Kaspersky Lab On-line Newsletter #26

17 Apr 2002
Virus News

Network Worms

  • I-Worm.Brit
  • I-Worm.Cosol
  • I-Worm.Lee-Saltlake
  • Worm.Newbiero
  • I-Worm.Wargam
  • I-Worm.Valcard

Windows Viruses

  • Win32.HLLW.Bezilom
  • Win32.HLLW.Scareg

Linux Viruses

  • Linux.OSF.8795

Security Breaches

  • Exploit.IIS.Beavuh

    Network Worms

    I-Worm.Brit
    I-Worm.Brit is a simple worm that spreads via e-mail and IRC channels. It arrives on a computer as an e-mail message with an attached CHM file that contains the worm. The message has the following characteristics:
    Subject: RE: Britney Pics
    Message text: Take a look at these pics ...
    Regards,
    %CurrentUser.Name%
    where %CurrentUser.Name% is the current user's name.
    Attached file name: BRITNEY.CHM [ Details... ]
    I-Worm.Cosol
    Cosol is a worm virus spreading via the Internet as an email attachment. This worm also has a backdoor and key-spy routines. The worm itself is a Windows PE EXE file about 355Kb in size (compressed by UPX, its decompressed size is about 675Kb), written in Delphi. [ Details... ]
    I-Worm.Lee-Saltlake
    This is a simple worm that replicates through e-mail messages and IRC channels. The worm arrives in an infected message with an attached VBS file, which is actually the worm's body. Infected messages have the following properties:
    Subject: You get off the ice and respect the referees decision
    Message body: Do you agree with the judge's decision to disqualify a Korean skater and award Apolo Ohno the gold medal Wednesday night?
    Attachment name: SALTLAKE.jpg.vbs
    [ Details... ]
    Worm.Newbiero
    Newbiero is a worm virus spreading through local area networks. This worm has a backdoor routine that allows a 'master' (the person controlling the worm) to monitor infected machines. The worm itself is a Windows PE EXE file about 160Kb in size, written in Microsoft Visual C++. When run, the worm installs itself into the system: it copies itself to the Windows system directory under a random name (for example, AGCMJL.EXE or CBICAR.EXE) and registers this file in the system registry auto-run key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Diagnostic = %worm random EXE name%
    Newbiero then deletes its original EXE file (from where it was run). [ Details... ]
    I-Worm.Wargam
    This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 77Kb in length (encrypted with the ASProtect EXE file protection utility), written in Borland C++. The infected messages use one of three variants of Subject/Body/Attached file: [ Details... ]
    I-Worm.Valcard
    This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 97Kb in length (compressed by UPX, about 132K when decompressed), and it is written in Visual Basic. [ Details... ]
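    As an added defensive example (not Kaspersky code and not a product signature), the following mail-gateway check flags messages matching the I-Worm.Brit and I-Worm.Lee-Saltlake indicators given above, and also the more general double-extension trick (an image or document name followed by a script or executable extension) that SALTLAKE.jpg.vbs illustrates. The indicator tables and sample messages are constructed from this newsletter.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Indicators as described in this newsletter (constructed table, not a vendor signature set).
SUBJECT_IOCS = {
    "RE: Britney Pics": "I-Worm.Brit",
    "You get off the ice and respect the referees decision": "I-Worm.Lee-Saltlake",
}
ATTACHMENT_IOCS = {
    "britney.chm": "I-Worm.Brit",
    "saltlake.jpg.vbs": "I-Worm.Lee-Saltlake",
}
# Generic heuristic: a harmless-looking inner extension hiding a script/executable outer one.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|txt|doc)\.(vbs|exe|scr|pif|chm)$", re.IGNORECASE)


def scan_message(raw: str) -> list:
    """Return (label, where) findings for one RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECT_IOCS:
        findings.append((SUBJECT_IOCS[subject], "subject"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENT_IOCS:
            findings.append((ATTACHMENT_IOCS[name], "attachment " + name))
        elif DOUBLE_EXT.search(name):
            findings.append(("double-extension attachment", name))
    return findings


def build_sample(subject: str, filename: str, body: str = "Take a look at these pics ...") -> str:
    """Construct a sample MIME message with one attachment, for offline testing only."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(scan_message(build_sample("RE: Britney Pics", "BRITNEY.CHM")))
```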

    Windows Viruses

    Win32.HLLW.Bezilom
    This is a harmless, non-memory-resident parasitic Win32 virus. It consists of three components, all of which are Windows PE EXE files written in Visual Basic:
      • Natasha.exe - 143K, the virus dropper; it was spammed to several e-mail conferences in the middle of February 2002
      • Maria.doc.exe - 29K, the virus itself
      • MacroSoftBL.exe - 70K, a fake anti-virus program (decoy)
    When the dropper is executed, it drops the two other components and runs them:
      • File1: "PKGF320.exe" in the Windows TEMP directory
      • File2: "MacroSoftBL.exe" in the "Program Files\MacroSoftBL" directory, with the Hidden and System attributes set
    [ Details... ]
    Win32.HLLW.Scareg
    Scareg is a worm virus spreading through removable drives (i.e. floppy disks, zip disks etc.). The worm itself is a Windows PE EXE file about 372Kb in size, written in Delphi. The worm installs itself into the system twice. First, it moves the original SCANREGW.EXE file from the Windows directory to the Windows system directory:
    Windows\SCANREGW.EXE -> Windows\SYSTEM\SCANREGW.EXE
    and then overwrites the original SCANREGW.EXE file with a copy of itself. [ Details... ]

    Linux Viruses

    Linux.OSF.8795
    Linux.OSF.8759 is a virus with enhanced backdoor capabilities that replicates on Linux systems and infects ELF executables. Files infected by the virus grow by 8759 bytes: 3979 bytes belong to the actual virus code, while the other 4662 belong to the code of a backdoor that the virus appends at the end of the file. Although the backdoor code is copied along with the virus, it appears designed so that it can easily be replaced with updated versions: the backdoor is not linked into the ELF structure, but is instead loaded and executed by the virus itself. Improved versions of this virus, especially of the backdoor code, can therefore be expected in the future. [ Details... ]

    Security Breaches

    Exploit.IIS.Beavuh
    Beavuh is a malware exploit of the so-called MS IIS ".printer" vulnerability, which is described by Microsoft in "Security Bulletin MS01-23", released May 1, 2001. The MS01-23 Security Bulletin can be viewed at the following location: www.microsoft.com/technet/security/bulletin/ms01-023.asp This exploit program gives remote access to a simple Windows NT command shell on the target machine. It was recently reported (March 2, 2002) that Beavuh has been used in a large number of hacking attempts. [ Details... ]
    © 2002, Kaspersky Lab, Ltd. All rights reserved
    Kaspersky Lab
    10 Geroyev Panfilovtsev St., Moscow, Russia 125363
    Telephone/ Fax: +7 095 797 87 00
    E-mail: info@kaspersky.com
    WWW: http://www.kaspersky.com