=== Begin m_000127.mes ===
From: CX...@CX2SA.LAV.URY.SA
To : VIRUS@WW
Top Ten viruses most frequently detected by Panda ActiveScan in September
10/01/2004. For the fourth month running, the Downloader.GK Trojan was the
most frequently encountered malicious code
September was, in general, a quiet month in terms of virus activity. None of
the new malicious code that appeared caused major incidents. However, the
discovery of a new vulnerability (Exploit/MS04-028) has given cause for
concern. This security problem, which affects many Microsoft products, means
that specially-crafted malicious JPEG files could be used to take action on the
computers on which they are run. Because of this, it is likely that new viruses
that appear in coming months will try to exploit this vulnerability.
But leaving the future to one side, and although there have been no epidemics,
existing viruses have still continued to be the bane of computer users, judging
by the data gathered from Panda ActiveScan, the free online scanner. For the
fourth month running, the Downloader.GK Trojan has infected more computers than
any other malicious code, and was responsible for over 21 percent of
infections. Next came Mhtredir.gen (6.64%), a generic detection for a large
family of Trojans and the culprit in just under seven percent of positive
cases.
In third and fourth place came two well-known worms: Netsky.P (5.78%) and
Sasser.ftp (5.53%) - which includes all the Sasser worms that are downloaded
to computers via FTP. Gaobot.gen (4.62%), the generic detection of this family
of worms, came in fifth place while sixth and seventh place were filled by the
Trojans Briss.A (4.01%) and StartPage.FH (3.96%). The end of the ranking
included Mabutu.A (3.25%) and the Trojans Qhost.gen (3.19%) and Downloader.JH
(2.90%).
Virus                       % frequency
---------------------------+-----------
Trj/Downloader.GK          |   21,32%
Exploit/Mhtredir.gen       |    6,64%
W32/Netsky.P.worm          |    5,78%
W32/Sasser.ftp             |    5,53%
W32/Gaobot.gen.worm        |    4,62%
Trj/Briss.A                |    4,01%
Trj/StartPage.FH           |    3,96%
W32/Mabutu.A.worm          |    3,25%
Trj/Qhost.gen              |    3,19%
Trj/Downloader.JH          |    2,90%
The following conclusions can be drawn from the data collected by Panda
ActiveScan last month:
- Trojans still going strong. The trend of recent months continues with Trojans
occupying more than half of the ranking. This is symptomatic of an increase in
the activity of cyber-criminals on the Internet using Trojans as a tool.
- Software vulnerabilities are once again a threat. Four of the Top Ten use
vulnerabilities in commonly used applications to infect computers, which
demonstrates how many users still haven't applied the corresponding patches.
This is particularly worrying now with the discovery of Exploit/MS04-028, which
affects the viewing of JPEG files and will no doubt be used by numerous
malicious codes in the future.
To help as many users as possible keep their systems virus free, Panda Software
offers Panda ActiveScan, free of charge, at http://www.pandasoftware.com/
Webmasters who would like to include ActiveScan on their websites can get the
HTML code, free of charge, from
http://www.pandasoftware.com/partners/webmasters/
For more information about these and other viruses, visit Panda Software's
Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia
**************************************************************
* -*<< CX2SA:BBS + CX2SA-7:WX + CX2SA-8:APRS/DIGI/IGATE >>*- *
*------------------------------------------------------------*
* ((((((( 24/7 * 365 ))))))) *
*------------------------------------------------------------*
* HF: 7040/14105 KHz - TELNET: cx2sa.dyndns.org Port 23 *
*------------------------------------------------------------*
* Jose Maria Gonzalez Devitta *
* e-mail: cx...@adinet.com.uy *
* P. O. BOX #507 - C.P. 30000 *
* Minas * Lavalleja * URUGUAY * S.A. * [GF25JP] *
**************************************************************
=== End m_000127.mes ===
*73! Best regards: Igor*
*Nizhny Novgorod (RA3TW Amateur Radio Station)*
=== Begin m_000132.mes ===
From: CX...@CX2SA.LAV.URY.SA
To : VIRUS@WW
Weekly report on viruses and intruders
10/01/2004. This week's report will focus on two worms, Noomy.A and Bagle.BB,
and a Trojan called HardFull.A.
Noomy.A spreads via email and IRC. In order to spread via email it sends itself
out to all the addresses it finds in the files with a .dbx, .htm, .html or .php
extension, except to those that contain certain strings. In order to spread
across IRC, Noomy.A installs its own HTTP server and sends messages to several
hard-coded IRC channels, as well as links that try to persuade users to connect
to the HTTP server on the affected computer. When the user accesses these
links, a web page is opened, from which copies of the worm can be downloaded.
The propagation and payload of Noomy.A vary depending on the date it is run and
the type of Internet connection used. The actions that this worm can carry out
on affected computers include the following:
- End the processes belonging to security tools, such as antivirus and firewall
applications, leaving the computer vulnerable to attack from other malware.
- Launch Denial of Service attacks by pinging several websites, including
Microsoft's website.
- Connect to a website in order to send information about the compromised
computer, such as the system date and time, whether MSWINSCK.OCX is used and
the SMTP server and user name that Outlook uses.
When it is run, Noomy.A displays an error message on screen, making it easy to
know if it has infected the computer.
The second worm in today's report is Bagle.BB, which spreads via email in a
message with variable characteristics, and through P2P (peer-to-peer) file
sharing programs.
Bagle.BB opens TCP port 81 and listens in on the communications for a remote
connection. Through this connection, the worm will allow remote access to the
affected computer. This would allow a remote user to carry out actions that
could compromise the confidentiality of user data or impede the tasks carried
out.
Bagle.BB ends the processes belonging to security tools, such as antivirus
applications, leaving the computer vulnerable to attack from other malware.
Bagle.BB also deletes the entries created by several variants of the Netsky
worm in the Windows Registry, preventing them from being run when the computer
starts up.
We are going to finish this report with HardFull.A, a Trojan that does not
spread automatically using its own means, but requires intervention from the
attacker. The means of transmission it uses include floppy disks, CD-ROMs,
email messages with attached files, Internet downloads, etc.
HardFull.A creates a file that fills itself with the text Win32.Delf.du_Ful,
increasing its size until it uses up all the hard drive space available and
causing the computer to slow down or even block. This Trojan also disables the
Windows Registry editing tools, and the Run and Find options in the Start menu.
For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/
=== End m_000132.mes ===
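The report above gives two host-side indicators that a responder can check without a signature database: Bagle.BB opens TCP port 81 and listens for a remote connection, and HardFull.A creates a file that it fills with the text Win32.Delf.du_Ful until the disk is full. The script below is an added example (not Panda's code and not part of the bulletin) that turns those two descriptions into triage checks. It assumes netstat-style output in the common "Proto / Local Address / Foreign Address / State" layout, and the netstat sample and the files it scans are constructed inline so that it runs offline.

```python
"""Triage checks for the host indicators described in the weekly report:
a Bagle.BB-style listener on TCP 81 and a HardFull.A-style disk-filling file.
Added example only; the netstat text and the sample files are constructed."""
import re
import tempfile
from pathlib import Path

# Constructed `netstat -an`-style output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    192.168.1.5:1043       192.168.1.1:80         ESTABLISHED
"""

# One TCP line in LISTENING state: capture the local address and port.
LISTENING_RE = re.compile(r"^TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.MULTILINE)

# Port named in the report for Bagle.BB's remote-access listener.
WATCH_PORTS = frozenset({81})

# Text the report says HardFull.A writes repeatedly into its filler file.
FILLER_MARKER = b"Win32.Delf.du_Ful"


def listening_ports(netstat_text):
    """Return the set of TCP ports found in LISTENING state in netstat-style text."""
    return {int(port) for _, port in LISTENING_RE.findall(netstat_text)}


def suspicious_listeners(netstat_text, watch_ports=WATCH_PORTS):
    """Sorted list of watched ports (81 by default) that are currently listening."""
    return sorted(listening_ports(netstat_text) & set(watch_ports))


def is_filler_file(path, marker=FILLER_MARKER, sample_size=4096):
    """True if the start of the file consists only of back-to-back copies of marker.

    Only the first sample_size bytes are read, so a multi-gigabyte filler file
    is classified without reading it whole. A file that merely mentions the
    marker once inside other content is not flagged."""
    p = Path(path)
    if p.stat().st_size < len(marker):
        return False
    with p.open("rb") as fh:
        head = fh.read(sample_size)
    if not head.startswith(marker):
        return False
    # Strip every complete copy; a pure filler file leaves at most a partial tail.
    remainder = head.replace(marker, b"")
    return len(remainder) < len(marker)


def find_filler_files(root, marker=FILLER_MARKER):
    """Walk root and return the paths of files that look like marker-filled junk."""
    return sorted(
        str(p) for p in Path(root).rglob("*") if p.is_file() and is_filler_file(p, marker)
    )


def build_sample_tree():
    """Create a constructed directory: one filler file and one benign file.

    Returns the directory path so the caller can scan it."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "junk.dat").write_bytes(FILLER_MARKER * 1000)
    (root / "notes.txt").write_bytes(
        b"ordinary content that mentions Win32.Delf.du_Ful just once"
    )
    return str(root)


if __name__ == "__main__":
    print("watched ports listening:", suspicious_listeners(SAMPLE_NETSTAT))
    sample_root = build_sample_tree()
    print("filler files under", sample_root, ":", find_filler_files(sample_root))
```

On a real host you would feed `suspicious_listeners` the output of `netstat -an` and point `find_filler_files` at the drive that is filling up; both checks are deliberately narrow (one port, one marker string) because that is all the report states, and a listener on port 81 on its own is only a lead to confirm, not a verdict.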