Posted in GD as a public service. Mods, please move if you think this forum is inappropriate.
---------
- Weekly virus report -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, September 26, 2003 - Today's report on malicious code focuses on three worms: Gaobot.M (with backdoor characteristics), Opaserv.Y and Colevo.A.
Gaobot.M infects Windows XP/2000/NT computers and exploits the RPC DCOM (MS03-026) and WebDAV (MS03-007) vulnerabilities to spread to as many computers as possible. Gaobot.M also spreads by attempting to copy itself to shared network resources, which it gains access to by trying common or easily guessed passwords. Once run, Gaobot.M connects to a specified IRC server on port 6667 and waits for control commands.
As a backdoor, Gaobot.M lets malicious users obtain information on the affected computer, run files, launch Distributed Denial of Service (DDoS) attacks, upload files by FTP, etc. In addition, this worm terminates processes belonging to antivirus programs, firewalls and system monitoring tools, which leaves the affected computer open to attack by other viruses or worms. It also terminates the processes of Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster.
One indication that Gaobot.M has reached a computer is an increase in network traffic to TCP ports 135 and 445, as the worm attempts to exploit the 'RPC DCOM' vulnerability on other hosts.
Opaserv.Y spreads by scanning IP addresses and trying to copy itself to any shared network drives it finds. It reaches these shares through port 137 (NetBIOS) by exploiting the 'Share Level Password' vulnerability (MS00-072) in Windows Me/98/95.
Opaserv.Y creates the file 'SPEEDY.SCR', which is a copy of the worm, and the files 'PODRE!!', 'BANDA!', 'VACAS!' and 'VAGABU!'. These files contain information on scanned and affected computers and are stored encrypted.
We finish this report with Colevo.A, which spreads via e-mail and sends itself to all the contacts in the MSN Messenger contact list; to do so, Colevo.A incorporates its own SMTP engine. Colevo.A also opens port 2536, which allows attackers to remotely control the affected computer. Finally, it opens the Internet Explorer browser and randomly accesses several web pages that contain pictures of the Bolivian leader Evo Morales.
For further information about these and other viruses, visit Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
Additional information
- Encryption / Self-encryption: This is a technique used by some viruses to disguise themselves and therefore avoid detection by antivirus applications.
- DoS / Denial of Service: This is a type of attack, sometimes caused by viruses, that prevents users from accessing certain services (in the operating system, web servers etc.).
- SMTP (Simple Mail Transfer Protocol): This is a protocol used on the Internet exclusively for sending e-mail messages.
More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx
NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
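Added example, not part of the Panda report or of the post above: the network indicators the report gives (fan-out on ports 135/445 for Gaobot.M, fan-out on port 137 for Opaserv.Y, an IRC control channel on 6667, Colevo.A's backdoor port 2536 and its own SMTP engine, which shows up as one workstation talking directly to many mail servers) turned into detection logic run over a connection log. The log format (one line per connection: timestamp, protocol, source, destination, destination port), the sample log itself, the fan-out threshold and the time window are all constructed assumptions for this example.

```python
"""Flag hosts whose connection pattern matches the worm indicators in the
Panda report.  Added example; the log format, thresholds and sample data
are assumptions, not anything from the report."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: int        # epoch seconds
    proto: str     # "tcp" or "udp"
    src: str
    dst: str
    dport: int


# Assumed thresholds: how many distinct targets on one port, inside one
# time window, before a host is treated as scanning/propagating.
FANOUT_THRESHOLD = 20
WINDOW_SECONDS = 60

# Ports the report associates with propagation: flagged on fan-out only,
# because a single connection to 445 or 25 is normal traffic.
SCAN_PORTS = {
    ("tcp", 135): "RPC DCOM fan-out on tcp/135 (Gaobot.M spread)",
    ("tcp", 445): "SMB fan-out on tcp/445 (Gaobot.M share spreading)",
    ("udp", 137): "NetBIOS fan-out on udp/137 (Opaserv.Y share-level password attack)",
    ("tcp", 25):  "direct SMTP to many servers (worm with its own SMTP engine, Colevo.A)",
}
# Ports the report associates with control: a single connection is suspicious.
C2_PORTS = {
    ("tcp", 6667): "IRC control channel on tcp/6667 (Gaobot.M)",
    ("tcp", 2536): "backdoor port tcp/2536 (Colevo.A remote control)",
}


def parse_line(line):
    """Parse 'ts proto src dst dport'; return None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Conn(int(parts[0]), parts[1].lower(), parts[2], parts[3], int(parts[4]))
    except ValueError:
        return None


def parse_log(lines):
    return [c for c in (parse_line(line) for line in lines) if c is not None]


def detect(conns, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: sorted list of indicator labels} for hosts that match."""
    findings = defaultdict(set)
    by_key = defaultdict(list)            # (src, (proto, port)) -> [(ts, dst), ...]
    for c in sorted(conns, key=lambda c: c.ts):
        key = (c.proto, c.dport)
        if key in C2_PORTS:
            findings[c.src].add(C2_PORTS[key])
        if key in SCAN_PORTS:
            by_key[(c.src, key)].append((c.ts, c.dst))
    for (src, key), events in by_key.items():
        # Sliding window over time-ordered events: count distinct destinations
        # seen within the last `window` seconds.
        lo, counts = 0, defaultdict(int)
        for ts, dst in events:
            counts[dst] += 1
            while events[lo][0] < ts - window:
                old = events[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) >= threshold:
                findings[src].add(SCAN_PORTS[key])
                break
    return {src: sorted(labels) for src, labels in findings.items()}


def constructed_sample_log():
    """Constructed sample traffic: two infected hosts, one benign, one slow scanner."""
    lines = []
    # 10.0.0.5, Gaobot.M-like: 25 targets on tcp/135 in 25 s, then IRC on 6667.
    lines += [f"{1000 + i} tcp 10.0.0.5 10.0.1.{i + 1} 135" for i in range(25)]
    lines.append("1030 tcp 10.0.0.5 198.51.100.7 6667")
    # 10.0.0.9, Opaserv.Y-like: 30 targets on udp/137 in 15 s.
    lines += [f"{2000 + i // 2} udp 10.0.0.9 10.0.2.{i + 1} 137" for i in range(30)]
    # 10.0.0.7, benign: a few SMB sessions to one file server, one mail submission.
    lines += [f"{3000 + i * 1200} tcp 10.0.0.7 10.0.0.2 445" for i in range(3)]
    lines.append("3100 tcp 10.0.0.7 10.0.0.3 25")
    # 10.0.0.11: 25 targets on tcp/135 but one per minute, below the windowed threshold.
    lines += [f"{4000 + i * 60} tcp 10.0.0.11 10.0.3.{i + 1} 135" for i in range(25)]
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for host, labels in detect(parse_log(constructed_sample_log())).items():
        print(host, *labels, sep="\n  ")
```

The slow scanner (one target per minute) is deliberately left unflagged: a 60-second window with a fan-out threshold is a tradeoff, and a worm that rate-limits itself needs a longer window or a cumulative distinct-target count to be caught. The C2 ports are flagged on a single connection because the report describes 6667 and 2536 as control channels, not as propagation traffic.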