Symantec
Symantec AntiVirus Research Center
ISSN 1444-9994
SARC Home Page
August 2001 Newsletter
These are the viruses, Trojans and worms most reported to SARC's offices during the last month.

Top Global Threats
1. W95.Hybris
2. W32.Sircam.Worm@mm
3. W32.Magistr.24876@mm
4. VBS.Haptime.A@mm
5. W95.MTX
6. Wscript.KakWorm
7. W32.HLLW.Bymer
8. Trojan Horse
9. W32.Badtrans.13312@mm
10. W95.SoFunny.Worm@m

Asia Pacific
1. W32.Sircam.Worm@mm
2. W95.Hybris
3. W32.Magistr.24876@mm
4. VBS.Haptime.A@mm
5. W95.MTX
6. Wscript.KakWorm
7. W32.HLLW.Bymer
8. W32.Badtrans.13312@mm
9. Trojan Horse
10. Backdoor.Trojan

Europe
1. W95.Hybris
2. W32.Sircam.Worm@mm
3. W32.Magistr.24876@mm
4. W95.MTX
5. VBS.Haptime.A@mm
6. Wscript.KakWorm
7. Trojan Horse
8. W32.HLLW.Bymer
9. JS.Seeker
10. W32.Choke.Worm

Japan
1. W95.Hybris
2. W32.Sircam.Worm@mm
3. W95.MTX
4. W32.Magistr.24876@mm
5. W32.HLLW.Bymer
6. Trojan Horse
7. VBS.Haptime.A@mm
8. Backdoor.Sadmind
9. JS.Seeker
10. W32.HLLW.Qaz.A

USA
1. W95.Hybris
2. W32.Sircam.Worm@mm
3. W32.Magistr.24876@mm
4. VBS.Haptime.A@mm
5. Wscript.KakWorm
6. W95.SoFunny.Worm@m
7. W95.MTX
8. W32.HLLW.Bymer
9. W32.Badtrans.13312@mm
10. Trojan Horse
Top 20 Consolidated Global Threats (by SecurityPortal)
1. W32.Sircam.Worm@mm
2. VBS.LoveLetter Family
3. W32.Funlove
4. W32.Hybris
5. W32.BadTrans.A@MM
6. PWSteal.Trojan
7. VBS.Stages.A
8. VBS.Kakworm
9. W95.MTX
10. W95.Choke.Worm
11. VBS.Haptime@MM
12. VBS.VBSWG.X@mm (alias Homepage)
13. W97M.Marker Family
14. W97M.Thus
15. W97M.Ethan Family
16. O97M.Tristate.C
17. Happy99.Worm (aka W32.Ska)
18. W32.HLLW.Bymer
19. W32.Navidad
Removal Tools for malicious code are on our web site.
A list of Virus Hoaxes reported to Symantec.
A list of Joke Programs reported to Symantec.
It's not often we get two high level virus alerts in the same month, let alone at the same time. Both W32.Bady.Worm@mm (Code Red) and W32.SirCam.Worm@mm have generated a lot of attention and rightly so; there were significant threats to network traffic (Code Red) and privacy (Sircam). Symantec has been busy writing, testing and releasing updates to our anti-virus and intrusion detection products for both of these worms.

Just as Code Red activity was dying off we have posted a level 3 alert for VBS.Potok@mm, which is a simple VBS worm that exploits NT streams.

Urs Gattiker of EICAR has issued a call for papers for the next EICAR conference. Refer to the end of the newsletter for more information. Next year's conference is being held in Berlin, Germany from 8-11 June 2002. Details are available here: http://Conference.EICAR.org

David Banes.
Editor, sarc@symantec.com
Worms
CodeRed.II Worm
Severity: Severe [4]
Platform: Win32

CodeRed II was discovered on August 4, 2001. It has been called a variant of the original CodeRed Worm because it uses the same "buffer overflow" exploit to propagate to other web servers. Symantec AntiVirus Research Center received reports of a high number of IIS web servers that were infected. CodeRed II is considered to be a high threat.

The original CodeRed had a payload that causes a Denial of Service attack on the White House Web server. CodeRed II has a different payload that allows the hacker to have full remote access to the Web server.

SARC has created a tool to perform a vulnerability assessment of your computer and remove the CodeRed Worm and CodeRed II. The CodeRed removal tool is available from the SARC web site.

Additionally, Symantec is offering a free tool, Symantec Security Check, that you can use to determine if your computer is at risk. The tool is available in two forms, both of which are free: an online scan, or a download that you run on your own computer.

If you are running Microsoft's IIS server, it is strongly recommended that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

Norton AntiVirus is able to detect an infection on the Web server by detecting the payload (Trojan component) of this worm as Trojan.VirtualRoot.

http://www.sarc.com/avcenter/venc/data/codered.v3.html
by: Peter Szor and Eric Chien, SARC, EMEA
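The write-up says CodeRed and CodeRed II spread through a "buffer overflow" exploit against IIS web servers. One host-side check an administrator can run while waiting for the MS01-033 patch is to look through the IIS W3C extended log for requests whose URI is far longer than any legitimate page name. The following is an added example, not SARC's or Microsoft's code: it parses the `#Fields:` directive so column names come from the log itself, then counts overlong requests per client address. The 256-character threshold, the field layout and the sample log lines (RFC 5737 documentation addresses, a made-up `/scripts/example.dll` path) are constructed assumptions; the heuristic is generic and would flag any overlong-URI probe, not only this worm.

```python
"""Flag overlong requests in IIS W3C extended log lines (added example)."""
from collections import Counter

# Constructed sample: three ordinary hits and two overlong requests from one client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 10:15:01 192.0.2.10 GET /default.htm - 200
2001-08-04 10:15:07 192.0.2.10 GET /images/logo.gif - 200
2001-08-04 10:16:22 198.51.100.7 GET /scripts/example.dll {} 200
2001-08-04 10:16:30 198.51.100.7 GET /scripts/example.dll {} 200
2001-08-04 10:17:45 192.0.2.11 GET /about.htm - 404
""".format("X" * 300, "X" * 300)


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the latest #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue          # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue          # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def overlong_requests(text, max_len=256):
    """Return (c-ip, uri_length) for every request whose stem+query exceeds max_len."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        uri = rec.get("cs-uri-stem", "") + ("?" + query if query != "-" else "")
        if len(uri) > max_len:
            hits.append((rec["c-ip"], len(uri)))
    return hits


def sources_by_count(text, max_len=256):
    """Count overlong requests per client so repeat scanners stand out."""
    return Counter(ip for ip, _ in overlong_requests(text, max_len))


if __name__ == "__main__":
    for ip, n in sources_by_count(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} overlong request(s)")
```

Point the script at a real log by replacing `SAMPLE_LOG` with the file contents; a single client producing several overlong requests in a short window is the pattern worth following up, and any server that answered such a request with a 200 status should be checked with the removal tool above.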
W32.Sircam.Worm@mm
Severity: Severe [4]
Platform: Win32

W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm. Due to what appears to be a bug, this worm does not replicate under Windows NT or 2000.

This worm has two payloads: 1) the date of October 16th triggers the file deletion payload; 2) if the file deletion occurred, or after 8000 executions, the space filler payload triggers.

The worm appends a random document from the infected PC to itself and sends this new file via email. There is a 1 in 20 chance of deleting all files and directories on C:. This only occurs on systems where the date is October 16 and which are using D/M/Y as the date format; it always occurs if the attached file contains "FS2" not followed by "sc". There is also a 1 in 50 chance of filling all remaining space on the C: drive by adding text to the file c:\recycled\sircam.sys. The worm exports a random document from the hard drive by appending it to the body of the worm.

The Subject of the email will be the filename of the attachment, which will be a file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it. Size of attachment: at least 134 KB. Sircam searches for shared drives and copies itself to those it finds.

http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html
by: Peter Ferrie and Peter Szor, SARC, USA
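The three mail traits stated above (a document name with .bat, .com, .lnk or .pif appended, an attachment of at least 134 KB, and a Subject equal to the attachment's original filename) are enough for a gateway rule. The following is an added example, not SARC's code: it scores a message against those traits and flags it when the doubled extension is present together with at least one other trait. The `Message` record, the sample messages and the "doubled extension plus one more trait" weighting are constructed assumptions of this example; the Subject is compared both with and without the document's own extension because the write-up does not say which form the worm uses.

```python
"""Mail-gateway triage for the W32.Sircam.Worm@mm traits above (added example)."""
from dataclasses import dataclass

ADDED_EXTS = (".bat", ".com", ".lnk", ".pif")   # extensions the worm appends
MIN_SIZE = 134 * 1024                           # "at least 134 KB"


@dataclass
class Message:          # constructed stand-in for a parsed MIME message
    subject: str
    attachment_name: str
    attachment_size: int


def split_added_ext(name):
    """Return (document_name, added_ext) when name is a document name with one of
    ADDED_EXTS appended on top of another extension; otherwise (name, None)."""
    lower = name.lower()
    for ext in ADDED_EXTS:
        if lower.endswith(ext):
            base = name[:-len(ext)]
            if "." in base:                     # e.g. report.doc.pif -> report.doc
                return base, ext
    return name, None


def subject_matches(subject, document_name):
    """True if the Subject is the document name, with or without its extension."""
    stem = document_name.rsplit(".", 1)[0]
    return subject.strip().lower() in (document_name.lower(), stem.lower())


def sircam_traits(msg):
    """Return the list of matched traits for one message."""
    traits = []
    document_name, ext = split_added_ext(msg.attachment_name)
    if ext:
        traits.append("doubled-extension")
        if subject_matches(msg.subject, document_name):
            traits.append("subject-equals-attachment")
    if msg.attachment_size >= MIN_SIZE:
        traits.append("size-134kb+")
    return traits


def is_suspect(msg):
    """Flag when the doubled extension is present plus at least one more trait."""
    traits = sircam_traits(msg)
    return "doubled-extension" in traits and len(traits) >= 2


# Constructed sample messages: two worm-like, one ordinary document, one plain batch file.
SAMPLES = [
    Message("Budget 2001", "Budget 2001.xls.pif", 150 * 1024),
    Message("Re: meeting", "agenda.doc", 20 * 1024),
    Message("photo", "photo.jpg.com", 90 * 1024),
    Message("setup", "setup.bat", 140 * 1024),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.attachment_name:24} suspect={is_suspect(m)} traits={sircam_traits(m)}")
```

The size trait on its own is deliberately not enough to flag a message, since legitimate attachments are often larger than 134 KB; the doubled extension is the trait a user is least likely to produce by accident, so it anchors the rule.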
VBS.Potok@mm
Severity: Moderate [3]
Platform: Script

The VBS.Potok@mm worm is a simple Visual Basic script that exploits a little-known feature of Windows NT/2000 to spread. It sends itself to the first 50 recipients in the Microsoft Outlook Address Book. It attempts to add a new user to the infected computer and grant the user Administrator rights. The sample of this worm the Symantec AntiVirus Research Center (SARC) received has bugs that prevent it from operating correctly.

SARC has posted a tool to repair any infections; it is available for download from the SARC web site.

http://www.sarc.com/avcenter/venc/data/vbs.potok@mm.html
by: Jimmy Shah and Douglas Knowles, SARC, USA
Viruses
W32.HLLO.Videoinf
Severity: Minimal [1]
Platform: Win32

W32.HLLO.Videoinf is a virus that overwrites .ht* and .exe files in the folder that it is executed from. It sends information from the computer on which it is run to an email address. On certain dates, the virus will modify the C:\Autoexec.bat file so that the hard drive will be formatted when the computer is restarted.

http://www.sarc.com/avcenter/venc/data/w32.hllo.videoinf.html
by: Neal Hindocha, SARC, EMEA
Trojans
Trojan.Diagcfg
Severity: Minimal [1]
Platform: Win32

This Trojan modifies the registry so that it loads whenever Windows is started. It listens on port 6967 for commands. It sends email to its creator with information about the computer's IP address and connected hosts. If the program is run again while it is already running, it displays the message: "This program is part of the system and can not be run separately."

http://www.sarc.com/avcenter/venc/data/trojan.diagcfg.html
by: Jimmy Shah, SARC, USA
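A listening port is the indicator an administrator can check quickest: `netstat -an` on the suspect machine shows every socket, and a LISTENING entry on TCP 6967 is the trait the write-up gives for this Trojan. The following is an added example, not SARC's code: it parses the Windows `netstat -an` output format, lists the TCP listeners, and reports port 6967. Because the write-up says the Trojan mails its creator, the example also reports any established connection to remote TCP port 25 as a secondary indicator; that SMTP check, the port-to-name table and the sample output (private and documentation addresses) are assumptions of this example, not something the write-up specifies.

```python
"""Spot the Trojan.Diagcfg listener in Windows `netstat -an` output (added example)."""

# Assumed watch list: the only port the write-up names for this Trojan.
WATCHED_PORTS = {6967: "Trojan.Diagcfg command port"}

# Constructed sample in the layout `netstat -an` prints on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6967           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.9:25         ESTABLISHED
  TCP    192.168.1.5:1040       203.0.113.20:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def split_endpoint(endpoint):
    """'0.0.0.0:6967' -> ('0.0.0.0', 6967); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket line; the banner and column header are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP lines carry no state
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def listening_tcp_ports(text):
    """Sorted list of local TCP ports in the LISTENING state."""
    return sorted(r["lport"] for r in parse_netstat(text)
                  if r["proto"] == "TCP" and r["state"] == "LISTENING")


def findings(text, watched=WATCHED_PORTS):
    """Human-readable findings: watched listeners, plus outbound SMTP connections
    (assumed secondary indicator, since the Trojan mails its creator)."""
    out = []
    for r in parse_netstat(text):
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["lport"] in watched:
            out.append(f"listener on TCP {r['lport']}: {watched[r['lport']]}")
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and r["fport"] == 25:
            out.append(f"outbound SMTP from {r['lhost']}:{r['lport']} to {r['fhost']}")
    return out


if __name__ == "__main__":
    print("listening TCP ports:", listening_tcp_ports(SAMPLE_NETSTAT))
    for line in findings(SAMPLE_NETSTAT):
        print("finding:", line)
```

Save the real `netstat -an` output to a file and feed its contents in place of `SAMPLE_NETSTAT`; an outbound SMTP connection is only meaningful on a machine that has no mail client or relay role, so treat that line as a prompt to look, not as proof on its own.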
Symantec Enterprise Security
Visit the Symantec Enterprise Security Web Site: http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Martyr or Criminal? Debate Over Electronic Copyright Law Rages as Russian Programmer Sits in a San Jose Jail; The San Francisco Chronicle.
http://enterprisesecurity.symantec.com/content.cfm?articleid=823

Guard Against Revenge of the Downsized; VNU Computing.
http://enterprisesecurity.symantec.com/content.cfm?articleid=821

Security Vulnerabilities Found in Directory Protocol; Computerworld.
http://enterprisesecurity.symantec.com/content.cfm?articleid=812

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters:
https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
3rd European Anti Malware Conference & 11th EICAR Annual Conference
http://Conference.EICAR.org
Berlin, 8-11 June 2002
1st Call for Papers: Submission Deadline Dec. 1, 2001

This conference brings together experts from industry, government, academia, and research as well as end-users interested in keeping abreast of new developments.

Papers pertaining to malicious code & unwanted side-effects or malfunction, information age, warfare & society, cryptography and the protection of privacy, new media and e-commerce, and electronic payments are of interest. Research papers, case studies, research in progress short papers, panels, symposia, workshops and tutorials are welcome. Please clearly mark your contribution according to the category it belongs to when submitting.

The conference offers a Best Paper Award, Student Awards, Best Paper Proceedings and more. Registration fees are waived for presenting authors. For more information visit http://Conference.EICAR.org/?Author

Thank you
Urs E. Gattiker
EICAR
SARC Glossary for definitions of viruses, Trojans and worms and more.
Contacts and Subscriptions
Correspondence by email to: sarc@symantec.com (no unsubscribe or support emails please).
Follow this link to unsubscribe or change your subscription type.
Send virus samples to: avsubmit@symantec.com
Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html
This is a Symantec Corporation publication; use of it requires permission in advance from Symantec. All information contained in this newsletter is accurate and valid as of the date of issue.
Copyright © 1996-2001 Symantec Corporation. All rights reserved.