned of a bizarre Trojan horse which has been distributed on Japanese peer-to-peer file-sharing networks.
The Troj/Pirlames-A Trojan horse has been distributed on the controversial Winny file-sharing network in Japan, posing as a screensaver. However, if P2P users download and run the program, their files are overwritten by pictures of a popular comic book star who abuses them for using Winny and threatens to expose them to the police if they don't stop using the system.
Programs, music files and email mailboxes are amongst the files targeted by the Trojan horse. EXE, BAT, CMD, INI, ASP, HTM, HTML, PHP, CLASS, JAVA, DBX, EML, MBX, TBB, WAB, HLP, TXT, MP3, XLS, LOG and BMP files are all overwritten by images of the comic book character Ayu Tsukimiya contained inside the malicious code.
"This is one of the most bizarre pieces of malware we have seen in our labs for quite some time, but its data-destroying payload is no laughing matter," said Graham Cluley, senior technology consultant for Sophos. "It acts as a timely reminder to companies that they may want to control users' access to P2P file-sharing software not just because they can eat up bandwidth, but also because they can present a security risk to your corporate data."
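The observable artefact of the Pirlames-A payload is a file whose extension still says "program" or "text" but whose bytes are now a picture. The following triage script is an added example written for this page; it is not Sophos' code or anything from the article. It walks a directory, reads the first bytes of every file carrying one of the extensions listed above, and reports files that begin with a known image signature. The set of image signatures checked (BMP, JPEG, PNG, GIF) is an assumption, since the article only says the files are "overwritten by images" without naming the format; the sample files the script creates are constructed for the demonstration.

```python
"""Triage: find files whose extension says program/text but whose contents are
an image (the trace left by the file-overwriting payload described above).
Added example, not Sophos' code.  Image formats checked are an assumption."""
import os
import tempfile
from pathlib import Path

# Extensions the article lists as targeted by the Trojan.
TARGET_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".ini", ".asp", ".htm", ".html", ".php", ".class",
    ".java", ".dbx", ".eml", ".mbx", ".tbb", ".wab", ".hlp", ".txt", ".mp3",
    ".xls", ".log", ".bmp",
}

# Magic bytes of common image formats.  Assumed set: the article does not say
# which format the embedded pictures use.
IMAGE_SIGNATURES = {
    "bmp": b"BM",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}


def image_type(header: bytes):
    """Return the image format name if `header` starts with a known image
    signature, otherwise None."""
    for name, magic in IMAGE_SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def find_overwritten(root):
    """Walk `root` and return a sorted list of (path, image_format) for every
    file whose extension is in TARGET_EXTENSIONS but whose content starts
    with an image signature.  .bmp files are skipped: an image there is
    expected, so an overwritten bitmap cannot be told apart by this check."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext not in TARGET_EXTENSIONS or ext == ".bmp":
                continue
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            fmt = image_type(header)
            if fmt is not None:
                hits.append((str(path), fmt))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample directory: two files whose program/text
    content has been replaced by image bytes, one untouched batch file and a
    legitimate .bmp that must not be flagged.  Returns the directory path."""
    root = tempfile.mkdtemp(prefix="pirlames_demo_")
    samples = {
        "setup.exe": b"BM" + b"\x00" * 60,               # EXE now holds a bitmap
        "notes.txt": b"\xff\xd8\xff\xe0" + b"JFIF\x00",   # TXT now holds a JPEG
        "run.bat": b"@echo off\r\necho hello\r\n",         # untouched batch file
        "wallpaper.bmp": b"BM" + b"\x00" * 60,            # legitimate image
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)
    return root


def demo():
    """Build the sample tree, scan it and return [(basename, format)] hits."""
    root = build_sample_tree()
    hits = find_overwritten(root)
    for path, fmt in hits:
        print(f"{path}: content is {fmt}, extension says otherwise")
    return [(os.path.basename(p), f) for p, f in hits]


if __name__ == "__main__":
    demo()
```

Run against a user's profile or a file server share, the script gives an incident responder a quick list of files to restore from backup; a match only means "extension and content disagree", so a legitimate renamed image would also appear and should be reviewed rather than deleted.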

W32/Nirbot.worm
W32/Nirbot.worm was first discovered on March 9, 2007.
-- Update April 16, 2007 --
A new variant in this family has been discovered which appears to exploit CVE-2007-1748. We will add more details to this description as they are available.
W32/Nirbot.worm is an Internet Relay Chat (IRC) controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware or launch a DDoS attack on internet systems. W32/Nirbot is written in C++ and is typically packed with EXECrypter.
There are multiple versions of the W32/Nirbot family of worms that use IRC as a command and control mechanism. Such worms typically use exploits and weak passwords to spread to vulnerable machines on the network.
Aliases
- Backdoor.Vanbot.Gen!Pac (VirusBuster)
- Backdoor.Win32.VanBot.bj (Kaspersky)
- W32.Rinbot!gen (Symantec)
- W32/Rinbot.H!tr (Fortinet)
- W32/Rinbot.H.worm (Panda)

JS/SpaceStalk
JS/SpaceStalk was first discovered on February 7, 2007.
MySpace-hosted malware exploits QuickTime flaw
A security researcher has documented malware that uses a vulnerability in Apple's QuickTime movie player to make a computer download and run a JavaScript. A MySpace account promoting a French music group is exploiting the flaw to siphon information about users visiting the page and send it to a remote server.
(Note: The hole was patched in a recent QuickTime update. An early version of this story mistakenly identified the flaw as a zero day.)
The perpetrators pull off the feat by embedding into their page an invisible QuickTime video that uses one JavaScript to download and execute a second JavaScript. It's this second script that acts as the spyware, according to the researcher, Didier Stevens, who documented his findings.
Stevens says McAfee VirusScan will flag the first script as malware and identify it as JS/SpaceTalk Trojan. Both the QuickTime movie file, titled tys4.mov, and the second script are downloaded from a server at profileawareness.com. That's also the site that collects the user data.

W32/Sality-AA
This section helps you to understand how it behaves.
W32/Sality-AA is a virus that also acts as a keylogger. The virus logs keystrokes to certain windows, as well as information about the infected computer. This logged data is periodically submitted to a remote website.
W32/Sality-AA has been seen spreading itself via email by piggy-backing on W32/Netsky-T.