- Netsky.C, Bizex.A, Nachi.D and Mydoom.F.
Netsky.C spreads via e-mail, in a message with variable characteristics, and through peer-to-peer file sharing applications. This malicious code deletes registry entries made by several worms, including Mydoom.A and Mimail.T. In addition, when the system date is February 26, 2004, Netsky.C emits random noises between 6.00 and 8.59 in the morning.
Bizex.A, on the other hand, spreads through the ICQ instant messaging program. It also downloads and runs a copy of itself by exploiting two recently detected flaws in Internet Explorer.
Bizex.A tries to steal information that users enter on the websites of banks and other financial entities, as well as information transmitted via HTTPS (HTTP over Secure Socket Layer) related to the login.yahoo.com and .passport domains. The data gathered is sent to an FTP server.
The third worm we'll look at in this report is Nachi.D, which spreads to computers running Windows 2003, XP, 2000 or NT. In order to spread as widely as possible, it downloads a copy of itself by exploiting three vulnerabilities: Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun. This causes an increase in network traffic through TCP ports 80, 135 and 445.
Nachi.D can uninstall the A and B variants of Mydoom and Doomjuice, terminating their processes and removing any associated files. When the system date is June 1 or later, Nachi.D deletes itself.
Finally, we'll look at the F variant of Mydoom, which spreads in an e-mail message with variable characteristics. This is a destructive worm which deletes all files with any of the following extensions: AVI, BMP, DOC, JPG, MDB, SAV and XLS.
Mydoom.F installs a DLL which opens a backdoor and allows antivirus processes to be terminated, leaving the PC vulnerable to attack from other malware. When the system date is between the 17th and 22nd of any month (and year), this worm carries out a distributed denial of service (DDoS) attack against www.microsoft.com and www.riaa.com (two out of three of the attacks are against Microsoft).
In seven out of ten cases, Mydoom.F displays an error message in the infected computer.
And lastly, don't forget to keep your antivirus updated at all times.
- Netsky.D reaches computers in an e-mail message whose subject, message body and attached file are selected at random from a list of options. Unlike the C variant, Netsky.D launches eight simultaneous threads, which means that each infected computer will send at least eight times more infected mails.
- Bagle.E is a worm that spreads via e-mail in a message with variable characteristics and an attached file whose icon resembles that of Windows Notepad. Bagle.E contains a backdoor which opens TCP port 2745. It attempts to connect to several web pages that host a PHP script; by doing this, Bagle.E notifies its author that the affected computer can be accessed through the port mentioned above.
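The network indicators named above for Nachi.D (a surge of connections to TCP 135 and 445 while it propagates) and Bagle.E (a backdoor listening on TCP 2745) are the kind a defender can check for in connection logs. The following is an added example, not part of the original report or of any vendor's tooling; the log line format, the IP addresses and the fan-out threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample connection-log lines (hypothetical format, not real captures):
# "<time> <src_ip> -> <dst_ip>:<dst_port>/tcp <action>"
SAMPLE_LOG = """\
09:01:02 10.0.0.5 -> 10.0.0.10:135/tcp allow
09:01:02 10.0.0.5 -> 10.0.0.11:135/tcp allow
09:01:03 10.0.0.5 -> 10.0.0.12:445/tcp allow
09:01:03 10.0.0.5 -> 10.0.0.13:445/tcp deny
09:01:04 10.0.0.5 -> 10.0.0.14:80/tcp allow
09:01:05 10.0.0.5 -> 10.0.0.15:135/tcp allow
09:02:00 10.0.0.7 -> 10.0.0.10:445/tcp allow
09:02:10 10.0.0.9 -> 203.0.113.20:2745/tcp allow
09:03:00 10.0.0.7 -> 198.51.100.8:80/tcp allow
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)/tcp (\w+)$")

# Ports named in the report: 135 (RPC) and 445 (Workstation Service) are the
# propagation targets of Nachi.D; 2745 is the backdoor port opened by Bagle.E.
# TCP 80 is deliberately not counted here because ordinary web traffic would
# drown the signal.
PROPAGATION_PORTS = {135, 445}
BAGLE_E_BACKDOOR_PORT = 2745

def analyze(log_text, fanout_threshold=3):
    """Return (scanners, backdoor_hits).

    scanners: {src_ip: distinct_target_count} for hosts that contacted at least
              fanout_threshold distinct destinations on 135/445 (denied attempts
              count too, since a worm scans regardless of the outcome).
    backdoor_hits: [(src_ip, dst_ip)] for any connection involving TCP 2745.
    """
    targets = defaultdict(set)
    backdoor_hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        _, src, dst, port, _ = m.groups()
        port = int(port)
        if port in PROPAGATION_PORTS:
            targets[src].add(dst)
        if port == BAGLE_E_BACKDOOR_PORT:
            backdoor_hits.append((src, dst))
    scanners = {src: len(t) for src, t in targets.items() if len(t) >= fanout_threshold}
    return scanners, backdoor_hits

if __name__ == "__main__":
    scanners, hits = analyze(SAMPLE_LOG)
    print("Nachi.D-style fan-out on TCP 135/445:", scanners)
    print("Connections involving Bagle.E backdoor port 2745:", hits)
```

On the constructed log, 10.0.0.5 is flagged for touching five distinct hosts on 135/445, 10.0.0.7 stays below the threshold, and the single connection to TCP 2745 is reported for follow-up.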
- Netsky family:
W32/Bagle.C@mm
W32/Bagle.D@mm
W32/Bagle.E@mm
W32/Bagle.F@mm
W32/Bagle.G@mm
W32/Bagle.H@mm
W32/Netsky.D@mm
W32/Netsky.E@mm
These new variants started spreading between 28 February and 1 March 2004.
Risk:
Most of these new variants are rated low risk and would not warrant a virus alert on their own. Given the number of new variants in a relatively short span of time, however, there is reason for computer users to be careful.
Recommended Reactions:
Users of Antivirus should update their virus signature files immediately. These variants are all detected by Antivirus using virus signature files dated 1 March 2004 and later. Note that multiple virus signature files were released between 28 February and 1 March, each of which detected all the variants that had been discovered at the time of their release.
- W32/Bagle.n@MM
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 3/13/2004
Date Added: 3/13/2004
Origin: Unknown
Length: 21 KB
Type: Virus
SubType: E-mail worm
DAT Required: 4337